Unpacking IpCam firmware - Binwalk extraction problem

reverse-engineering binary-analysis binary
2021-06-23 08:40:35

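I am trying to use Binwalk to extract an IpCam bin firmware. I did it successfully for the WebUI, but I can't on the firmware itself.

Problem: it only extracts "sysversion.txt", which is a bit light :).

The file: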

ron@vpsXXXXXX:~/firmware$ ls
CH-sys-48.53.64.67.zip

Verification and extraction:

ron@vpsXXXXXX:~/firmware$ binwalk CH-sys-48.53.64.67.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 605571, uncompressed size: 612699, name: CH-sys-48.53.64.67.bin
605717        0x93E15         End of Zip archive

ron@vpsXXXXXX:~/firmware$ file CH-sys-48.53.64.67.zip
CH-sys-48.53.64.67.zip: Zip archive data, at least v2.0 to extract
ron@vpsXXXXXX:~/firmware$ unzip CH-sys-48.53.64.67.zip
Archive:  CH-sys-48.53.64.67.zip
  inflating: CH-sys-48.53.64.67.bin

Binwalk without extraction:

ron@vpsXXXXXX:~/firmware$ binwalk CH-sys-48.53.64.67.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
172           0xAC            Zip archive data, at least v2.0 to extract, compressed size: 8969, uncompressed size: 19091, name: system/system/lib/libsns_gc1004.so
9337          0x2479          End of Zip archive
9499          0x251B          Zip archive data, at least v2.0 to extract, compressed size: 7813, uncompressed size: 16341, name: system/system/lib/libsns_ov9712_plus.so
17518         0x446E          End of Zip archive
17680         0x4510          Zip archive data, at least v2.0 to extract, compressed size: 90121, uncompressed size: 353248, name: system/system/lib/libOnvif.so
107987        0x1A5D3         End of Zip archive
108149        0x1A675         Zip archive data, at least v2.0 to extract, compressed size: 43603, uncompressed size: 84480, name: system/system/lib/libvoice_arm.so
151946        0x2518A         End of Zip archive
152108        0x2522C         Zip archive data, at least v2.0 to extract, compressed size: 130, uncompressed size: 227, name: system/init/ipcam.sh
152406        0x25356         End of Zip archive
152568        0x253F8         Zip archive data, at least v2.0 to extract, compressed size: 402383, uncompressed size: 886168, name: system/system/bin/encoder
555129        0x87879         End of Zip archive
555291        0x8791B         Zip archive data, at least v2.0 to extract, compressed size: 35394, uncompressed size: 74200, name: system/system/bin/wifidaemon
590869        0x90415         End of Zip archive
591031        0x904B7         Zip archive data, at least v2.0 to extract, compressed size: 1852, uncompressed size: 9692, name: system/system/bin/grade.sh
593063        0x90CA7         End of Zip archive
593225        0x90D49         Zip archive data, at least v2.0 to extract, compressed size: 8704, uncompressed size: 20212, name: system/system/bin/updata
602105        0x92FF9         End of Zip archive
602267        0x9309B         Zip archive data, at least v2.0 to extract, compressed size: 1874, uncompressed size: 4522, name: system/system/bin/gpio_aplink.ko
604333        0x938AD         End of Zip archive
604495        0x9394F         Zip archive data, at least v2.0 to extract, compressed size: 7241, uncompressed size: 16802, name: system/system/bin/motogpio.ko
611922        0x95652         End of Zip archive
612084        0x956F4         Zip archive data, at least v1.0 to extract, compressed size: 8, uncompressed size: 8, name: system/system/bin/fwversion.bin
612282        0x957BA         End of Zip archive
612444        0x9585C         Zip archive data, at least v1.0 to extract, compressed size: 9, uncompressed size: 9, name: system/system/bin/sysversion.txt
612645        0x95925         End of Zip archive

Binwalk extraction:

ron@vpsXXXXXX:~/firmware$ binwalk -Mer CH-sys-48.53.64.67.bin

Scan Time:     2016-01-19 00:36:12
Target File:   /home/ron/firmware/CH-sys-48.53.64.67.bin
MD5 Checksum:  58df9214226cfe46760215bfca0c496c
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
172           0xAC            Zip archive data, at least v2.0 to extract, compressed size: 8969, uncompressed size: 19091, name: system/system/lib/libsns_gc1004.so
9337          0x2479          End of Zip archive
9499          0x251B          Zip archive data, at least v2.0 to extract, compressed size: 7813, uncompressed size: 16341, name: system/system/lib/libsns_ov9712_plus.so
17518         0x446E          End of Zip archive
17680         0x4510          Zip archive data, at least v2.0 to extract, compressed size: 90121, uncompressed size: 353248, name: system/system/lib/libOnvif.so
107987        0x1A5D3         End of Zip archive
108149        0x1A675         Zip archive data, at least v2.0 to extract, compressed size: 43603, uncompressed size: 84480, name: system/system/lib/libvoice_arm.so
151946        0x2518A         End of Zip archive
152108        0x2522C         Zip archive data, at least v2.0 to extract, compressed size: 130, uncompressed size: 227, name: system/init/ipcam.sh
152406        0x25356         End of Zip archive
152568        0x253F8         Zip archive data, at least v2.0 to extract, compressed size: 402383, uncompressed size: 886168, name: system/system/bin/encoder
555129        0x87879         End of Zip archive
555291        0x8791B         Zip archive data, at least v2.0 to extract, compressed size: 35394, uncompressed size: 74200, name: system/system/bin/wifidaemon
590869        0x90415         End of Zip archive
591031        0x904B7         Zip archive data, at least v2.0 to extract, compressed size: 1852, uncompressed size: 9692, name: system/system/bin/grade.sh
593063        0x90CA7         End of Zip archive
593225        0x90D49         Zip archive data, at least v2.0 to extract, compressed size: 8704, uncompressed size: 20212, name: system/system/bin/updata
602105        0x92FF9         End of Zip archive
602267        0x9309B         Zip archive data, at least v2.0 to extract, compressed size: 1874, uncompressed size: 4522, name: system/system/bin/gpio_aplink.ko
604333        0x938AD         End of Zip archive
604495        0x9394F         Zip archive data, at least v2.0 to extract, compressed size: 7241, uncompressed size: 16802, name: system/system/bin/motogpio.ko
611922        0x95652         End of Zip archive
612084        0x956F4         Zip archive data, at least v1.0 to extract, compressed size: 8, uncompressed size: 8, name: system/system/bin/fwversion.bin
612282        0x957BA         End of Zip archive
612444        0x9585C         Zip archive data, at least v1.0 to extract, compressed size: 9, uncompressed size: 9, name: system/system/bin/sysversion.txt
612645        0x95925         End of Zip archive


Scan Time:     2016-01-19 00:36:12
Target File:   /home/ron/firmware/_CH-sys-48.53.64.67.bin.extracted/system/system/bin/sysversion.txt
MD5 Checksum:  3e98d83fbced8eb62c79542f5df5a14f
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

Only one target file was extracted...

A quick look at the header:

ron@vpsXXXXXX:~/firmware$ head -n1 CH-sys-48.53.64.67.bin | hexdump -C
00000000  77 77 77 2e 6f 62 6a 65  63 74 2d 63 61 6d 65 72  |www.object-camer|
00000010  61 2e 63 6f 6d 2e 62 79  2e 68 6f 6e 67 7a 78 2e  |a.com.by.hongzx.|
00000020  73 79 73 74 65 6d 2f 73  79 73 74 65 6d 2f 6c 69  |system/system/li|
00000030  62 2f 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |b/..............|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  6c 69 62 73 6e 73 5f 67  63 31 30 30 34 2e 73 6f  |libsns_gc1004.so|
00000070  2e 7a 69 70 00 00 00 00  00 00 00 00 00 00 00 00  |.zip............|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000a0  e3 23 00 00 43 40 35 30  00 00 00 00 50 4b 03 04  |.#..C@50....PK..|
000000b0  14 00 00 00 08 00 fa 8b  5d 47 89 42 30 43 09 23  |........]G.B0C.#|
000000c0  00 00 93 4a 00 00 22 00  1c 00 73 79 73 74 65 6d  |...J.."...system|
000000d0  2f 73 79 73 74 65 6d 2f  6c 69 62 2f 6c 69 62 73  |/system/lib/libs|
000000e0  6e 73 5f 67 63 31 30 30  34 2e 73 6f 55 54 09 00  |ns_gc1004.soUT..|
000000f0  03 88 e7 31 56 88 e7 31  56 75 78 0b 00 01 04 ed  |...1V..1Vux.....|
00000100  03 00 00 04 ed 03 00 00  e5 7c 0b 78 53 55 d6 f6  |.........|.xSU..|
00000110  3e b9 b4 69 9a cb 69 cf  29 96 8b 92 0a           |>..i..i.)....|
0000011d

Any idea why I can't extract everything?

Thanks!

Ronan

1 Answer

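Although my version of binwalk correctly extracts the files into the system folder, which contains only the ZIP files together with sysversion.txt, I will briefly describe why you see only sysversion.txt in the archive files. This is because the firmware file contains multiple PKZIP archives, and binwalk does not know the exact size of these files. It can therefore correctly identify the beginning of each PKZIP file from the PK magic, but without knowing the correct file size it extracts all remaining bytes into the ZIP file it creates. Since the central directory structure of the PKZIP format is stored at the end of a ZIP file, a file viewer or decompressor will probably find the central directory of the last ZIP file, the one after the compressed data of sysversion.txt.zip, which is what the extracted ZIP files end with.

To solve this, you can either look in the system folder inside the folder where you found the ZIP files, or you can extract the files manually.
If you look at the beginning of the CH-sys-48.53.64.67.bin file, you will see that its structure is simple. It starts with a magic string (marked blue in the image). The next element is a 0x40-byte directory name (marked yellow), followed by a 0x40-byte file name entry (marked green). After the file name you will find the size of the file (marked purple), some flags, and the binary content (the start of the binary is marked gray).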

[Image: hex dump of the file header with the fields color-marked]

Based on this information, you can write a simple script to extract the files correctly, for example:

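import os
import struct
import sys

if len(sys.argv) < 2:
    print('usage: parse binary')
    sys.exit(1)

with open(sys.argv[1], 'rb') as f:
    b = f.read()

o = 0x20  # skip the 0x20-byte magic string at the start of the file
while o < len(b) - 0x20:
    # each entry: 0x40-byte directory name, 0x40-byte file name, three 32-bit fields, data
    dirname = b[o:o+0x40].strip(b'\x00').decode('ascii', 'replace')
    fname = b[o+0x40:o+0x80].strip(b'\x00').decode('ascii', 'replace')
    # '<' forces 4-byte little-endian fields; native 'L' is 8 bytes on 64-bit Linux
    size, unk1, unk2 = struct.unpack('<LLL', b[o+0x80:o+0x8c])
    print('%x, %s, %s: %x, %x, %x' % (o, dirname, fname, size, unk1, unk2))
    # basename() keeps a name taken from the firmware from writing outside the current directory
    with open(os.path.basename(fname), 'wb') as out:
        out.write(b[o+0x8c:o+0x8c+size])
    o += 0x8c + size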
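
Added example (not part of the original answer): it reproduces the symptom on a small constructed image and shows that cutting on the size field fixes it. The two-entry image, the member contents and the helper names are constructed for illustration; only the magic string and the field layout come from the hex dump and the answer above.

```python
import io
import struct
import zipfile

MAGIC = b"www.object-camera.com.by.hongzx."  # 0x20-byte magic from the question's hex dump
HDR = 0x8C  # 0x40 directory + 0x40 file name + three 32-bit little-endian fields

def make_zip(name, data):
    """Return a one-member ZIP as bytes (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()

def pack_entry(dirname, fname, blob):
    """Wrap one blob in the per-file header described in the answer."""
    return (dirname.ljust(0x40, b"\0") + fname.ljust(0x40, b"\0")
            + struct.pack("<LLL", len(blob), 0, 0) + blob)

def carve_from_first_pk(fw):
    """Signature-only carve: from the first PK magic through end of file."""
    return fw[fw.index(b"PK\x03\x04"):]

def split_container(fw):
    """Yield (file name, blob), cutting each ZIP exactly at its size field."""
    o = len(MAGIC)
    while o + HDR <= len(fw):
        fname = fw[o + 0x40:o + 0x80].rstrip(b"\0").decode("ascii", "replace")
        (size,) = struct.unpack_from("<L", fw, o + 0x80)
        if size > len(fw) - (o + HDR):
            raise ValueError("size field at 0x%x runs past end of file" % o)
        yield fname, fw[o + HDR:o + HDR + size]
        o += HDR + size

def names(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.namelist()

# Constructed two-entry image in the same layout (not the real firmware).
FW = (MAGIC
      + pack_entry(b"system/init/", b"ipcam.sh.zip",
                   make_zip("system/init/ipcam.sh", b"#!/bin/sh\n"))
      + pack_entry(b"system/system/bin/", b"sysversion.txt.zip",
                   make_zip("system/system/bin/sysversion.txt", b"48.53.64\n")))

if __name__ == "__main__":
    print("carved to EOF:", names(carve_from_first_pk(FW)))
    for fname, blob in split_container(FW):
        print(fname, "->", names(blob))
```

The carve that runs to end of file lists only the last member because the ZIP reader locates the end-of-central-directory record by searching backwards from the end of the data.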