Thursday, September 11, 2014

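Decrypting the Dahua Camera ROM

1. After downloading the ROM file, change the ASCII values of the first two bytes from DH to PK (the zip header), then change the file extension to .zip.

[Figure: the ROM file]

[Figure: the modified ROM file]

[Figure: extracting the ROM file]
2. Mount the file system
Dahua's ROM uses the squashfs/cramfs file systems, but the first 64 bytes of each img file are a header Dahua added itself.
Strip the first 64 bytes from the img file, then mount it to obtain the passwd file and, from it, the hash of the root password. After running the hash for a few hours, the root password turned out to be vizxv.


[Figure: the files after mounting]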
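
The two steps above as a script for auditing a firmware image for built-in credentials (an added example, not code from the original post). The filesystem magic values, the function names and the sample ROM are assumptions constructed for illustration; only the DH/PK swap and the 64-byte header length come from the post.

```python
import io
import zipfile

IMG_HEADER_LEN = 64  # vendor header length stated in the post
# Assumed magics (not from the post): squashfs LE/BE and little-endian cramfs.
FS_MAGICS = {b"hsqs": "squashfs", b"sqsh": "squashfs",
             b"\x45\x3d\xcd\x28": "cramfs"}


def restore_zip_magic(rom: bytes) -> bytes:
    """Step 1: turn the leading 'DH' back into the zip magic 'PK'."""
    if rom[:2] != b"DH":
        raise ValueError("ROM does not start with DH: %r" % rom[:2])
    return b"PK" + rom[2:]


def strip_img_header(img: bytes):
    """Step 2: drop the 64-byte header and name the filesystem behind it."""
    body = img[IMG_HEADER_LEN:]
    fs = FS_MAGICS.get(body[:4])
    if fs is None:
        raise ValueError("no squashfs/cramfs magic at offset 64")
    return fs, body


def build_sample_rom() -> bytes:
    """Constructed sample: a zip with one img, first two bytes set to DH."""
    img = b"\x00" * IMG_HEADER_LEN + b"hsqs" + b"\x00" * 92
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.img", img)
    return b"DH" + buf.getvalue()[2:]


def unpack(rom: bytes) -> dict:
    """Return {img member name: (filesystem, mountable image bytes)}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(restore_zip_magic(rom))) as zf:
        for name in zf.namelist():
            if name.endswith(".img"):
                out[name] = strip_img_header(zf.read(name))
    return out


if __name__ == "__main__":
    for name, (fs, body) in unpack(build_sample_rom()).items():
        print(name, fs, len(body))
```

Each returned body can be written to a file and mounted read-only to reach the passwd file the post describes.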

Thursday, December 12, 2013

FreeBSD make buildkernel




Overview of the make buildkernel flow


Figure 1: make buildkernel flow

I.     Building the kernel

1. Edit /usr/src/sys/i386/conf/GENERIC to configure the kernel
2. Build the kernel
cd /usr/src
make buildkernel  or  make buildkernel KERNCONF=MY_GENERIC
Use the following command to also record the make output to /root/buildkernel.log
make buildkernel | tee /root/buildkernel.log

II.     Makefile flow

The kernel build starts from the Makefile in the /usr/src directory.
/usr/src/Makefile first passes the buildkernel argument (target) to ${TGTS}

Figure 2: /usr/src/Makefile
Then, at line 219, execution continues through the ${_MAKE} variable

Figure 3: /usr/src/Makefile
Looking at the definition of ${_MAKE}: it tells make to process Makefile.inc1 in the current directory


Figure 4: /usr/src/Makefile
Next, /usr/src/Makefile.inc1 shows the whole kernel build flow, stages 1-3.

Figure 5: /usr/src/Makefile.inc1
First, a directory is created:
mkdir -p /usr/obj/usr/src/sys

Then stage 1 calls the config command to parse GENERIC and generate the Makefile and some C files used by the rest of the build.
cd /usr/src/sys/i386/conf
config  -d /usr/obj/usr/src/sys/GENERIC  /usr/src/sys/i386/conf/GENERIC

The source code of config is in the /usr/src/usr.sbin/config directory.
The Makefile is generated by the makefile() function.


Figure 6: /usr/src/usr.sbin/config/main.c
On the i386 platform, makefile() reads files and files.i386 in the /usr/src/sys/conf directory and generates the corresponding Makefile according to the rules in those files.
The final Makefile is /usr/obj/usr/src/sys/GENERIC/Makefile; everything buildkernel does afterwards starts from this Makefile.

Stage 2: see the figure below

Figure 7: /usr/src/Makefile.inc1
Stage 2 uses the Makefile generated by config to make the relevant targets.
Here we look at the flow of stage 2.1, ${KMAKE} ${CLEANDIR}
The command is as follows:
make  -m /usr/src/share/mk TARGET=i386 TARGET_ARCH=i386  KERNEL=kernel cleandir
${KRNLOBJDIR}/${_kernel} corresponds to /usr/obj/usr/src/sys/GENERIC,
that is, the Makefile generated by config in the previous step.
The end of that Makefile includes /usr/src/sys/conf/kern.post.mk.


Figure 8: /usr/obj/usr/src/sys/GENERIC/Makefile
In kern.post.mk, the cleandir argument (target) depends on kernel-cleandir

Figure 9: /usr/src/sys/conf/kern.post.mk
The rule for kernel-cleandir

Figure 10: /usr/src/sys/conf/kern.post.mk
kernel-clean

Figure 11: /usr/src/sys/conf/kern.post.mk
Stage 3

Figure 12: /usr/src/Makefile.inc1
The basic flow of Stage 3 is much the same as Stage 2: both run make -f /usr/obj/usr/src/sys/GENERIC/Makefile.


gdb Command




ctrl+x+a      // -tui mode
gdb -d  | set directory  // set src  directory
show directories

set logging on
set logging file file.log
set logging overwrite [on|off]
set logging redirect [on|off]
set logging


gdb tty /dev/pts/8

run arg0 arg1 ...
set args arg0 arg1 ...
show args
file program

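finish        // run until the function returns   gu
c             // continue execution   g
until         // run until a given location
print *ptr
print *ptr@10 // show 10 elements of the array
display *ptr  // display automatically

watch x       // break when x changes

break file.c:function if <COND> | info breakpoints | clear | delete | disable | enable
tbreak  args  // break once
hbreak  args  // hardware breakpoint
thbreak args  // one-time hardware breakpoint

rbreak  regex // set breakpoints on all functions matching regex
rbreak .      // all functions in the program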


backtrace | bt  // k

frame
commands
disassemble

layout asm
disas main
x/10i main
info reg
si
ni


Command
    Description

help
    List gdb command topics.
help topic-classes
    List gdb commands within class.
help command
    Command description.
apropos search-word
    Search for commands and command topics containing search-word.
info args
i args
    List program command line arguments
info breakpoints
    List breakpoints
info break
    List breakpoint numbers.
info break breakpoint-number
    List info about specific breakpoint.
info watchpoints
    List breakpoints
info registers
    List registers in use
info threads
    List threads in use
info set
    List set-able option

Break and Watch

break function-name
break line-number
break ClassName::functionName
    Suspend program at specified function or line number.
break +offset
break -offset
    Set a breakpoint specified number of lines forward or back from the position at which execution stopped.
break filename:function
    Don't specify path, just the file name and function name.
break filename:line-number
    Don't specify path, just the file name and line number.
    break Directory/Path/filename.cpp:62
break *address
    Suspend processing at an instruction address. Used when you do not have source.
break line-number if condition
    Where condition is an expression, i.e. x > 5
    Suspend when boolean expression is true.
break line thread thread-number
    Break in thread at specified line number. Use info threads to display thread numbers.
tbreak
    Temporary break. Break once only. Break is then removed. See "break" above for options.
watch condition
    Suspend processing when condition is met, i.e. x > 5
clear
clear function
clear line-number
    Delete breakpoints as identified by command option.
delete
d
    Delete all breakpoints, watchpoints, or catchpoints.
delete breakpoint-number
delete range
    Delete the breakpoints, watchpoints, or catchpoints of the breakpoint ranges specified as arguments.
disable breakpoint-number-or-range
enable breakpoint-number-or-range
    Does not delete breakpoints. Just enables/disables them.
    Example:
    Show breakpoints: info break
    Disable: disable 2-9
enable breakpoint-number once
    Enables once
continue
c
    Continue executing until next breakpoint/watchpoint.
continue number
    Continue but ignore current breakpoint number times. Useful for breakpoints within a loop.
finish
    Continue to end of function.

Line Execution

step
s
step number-of-steps-to-perform
    Step to next line of code. Will step into a function.
next
n
next number
    Execute next line of code. Will not enter functions.
until
until line-number
    Continue processing until you reach a specified line number. Also: function name, address, filename:function or filename:line-number.
info signals
info handle
handle SIGNAL-NAME option
    Perform the following option when signal received: nostop, stop, print, noprint, pass/noignore or nopass/ignore
where
    Shows current line number and which function you are in.

Stack

backtrace
bt
bt inner-function-nesting-depth
bt -outer-function-nesting-depth
    Show trace of where you are currently. Which functions you are in. Prints stack backtrace.
backtrace full
    Print values of local variables.
frame
frame number
f number
    Show current stack frame (function where you are stopped)
    Select frame number. (can also use up/down to navigate frames)
up
down
up number
down number
    Move up a single frame (element in the call stack)
    Move down a single frame
    Move up/down the specified number of frames in the stack.
info frame
    List address, language, address of arguments/local variables and which registers were saved in frame.
info args
info locals
info catch
    Info arguments of selected frame, local variables and exception handlers.

Source Code

list
l
list line-number
list function
list -
list start#,end#
list filename:function
    List source code.
set listsize count
show listsize
    Number of lines listed when list command given.
directory directory-name
dir directory-name
show directories
    Add specified directory to front of source code path.
directory
    Clear sourcepath when nothing specified.

Machine Language

info line
info line number
    Displays the start and end position in object code for the current line in source.
    Display position in object code for a specified line in source.
disassemble 0xstart 0xend
    Displays machine code for positions in object code specified (can use start and end hex memory values given by the info line command).
stepi
si
nexti
ni
    step/next assembly/processor instruction.
x 0xaddress
x/nfu 0xaddress
    Examine the contents of memory.
    Examine the contents of memory and specify formatting.
      • n: number of display items to print
      • f: specify the format for the output
      • u: specify the size of the data unit (e.g. byte, word, ...)
    Example: x/4dw var

Examine Variables

print variable-name
p variable-name
p file-name::variable-name
p 'file-name'::variable-name
    Print value stored in variable.
p *array-variable@length
    Print first # values of array specified by length. Good for pointers to dynamically allocated memory.
p/x variable
    Print as integer variable in hex.
p/d variable
    Print variable as a signed integer.
p/u variable
    Print variable as an unsigned integer.
p/o variable
    Print variable as an octal.
p/t variable
x/b address
x/b &variable
    Print as integer value in binary. (1 byte/8 bits)
p/c variable
    Print integer as character.
p/f variable
    Print variable as floating point number.
p/a variable
    Print as a hex address.
x/w address
x/4b &variable
    Print binary representation of 4 bytes (1 32 bit word) of memory pointed to by address.

GDB Modes

set gdb-option value
    Set a GDB option
set logging on
set logging off
show logging
set logging file log-file
    Turn on/off logging. Default name of file is gdb.txt
set print array on
set print array off
show print array
    Default is off. Convenient readable format for arrays turned on/off.
set print array-indexes on
set print array-indexes off
show print array-indexes
    Default off. Print index of array elements.
set print pretty on
set print pretty off
show print pretty
    Format printing of C structures.
set print union on
set print union off
show print union
    Default is on. Print C unions.
set print demangle on
set print demangle off
show print demangle
    Default on. Controls printing of C++ names.

Start and Stop

run
r
run command-line-arguments
run < infile > outfile
    Start program execution from the beginning of the program. The command break main will get you started. Also allows basic I/O redirection.
continue
c
    Continue execution to next break point.
kill
    Stop program execution.
quit
q
    Exit GDB debugger.

Wednesday, December 11, 2013

wordpress password hash algorithm





import hashlib
import struct
import binascii

# Iteration count for the '$P$B' prefix: 1 << itoa64.index('B') == 8192
count = 8192

itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def encode64(data, cnt=16):
    """phpass base64: pack bytes little-endian and emit 6 bits per character."""
    output = ''
    i = 0
    while i < cnt:
        value = data[i]
        i += 1
        output += itoa64[value & 0x3f]

        if i < cnt:
            value |= data[i] << 8
        output += itoa64[(value >> 6) & 0x3f]

        if i >= cnt:
            break
        i += 1
        if i < cnt:
            value |= data[i] << 16
        output += itoa64[(value >> 12) & 0x3f]

        if i >= cnt:
            break
        i += 1
        output += itoa64[(value >> 18) & 0x3f]

    return output


def decode64(text):
    """Inverse of encode64: every 4 characters yield 3 bytes."""
    output = b''
    for pos in range(0, len(text), 4):
        group = text[pos:pos + 4]
        value = 0
        for shift, ch in enumerate(group):
            value |= itoa64.index(ch) << (6 * shift)
        # n characters carry n*6 bits, i.e. n*6//8 whole bytes
        output += struct.pack('<I', value)[:len(group) * 6 // 8]
    return output


def wp_hash(salt, password):
    """Return the raw 16-byte digest of the iterated, salted MD5."""
    salt = salt.encode()
    password = password.encode()
    digest = hashlib.md5(salt + password).digest()

    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()

    return digest


def bin2hex(data):
    return binascii.hexlify(data).decode()


if __name__ == '__main__':
    # test $P$Bat/4YEzkmzJMTWoFKaJlCOO1DAwUc.
    # $P$    B    at/4YEzk    mzJMTWoFKaJlCOO1DAwUc.
    # sign = '$P$'
    # count = 1 << itoa64.index('B')

    digest = wp_hash('at/4YEzk', '123456')
    print(bin2hex(digest))
    print(encode64(digest))
    x = decode64('mzJMTWoFKaJlCOO1DAwUc.')
    print(bin2hex(x))
src: https://github.com/i3here/Web/tree/master
https://drive.google.com/file/d/0B3xt4Nh1OAl6VmVVcnNRc1I3aXM/edit?usp=sharing