Unscrambling Lua

Binwalk’s output
Figure 1: Binwalk output
default-config.xml
Figure 2: default-config.xml
Confirming crypto.lua format
Figure 3: Confirming crypto.lua format
Bad header error
Figure 4: Bad header error
docker run — rm -it bestwu/deepin:15.5 bash
luadec bad code in precompiled chunk
Figure 5: luadec bad code in precompiled chunk
luac bad code in precompiled chunk
Figure 6: luac bad code in precompiled chunk
lua bytecode parser output
Figure 7: lua bytecode parser output
Quotation about return instructions
Figure 8: Quotation about return instructions
Empty file compiled with luac
Figure 9: Empty file compiled with luac
CLOSE instead of RETURN
Figure 10: CLOSE instead of RETURN
python3 ulua.py -r ref/ -s sample/ -f crypto.lua -o crypto.patched.lua
ulua.py output
Figure 11: ulua.py output
mkdir ./sample/; find ./squashfs-root/usr/lib/lua/luci/ -iname “*.lua” -exec cp {} ./sample/ \;mkdir ./ref/; find openwrt-luci/libs/ -iname “*.lua” -exec bash -c ‘luac -o ./ref/`basename {}` {}’ \;
Hardcoded encryption key
Figure 12: Hardcoded encryption key
Figure 13: SSH shell
Figure 13: SSH shell

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Daniel Santos

Daniel Santos

Security researcher and penetration tester