ttsee
发表于 2006-2-4 03:11:21
说一下你硬件配置啊
platinum
发表于 2006-2-6 01:13:09
通过用 IDA 对 init 静态反编译发现,里面做了好多细微工作,包括释放一些文件(猜测),但调用的时候却是远程调用一些库
由于 BBIagent 用的是 uClibc,而非普通的 glibc,所以 IDA 没能跟踪出函数名称,只知道调用参数,所以换了另外的方法
通过对 rootfs 展开后,将里面 init 用到的 lib 库复制到 Linux 系统中后,用 ltrace 跟踪 init 发现了一些线索
# ltrace init
__libc_start_main(0x804cb40, 1, 0xbffffb24, 0x804d178, 0x804d1c0
strrchr("init", '/') = NULL
umask(022) = 022
geteuid() = 0
getpid() = 20509
getopt(1, 0xbffffb24, "t:") = -1
fprintf(0x40150e00, "Usage: %s 0123456SsQqAaBbCcUu\n", "init"Usage: init 0123456SsQqAaBbCcUu
) = 32
exit(1
+++ exited (status 1) +++
# ltrace ./init
__uClibc_start_main(1, 0xbffffb24, 0xbffffb2c, 0x8049300, 0x8055128
malloc(1024) = 0x8058f48
malloc(1024) = 0x8059350
malloc(128) = 0x8059758
__xpg_basename(0xbffffc18, 0xbffffafc, 0x400008c6, 0x40005248, 2704) = 0xbffffc1a
openlog("init", 1, 176) =
strcmp("init", "connect") = 1
strcmp("init", "sconf") = -1
strcmp("init", "init") = 0
signal(15, 0x804cd28) = NULL
umask(022) = 022
mkdir("/proc", 0555) = -1
mount(0x80564d2, 0x80564cc, 0x80564cd, 0, 0) = -1
mount(0x80564d2, 0x80564de, 0x80564d7, 0, 0) = -1
mkdir("/tmp", 01777) = -1
symlink("/proc/mounts", "/etc/mtab") = -1
mkdir("/tmp/var", 0755) = -1
symlink("/tmp/var", "/var") = -1
mkdir("/var/run", 0755) = -1
mkdir("/var/log", 0755) = -1
mkdir("/var/conf/", 0600) = -1
mkdir("/bin", 0755) = -1
mkdir("/usr", 0755) = -1
symlink("/", "/usr/local") = -1
symlink("/bin", "/usr/bin") = -1
memcpy(0xbffff8c0, "_]\005\bg]\005\br]\005\b~]\005\b\211]\005\b\225]\005\b\236]\005\b\250]\005\b"..., 92) = 0xbffff8c0
symlink("/sbin/ifconfig", "/bin/sh") = -1
symlink("/sbin/ifconfig", "/bin/route") = -1
symlink("/sbin/ifconfig", "/bin/insmod") = -1
symlink("/sbin/ifconfig", "/bin/rmmod") = -1
symlink("/sbin/ifconfig", "/bin/gunzip") = -1
symlink("/sbin/ifconfig", "/bin/tar") = -1
symlink("/sbin/ifconfig", "/bin/true") = -1
symlink("/sbin/ifconfig", "/bin/cat") = -1
symlink("/sbin/ifconfig", "/bin/false") = -1
symlink("/sbin/ifconfig", "/bin/gunzip") = -1
symlink("/sbin/ifconfig", "/bin/gzip") = -1
symlink("/sbin/ifconfig", "/bin/kill") = -1
symlink("/sbin/ifconfig", "/bin/killall") = -1
symlink("/sbin/ifconfig", "/bin/mkdir") = -1
symlink("/sbin/ifconfig", "/bin/rm") = -1
symlink("/sbin/ifconfig", "/bin/tar") = -1
symlink("/sbin/ifconfig", "/bin/test") = -1
symlink("/sbin/ifconfig", "/bin/unzip") = -1
symlink("/sbin/ifconfig", "/bin/yes") = -1
symlink("/sbin/ifconfig", "/sbin/klogd") = -1
symlink("/sbin/ifconfig", "/sbin/logread") = -1
symlink("/sbin/ifconfig", "/sbin/syslogd") = -1
fopen("/proc/cmdline", "r") = 0x80597e0
memset(0xbffff880, '\000', 128) = 0xbffff880
fgets("ro root=LABEL=/ acpi=force conso"..., 128, 0x80597e0) = 0xbffff880
