Posted on March 22, 2024 (author: )

I started IDA to look at this binary; clearly httpConfUpload was the function to start hacking from.

Due to a reference to des_min_do and some string starting with DES_, I suspected that DES was used as the cipher.

des_min_do was a galore of bitwise operators and nasty loops; clearly it was an inlined cryptographic function, and before calling it a pointer to a fixed null-terminated string was pushed to the stack. It could be some salt or key passed to the encryption function, so I'll note this string, which was 478DA50BF9E3D2CF.

I tried to decrypt it with mdecrypt using that string as key but without success:

$ mdecrypt -b -a des -f key <

I looked again at the binary and, searching for the _des string, I found md5_des, which suggested that I use the md5 hash function:

$ mdecrypt -b -a des -f key -o mcrypt-md5 <

Again with no luck, so I tried all the block modes available until I found the correct one:

$ mdecrypt -b -a des -m ecb -f key -o mcrypt-md5 <

lan_ip 192.168.1.254

lan_msk 255.255.255.0

lan_gateway 0.0.0.0

The file is decrypted! Note that the trailing 16 bytes are the md5 sum of the file without trailing zeroes:

The same can be done with openssl:

$ openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in
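The MD5 trailer mentioned above can be used to confirm programmatically that a key and block mode produced a valid plaintext, instead of eyeballing the output. This is an added example, not code from the original post; the function names, the sample blob and the assumed layout (config text, NUL padding to the DES block size, then the 16-byte digest) are assumptions.

```python
import hashlib
import hmac

DIGEST_LEN = 16  # MD5 output size in bytes


def split_and_verify(plain: bytes):
    """Return (body, ok) for an already-decrypted config blob.

    Assumed layout (not confirmed by the post): config text, optional
    NUL padding up to the 8-byte DES block size, then a 16-byte MD5.
    """
    if len(plain) <= DIGEST_LEN:
        raise ValueError("blob too short to carry a digest")
    body = plain[:-DIGEST_LEN].rstrip(b"\x00")  # drop the trailing zeroes
    stored = plain[-DIGEST_LEN:]
    ok = hmac.compare_digest(hashlib.md5(body).digest(), stored)
    return body, ok


def parse_settings(body: bytes) -> dict:
    """Parse 'name value' lines such as 'lan_ip 192.168.1.254'."""
    settings = {}
    for line in body.decode("ascii", errors="replace").splitlines():
        name, _, value = line.strip().partition(" ")
        if name:
            settings[name] = value.strip()
    return settings


def build_sample() -> bytes:
    """Constructed sample holding the three settings shown in the post."""
    text = b"lan_ip 192.168.1.254\nlan_msk 255.255.255.0\nlan_gateway 0.0.0.0\n"
    pad = b"\x00" * (-len(text) % 8)  # pad to the 8-byte DES block size
    return text + pad + hashlib.md5(text).digest()


if __name__ == "__main__":
    body, ok = split_and_verify(build_sample())
    print("digest ok:", ok)
    print(parse_settings(body))
    # Output from a wrong key or block mode is garbage and fails the check.
    _, accepted = split_and_verify(bytes(64))
    print("garbage accepted:", accepted)
```

Because the digest is a plain unkeyed MD5 and the DES key is fixed in the binary, this check only detects corruption or a wrong decryption guess; it does not authenticate the file.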

Have fun!