Decompiling the Lua files in Xiaomi router firmware

tags: OpenWrt  Disassembly

After unpacking the firmware of the Xiaomi AX3600 and AX1800 routers, I found that the Lua scripts are encrypted.
After looking for information, I found unluac, which can decompile them.

Configure binwalk, ubi_reader, unluac

Binwalk configuration:

git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo python3 setup.py install

UBI_Reader configuration:

git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader
sudo python3 setup.py install
sudo apt-get install python-lzo
sudo apt-get install liblzo2-dev

UNLUAC configuration:

git clone https://github.com/NyaMisty/unluac_miwifi.git
cd unluac_miwifi
mkdir build
javac -d build -sourcepath src  src/unluac/*.java
jar -cfm build/unluac.jar src/META-INF/MANIFEST.MF -C build  .

This unluac.jar is the main tool used for decompilation.

AX3600, AX1800 firmware official download address:

Unpacking AX3600:

binwalk -Me miwifi_r3600_firmware_02d97_1.1.15.bin
cd _miwifi_r3600_firmware_02d97_1.1.15.bin.extracted/
ubireader_extract_images 2AC.ubi
cd ubifs-root/2AC.ubi
sudo unsquashfs ./img-928520125_vol-ubi_rootfs.ubifs

Unpacking AX1800:

binwalk -Me miwifi_rm1800_firmware_df7e3_1.0.385.bin
cd _miwifi_rm1800_firmware_df7e3_1.0.385.bin.extracted/
ubireader_extract_images 2B0.ubi 
cd ubifs-root/2B0.ubi/
sudo unsquashfs ./img-1921350739_vol-rootfs_data.ubifs 

Enter squashfs-root/usr/lib/lua/luci/controller/api and view the scripts:

At this point the scripts are encrypted.
Use unluac.jar to decompile them. The following file is chosen as a test:
squashfs-root/usr/lib/lua/luci/controller/api/misystem.lua
Copy this file from the AX3600 and the AX1800 firmware respectively and place each copy next to unluac.jar
for easy comparison.

touch ax3600.lua
java -jar ./unluac.jar ./misystem.lua > ax3600.lua

View the vulnerable function after decompilation:

setConfigIotDev = L14
function L14()
  local L0, L1, L2, L3, L4, L5, L6, L7, L8, L9, L10, L11, L12, L13, L14, L15, L16, L17, L18, L19, L20
  L0 = require
  L1 = "xiaoqiang.common.XQFunction"
  L0 = L0(L1)
  L1 = require
  L2 = "xiaoqiang.util.XQWifiUtil"
  L1 = L1(L2)
  L2 = require
  L3 = "luci.util"
  L2 = L2(L3)
  L3 = {}
  L3.code = 0
  L4 = {}
  L5 = {}
  L6 = require
  L7 = "luci.model.uci"
  L6 = L6(L7)
  L6 = L6.cursor
  L6 = L6()
  L8 = L6
  L7 = L6.get
  L9 = "miscan"
  L10 = "config"
  L7 = L7(L8, L9, L10, L11)
  L7 = L7 or L7
  L8 = nil
  L9 = {}
  L10 = L1.getWifiBasicInfo
  L10 = L10(L11)
  L10 = L10.on
  L10 = L10 == 1
  wifi24GOn = L10
  if L7 == "1" then
    L10 = wifi24GOn
    if L10 then
      L10 = "scan 1"
      scancmd = L10
      L10 = L2.execl
      L10 = L10(L11)
      if L10 then
        for L14, L15 in L11, L12, L13 do
          L16 = L0.isStrNil
          L17 = L15
          L16 = L16(L17)
          if not L16 then
            L17 = L15
            L16 = L15.match
            L18 = "ssid:(%S+) bssid:(%S+) model:(%S+) routerSSID:(%S+) routerBSSID:(%S+)"
            L16, L17, L18, L19, L20 = L16(L17, L18)
            router_bssid = L20
            router_ssid = L19
            model = L18
            bssid = L17
            ssid = L16
            L16 = ssid
            if L16 ~= nil then
              L16 = table
              L16 = L16.insert
              L17 = L4
              L18 = {}
              L19 = tostring
              L20 = model
              L19 = L19(L20)
              L18.model = L19
              L19 = tostring
              L20 = ssid
              L19 = L19(L20)
              L18.ssid = L19
              L19 = tostring
              L20 = bssid
              L19 = L19(L20)
              L18.bssid = L19
              L19 = tostring
              L20 = router_ssid
              L19 = L19(L20)
              L18.router_ssid = L19
              L19 = tostring
              L20 = router_bssid
              L19 = L19(L20)
              L18.router_bssid = L19
              L16(L17, L18)
            end
          end
        end
      end
    end
  end
  L5.list = L4
  L3.data = L5
  L10 = _UPVALUE0_
  L10 = L10.write_json
  L10(L11)
end

This is not very intuitive, so compare it with the same function in the AX1800.
Left is the AX1800, right is the AX3600.

The changed code shows that the AX3600 has fixed the injectable function.
Overall, the decompiled output is still not very intuitive.
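The side-by-side comparison described above can be scripted. This is an added example, not part of the original post or of unluac: it pulls one handler out of two decompiled files by its binding name and prints a unified diff. It assumes the layout shown above (`name = L14`, then `function L14()` closed by an `end` in column 0); the sample inputs and the handler name `demoHandler` are constructed, not real firmware code.

```python
import difflib
import re


def extract_function(source, name):
    """Return the lines of the top-level function bound to `name`."""
    lines = source.splitlines()
    label = None
    for line in lines:
        m = re.match(r"^%s = (L\d+)$" % re.escape(name), line)
        if m:
            label = m.group(1)  # e.g. "L14"; differs between firmware builds
            break
    if label is None:
        raise KeyError(name)
    header = "function %s(" % label
    for j, line in enumerate(lines):
        if not line.startswith(header):
            continue
        for k in range(j + 1, len(lines)):
            if lines[k] == "end":  # nested blocks are indented, so column 0 closes it
                # Rename the header so a changed label is not reported as a change.
                return [line.replace(label, name, 1)] + lines[j + 1:k + 1]
        raise ValueError("unterminated function for " + name)
    raise KeyError(header)


def diff_function(old_src, new_src, name, old_tag="ax1800.lua", new_tag="ax3600.lua"):
    """Unified diff of one handler between two decompiled files."""
    old = extract_function(old_src, name)
    new = extract_function(new_src, name)
    return list(difflib.unified_diff(old, new, old_tag, new_tag, lineterm=""))


# Constructed samples in the style of unluac output (not real firmware code).
OLD_SAMPLE = """demoHandler = L14
function L14()
  local L0, L1
  L0 = require
  L1 = "luci.util"
  L0 = L0(L1)
end
otherHandler = L15
function L15()
end
"""
NEW_SAMPLE = OLD_SAMPLE.replace("L14", "L12").replace(
    "  L0 = L0(L1)\n", "  L0 = L0(L1)\n  L1 = L0.trim\n")

if __name__ == "__main__":
    print("\n".join(diff_function(OLD_SAMPLE, NEW_SAMPLE, "demoHandler")))
```

On the real files, read ax1800.lua and ax3600.lua into strings and pass "setConfigIotDev" as the name.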
