Backup from ZynOS, but it cannot be decompressed with LZS

reverse-engineering static-analysis unpacking
2021-06-16 13:01:32

So I have this rom-0 file from a Zyxel router P-660HW-T3 v3 and I want to decompress it. I tried a lot of tools; one of them, which you can find here, is a tool that decompresses with lzs. It works on some rom-0 files (the smaller ones, about 16 kB), but not on mine, which is about 50 kB and differs only slightly. This is the "normal" file


00000000  01 01 00 01 19 48 64 62  67 61 72 65 61 00 00 00  |.....Hdbgarea...|
00000010  00 00 00 00 18 00 00 00  01 48 00 00 00 00 00 00  |.........H......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000160  00 00 00 00 00 00 00 00  52 ca c0 ea de ad be af  |........R.......|
00000170  00 00 00 0e 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  05 03 00 ad 52 c9 a4 e5  80 46 e7 50 ff ff a1 f4  |....R....F.P....|
00000190  00 00 00 19 00 00 00 00  05 03 00 d4 52 c9 a4 e5  |............R...|
000001a0  80 46 e7 50 ff ff 9e 08  00 00 00 64 80 09 89 ac  |.F.P.......d....|
000001b0  04 03 00 d5 52 c9 bb 21  80 46 eb b8 ff ff a2 30  |....R..!.F.....0|
000001c0  00 09 3a c9 00 00 00 00  04 03 00 d6 52 c9 bb 21  |..:.........R..!|
000001d0  80 46 eb b8 ff ff a2 2f  00 09 3a c9 00 00 00 00  |.F...../..:.....|
000001e0  04 03 00 d7 52 c9 ba 49  80 46 eb b8 ff ff a2 35  |....R..I.F.....5|
000001f0  52 c9 ba 49 00 00 00 00  04 03 00 d8 52 c9 ba 49  |R..I........R..I|


00000410  80 46 e7 50 ff ff 9e 08  00 00 00 64 80 09 8b 3c  |.F.P.......d...<|
00000420  55 55 55 55 00 00 00 00  00 00 00 00 00 00 00 00  |UUUU............|
00000430  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000006d0  00 00 00 00 55 55 55 55  00 00 00 00 80 41 00 00  |....UUUU.....A..|
000006e0  00 00 00 00 00 00 00 0e  00 00 00 00 00 00 00 01  |................|
000006f0  00 00 00 00 ff ff ff fe  00 00 ff 14 00 00 00 01  |................|
00000700  00 00 00 30 00 00 00 01  80 45 cc f0 00 00 00 01  |...0.....E......|
00000710  00 00 00 01 00 00 00 63  80 41 4c 78 00 00 00 01  |.......c.ALx....|

00002000  02 94 00 03 1f fc 62 6f  6f 74 00 00 00 00 00 00  |......boot......|
00002010  00 00 00 00 00 20 00 0c  01 48 73 70 74 2e 64 61  |..... ...Hspt.da|
00002020  74 00 00 00 00 00 00 00  1a b0 13 52 01 68 61 75  |t..........R.hau|
00002030  74 6f 65 78 65 63 2e 6e  65 74 00 00 01 f4 01 dc  |toexec.net......|
00002040  1c 18 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00002050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
And this is mine

00000000  01 01 00 01 00 00 19 48  64 62 67 61 72 65 61 00  |.......Hdbgarea.|
00000010  00 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00  |................|
00000020  01 48 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.H..............|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000150  00 00 00 00 00 00 00 05  00 00 00 01 00 00 00 02  |................|
00000160  00 00 00 03 00 00 00 01  00 00 00 00 de ad be af  |................|
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000180  03 03 00 30 38 6d 46 1a  00 00 00 18 ff ff a1 f4  |...08mF.........|
00000190  00 00 00 01 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001b0  00 00 00 00 00 00 00 00  05 03 00 5c 38 6d 46 1a  |...........\8mF.|
000001c0  00 00 00 18 ff ff 9e 08  00 00 00 64 80 09 e0 5c  |...........d...\|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  05 03 00 32 38 6d 46 2a  00 00 00 20 ff ff a1 f4  |...28mF*... ....|
00000200  00 00 00 03 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  00 00 00 00 00 00 00 00  04 03 00 5d 38 6d 46 2a  |...........]8mF*|
00000230  00 00 00 20 ff ff a2 29  00 00 00 00 00 00 00 00  |... ...)........|
00000240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|


00000ea0  04 03 00 2e 38 6d 45 ee  00 00 00 20 ff ff a1 f4  |....8mE.... ....|
00000eb0  00 00 00 0b 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000ec0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000ed0  00 00 00 00 00 00 00 00  04 03 00 59 38 6d 45 ee  |...........Y8mE.|
00000ee0  00 00 00 20 ff ff a2 33  00 00 00 00 00 00 00 00  |... ...3........|
00000ef0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000f10  04 03 00 5a 38 6d 45 ee  00 00 00 20 ff ff a2 2e  |...Z8mE.... ....|
00000f20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000f40  00 00 00 00 00 00 00 00  03 03 00 5b 38 6d 45 f7  |...........[8mE.|
00000f50  00 00 00 15 ff ff a5 fc  ff ff f4 47 80 9a e2 98  |...........G....|
00000f60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000f80  55 55 55 55 00 00 00 00  00 00 00 00 00 00 00 00  |UUUU............|
00000f90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001b90  00 00 00 00 55 55 55 55  00 00 00 00 ff ff ff ff  |....UUUU........|
00001ba0  00 00 00 02 00 00 00 00  00 00 00 00 00 00 00 00  |................|


00001fd0  80 7a 00 00 bf c0 5f 90  80 66 00 00 00 00 00 00  |.z...._..f......|
00001fe0  80 5e 05 b4 80 40 11 c8  00 00 00 00 00 00 00 00  |.^...@..........|
00001ff0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00002000  02 c8 00 03 00 00 9f fc  62 6f 6f 74 00 00 00 00  |........boot....|
00002010  00 00 00 00 00 00 00 00  00 20 00 00 00 0c 00 00  |......... ......|
00002020  01 48 73 70 74 2e 64 61  74 00 00 00 00 00 00 00  |.Hspt.dat.......|
00002030  00 00 9a b0 00 00 3f 6c  00 00 01 68 61 75 74 6f  |......?l...hauto|
00002040  65 78 65 63 2e 6e 65 74  00 00 00 00 01 f4 00 00  |exec.net........|
00002050  01 52 00 00 9c 18 00 00  00 00 00 00 00 00 00 00  |.R..............|
00002060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

As you can see above, I have cut some parts out of the file. So, here is what Binwalk says about the "normal" file


$ binwalk rom-0

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------------
0             0x0             ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 0, uncompressed size: 6144, data offset from start of block: 344
8212          0x2014          ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 4946, uncompressed size: 6832, data offset from start of block: 376
8232          0x2028          ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 476, uncompressed size: 500, data offset from start of block: 7208

And about mine


$ binwalk rom-4.51 

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------------
2             0x2             ZyXEL rom-0 configuration block, name: "dbgarea", compressed size: 6144, uncompressed size: 0, data offset from start of block: 16
7319          0x1C97          LZMA compressed data, properties: 0xD0, dictionary size: 33554432 bytes, uncompressed size: 31360 bytes
8220          0x201C          ZyXEL rom-0 configuration block, name: "spt.dat", compressed size: 39600, uncompressed size: 0, data offset from start of block: 16
8246          0x2036          ZyXEL rom-0 configuration block, name: "autoexec.net", compressed size: 500, uncompressed size: 0, data offset from start of block: 16

The LZMA header is "incorrect" and it cannot be decompressed; maybe it is a modification I don't know about. So the file has the standard dbgarea, spt.dat and autoexec.net blocks, but is it combined with a "modified" lzs? Can you tell?

Here are some notes from the RE of the "old" rom-0


So I see now that this "doesn't help", so I will post the whole file so you can see the whole picture

Hey, I have a 30000 character limit, so here is a link to the file: http://pastebin.com/2X00B6rJ Can anyone help me "reveal" what they did (changed) to the lzs compression? I assume it is lzs.

Many thanks for any suggestions, cheers
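One way to check whether the LZMA header binwalk reported at 0x1C97 is usable at all, as an added example (it is not part of the question, of binwalk, or of any tool linked above): it decodes the 13-byte LZMA-alone header (properties byte, little-endian dictionary size, little-endian uncompressed size), flags field values that liblzma refuses, and then lets liblzma attempt a bounded decompression so that a signature false positive can be told apart from a stream that is genuinely broken. The sample stream is constructed inside the block; the hypothetical `triage()` helper and its verdict strings are this example's own naming, and the same call can be run on the slice of the rom-0 starting at 0x1C97.

```python
# Triage an LZMA-alone (.lzma) header such as the one binwalk reported at 0x1C97.
# Added example; it is not part of the question, of binwalk, or of any linked tool.
import lzma
import struct

HEADER_LEN = 13                      # props(1) + dict_size(LE32) + uncompressed_size(LE64)
SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF    # .lzma convention for "uncompressed size not stored"
DICT_SIZE_MIN = 4096                 # liblzma's LZMA_DICT_SIZE_MIN


def parse_lzma_alone_header(blob):
    """Decode the 13-byte header and list anything liblzma would refuse."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(blob)))
    props, dict_size, usize = struct.unpack("<BIQ", blob[:HEADER_LEN])
    info = {"props": props, "dict_size": dict_size, "uncompressed_size": usize,
            "lc": None, "lp": None, "pb": None, "problems": []}
    if props > (4 * 5 + 4) * 9 + 8:  # props = (pb*5 + lp)*9 + lc with pb,lp <= 4 and lc <= 8
        info["problems"].append("properties byte 0x%02X out of range" % props)
    else:
        info["pb"], rest = divmod(props, 45)
        info["lp"], info["lc"] = divmod(rest, 9)
        if info["lc"] + info["lp"] > 4:
            info["problems"].append("lc+lp > 4 is rejected by liblzma")
    if dict_size < DICT_SIZE_MIN:
        info["problems"].append("dictionary size %d below liblzma minimum" % dict_size)
    payload = max(1, len(blob) - HEADER_LEN)
    if usize != SIZE_UNKNOWN and usize > 1024 * payload:
        # heuristic: a ratio above 1024:1 from a short slice is a typical false positive
        info["problems"].append("stored size %d implausible for %d payload bytes" % (usize, payload))
    return info


def try_lzma_alone(blob, max_out=1 << 20):
    """Let liblzma decode at most max_out bytes; returns (ok, byte_count, message)."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(blob, max_length=max_out)
    except lzma.LZMAError as exc:
        return False, 0, "liblzma rejected the stream: %s" % exc
    state = "complete" if dec.eof else "incomplete (end of stream not reached)"
    return True, len(out), "decoded %d bytes, %s" % (len(out), state)


def triage(blob):
    """Combine the header check and a decode attempt into one verdict string."""
    info = parse_lzma_alone_header(blob)
    if info["problems"]:
        return "header rejected: " + "; ".join(info["problems"])
    ok, _, msg = try_lzma_alone(blob)
    return ("looks like a real LZMA stream: " if ok else "probable false positive: ") + msg


# Constructed samples: a genuine .lzma stream and a copy with a corrupted properties byte.
SAMPLE = b"ZynOS configuration sample " * 40
GOOD = lzma.compress(SAMPLE, format=lzma.FORMAT_ALONE)
BAD = bytes([0xF0]) + GOOD[1:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, triage(blob))
```

Note that the properties byte 0xD0 that binwalk printed decodes to lc=1, lp=3, pb=4, which is within range, so when xz or liblzma still refuses that slice the failure is in the stream body (or the slice is a false positive), not in the header fields themselves.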

2 Answers

It is compressed with LZS (Lempel-Ziv-Stac).

I tried to extract the password in a pythonic way; take a look at this shell script and a small piece of C code, it should be enough:

shell + C solution

A Python way of extracting LZS

And replace the 'dd' usage in the same python script:

    def romcutter(fname, fpos=8568, fend=8788, amount=221):
        """Return the bytes [fpos, fend) of fname, read in chunks of `amount`
        (a Python replacement for dd skip=/count= on the rom-0 file)."""
        data = b""
        with open(fname, "rb") as fhandle:      # binary mode: rom-0 is not text
            fhandle.seek(fpos)
            while fpos < fend:
                if fend - fpos < amount:        # do not read past fend
                    amount = fend - fpos
                chunk = fhandle.read(amount)
                if not chunk:                   # short file: stop instead of looping forever
                    break
                fpos += len(chunk)
                data += chunk
        return data

Take rom-0, cut it with the cutter, and extract the resulting LZS....
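The LZS token format the answer names (ANSI X3.241, the same layout RFC 1967 uses for PPP), as an added example that is neither the answer's code nor the linked scripts: a bit-exact decoder with bounds checks, plus a small greedy encoder whose only job is to produce round-trip input. The `SAMPLE` data is constructed here. If a slice cut out with romcutter is plain LZS, `lzs_decompress` consumes it up to the end marker and returns the plaintext; if the vendor changed the token layout, the offset or truncation checks raise instead of silently producing garbage, which is the first thing to look at before assuming a "modified" lzs.

```python
# LZS (Lempel-Ziv-Stac, ANSI X3.241 / RFC 1967) decoder plus a small greedy encoder.
# Added example: not code from the answer or from the scripts it links to.

class BitReader:
    """Reads bits MSB-first and raises instead of reading past the end."""
    def __init__(self, data):
        self.data, self.pos = data, 0              # pos counts bits

    def bits(self, n):
        val = 0
        for _ in range(n):
            idx = self.pos >> 3
            if idx >= len(self.data):
                raise ValueError("truncated LZS stream at bit %d" % self.pos)
            val = (val << 1) | ((self.data[idx] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return val

def lzs_decompress(data):
    """Decode one LZS token stream up to its end marker (bits 1 1 0000000)."""
    r, out = BitReader(data), bytearray()
    while True:
        if r.bits(1) == 0:                         # literal: 0 + 8-bit byte
            out.append(r.bits(8))
            continue
        if r.bits(1) == 1:                         # short form: 1 + 7-bit offset (1..127)
            offset = r.bits(7)
            if offset == 0:                        # offset 0 in the short form is the end marker
                return bytes(out)
        else:                                      # long form: 0 + 11-bit offset (128..2047)
            offset = r.bits(11)
        code = r.bits(2)                           # 00=2 01=3 10=4; 11 means two more bits follow
        if code == 3:
            code = r.bits(2) + 3                   # 1100=5 1101=6 1110=7; 1111 means nibbles follow
        length = code + 2
        if length == 8:                            # 8 + 15 per further 1111 nibble + final nibble 0..14
            nibble = r.bits(4)
            while nibble == 15:
                length, nibble = length + 15, r.bits(4)
            length += nibble
        if offset == 0 or offset > len(out):       # never copy from before the start of the output
            raise ValueError("bad offset %d at output byte %d" % (offset, len(out)))
        start = len(out) - offset
        for i in range(length):                    # byte-wise copy so overlapping runs work
            out.append(out[start + i])

def _emit(bits, value, n):
    """Append the n-bit big-endian representation of value to the bit list."""
    bits.extend((value >> i) & 1 for i in range(n - 1, -1, -1))

def _emit_length(bits, length):
    if length <= 4:
        _emit(bits, length - 2, 2)                 # 00, 01, 10
    elif length <= 7:
        _emit(bits, 0b1100 | (length - 5), 4)      # 1100, 1101, 1110
    else:
        _emit(bits, 0b1111, 4)
        rest = length - 8
        while rest >= 15:                          # each further 1111 nibble stands for 15
            _emit(bits, 15, 4)
            rest -= 15
        _emit(bits, rest, 4)

def lzs_compress(data, window=2047):
    """Greedy encoder with a brute-force match search (fine for test-sized input)."""
    bits, i, n = [], 0, len(data)
    while i < n:
        best_len = best_off = 0
        for start in range(max(0, i - window), i):
            length = 0
            while i + length < n and data[start + length] == data[i + length]:
                length += 1
            if length > best_len:
                best_len, best_off = length, i - start
        if best_len >= 2:
            if best_off < 128:
                _emit(bits, (0b11 << 7) | best_off, 9)     # 1 (match) 1 (short) + 7-bit offset
            else:
                _emit(bits, (0b10 << 11) | best_off, 13)   # 1 (match) 0 (long) + 11-bit offset
            _emit_length(bits, best_len)
            i += best_len
        else:
            _emit(bits, data[i], 9)                        # 0 + literal byte
            i += 1
    _emit(bits, 0b110000000, 9)                            # end marker
    bits += [0] * (-len(bits) % 8)                         # zero-pad to a byte boundary
    return bytes(int("".join(map(str, bits[k:k + 8])), 2) for k in range(0, len(bits), 8))

# Constructed sample: short-offset repeats, a long (>127) offset and a match length over 22.
SAMPLE = b"ZynOS rom-0 " * 12 + bytes(range(200)) + b"|" + bytes(range(200))
```

The hand-assembled stream `20 e0 5c 00` is the four-byte encoding of "AAAA" (one literal, then a match of offset 1 and length 3, then the end marker), which is a convenient fixture for checking that a decoder reads the bit stream MSB-first and handles overlapping copies.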
