bananabr / ulua

A python script to apply a known plain text attack to Lua 5.1 bytecode files obfuscated with instruction swapping.
GNU General Public License v3.0

IndexError: cannot fit 'int' into an index-sized integer #3

Open NHPT opened 1 year ago

NHPT commented 1 year ago

luad.py runs with no error, but ulua.py raises an error:

./ulua.py -r ref/ -s sample/ -f ~/vuln/ubifs-root/12D4.ubi/squashfs-root/usr/lib/lua/luci/sgi/cgi.lua -o cgi.lua
Processing reference files
Processing file: ref/rpcc.lua
Processing file: ref/README.lua
Processing file: ref/test_fs.lua
Processing file: ref/mime.lua
Processing file: ref/conditionals.lua
Processing file: ref/nixio.fs.lua
Processing file: ref/prepara_sql2.lua
Processing file: ref/date.lua
Processing file: ref/nixio.TLSContext.lua
Processing file: ref/json.lua
Processing file: ref/nixio.UnifiedIO.lua
Processing file: ref/test_conc.lua
Processing file: ref/test_sql2.lua
Processing file: ref/axssl.lua
Processing file: ref/nixio.bin.lua
Processing file: ref/nixio.bit.lua
Processing file: ref/test_session.lua
Processing file: ref/test_sql.lua
Processing file: ref/test_err.lua
Processing file: ref/CHANGELOG.lua
Processing file: ref/download.lua
Processing file: ref/util.lua
Processing file: ref/nixio.crypto.lua
Processing file: ref/receiver.lua
Processing file: ref/debug.lua
Processing file: ref/env.lua
Processing file: ref/nixio.CryptoHash.lua
Processing file: ref/nixio.TLSSocket.lua
Processing file: ref/ruci.lua
Processing file: ref/nixio.File.lua
Processing file: ref/ltn12.lua
Processing file: ref/test_htk.lua
Processing file: ref/iptparser.lua
Processing file: ref/test_lib.lua
Processing file: ref/httpclient.lua
Processing file: ref/fs.lua
Processing file: ref/nixio.lua
Processing file: ref/http.lua
Processing file: ref/test_main.lua
Processing file: ref/test_cookies.lua
Processing file: ref/nixio.Socket.lua
Processing file: ref/ipkg.lua
Processing sample files
Processing file: sample/accountmgnt.lua
Processing file: sample/nwcache.lua
Processing file: sample/system.lua
Processing file: sample/passwd_recovery.lua
Processing file: sample/mime.lua
Processing file: sample/dhcps.lua
Processing file: sample/cloud_account.lua
Processing file: sample/security.lua
Processing file: sample/conditionals.lua
Processing file: sample/speed_test.lua
Processing file: sample/store.lua
Processing file: sample/nightMode.lua
Processing file: sample/smtps.lua
Processing file: sample/vpn.lua
Processing file: sample/proto_pptp.lua
Processing file: sample/mcu_upgrade.lua
Processing file: sample/client_mgmt.lua
Processing file: sample/folder_sharing.lua
Processing file: sample/access_control.lua
Processing file: sample/init.lua
Processing file: sample/firewall.lua
Processing file: sample/date.lua
Processing file: sample/imb.lua
Processing file: sample/security_settings.lua
Processing file: sample/usbshare.lua
Processing file: sample/ledpm.lua
Processing file: sample/disk_setting.lua
Processing file: sample/feedback.lua
Processing file: sample/hostNetwork.lua
Processing file: sample/smart_network.lua
Processing file: sample/zone-details.lua
Processing file: sample/time_machine.lua
Processing file: sample/pptpd.lua
Processing file: sample/upgrade.lua
Processing file: sample/proto_dhcp.lua
Processing file: sample/json.lua
Processing file: sample/fmup.lua
Processing file: sample/wifidog.lua
Processing file: sample/region.lua
Processing file: sample/proto_pppoa.lua
Processing file: sample/cacheloader.lua
Processing file: sample/app_timesetting.lua
Processing file: sample/tzdata.lua
Processing file: sample/openvpn.lua
Processing file: sample/modify_schedule_list.lua
Processing file: sample/parental_control.lua
Processing file: sample/rule-details.lua
Processing file: sample/l2tpoveripsec.lua
Processing file: sample/reboot.lua
Processing file: sample/crypto.lua
Processing file: sample/vpnconn.lua
Processing file: sample/i18n.lua
Processing file: sample/forward-details.lua
Processing file: sample/iptv.lua
Processing file: sample/onemesh.lua
Processing file: sample/administration.lua
Processing file: sample/ffs.lua
Processing file: sample/yandex_dns.lua
Processing file: sample/config.lua
Processing file: sample/speed_test_parser.lua
Processing file: sample/forwards.lua
Processing file: sample/easymesh_network.lua
Processing file: sample/parttbl.lua
Processing file: sample/quick_setup.lua
Processing file: sample/streamboost.lua
Processing file: sample/networkStatistic.lua
Processing file: sample/onemesh_network.lua
Processing file: sample/igmp_proxy.lua
Processing file: sample/proto_static.lua
Processing file: sample/qos.lua
Processing file: sample/version.lua
Processing file: sample/protodata.lua
Processing file: sample/cgi.lua
Processing file: sample/ip.lua
Processing file: sample/easy_mesh.lua
Processing file: sample/tfstats.lua
Processing file: sample/upnp.lua
Processing file: sample/domain_login.lua
Processing file: sample/bluetooth.lua
Processing file: sample/util.lua
Processing file: sample/service.lua
Processing file: sample/ledgeneral.lua
Processing file: sample/form.lua
Processing file: sample/ddns.lua
Processing file: sample/uuid.lua
Processing file: sample/protocol.lua
Processing file: sample/rules.lua
Processing file: sample/login.lua
Processing file: sample/network.lua
Processing file: sample/syslog.lua
Processing file: sample/proto_pppoe.lua
Processing file: sample/networkPermission.lua
Processing file: sample/wps.lua
Processing file: sample/debug.lua
Traceback (most recent call last):
  File "/root/vuln/ulua-master/./ulua.py", line 427, in <module>
    sample_chunk = lc.parse(bytecode)
                   ^^^^^^^^^^^^^^^^^^
  File "/root/vuln/ulua-master/./ulua.py", line 259, in parse
    chunk.top_function_block = self.decode_chunk(
                               ^^^^^^^^^^^^^^^^^^
  File "/root/vuln/ulua-master/./ulua.py", line 158, in decode_chunk
    fb.number_of_upvalues = self.get_byte(chunk)
                            ^^^^^^^^^^^^^^^^^^^^
  File "/root/vuln/ulua-master/./ulua.py", line 116, in get_byte
    b = chunk.get_byte(self.index)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/vuln/ulua-master/./ulua.py", line 323, in get_byte
    b = self.bytecode[index]
        ~~~~~~~~~~~~~^^^^^^^
IndexError: cannot fit 'int' into an index-sized integer

Could you help me? Thanks. If you need more info, please reply to me.
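The traceback above stops at the `number_of_upvalues` read, which in Lua 5.1 follows the source-name string, so one possible cause (an assumption, not confirmed in this thread) is a length field decoded with the wrong width. The following is an added example, not part of ulua or of this issue; it bounds-checks that read and reports the offset, and `read_lua51_prologue`, `diagnose` and the byte strings are constructed for illustration.

```python
import struct

class BytecodeError(ValueError):
    """Decoding failed; the message names the offset of the bad field."""

def read_lua51_prologue(data: bytes) -> dict:
    """Decode the 12-byte Lua 5.1 header and the top-level function's
    source name, checking every length against the bytes that remain."""
    if len(data) < 12 or data[:4] != b"\x1bLua":
        raise BytecodeError("offset 0: not a Lua bytecode file")
    version, fmt, little, int_sz, size_t_sz, instr_sz, num_sz, integral = data[4:12]
    if version != 0x51:
        raise BytecodeError(f"offset 4: version {version:#x}, expected 0x51")
    if size_t_sz not in (4, 8):
        raise BytecodeError(f"offset 8: unsupported size_t width {size_t_sz}")
    code = ("<" if little else ">") + ("I" if size_t_sz == 4 else "Q")
    name_start = 12 + size_t_sz
    if len(data) < name_start:
        raise BytecodeError("offset 12: truncated source-name length")
    (name_len,) = struct.unpack_from(code, data, 12)
    remaining = len(data) - name_start
    if name_len > remaining:
        # An unchecked parser would add name_len to its index here and
        # fail later, on the next single-byte read.
        raise BytecodeError(f"offset 12: source-name length {name_len} "
                            f"exceeds the {remaining} bytes left")
    name = data[name_start:name_start + name_len].rstrip(b"\0")
    return {"size_t": size_t_sz, "source": name.decode("latin-1"),
            "next_offset": name_start + name_len}

# Constructed inputs (not taken from the firmware in this thread).
BODY = struct.pack("<I", 9) + b"@cgi.lua\0" + bytes(16)
GOOD = b"\x1bLua" + bytes([0x51, 0, 1, 4, 4, 4, 8, 0]) + BODY
# Same body, but the header claims an 8-byte size_t: the length is misread.
MISMATCH = b"\x1bLua" + bytes([0x51, 0, 1, 4, 8, 4, 8, 0]) + BODY

def diagnose(data: bytes) -> str:
    try:
        return "ok: " + read_lua51_prologue(data)["source"]
    except BytecodeError as exc:
        return "error: " + str(exc)
```

Python raises `IndexError: cannot fit 'int' into an index-sized integer` when a `bytes` index exceeds `sys.maxsize`, which is what an unchecked index advanced by a misread length produces.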

bananabr commented 1 year ago

If you could send me the files you are using somehow, I would be glad to help.

NHPT commented 1 year ago

Thank you. The files are at: https://github.com/NHPT/TempFile/tree/main/usr/lib/lua/luci You can also obtain them here: https://static.tp-link.com/upload/firmware/2023/202303/20230308/Archer%20AX21 (US) V3 230219.zip

francoataffarel commented 1 year ago

Hello @NHPT, any news?

bananabr commented 1 year ago

Could you try processing fewer samples at a time? Start with one and see if that works.

vovkarazov123 commented 1 year ago

Hello, I tried to do some things, but I get an error:

python3 ulua.py -r ref/ -s sample/ -f locale.lua -o locale.patched.lua
Processing reference files
Processing file: ref/zoneinfo.lua
Processing sample files
Processing file: sample/zoneinfo.lua
13 opcodes mapped
Patching file locale.lua ...
Traceback (most recent call last):
  File "/root/tplink/archer_ax21/Archer AX21(US)_V2_230426/ulua/ulua.py", line 454, in <module>
    chunk = lc.parse(bytecode, opcode_map=opcode_map)
  File "/root/tplink/archer_ax21/Archer AX21(US)_V2_230426/ulua/ulua.py", line 259, in parse
    chunk.top_function_block = self.decode_chunk(
  File "/root/tplink/archer_ax21/Archer AX21(US)_V2_230426/ulua/ulua.py", line 178, in decode_chunk
    opcode = opcode_map[opcode]
KeyError: 0

vovkarazov123 commented 1 year ago

When I use many samples, I get errors for opcodes 16 and 22. Brute-forcing some values gets me a normal patched file, but luadec can't correctly decompile the file. These are the errors in luadec: -- DECOMPILER ERROR at PC86: Confused about usage of register: R3 in 'UnsetPending'
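Lua 5.1 defines 38 opcodes, so a map with 13 entries (as in the `KeyError: 0` run above) can only translate files that use those 13. The following is an added example, not ulua's code; it checks a recovered map against a file's instructions before patching. The function names, `PARTIAL_MAP` and the instruction words are constructed, and the map is assumed to go from the opcode found in the file to the standard opcode, as the `opcode_map[opcode]` lookup in the traceback suggests.

```python
from collections import Counter

OPCODE_MASK = 0x3F   # Lua 5.1: the opcode is the low 6 bits of a 32-bit instruction
NUM_OPCODES = 38     # OP_MOVE (0) through OP_VARARG (37)

def opcode_of(instruction: int) -> int:
    return instruction & OPCODE_MASK

def coverage_report(instructions, opcode_map):
    """Compare a recovered opcode map with the file it will be applied to."""
    seen = Counter(opcode_of(i) for i in instructions)
    targets = Counter(opcode_map.values())
    return {
        "mapped": len(opcode_map),
        # opcode found in the file -> number of instructions that use it
        "unmapped": {op: n for op, n in sorted(seen.items())
                     if op not in opcode_map},
        # a swap is one-to-one, so a target reached twice means a bad inference
        "conflicts": sorted(t for t, n in targets.items() if n > 1),
    }

def translate(instructions, opcode_map):
    """Rewrite opcodes only when the map is complete and consistent for this file."""
    report = coverage_report(instructions, opcode_map)
    if report["unmapped"] or report["conflicts"]:
        raise ValueError(f"opcode map not usable for this file: {report}")
    return [(i & ~OPCODE_MASK) | opcode_map[opcode_of(i)] for i in instructions]

# Constructed data: a 13-entry map with no entry for opcode 0, and four
# instruction words (operand bits above the opcode are arbitrary).
PARTIAL_MAP = {n: (n * 5 + 3) % NUM_OPCODES for n in range(1, 14)}
SAMPLE_CODE = [(2 << 6) | 0, (1 << 6) | 1, (3 << 6) | 13, 0]

def check_sample():
    return coverage_report(SAMPLE_CODE, PARTIAL_MAP)
```

An entry in `conflicts` marks a map that will produce a patched file with wrong instructions even when no `KeyError` is raised.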