反转D'Link DIR 100固件

我正在尝试提取此固件，但遇到了一些问题。关于binwalk固件的第一堂课显示了以下内容：

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
48          0x30        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 992240 bytes
275832      0x43578     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 65011 bytes
312165      0x4C365     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6425 bytes
314338      0x4CBE2     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6198 bytes
316542      0x4D47E     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11645 bytes
319496      0x4E008     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9923 bytes
322366      0x4EB3E     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3981 bytes
323721      0x4F089     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1269 bytes
324228      0x4F284     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9785 bytes
327024      0x4FD70     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9717 bytes
329754      0x5081A     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9957 bytes
332630      0x51356     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4544 bytes
334066      0x518F2     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 378 bytes
334305      0x519E1     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1019 bytes
334787      0x51BC3     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 12756 bytes
338395      0x529DB     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 16497 bytes
343482      0x53DBA     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11019 bytes
347416      0x54D18     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 39577 bytes
358366      0x577DE     JPEG image data, JFIF standard  1.02
358907      0x579FB     JPEG image data, JFIF standard  1.02
359442      0x57C12     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1787 bytes
361070      0x5826E     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 893 bytes
361902      0x585AE     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 637 bytes
362528      0x58820     JPEG image data, JFIF standard  1.02
363522      0x58C02     JPEG image data, JFIF standard  1.02
364963      0x591A3     JPEG image data, JFIF standard  1.01
376049      0x5BCF1     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 683 bytes
376714      0x5BF8A     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 761 bytes
377462      0x5C276     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 225 bytes
377638      0x5C326     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4146 bytes
378953      0x5C849     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1487 bytes
379723      0x5CB4B     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2240 bytes
380729      0x5CF39     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1527 bytes
381510      0x5D246     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8294 bytes
384148      0x5DC94     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 10412 bytes
385299      0x5E113     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 16812 bytes
389806      0x5F2AE     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9294 bytes
391417      0x5F8F9     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 9108 bytes
392764      0x5FE3C     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4796 bytes
393633      0x601A1     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3710 bytes
394440      0x604C8     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 7870 bytes
395948      0x60AAC     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 10764 bytes
398896      0x61630     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6804 bytes
400960      0x61E40     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2135 bytes
401785      0x62179     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2864 bytes
402878      0x625BE     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3747 bytes
404192      0x62AE0     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2776 bytes
405196      0x62ECC     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6761 bytes
407148      0x6366C     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1582 bytes
407859      0x63933     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6849 bytes
409864      0x64108     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4678 bytes
411440      0x64730     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 11297 bytes
414011      0x6513B     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3990 bytes
415534      0x6572E     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 12540 bytes
418894      0x6644E     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3623 bytes
420239      0x6698F     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 13366 bytes
423782      0x67766     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 5498 bytes
425717      0x67EF5     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1524 bytes
426450      0x681D2     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 28728 bytes
434580      0x6A194     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 18125 bytes
439538      0x6B4F2     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 36719 bytes
445116      0x6CABC     LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 1940 bytes

检查hexdump代码后，我发现binwalk检测到lzma魔幻数字'5d 00'，但我认为不一致且为假阳性：

root@kali:~/Desktop/Firmwares/DLink# cat hexdump.txt | grep '5d 00'
00000030  5d 00 00 00 02 f0 23 0f  00 00 00 00 00 00 20 20  |].....#.......  |
0000c7b0  f9 5d 00 0e e6 e7 55 ca  16 5f d1 c9 67 67 30 c7  |.]....U.._..gg0.|
00049900  ac 00 5d 00 00 00 02 c9  1d 00 00 00 00 00 00 00  |..].............|
0004a2c0  6e 93 3d d1 e8 e3 96 5a  f9 17 38 b1 28 5d 00 00  |n.=....Z..8.(]..|
0004bb30  25 14 f9 96 26 85 58 20  18 07 b9 fa e3 5d 00 00  |%...&.X .....]..|
0004c360  9f f6 e9 d8 28 5d 00 00  00 02 19 19 00 00 00 00  |....(]..........|
0004cbe0  f6 20 5d 00 00 00 02 36  18 00 00 00 00 00 00 00  |. ]....6........|
0004d470  3f 38 df 6f 97 98 4b 41  0d 83 14 d8 4d 00 5d 00  |?8.o..KA....M.].|
0004e000  78 c4 bc c4 11 98 56 00  5d 00 00 00 02 c3 26 00  |x.....V.].....&.|
0004eb30  e6 73 64 e2 bc fa 37 7a  11 0d 3c b1 d2 af 5d 00  |.sd...7z..<...].|
0004f080  57 ad 80 5f 20 ef 40 0e  7c 5d 00 00 00 02 f5 04  |W.._ .@.|]......|
0004f280  1a 1c ab 00 5d 00 00 00  02 39 26 00 00 00 00 00  |....]....9&.....|
0004fd70  5d 00 00 00 02 f5 25 00  00 00 00 00 00 00 1e 12  |].....%.........|

之后，我浏览了十六进制转储，并在00000000和00042fa0中找到了一些字符串：

00000000  41 49 48 30 4c 0f c1 fb  80 00 01 00 00 04 2f 74  |AIH0L........./t|
00042fa0  6e 23 00 00 41 49 48 30  4c 0f c1 fb 00 00 00 00  |n#..AIH0L.......|

搜索AIH0L我没有发现任何有用的东西，但现在卡住了。。

对我来说，熵分析似乎也很奇怪。

有人遇到过这个问题还是想知道如何提取它？
注意事项。我在hexdump文件中找到了'fs'，我找到了zfs标头：

t @ kali：〜/ Desktop / Firmwares / DLink＃ grep zfs

0000b990  65 a7 0c aa 7a 66 73 24  1e bc b6 e8 d7 c4 29 1a  |e...zfs$......).|

我不确定这是否指向真正的zfs，或者这只是一个巧合。我将固件从该位置复制到最后，但是无法识别新文件，binwalk讲座与上面相同。

#1 楼

binwalk识别的LZMA压缩是正确的（或者至少大多数是正确的-我没有全部检查）。如果您实际上提取并解压缩LZMA文件，您会发现第一个（偏移量为0x30）包含设备的代码（某种MIPS RTOS），其余似乎是Web界面的HTML文件。 br />

好吧，那是真的。我已经尝试解压缩它，但是没有用。也许我以前错了。谢谢！

– Nucklear
13年9月24日在17:33

并非所有LZMA实用程序都是平等的。我使用了p7zip，对我来说效果很好。如果已经安装了p7zip，则可以给binwalk -re选项，该选项将dd并将所有LZMA文件解压缩到一个目录中。

–devttys0
2013年9月24日18:29

编程黑洞网

反转D'Link DIR 100固件

#1 楼

评论