Original poster: haies49

[Other] Those with the means can also build their own custom ROS 5.20 plugin edition

Posted on 2012-8-17 16:00:51
5.20 is out already? That was fast.

Posted on 2012-8-17 16:17:02
Good stuff, I support you~

Posted on 2012-8-17 21:12:42
I have to leave a footprint on this one.

Posted on 2012-8-18 15:19:39
I tried it and it doesn't seem to work; the imported key is wrong.

Posted on 2012-8-19 22:17:35
Thanks for sharing, may good people have a lifetime of peace!

Posted on 2012-8-23 20:02:21
Good stuff. I'll download it and study it. Thanks for sharing. The OP is a good person.

Posted on 2012-8-31 15:14:33
Not bad, I'll try it tomorrow.

Posted on 2012-8-31 17:44:43
Let's see how it is.

Posted on 2012-11-5 19:59:28
Your S09plugin is 415 bytes (415 bytes)
The S09plugin I downloaded before is 77 bytes (77 bytes)
Is there a backdoor in it?!

Posted on 2012-11-5 20:20:58

Could you send me the 77K S09plugin so I can study the differences? Thanks
1456106335@qq.com

Posted on 2013-4-22 22:58:23
Thanks for sharing...

Posted on 2013-7-18 00:18:08
I have no use for it, but thanks a lot anyway.

Posted on 2013-7-20 20:25:56
Thanks to the OP for sharing, let me take a look first.

Posted on 2013-9-22 10:05:51
cyso posted on 2012-11-5 19:59
Your S09plugin is 415 bytes (415 bytes)
The S09plugin I downloaded before is 77 bytes (77 bytes) ...

https://ispforum.cz/viewtopic.php?f=4&t=9813&start=45
honzam  16 pro 2012 18:47
Hi all
Since I do decompiling as a hobby, I grabbed the "cracked" 5.18 ISO and did a quick analysis on what the crack changed.

Two files were added to the system package:
/etc/rc.d/run.d/S09plugin - this is an init script that runs on startup and starts the "clone" binary
/nova/bin/clone - this file is interesting for many reasons:
- there are multiple layers of obfuscation/encryption present in the file; I only managed to remove the first layer of obfuscation so far
- it is filled with many anti-debugging and anti-VM techniques (designed to make analysis harder)
- it seems to make hashes of the routing table, cpu/memory information and partition list; dunno what it does with the info
- seems to hijack /dev/tty, shows its own password prompt; dunno what it does with the password after that
- contains 6 binaries which are extracted and executed/loaded on startup

Binary 1: this one is a file/copy rename utility; no malicious code here
Binary 2: Like the "clone" app, this one is filled with anti-debug code; it extracts/loads the kernel modules.
Binary 3/4: These are the uniprocessor/SMP versions of the malware code. This one does multiple things:
- adds a kernel workqueue that periodically looks up the DNS address of "dns.vpn2vpn.info", "vvvvva.com" (?), "ssl.vpn2vpn.info"
- depending on the dns replies, downloads and inserts a new kernel module from the returned addresses; this can be used to execute arbitrary code on the router
- adds a hook to the netfilter firewall layer that modifies packets coming from port 53 (DNS)
Binary 5/6: These are the uniprocessor/SMP versions of the crack itself.
It hooks generic_ide_ioctl and ata_sas_scsi_ioctl and modifies the information returned about the MBR and the disks, so the kernel always sees the same driver serial number and accepts the same ROS software key.

I didn't check the other packages, so it is possible that those are infected in some way too.
Conclusion: DON'T USE !

A post by a foreigner; looks like there's something fishy in it.
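Added example, not part of the thread or of the quoted analysis: a defender's triage sketch in Python that checks an extracted RouterOS root filesystem for the two files the quoted analysis says were added, and scans DNS query logs for the three names it lists. The dnsmasq-style log format, the function names and the sample data are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the quoted analysis of the modified 5.18 ISO.
ADDED_FILES = ("etc/rc.d/run.d/S09plugin", "nova/bin/clone")
LOOKUP_NAMES = ("dns.vpn2vpn.info", "vvvvva.com", "ssl.vpn2vpn.info")

# Dotted names ending in an alphabetic label; plain IPv4 addresses do not match.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def scan_rootfs(root):
    """Return {relative path: size in bytes} for indicator files under root."""
    hits = {}
    for rel in ADDED_FILES:
        p = Path(root) / rel
        if p.is_file():
            hits[rel] = p.stat().st_size
    return hits


def scan_dns_log(lines):
    """Return (line number, name) for each name equal to or under a listed name."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name in HOSTNAME.findall(line.lower()):
            # Match on label boundaries so "notvvvvva.com" is not flagged.
            if any(name == d or name.endswith("." + d) for d in LOOKUP_NAMES):
                hits.append((n, name))
    return hits


def demo():
    # Constructed sample: a fake extracted rootfs and assumed dnsmasq-style lines.
    with tempfile.TemporaryDirectory() as root:
        script = Path(root, "etc/rc.d/run.d/S09plugin")
        script.parent.mkdir(parents=True)
        script.write_bytes(b"#" * 415)  # same size as reported in the thread
        files = scan_rootfs(root)
    log = [
        "Nov  5 20:01:02 dnsmasq[411]: query[A] example.org from 192.168.88.10",
        "Nov  5 20:01:07 dnsmasq[411]: query[A] ssl.vpn2vpn.info from 192.168.88.1",
        "Nov  5 20:01:09 dnsmasq[411]: query[A] notvvvvva.com from 192.168.88.10",
    ]
    return files, scan_dns_log(log)


if __name__ == "__main__":
    print(demo())
```

The file check only reports presence and size; it says nothing about the other packages, which the quoted analysis did not examine.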

Posted on 2013-9-22 10:19:35
Too bad it only supports up to 5.20; anything higher isn't supported~~ that leaves me speechless~~