strstr("ro root=LABEL=/ acpi=force conso"..., "rootfs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "idefs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "usbfs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "ram") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "NI=") = NULL
fclose(0x80597e0) = 0
open("/dev/fd0", 0, 01001313740) = -1
fopen("/proc/cmdline", "r") = 0x80597e0
memset(0xbffff890, '\000', 128) = 0xbffff890
fgets("ro root=LABEL=/ acpi=force conso"..., 128, 0x80597e0) = 0xbffff890
strstr("ro root=LABEL=/ acpi=force conso"..., "rootfs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "idefs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "usbfs") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "ram") = NULL
strstr("ro root=LABEL=/ acpi=force conso"..., "NI=") = NULL
fclose(0x80597e0) = 0
mkdir("/tmp/pkg", 0755) = -1
mkdir("/tmp/etc", 0755) = -1
mkdir("/etc/.config/", 0755) = -1
printf("==>> Read error - %d\n", 1==>> Read error - 1
) = 20
--- SIGINT (Interrupt) ---
+++ killed by SIGINT +++
通过上面太美对 BBIagent 目录结构的分析可以看出,它不仅像 busybox 那样将一些功能压缩到一个文件 init 中(比如各种 .cgi 文件),还将用到的各种 bin 也放到了 ifconfig 中,这是之前没有发现的
学过 C 语言的人都知道,main 函数有 argc 和 argv 两个参数,其中存放参数的那个二维数组的第一个一维字符串就是所执行的程序自身的名称,busybox 就是通过这种方法来实现用同一个程序达到不同效果的
之后的测试更加证实了我的想法,其实 ifconfig 就是将 busybox 改了名字而已
# ll
total 384
-rw-r--r-- 1 root root 11161 Feb 5 23:17 a
-rwxr-xr-x 2 root root 102584 Apr 11 2005 ifconfig
-rwxr-xr-x 1 root root 68384 Aug 18 15:41 init
-rwxr-xr-x 1 root root 40648 Apr 9 2005 iptables
-rwxr-xr-x 1 root root 42020 Apr 9 2005 mini_httpd
# cp ifconfig busybox
# ll
total 276
-rw-r--r-- 1 root root 11161 Feb 5 23:17 a
-rwxr-xr-x 1 root root 102584 Apr 11 2005 busybox
-rwxr-xr-x 1 root root 102584 Apr 11 2005 ifconfig
-rwxr-xr-x 1 root root 68384 Aug 18 15:41 init
-rwxr-xr-x 1 root root 40648 Apr 9 2005 iptables
-rwxr-xr-x 1 root root 42020 Apr 9 2005 mini_httpd
# ./busybox
BusyBox v1.00 (2005.04.11-08:11+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
# exit
#
其实 init 也是同理,和 busybox 类似,我们之所以看不到 rootfs 展开后有什么东西,是由于大多数后期展开工作是由 init 来完成的
用同样的思想,又做了下面的测试
# ll
total 276
-rw-r--r-- 1 root root 11161 Feb 5 23:17 a
lrwxrwxrwx 1 root root 4 Feb 6 01:11 get.cgi -> init
-rwxr-xr-x 1 root root 102584 Apr 11 2005 ifconfig
lrwxrwxrwx 1 root root 4 Feb 6 01:10 index.cgi -> init
-rwxr-xr-x 1 root root 68384 Aug 18 15:41 init
-rwxr-xr-x 1 root root 40648 Apr 9 2005 iptables
-rwxr-xr-x 1 root root 42020 Apr 9 2005 mini_httpd
lrwxrwxrwx 1 root root 4 Feb 6 01:11 put.cgi -> init
lrwxrwxrwx 1 root root 4 Feb 6 01:10 reg.cgi -> init
lrwxrwxrwx 1 root root 4 Feb 6 01:11 run.cgi -> init
lrwxrwxrwx 1 root root 8 Feb 6 01:07 sh -> ifconfig
# ./reg.cgi
# ltrace ./reg.cgi
__uClibc_start_main(1, 0xbffffb14, 0xbffffb1c, 0x8049300, 0x8055128
malloc(1024) = 0x8058f48
