5.20 is out too? That was fast.
Good stuff, you have my support~
Have to leave a footprint on this one.
I tried it and it doesn't seem to work; importing the key says the key is wrong.
Thanks for sharing, may good people be safe all their lives!
Good stuff. Downloading it to study. Thanks for sharing. OP is a good person. ;P
Not bad, I'll try it tomorrow.
Let's see how it is.
Your S09plugin is 415 bytes (415 bytes)
The S09plugin I downloaded earlier is 77 bytes (77 bytes)
Is there a backdoor in it?!
cyso posted on 2012-11-5 19:59
Your S09plugin is 415 bytes (415 bytes)
The S09plugin I downloaded earlier is 77 bytes (77 bytes)...
Could you send me a 77K S09plugin? I'd like to study the differences, thanks
1456106335@qq.com
Thanks for sharing...
I have no use for it, but thanks a lot anyway.
Thanks OP for sharing, taking a look first.
cyso posted on 2012-11-5 19:59
Your S09plugin is 415 bytes (415 bytes)
The S09plugin I downloaded earlier is 77 bytes (77 bytes)...
https://ispforum.cz/viewtopic.php?f=4&t=9813&start=45
honzam, 16 Dec 2012 18:47
Hi all
Since I do decompiling as a hobby, I grabbed the "cracked" 5.18 ISO and did a quick analysis on what the crack changed.
Two files were added to the system package:
/etc/rc.d/run.d/S09plugin - this is an init script that runs on startup and starts the "clone" binary
/nova/bin/clone - this file is interesting for many reasons:
- there are multiple layers of obfuscation/encryption present in the file; I only managed to remove the first layer of obfuscation so far
- it is filled with many anti-debugging and anti-VM techniques (designed to make analysis harder)
- it seems to make hashes of the routing table, cpu/memory information and partition list; dunno what it does with the info
- seems to hijack /dev/tty, shows its own password prompt; dunno what it does with the password after that
- contains 6 binaries which are extracted and executed/loaded on startup
Binary 1: this one is a file/copy rename utility; no malicious code here
Binary 2: Like the "clone" app, this one is filled with anti-debug code; it extracts/loads the kernel modules.
Binary 3/4: These are the uniprocessor/SMP versions of the malware code. This one does multiple things:
- adds a kernel workqueue that periodically looks up the DNS address of "dns.vpn2vpn.info", "vvvvva.com" (?), "ssl.vpn2vpn.info"
- depending on the dns replies, downloads and inserts a new kernel module from the returned addresses; this can be used to execute arbitrary code on the router
- adds a hook to the netfilter firewall layer that modifies packets coming from port 53 (DNS)
Binary 5/6: These are the uniprocessor/SMP versions of the crack itself.
It hooks generic_ide_ioctl and ata_sas_scsi_ioctl and modifies the information returned about the MBR and the disks, so the kernel always sees the same driver serial number and accepts the same ROS software key.
I didn't check the other packages, so it is possible that those are infected in some way too.
Conclusion: DON'T USE !
A post by a foreigner; looks like there's something fishy in this.
Pity it only supports up to 5.20; any higher version is unsupported~~ Quite frustrating~~
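The post quoted above gives concrete indicators: two files added to the system package (/etc/rc.d/run.d/S09plugin and /nova/bin/clone) and three hostnames the kernel module resolves (dns.vpn2vpn.info, vvvvva.com, ssl.vpn2vpn.info). The script below is an added example, not code from this thread or from honzam: given an unpacked package tree it reports those paths (with their sizes, since the thread compares a 77-byte and a 415-byte S09plugin) and any file that embeds one of the hostnames. The directory layout it scans and the two sample trees it builds are constructed here for the demo; a real check would point `scan_tree` at a tree extracted from the ISO.

```python
"""Offline IOC check for an unpacked RouterOS package tree.

Indicators come from the ispforum analysis quoted in the thread; the
sample trees built by build_sample_tree() are constructed for this demo.
"""
import tempfile
from pathlib import Path

# Files the crack added to the system package (from the quoted post).
IOC_PATHS = ["etc/rc.d/run.d/S09plugin", "nova/bin/clone"]
# Hostnames looked up by the kernel workqueue (from the quoted post).
IOC_DOMAINS = [b"dns.vpn2vpn.info", b"vvvvva.com", b"ssl.vpn2vpn.info"]


def scan_tree(root):
    """Return {'paths': {relpath: size}, 'domains': {relpath: [hostnames]}}."""
    root = Path(root)
    findings = {"paths": {}, "domains": {}}
    for rel in IOC_PATHS:
        p = root / rel
        if p.is_file():
            findings["paths"][rel] = p.stat().st_size
    # Plain substring search: cheap, but the post notes the payload is
    # obfuscated, so a miss here does not prove the tree is clean.
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        data = p.read_bytes()
        hits = [d.decode() for d in IOC_DOMAINS if d in data]
        if hits:
            findings["domains"][p.relative_to(root).as_posix()] = hits
    return findings


def is_suspicious(findings):
    return bool(findings["paths"] or findings["domains"])


def build_sample_tree(root, infected):
    """Construct a tiny fake package tree (demo data, not a real package)."""
    root = Path(root)
    (root / "nova/bin").mkdir(parents=True, exist_ok=True)
    (root / "etc/rc.d/run.d").mkdir(parents=True, exist_ok=True)
    # A harmless stand-in for a normal binary.
    (root / "nova/bin/telnet").write_bytes(b"\x7fELF" + b"\x00" * 32)
    if infected:
        # Init script that starts the dropper, as described in the post.
        (root / "etc/rc.d/run.d/S09plugin").write_text(
            "#!/bin/sh\n/nova/bin/clone &\n")
        # Stand-in for the dropper, with one C2 hostname left in the clear.
        (root / "nova/bin/clone").write_bytes(
            b"\x7fELF" + b"\x00" * 16 + b"ssl.vpn2vpn.info\x00")
    return root


def demo():
    """Scan a clean and an 'infected' constructed tree; return both verdicts."""
    results = {}
    for label, infected in (("clean", False), ("cracked", True)):
        with tempfile.TemporaryDirectory() as d:
            build_sample_tree(d, infected)
            f = scan_tree(d)
            results[label] = (is_suspicious(f), f)
    return results


if __name__ == "__main__":
    for label, (flag, f) in demo().items():
        print(label, "SUSPICIOUS" if flag else "clean", f)
```

Point `scan_tree` at the root of an extracted system package rather than the constructed tree to use it for real; a negative result only says these particular strings and paths are absent, which matters because the post describes the payload as multi-layer obfuscated.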