Tektronix firmware XOR puzzle

reverse-engineering xor firmware-analysis
2021-06-26 04:13:22

As a way of learning about packed firmware, and for fun, I am trying to unpack the latest firmware for the attached entry-level Tektronix function generator.

I have read the forums and installed the REMnux VM. I have also used the XOR Cracker site.

I have convinced myself that the file is XORed and not encrypted, using the attached binvis image.

These sites and tools all agree on probable XOR patterns, with 94 94 90 a1 91 89 91 92 being the most likely.

I have also studied the excellent information available on Malwarebytes.

However, after saving all combinations of the XORed file, I am unable to find meaningful strings, nor can I make sense of the saved file with binwalk.

Am I missing something? Can anyone suggest any other strategies for producing the un-XORed file?

1 Answer

It is just addition/subtraction (mod 256).

#!/usr/bin/python3
# These key bytes are the two's complement of the hex sequence mentioned in the question.
# The string appears twice in the decrypted blob, which makes me think it's what is used.
key = [ord(n) for n in "llp_owon"]

with open("AFG1022_V1.2.4.tfb", "rb") as infile:
  data = infile.read()
outdata=bytearray()
for n in range(0, len(data)):
  outdata.append((data[n]+key[n%len(key)])&0xff)
with open("decrypted.bin", "wb") as outfile:
  outfile.write(outdata)

Edit: some additional information:

// all uint32_t values are little endian
struct section {
  uint32_t valid;  // 0x00000001 if present, 0x00000000 if not
  uint32_t offset; // offset to beginning of this payload in this file
  uint32_t length; // length of this payload
  uint32_t crc32;  // crc32 of the payload described by this section
};

// This is the header at the start of the firmware file
struct firmware_header {
  uint32_t crc32;           // crc32 of file_contents[4:]
  uint8_t version[16];      // version string
  uint8_t package_type[12]; // package type string ("UpgradePack")
  struct section s[8];      // the payloads, see above for the structure
  uint8_t model[40];        // hardware model
};

// Each section index accesses a specific path
const char *section_paths[8] = {
  "/flash/boot/fp",
  "/flash/boot/tx",
  "/flash/boot/bmp",  // splashscreen bitmap
  "/flash/boot/hz",
  "/flash/boot/os",   // load at address 0x00000000, ARM
  "/flash/boot/bios",
  "/flash/boot/menu",
  "/flash/boot/help",
};
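Added example (not the answer's code) that ties the key and the header layout together: it undoes the add-mod-256 transform, parses `struct firmware_header` as laid out above, and checks the file and per-section CRC32 values. It assumes the header describes the decoded data and that `crc32` is the standard zlib/IEEE polynomial; the sample image, its version string and model string are constructed here, not taken from a real .tfb.

```python
#!/usr/bin/env python3
"""Decode an AFG1022-style .tfb image (byte-wise add mod 256) and parse the header."""
import struct
import zlib

KEY = b"llp_owon"  # key from the answer above (two's complement of 94 94 90 a1 91 89 91 92)
SECTION_PATHS = ["/flash/boot/fp", "/flash/boot/tx", "/flash/boot/bmp", "/flash/boot/hz",
                 "/flash/boot/os", "/flash/boot/bios", "/flash/boot/menu", "/flash/boot/help"]
HEADER_LEN = 4 + 16 + 12 + 8 * 16 + 40  # sizeof(struct firmware_header) == 200


def decode(data: bytes, key: bytes = KEY) -> bytes:
    """The transform from the answer: add the repeating key byte-wise, mod 256."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def encode(data: bytes, key: bytes = KEY) -> bytes:
    """Inverse of decode(); used only to build the constructed sample image."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def parse_header(blob: bytes) -> dict:
    """Parse struct firmware_header (little-endian) and check every CRC32 it carries.
    Assumption: crc32 is the standard zlib/IEEE polynomial, as zlib.crc32 computes."""
    crc, version, ptype = struct.unpack_from("<I16s12s", blob, 0)
    sections = []
    for i in range(8):
        valid, off, length, scrc = struct.unpack_from("<4I", blob, 32 + 16 * i)
        if valid == 1:
            payload = blob[off:off + length]
            sections.append({"path": SECTION_PATHS[i], "offset": off, "length": length,
                             "crc_ok": zlib.crc32(payload) == scrc})
    return {"file_crc_ok": zlib.crc32(blob[4:]) == crc,
            "version": version.rstrip(b"\0").decode(),
            "package_type": ptype.rstrip(b"\0").decode(),
            "model": blob[160:200].rstrip(b"\0").decode(),
            "sections": sections}


def build_sample() -> bytes:
    """Constructed sample image: one valid section (index 4, 'os') with a tiny payload."""
    payload = b"CONSTRUCTED OS PAYLOAD"
    secs = bytearray(8 * 16)
    struct.pack_into("<4I", secs, 4 * 16, 1, HEADER_LEN, len(payload), zlib.crc32(payload))
    body = (b"1.2.4".ljust(16, b"\0") + b"UpgradePack".ljust(12, b"\0")
            + bytes(secs) + b"AFG1022".ljust(40, b"\0") + payload)
    plain = struct.pack("<I", zlib.crc32(body)) + body
    return encode(plain)  # what the distributed file would look like
```

Feeding the distributed pattern 94 94 90 a1 91 89 91 92 through `decode()` yields eight zero bytes, which is why the XOR tools kept reporting it: it is what zero padding looks like after the transform.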