malloc(1024) = 0x8059350
malloc(128) = 0x8059758
__xpg_basename(0xbffffc0e, 0xbffffaec, 0x400008c6, 0x4000524c, 2704) = 0xbffffc10
openlog("reg.cgi", 1, 176) =
strcmp("reg.cgi", "connect") = 1
strcmp("reg.cgi", "sconf") = -1
strcmp("reg.cgi", "init") = 1
strcmp("reg.cgi", "index.cgi") = 1
strcmp("reg.cgi", "put.cgi") = 1
strcmp("reg.cgi", "get.cgi") = 1
strcmp("reg.cgi", "run.cgi") = -1
strcmp("reg.cgi", "reg.cgi") = 0
getenv("HTTP_COOKIE") = NULL
closelog() =
exit(99
+++ exited (status 99) +++
#
暂时只有这些能耐了,希望这些信息对太美能够有所帮助 ^_^
platinum
发表于 2006-2-6 01:42:28
这是 BBIagent 里面 iptables 支持的模块
# pwd
/BBIagent/lib/iptables
# ll
total 100
-rwxr-xr-x 1 root root 9503 Apr 9 2005 libipt_conntrack.so
-rwxr-xr-x 1 root root 5074 Apr 9 2005 libipt_DNAT.so
-rwxr-xr-x 1 root root 4928 Apr 9 2005 libipt_iprange.so
-rwxr-xr-x 1 root root 3932 Apr 9 2005 libipt_mac.so
-rwxr-xr-x 1 root root 4030 Apr 9 2005 libipt_MASQUERADE.so
-rwxr-xr-x 1 root root 6465 Apr 9 2005 libipt_mport.so
-rwxr-xr-x 1 root root 5360 Apr 9 2005 libipt_REJECT.so
-rwxr-xr-x 1 root root 5042 Apr 9 2005 libipt_SNAT.so
-rwxr-xr-x 1 root root 2650 Apr 9 2005 libipt_standard.so
-rwxr-xr-x 1 root root 4378 Apr 9 2005 libipt_state.so
-rwxr-xr-x 1 root root 7850 Apr 9 2005 libipt_tcp.so
-rwxr-xr-x 1 root root 9154 Apr 9 2005 libipt_time.so
-rwxr-xr-x 1 root root 5606 Apr 9 2005 libipt_udp.so
#
相比之下我自己的防火墙功能模块
# ll /lib/iptables/
total 532
-rwxr-xr-x 1 root root 5807 Jan 6 00:12 libipt_account.so
-rwxr-xr-x 1 root root 5396 Jan 6 00:12 libipt_addrtype.so
-rwxr-xr-x 1 root root 4909 Jan 6 00:12 libipt_ah.so
-rwxr-xr-x 1 root root 3920 Jan 6 00:12 libipt_CLASSIFY.so
-rwxr-xr-x 1 root root 3962 Jan 6 00:12 libipt_comment.so
-rwxr-xr-x 1 root root 3826 Jan 6 00:12 libipt_condition.so
-rwxr-xr-x 1 root root 4184 Jan 6 00:12 libipt_connlimit.so
-rwxr-xr-x 1 root root 4110 Jan 6 00:12 libipt_connmark.so
-rwxr-xr-x 1 root root 4978 Jan 6 00:12 libipt_CONNMARK.so
-rwxr-xr-x 1 root root 9743 Jan 6 00:12 libipt_conntrack.so
-rwxr-xr-x 1 root root 5554 Jan 6 00:12 libipt_DNAT.so
-rwxr-xr-x 1 root root 5519 Jan 6 00:12 libipt_dscp.so
-rwxr-xr-x 1 root root 5296 Jan 6 00:12 libipt_DSCP.so
-rwxr-xr-x 1 root root 4645 Jan 6 00:12 libipt_ecn.so
-rwxr-xr-x 1 root root 4525 Jan 6 00:12 libipt_ECN.so
-rwxr-xr-x 1 root root 4913 Jan 6 00:12 libipt_esp.so
-rwxr-xr-x 1 root root 3954 Jan 6 00:12 libipt_fuzzy.so
-rwxr-xr-x 1 root root 7541 Jan 6 00:12 libipt_geoip.so
-rwxr-xr-x 1 root root 9009 Jan 6 00:12 libipt_hashlimit.so
-rwxr-xr-x 1 root root 3698 Jan 6 00:12 libipt_helper.so
-rwxr-xr-x 1 root root 6638 Jan 6 00:12 libipt_icmp.so
-rwxr-xr-x 1 root root 3568 Jan 6 00:12 libipt_IMQ.so
-rwxr-xr-x 1 root root 4565 Jan 6 00:12 libipt_IPMARK.so
