First, extract directly with binwalk:
sudo binwalk -Me --run-as=root fr100pacv1.bin
The extraction produces the following.
Let's look at the scan output:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
20 0x14 IMG0 (VxWorks) header, size: 909568
43956 0xABB4 U-Boot version string, "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)"
57492 0xE094 IMG0 (VxWorks) header, size: 852096
57620 0xE114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
677152 0xA5520 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
678325 0xA59B5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3237 bytes
678785 0xA5B81 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 200 bytes
678981 0xA5C45 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 80 bytes
679039 0xA5C7F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 21984 bytes
682408 0xA69A8 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 147 bytes
682529 0xA6A21 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 493 bytes
682948 0xA6BC4 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2826 bytes
684431 0xA718F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 32861 bytes
691537 0xA8D51 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4383 bytes
693333 0xA9455 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2747 bytes
694524 0xA98FC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7316 bytes
696832 0xAA200 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1981 bytes
697735 0xAA587 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 15912 bytes
701953 0xAB601 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2955 bytes
702968 0xAB9F8 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6623 bytes
704981 0xAC1D5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3565 bytes
706289 0xAC6F1 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2831 bytes
707554 0xACBE2 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4280 bytes
708886 0xAD116 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10925 bytes
711326 0xADA9E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 286 bytes
711548 0xADB7C LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3912 bytes
712971 0xAE10B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5943 bytes
714894 0xAE88E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5955 bytes
716799 0xAEFFF LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6416 bytes
718873 0xAF819 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1638 bytes
719622 0xAFB06 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7549 bytes
721691 0xB031B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 857 bytes
722183 0xB0507 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 22381 bytes
727974 0xB1BA6 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 658 bytes
728333 0xB1D0D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4425 bytes
730048 0xB23C0 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4401 bytes
731619 0xB29E3 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4797 bytes
733485 0xB312D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6333 bytes
735563 0xB394B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2864 bytes
736803 0xB3E23 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7106 bytes
738927 0xB466F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4353 bytes
740792 0xB4DB8 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10715 bytes
743663 0xB58EF LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3421 bytes
744899 0xB5DC3 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5246 bytes
746532 0xB6424 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3185 bytes
747893 0xB6975 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1818 bytes
748655 0xB6C6F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 716 bytes
749073 0xB6E11 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1048 bytes
749677 0xB706D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2522 bytes
750896 0xB7530 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2640 bytes
752163 0xB7A23 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1607 bytes
752923 0xB7D1B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4403 bytes
754638 0xB83CE LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 749 bytes
755041 0xB8561 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2600 bytes
756057 0xB8959 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1230 bytes
756657 0xB8BB1 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3844 bytes
758108 0xB915C LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2816 bytes
759133 0xB955D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 4870 bytes
760503 0xB9AB7 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9220 bytes
762923 0xBA42B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 10038 bytes
766556 0xBB25C LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6395 bytes
768517 0xBBA05 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 17503 bytes
771879 0xBC727 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2398 bytes
772960 0xBCB60 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3504 bytes
774432 0xBD120 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1175 bytes
775058 0xBD392 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3068 bytes
776301 0xBD86D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1754 bytes
777194 0xBDBEA LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 8625 bytes
780142 0xBE76E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2387 bytes
781236 0xBEBB4 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 23062 bytes
786131 0xBFED3 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 42347 bytes
798172 0xC2DDC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5860 bytes
799567 0xC334F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 38827 bytes
809641 0xC5AA9 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 14864 bytes
814530 0xC6DC2 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2508 bytes
815184 0xC7050 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3847 bytes
816478 0xC755E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3883 bytes
820405 0xC84B5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 7922 bytes
828347 0xCA3BB LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 138 bytes
828501 0xCA455 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 136 bytes
828652 0xCA4EC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 769 bytes
829448 0xCA808 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 689 bytes
830164 0xCAAD4 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 976 bytes
831148 0xCAEAC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1004 bytes
832185 0xCB2B9 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1150 bytes
832297 0xCB329 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 812 bytes
833136 0xCB670 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 16085 bytes
835051 0xCBDEB LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 16268 bytes
837156 0xCC624 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 827 bytes
838014 0xCC97E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 795 bytes
838833 0xCCCB1 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 570 bytes
839426 0xCCF02 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2199 bytes
841084 0xCD57C LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2742 bytes
843083 0xCDD4B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2661 bytes
845036 0xCE4EC LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 365 bytes
845421 0xCE66D LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3247 bytes
848678 0xCF326 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2247 bytes
849730 0xCF742 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 34308 bytes
861851 0xD269B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5950 bytes
864123 0xD2F7B LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2995 bytes
865222 0xD33C6 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 93724 bytes
896698 0xDAEBA LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9268 bytes
899285 0xDB8D5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 6012 bytes
900919 0xDBF37 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2706 bytes
902127 0xDC3EF LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3434 bytes
902719 0xDC63F LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 2678 bytes
903333 0xDC8A5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 9021 bytes
904193 0xDCC01 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 859 bytes
904478 0xDCD1E LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 5230 bytes
905026 0xDCF42 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1114 bytes
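A brief analysis:
- IMG0 (VxWorks) Header
  - Start offset
    - Decimal: 20
    - Hexadecimal: 0x14
  - Description: IMG0 is the image header used by the VxWorks operating system and marks the start of the image. Its size is 909,568 bytes.
- U-Boot Version String
  - Start offset
    - Decimal: 43,956
    - Hexadecimal: 0xABB4
  - Description: contains the U-Boot version string, for example "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)". U-Boot is a commonly used open-source bootloader, widely deployed in embedded devices.
- Multiple IMG0 (VxWorks) Headers
  - Start offset
    - Decimal: 57,492 (0xE094) and 57,620 (0xE114)
  - Description: the IMG0 header appears again, with a size of 852,096 bytes, together with a segment containing LZMA-compressed data.
- LZMA compressed data segments
  - Start offset: from 57,620 (0xE114) to 905,026 (0xDCF42)
  - Description: most of the data segments are marked as LZMA compressed data, with the following characteristics:
    - Properties: usually 0x5A or 0x6E, the LZMA compression properties byte.
    - Dictionary Size: always 8,388,608 bytes (8 MB), the dictionary size the LZMA algorithm uses to compress and decompress the data.
    - Uncompressed Size: differs per segment, from a few hundred bytes to tens of thousands of bytes.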
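We take the start offset and size of every LZMA compressed segment and visualize them.
The compressed segment that starts at 57620 takes up by far the largest share, so we guess it is the main program.
So we use dd to extract 57620 manually: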
dd if=fr100pacv1.bin of=57620.lzma bs=1 skip=57620 count=619532
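How the count in the dd command follows from the scan, as an added example that is not part of the original post: the carved size of each LZMA hit is taken as the distance to the next signature. The rows in SCAN are copied from the binwalk output above; the function names are made up for this illustration.

```python
import re

# First rows of the binwalk scan shown above, copied from the page.
SCAN = """\
20 0x14 IMG0 (VxWorks) header, size: 909568
43956 0xABB4 U-Boot version string, "U-Boot 1.1.3 (Jun 2 2017 - 18:37:14)"
57492 0xE094 IMG0 (VxWorks) header, size: 852096
57620 0xE114 LZMA compressed data, properties: 0x6E, dictionary size: 8388608 bytes, uncompressed size: 1267504 bytes
677152 0xA5520 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 1758 bytes
678325 0xA59B5 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 3237 bytes
678785 0xA5B81 LZMA compressed data, properties: 0x5A, dictionary size: 8388608 bytes, uncompressed size: 200 bytes
"""

ROW = re.compile(r"^(\d+)\s+0x([0-9A-Fa-f]+)\s+(.+)$")
USIZE = re.compile(r"uncompressed size: (\d+) bytes")

def parse_scan(text):
    """Return [(offset, description)] for every signature row, sorted by offset."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # column header, separator or blank line
        offset = int(m.group(1))
        if offset != int(m.group(2), 16):
            raise ValueError(f"decimal/hex mismatch in row: {line!r}")
        rows.append((offset, m.group(3)))
    return sorted(rows)

def lzma_segments(rows, image_size=None):
    """Carved size of each LZMA hit = distance to the next signature of any kind."""
    segs = []
    for i, (offset, desc) in enumerate(rows):
        if not desc.startswith("LZMA compressed data"):
            continue
        nxt = rows[i + 1][0] if i + 1 < len(rows) else image_size
        m = USIZE.search(desc)
        segs.append({"offset": offset,
                     "carved": None if nxt is None else nxt - offset,
                     "unpacked": int(m.group(1)) if m else None})
    return segs

def largest(segs):
    """The segment with the biggest carved size (unknown sizes are skipped)."""
    return max((s for s in segs if s["carved"] is not None), key=lambda s: s["carved"])

def dd_command(image, seg):
    return (f"dd if={image} of={seg['offset']}.lzma bs=1 "
            f"skip={seg['offset']} count={seg['carved']}")

if __name__ == "__main__":
    print(dd_command("fr100pacv1.bin", largest(lzma_segments(parse_scan(SCAN)))))
```

The carved size is only an upper bound: it runs up to the next signature, so the file can contain bytes that lie past the real end of the LZMA stream.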
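The extraction succeeds and yields 57620.lzma, which we then open in 010 Editor.
The grayscale of this region is completely different from the rest, which indicates that the data here is redundant and should be deleted; after that the file decompresses successfully.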
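A programmatic way to find where the stream really ends, instead of judging it by eye in the hex editor (an added example, not part of the original post). It decodes the 13-byte LZMA header whose Properties and Dictionary Size fields are described above, then lets the decoder report how many trailing bytes it did not consume. The sample input is constructed and the function names are made up for this illustration.

```python
import lzma
import struct

def parse_alone_header(blob):
    """Decode the 13-byte LZMA header: properties, dictionary size, unpacked size."""
    if len(blob) < 13:
        raise ValueError("shorter than an LZMA header")
    props, dict_size, unpacked = struct.unpack("<BIQ", blob[:13])
    if props >= 9 * 5 * 5:
        raise ValueError(f"invalid properties byte 0x{props:02X}")
    lc, rest = props % 9, props // 9      # props = (pb * 5 + lp) * 9 + lc
    lp, pb = rest % 5, rest // 5
    # All-ones size means "unknown": the stream then ends with an end marker.
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "unpacked": None if unpacked == 0xFFFFFFFFFFFFFFFF else unpacked}

def unpack_carved(blob):
    """Decompress a carved segment; return (payload, stream length, trailing bytes)."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    payload = dec.decompress(blob)
    if not dec.eof:
        raise ValueError("stream is truncated: carve more bytes")
    trailing = len(dec.unused_data)       # bytes after the end of the stream
    return payload, len(blob) - trailing, trailing

def make_sample():
    """Constructed input: a 0x6E / 8 MiB stream followed by 64 junk bytes."""
    body = b"constructed firmware payload\n" * 500
    filt = [{"id": lzma.FILTER_LZMA1, "lc": 2, "lp": 2, "pb": 2,
             "dict_size": 8388608}]
    packed = lzma.compress(body, format=lzma.FORMAT_ALONE, filters=filt)
    return body, packed + b"\xff" * 64

if __name__ == "__main__":
    body, blob = make_sample()
    print(parse_alone_header(blob))
    payload, used, trailing = unpack_carved(blob)
    print(f"stream ends at byte {used}; {trailing} trailing bytes can be dropped")
```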
Running binwalk again on the decompressed 57620 gives:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
176636 0x2B1FC Copyright string: "Copyright(C) 2001-2011 by TP-LINK TECHNOLOGIES CO., LTD."
522740 0x7F9F4 PEM certificate
523412 0x7FC94 PEM RSA private key
559336 0x888E8 Copyright string: "Copyright FAST_TECHNOLOGIES"
790532 0xC1004 HTML document header
790597 0xC1045 HTML document footer
947428 0xE74E4 PEM certificate
947484 0xE751C PEM certificate request
947668 0xE75D4 PEM RSA private key
947864 0xE7698 PEM EC private key
947928 0xE76D8 PEM DSA private key
1049388 0x10032C XML document, version: "1.0"
1049576 0x1003E8 Base64 standard index table
1183672 0x120FB8 SHA256 hash constants, little endian
1242908 0x12F71C XML document, version: "1.0"
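The key detail here is "little endian". There is no specific architecture information, though, so we work it out in IDA by trial and error.
This is what it looks like after loading. On load, IDA reminds you to press C at the address you believe is the start of the code in order to disassemble it.
The decompilation does succeed, but code like this, without even function names, is certainly wrong somewhere, so we start again from the assembly at the beginning:
The jump here targets 0XB0000600, so we guess that the base address of the program segment is 0XB0000000. Next we analyze it with Ghidra.
It now decompiles for the most part:
But there is a problem: some addresses still begin with 0x8000000, and the string references fail to resolve.
So we change the base address to that value as well, 0X80000000.
At this point the main program of the firmware has essentially been extracted and further analysis can begin.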
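A way to cross-check a base-address guess without reading the disassembly, as an added example that is not part of the original post and uses a different technique from the manual one above: for each candidate base, count how many little-endian 32-bit words in the image point exactly at the start of a string. The sample image is constructed and the function names are made up for this illustration.

```python
import re
import struct
from collections import Counter

def string_starts(image, min_len=6):
    """Offsets of NUL-terminated printable ASCII runs of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}\x00" % min_len)
    return {m.start() for m in pat.finditer(image)}

def pointer_words(image):
    """Histogram of every 4-byte-aligned little-endian word in the image."""
    n = len(image) // 4
    return Counter(struct.unpack("<%dI" % n, image[:4 * n]))

def score_bases(image, candidates):
    """For each candidate base, count words that land exactly on a string start."""
    starts, words = string_starts(image), pointer_words(image)
    return {base: sum(c for w, c in words.items() if (w - base) in starts)
            for base in candidates}

def best_base(image, candidates):
    scores = score_bases(image, candidates)
    return max(scores, key=scores.get)

def make_sample(base=0x80000000):
    """Constructed image: a pointer table followed by the strings it refers to."""
    names = [b"httpd_init", b"login failed", b"upgrade_firmware", b"/web/index.htm"]
    blob = bytearray(16)                  # four pointers, filled in below
    for i, s in enumerate(names):
        struct.pack_into("<I", blob, 4 * i, base + len(blob))
        blob += s + b"\x00"
    return bytes(blob)

if __name__ == "__main__":
    scores = score_bases(make_sample(), [0xB0000000, 0x80000000])
    for base, hits in scores.items():
        print(f"base 0x{base:08X}: {hits} string references resolve")
```

On a real image the correct base stands out as the candidate with by far the most hits, which matches the symptom described above: with the wrong base the string references do not resolve.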
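Summary:
Going from binwalk's automatic extraction to extracting by hand is a reminder that a script kiddie never becomes an expert; you have to step out of your comfort zone.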