[Other] Processes running after RouterOS 2.9.14 boots

Posted on 2006-3-8 14:19:29

look
Snap1.gif

Posted on 2006-3-8 14:30:43
That's how it is...

Posted on 2006-3-8 20:45:53

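Reply to #1, post by 想得太美

Yes, but you can only play with it for one day!
When you have time, could someone crack (PJ) this version? Maybe someone already has it but is not releasing it for fear of the fallout.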
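
legou (this user has been deleted)
Posted on 2006-3-8 22:12:21
Notice: the author has been banned or deleted; content automatically hidden.

Original poster | Posted on 2006-3-9 20:23:17
I found that its encryption and decryption use the following functions: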

  0x4012ada0  xdr_float
  0x4012ade0  xdr_double
  0x4012ae80  xdrmem_create
  0x4012b150  xdrrec_create
  0x4012b600  xdrrec_endofrecord
  0x4012b7e0  xdrrec_eof
  0x4012b850  xdrrec_skiprecord
  0x4012ba40  xdr_reference
  0x4012bb60  xdr_pointer
  0x4012bbe0  xdrstdio_create
  0x4012be90  getpublickey
  0x4012bf60  getsecretkey
  0x4012c170  xdr_sizeof
  0x4012c230  authdes_create
  0x4012c690  authdes_pk_create
  0x4012c920  xdr_authdes_cred
  0x4012c9c0  xdr_authdes_verf
  0x4012cad0  cbc_crypt
  0x4012cb60  ecb_crypt
  0x4012d8a0  des_setparity
  0x4012d8e0  key_gendes
  0x4012ddd0  key_get_conv
  0x4012de30  key_setnet
  0x4012de90  key_decryptsession_pk
  0x4012df10  key_encryptsession_pk
  0x4012df90  key_decryptsession
  0x4012e000  key_encryptsession
  0x4012e070  key_secretkey_is_set
  0x4012e0f0  key_setsecret
  0x4012e190  xdr_keystatus
  0x4012e1c0  xdr_keybuf
  0x4012e200  xdr_netnamestr
  0x4012e240  xdr_cryptkeyarg
  0x4012e290  xdr_cryptkeyarg2
  0x4012e2f0  xdr_cryptkeyres
  0x4012e350  xdr_unixcred
  0x4012e3c0  xdr_getcredres
  0x4012e420  xdr_key_netstarg
  0x4012e480  xdr_key_netstres
  0x4012e4e0  user2netname
  0x4012e5f0  host2netname
  0x4012e740  getnetname
  0x4012e7a0  netname2user
  0x4012e870  netname2host

I decompiled one of the functions: key_get_conv
  Dump of assembler code for function key_get_conv:
  0x4012ddd0:  push   %ebp
  0x4012ddd1:  mov    %esp,%ebp
  0x4012ddd3:  push   %ebx
  0x4012ddd4:  sub    $0xc,%esp
  0x4012ddd7:  call   0x4012dddc
  0x4012dddc:  pop    %ebx
  0x4012dddd:  add    $0x34218,%ebx
  0x4012dde3:  mov    0x8(%ebp),%ecx
  0x4012dde6:  lea    0xfffffff0(%ebp),%eax
  0x4012dde9:  mov    0xffffff74(%ebx),%edx
  0x4012ddef:  push   %eax
  0x4012ddf0:  mov    0xffffff34(%ebx),%eax
  0x4012ddf6:  push   %eax
  0x4012ddf7:  mov    $0xa,%eax
  0x4012ddfc:  call   0x4012dc10
  0x4012de01:  test   %eax,%eax
  0x4012de03:  jne    0x4012de0f
  0x4012de05:  mov    $0xffffffff,%eax
  0x4012de0a:  mov    0xfffffffc(%ebp),%ebx
  0x4012de0d:  leave
  0x4012de0e:  ret
  0x4012de0f:  mov    0xfffffff0(%ebp),%ecx
  0x4012de12:  test   %ecx,%ecx
  0x4012de14:  jne    0x4012de05
  0x4012de16:  mov    0xfffffff4(%ebp),%edx
  0x4012de19:  mov    0xfffffff8(%ebp),%ecx
  0x4012de1c:  mov    0xc(%ebp),%eax
  0x4012de1f:  mov    %edx,(%eax)
  0x4012de21:  mov    %ecx,0x4(%eax)
  0x4012de24:  xor    %eax,%eax
  0x4012de26:  mov    0xfffffffc(%ebp),%ebx
  0x4012de29:  leave
  0x4012de2a:  ret
  0x4012de2b:  nop
  0x4012de2c:  lea    0x0(%esi),%esi

If anyone is interested in it, feel free to contact me and we can look into it together. Heh.
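
The control flow of the key_get_conv listing above, written out in C as an added example; it is not part of the original post and not code from the system being discussed. The symbol names in the list match the Sun RPC secure-RPC (AUTH_DES) interface shipped in glibc, where procedure number 10 is KEY_GET_CONV. The type names, the `_re`/`_stub` identifiers and the stand-in for the helper at 0x4012dc10 are assumptions made so the block runs on its own.

```c
/* Added reconstruction of the key_get_conv listing; not the poster's code. */
#include <stdint.h>
#include <stdio.h>

#define KEY_GET_CONV 10   /* mov $0xa,%eax: procedure number passed to the helper */
#define KEY_SUCCESS  0    /* test %ecx,%ecx: any non-zero status is a failure */

typedef struct { uint32_t high, low; } des_block_t;   /* 8-byte DES key */
typedef struct {                                       /* 12 bytes: sub $0xc,%esp */
    int32_t     status;                                /* 0xfffffff0(%ebp) */
    des_block_t deskey;                                /* 0xfffffff4 / 0xfffffff8(%ebp) */
} cryptkeyres_t;

/* Hypothetical stand-in for the helper at 0x4012dc10, assumed to fill in the
 * result and return non-zero on success. The stub_* values are constructed. */
int           stub_rpc_ok = 1;
int32_t       stub_status = KEY_SUCCESS;
des_block_t   stub_key    = { 0x01234567u, 0x89abcdefu };
unsigned long stub_last_proc;

static int key_call_stub(unsigned long proc, const char *arg, cryptkeyres_t *res)
{
    (void)arg;
    stub_last_proc = proc;
    if (!stub_rpc_ok) return 0;
    res->status = stub_status;
    res->deskey = stub_key;
    return 1;
}

/* Same shape as the listing: two failure checks share one "return -1" path. */
int key_get_conv_re(const char *pkey, des_block_t *deskey)
{
    cryptkeyres_t res;
    if (!key_call_stub(KEY_GET_CONV, pkey, &res))  /* call; test %eax,%eax */
        return -1;                                 /* mov $0xffffffff,%eax */
    if (res.status != KEY_SUCCESS)                 /* jne back to the -1 path */
        return -1;
    *deskey = res.deskey;                          /* two 32-bit stores via 0xc(%ebp) */
    return 0;                                      /* xor %eax,%eax */
}

int main(void)
{
    des_block_t k = { 0, 0 };
    int rc = key_get_conv_re("constructed", &k);
    printf("rc=%d key=%08x%08x\n", rc, (unsigned)k.high, (unsigned)k.low);
    return 0;
}
```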
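
Original poster | Posted on 2006-3-9 20:26:56
I found that the encryption in ros29 is very different from 28. It seems to use inter-process communication; the encryption and decryption themselves are not contained in a single program, so trying to brute-force crack a single program is impossible.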

Posted on 2006-3-10 08:58:04
I came up with a way and installed a shell on it; below is the dmesg output:
Linux version 2.4.31 (build@builder) (gcc version 2.95.4 20011002 (Debian prerelease)) #2 Thu Feb 23 17:25:23 EET 2006
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 0000000003ef0000 (usable)
BIOS-e820: 0000000003ef0000 - 0000000003eff000 (ACPI data)
BIOS-e820: 0000000003eff000 - 0000000003f00000 (ACPI NVS)
BIOS-e820: 0000000003f00000 - 0000000004000000 (usable)
BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
64MB LOWMEM available.
On node 0 totalpages: 16384
zone(0): 4096 pages.
zone(1): 12288 pages.
zone(2): 0 pages.
Kernel command line: ro root=100
Initializing CPU#0
Detected 1901.270 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 3801.08 BogoMIPS
Memory: 62864k/65536k available (973k kernel code, 2220k reserved, 257k data, 68k init, 0k highmem)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
CPU: CLK_CTL MSR was 0. Reprogramming to 20000000
CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)
CPU: L2 Cache: 256K (64 bytes/line)
CPU:     After generic, caps: 0383fbff c1c3fbff 00000000 00000000
CPU:             Common caps: 0383fbff c1c3fbff 00000000 00000000
CPU: AMD Athlon(tm) XP 2200+ stepping 01
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
PCI: PCI BIOS revision 2.10 entry at 0xfd9a0, last bus=1
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Probing PCI hardware (bus 00)
PCI: Using IRQ router PIIX/ICH [8086/7110] at 00:07.0
PCI: Cannot allocate resource region 4 of device 00:07.1
Limiting direct PCI/PCI transfers.
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
Journalled Block Device driver loaded
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Real Time Clock Driver v1.10f
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: VMware Virtual IDE Hard Drive, ATA DISK drive
hdb: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: attached ide-disk driver.
hda: 209715 sectors (107 MB) w/32KiB Cache, CHS=832/4/63
Partition check:
hda: hda1
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
Linux IP multicast router 0.06 plus PIM-SM
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 3k freed
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 68k freed
hda2: bad access: block=2, count=2
end_request: I/O error, dev 03:02 (hda), sector 2
EXT3-fs: unable to read superblock
hda2: bad access: block=2, count=2
end_request: I/O error, dev 03:02 (hda), sector 2
EXT2-fs: unable to read superblock
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
EXT3 FS 2.4-0.9.19, 19 August 2002 on ide0(3,1), internal journal
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
panicSaver: starting...
panicSaver: start at sector 0x0000c763
panicSaver: will write 2 sectors
panicSaver: started
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP MPPE compression module registered
Generic GRE driver
GRE: registered protocol 0xb88
l2tp_init
IPv4 over IPv4 tunneling driver
Registering EoGRE
GRE: registered protocol 0x64
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
PCQ: registered per-connection queue
AGR: registered qdisc
pcnet32.c:v1.30h 06.24.2004 tsbogend@alpha.franken.de
PCI: Found IRQ 11 for device 00:11.0
pcnet32: PCnet/PCI II 79C970A at 0x1080, 00 0c 29 cc da 21 assigned IRQ 11.
eth0: registered as PCnet/PCI II 79C970A
PCI: Found IRQ 10 for device 00:12.0
pcnet32: PCnet/PCI II 79C970A at 0x1400, 00 0c 29 cc da 2b assigned IRQ 10.
eth1: registered as PCnet/PCI II 79C970A
pcnet32: 2 cards_found.
imq driver loaded.
RATE: registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
isdnphone: driver initialized, time = 850
ISDN subsystem Rev: 1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1/1.1.4.1 loaded
scx200_wdt: NatSemi SCx200 Watchdog Driver
Software Watchdog Timer: 0.05, timer margin: 60 sec
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
Linux Kernel Card Services 3.1.22
  options:  [pci] [cardbus]
Intel ISA PCIC probe: not found.
ds: no socket drivers loaded!
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-uhci.c: $Revision: 1.275 $ time 17:23:12 Feb 23 2006
usb-uhci.c: High bandwidth mode enabled
usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
lcd module loaded
ip_conntrack version 2.1 (27648 buckets, 110592 max) - 336 bytes per conntrack
i2c-core.o: i2c core module version 2.7.0 (20021208)
Netfilter messages via NETLINK v0.12.
i2c-nscacb.o version 1.3.1
ctnetlink v0.12: registering with nfnetlink.
nfnetlink_subsys_register: registering subsystem ID 1
i2c-proc.o version 2.7.0 (20021208)
lm87.o version 2.7.0 (20021208)
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
ipt_random match loaded
netfilter PSD loaded - (c) astaro AG
eth0: devid 1
eth1: devid 2

Posted on 2006-3-10 15:29:44
Strong bump

Posted on 2006-3-10 20:35:34
OK

Posted on 2006-3-11 16:40:50
I don't understand...

Posted on 2006-3-11 17:15:24

Reply to #10, post by lzbnet

I don't understand it either!

Posted on 2006-3-12 01:02:24
Bumping this up..