-rwxr-xr-x 1 root root 5019 Jan 6 00:12 libipt_iprange.so
-rwxr-xr-x 1 root root 6616 Jan 6 00:12 libipt_ipv4options.so
-rwxr-xr-x 1 root root 2957 Jan 6 00:12 libipt_IPV4OPTSSTRIP.so
-rwxr-xr-x 1 root root 8724 Jan 6 00:12 libipt_layer7.so
-rwxr-xr-x 1 root root 4575 Jan 6 00:12 libipt_length.so
-rwxr-xr-x 1 root root 5078 Jan 6 00:12 libipt_limit.so
-rwxr-xr-x 1 root root 6546 Jan 6 00:12 libipt_LOG.so
-rwxr-xr-x 1 root root 4129 Jan 6 00:12 libipt_mac.so
-rwxr-xr-x 1 root root 4043 Jan 6 00:12 libipt_mark.so
-rwxr-xr-x 1 root root 4730 Jan 6 00:12 libipt_MARK.so
-rwxr-xr-x 1 root root 4267 Jan 6 00:12 libipt_MASQUERADE.so
-rwxr-xr-x 1 root root 2857 Jan 6 00:12 libipt_MIRROR.so
-rwxr-xr-x 1 root root 8095 Jan 6 00:12 libipt_multiport.so
-rwxr-xr-x 1 root root 4216 Jan 6 00:12 libipt_NETLINK.so
-rwxr-xr-x 1 root root 4528 Jan 6 00:12 libipt_NETMAP.so
-rwxr-xr-x 1 root root 3720 Jan 6 00:12 libipt_NFQUEUE.so
-rwxr-xr-x 1 root root 2859 Jan 6 00:12 libipt_NOTRACK.so
-rwxr-xr-x 1 root root 5619 Jan 6 00:12 libipt_nth.so
-rwxr-xr-x 1 root root 5959 Jan 6 00:12 libipt_owner.so
-rwxr-xr-x 1 root root 5232 Jan 6 00:12 libipt_physdev.so
-rwxr-xr-x 1 root root 4607 Jan 6 00:12 libipt_pkttype.so
-rwxr-xr-x 1 root root 4712 Jan 6 00:12 libipt_psd.so
-rwxr-xr-x 1 root root 3765 Jan 6 00:12 libipt_quota.so
-rwxr-xr-x 1 root root 4014 Jan 6 00:12 libipt_random.so
-rwxr-xr-x 1 root root 3954 Jan 6 00:12 libipt_realm.so
-rwxr-xr-x 1 root root 7502 Jan 6 00:12 libipt_recent.so
-rwxr-xr-x 1 root root 4266 Jan 6 00:12 libipt_REDIRECT.so
-rwxr-xr-x 1 root root 5467 Jan 6 00:12 libipt_REJECT.so
-rwxr-xr-x 1 root root 5805 Jan 6 00:12 libipt_ROUTE.so
-rwxr-xr-x 1 root root 6750 Jan 6 00:12 libipt_rpc.so
-rwxr-xr-x 1 root root 4770 Jan 6 00:12 libipt_SAME.so
-rwxr-xr-x 1 root root 10420 Jan 6 00:12 libipt_sctp.so
-rwxr-xr-x 1 root root 5522 Jan 6 00:12 libipt_SNAT.so
-rwxr-xr-x 1 root root 2946 Jan 6 00:12 libipt_standard.so
-rwxr-xr-x 1 root root 4539 Jan 6 00:12 libipt_state.so
-rwxr-xr-x 1 root root 2938 Jan 6 00:12 libipt_TARPIT.so
-rwxr-xr-x 1 root root 3752 Jan 6 00:12 libipt_TCPLAG.so
-rwxr-xr-x 1 root root 4523 Jan 6 00:12 libipt_tcpmss.so
-rwxr-xr-x 1 root root 3920 Jan 6 00:12 libipt_TCPMSS.so
-rwxr-xr-x 1 root root 8354 Jan 6 00:12 libipt_tcp.so
-rwxr-xr-x 1 root root 9539 Jan 6 00:12 libipt_time.so
-rwxr-xr-x 1 root root 4847 Jan 6 00:12 libipt_tos.so
-rwxr-xr-x 1 root root 4560 Jan 6 00:12 libipt_TOS.so
-rwxr-xr-x 1 root root 2855 Jan 6 00:12 libipt_TRACE.so
-rwxr-xr-x 1 root root 4272 Jan 6 00:12 libipt_ttl.so
-rwxr-xr-x 1 root root 4303 Jan 6 00:12 libipt_TTL.so
-rwxr-xr-x 1 root root 6167 Jan 6 00:12 libipt_u32.so
-rwxr-xr-x 1 root root 5868 Jan 6 00:12 libipt_udp.so
-rwxr-xr-x 1 root root 5230 Jan 6 00:12 libipt_ULOG.so
-rwxr-xr-x 1 root root 2801 Jan 6 00:12 libipt_unclean.so
-rwxr-xr-x 1 root root 3980 Jan 6 00:12 libipt_XOR.so
#
另外,通过 strings 对 init 进行分析,发现了里面一段
# strings /BBIagent/sbin/init|grep ifconfig
/sbin/ifconfig %s %s netmask %s
/sbin/ifconfig lo 127.0.0.1 netmask 255.0.0.0
/sbin/ifconfig eth1 0.0.0.0 up
/sbin/ifconfig
/sbin/ifconfig imq up
/sbin/ifconfig %s 0.0.0.0 up
#
# strings ./init|awk '/^\-A|iptables/'
/sbin/iptables -t nat -N tpred
/sbin/iptables -t nat -A PREROUTING -i %s -p tcp -d ! %s -j tpred
-A POSTROUTING -t nat -s %0/%1 -o %3 -j MASQUERADE
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i %2 -m state --state NEW -j ACCEPT
-A INPUT -i %3 -p tcp -j portscan
-A FORWARD -i %3 -p tcp -j portscan
-A PREROUTING -t mangle -j usertos
-A PREROUTING -t nat -i %2 -d %0 -j RETURN
-A PREROUTING -t nat -j service-d
-A POSTROUTING -t nat -o %2 -s %0/%1 -j service-s
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -A portscan -p tcp --tcp-flags %s -j DROP
-A INPUT -j block
-A FORWARD -j block
-A FORWARD -i %2 -j access
/sbin/iptables %s
/sbin/iptables -t nat -R PREROUTING 2 -d %s -j service-d
#
发现 BBIagent 其实功能很单一,和软件路由比差远了,和我自己的比差得更远,只是好在对 iptables 不熟悉的人来说,操作起来方便些而已,不去破解也罢,用好 Linux、学好 iptables,了解它的工作原理才是关键。。。。
心想事成
发表于 2006-2-8 12:25:59
# ltrace ./reg.cgi
__uClibc_start_main(1, 0xbffffb14, 0xbffffb1c, 0x8049300, 0x8055128
malloc(1024) = 0x8058f48
malloc(1024) = 0x8059350
malloc(128) = 0x8059758
__xpg_basename(0xbffffc0e, 0xbffffaec, 0x400008c6, 0x4000524c, 2704) = 0xbffffc10
openlog("reg.cgi", 1, 176) =
strcmp("reg.cgi", "connect") = 1
strcmp("reg.cgi", "sconf") = -1
strcmp("reg.cgi", "init") = 1
strcmp("reg.cgi", "index.cgi") = 1
strcmp("reg.cgi", "put.cgi") = 1
strcmp("reg.cgi", "get.cgi") = 1
strcmp("reg.cgi", "run.cgi") = -1
strcmp("reg.cgi", "reg.cgi") = 0
getenv("HTTP_COOKIE") = NULL
closelog() =
exit(99
+++ exited (status 99) +++
#
它要检查COOKIE,如果没有COOKIE值,就直接退出。
只需要把jz short loc_8054608改为jnz short loc_8054608就可以搞定了吧?然后看它下一步到底做什么去了?
zhenfu
发表于 2006-2-12 17:19:57
请问破解成功了吗?
td198
发表于 2006-2-20 14:57:33
正需要这个版本,等待破解.
顺便问一下,1.8.1版的软件可以限制网内的某个IP上网吗?
rob99
发表于 2006-2-23 23:24:56
原帖由 td198 于 2006-2-20 14:57 发表
正需要这个版本,等待破解.
顺便问一下,1.8.1版的软件可以限制网内的某个IP上网吗?
可以啊,首先绑定网内的网卡的mac地址,跟着用MAC地址指定ip地址,跟着就可以限制ip能否访问internet?
asdasd
发表于 2006-3-3 10:26:49
自从试用ROUTEOS失败后,还是想继续用BBIagent2.0,期盼破解点出来!简单实用才是硬道理!^_^
asdasd
发表于 2006-3-6 15:22:16
每天都来顶一下!盼望出2.0破解
asdasd
发表于 2006-3-8 16:40:25
今天来过了,发现没有人回,继续顶
asdasd
发表于 2006-3-22 08:46:53
今天又来看看,顶上去,让更多的人看到!:)
add1132
发表于 2006-4-3 22:56:51
我还是觉得coyo好用些,BBiagent 要米米的,定制性也不好,效果也不怎么好,用了coyo后对它没什么兴趣了。
sky123888
发表于 2006-4-14 00:08:24
等待2.0的破解版。
asdasd
发表于 2006-4-17 08:51:34
想得太美版主,有没有消息了?给大家吹点BBIagent的风呀!:P
xgamebmx
发表于 2006-4-19 01:44:03
等待破解.....