FortiGate飞塔固件自加解密逆向分析教程<\/h1>

1. 前言与背景<\/h2>
在IoT漏洞挖掘过程中，经常会遇到固件加密的问题，导致在没有硬件设备的情况下无法进行漏洞挖掘。本教程将详细分析FortiGate OS固件的自加密、自解密机制，通过逆向工程方法找到加密位置并实现解密。<\/p>

2. 准备工作<\/h2>

2.1 环境搭建<\/h3>
安装必要的工具：<\/li> <\/ol>
apt-get install qemu
<\/span><\/span>apt install qemu-utils
<\/span><\/span><\/code><\/pre>
加载FortiGate VMDK镜像：<\/li>
<\/ol>
modprobe nbd max_part=<\/span>16<\/span>
<\/span><\/span>qemu-nbd --connect=<\/span>\/dev\/nbd1 FortiGate7_4_2-disk1.vmdk
<\/span><\/span>mount \/dev\/nbd1p1 \/mnt
<\/span><\/span><\/code><\/pre>
查看启动配置文件：<\/li>
<\/ol>
cat extlinux.conf
<\/span><\/span><\/code><\/pre>3. 固件加载流程分析<\/h2>
3.1 Linux内核rootfs加载机制<\/h3>
Linux内核通过populate_rootfs<\/code>函数加载initramfs：<\/p>
static<\/span> int<\/span> __init populate_rootfs<\/span>(void<\/span>) {
<\/span><\/span>    \/* Load the built in initramfs *\/<\/span>
<\/span><\/span>    char<\/span> *<\/span>err =<\/span> unpack_to_rootfs(__initramfs_start, __initramfs_size);
<\/span><\/span>    if<\/span> (err)
<\/span><\/span>        panic("%s"<\/span>, err);
<\/span><\/span>    
<\/span><\/span>    \/* If available load the bootloader supplied initrd *\/<\/span>
<\/span><\/span>    if<\/span> (initrd_start &&<\/span> !<\/span>IS_ENABLED(CONFIG_INITRAMFS_FORCE)) {
<\/span><\/span>        err =<\/span> unpack_to_rootfs((char<\/span> *<\/span>)initrd_start, initrd_end -<\/span> initrd_start);
<\/span><\/span>        if<\/span> (!<\/span>err) {
<\/span><\/span>            free_initrd();
<\/span><\/span>            goto<\/span> done;
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            clean_rootfs();
<\/span><\/span>            unpack_to_rootfs(__initramfs_start, __initramfs_size);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 FortiOS实现分析<\/h3>
FortiOS基于Linux内核4.19.13(从7.4.3版本开始)，通过逆向flatkc<\/code>文件(使用vmlinux-to-elf转换为ELF格式)可以找到相关功能。<\/p>
逆向后的关键函数：<\/p>
__int64<\/span> populate_rootfs<\/span>() {
<\/span><\/span>    v0 =<\/span> _initramfs_size;
<\/span><\/span>    v1 =<\/span> unpack_to_rootfs(_initramfs_start, _initramfs_size);
<\/span><\/span>    if<\/span> (v1)
<\/span><\/span>        panic((unsigned<\/span> int<\/span>)&<\/span>aS_18[1<\/span>], v1, v2, v3, v4, v5);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (initrd_start) {
<\/span><\/span>        v6 =<\/span> unpack_to_rootfs(initrd_start, initrd_end -<\/span> initrd_start);
<\/span><\/span>        if<\/span> (!<\/span>v6) {
<\/span><\/span>            free_initrd();
<\/span><\/span>            goto<\/span> LABEL_10;
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    LABEL_10:
<\/span><\/span>    flush_delayed_fput();
<\/span><\/span>    load_default_modules();
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 签名验证机制<\/h2>
4.1 fgt_verify_initrd函数分析<\/h3>
该函数负责ramdisk的签名检查和解密：<\/p>
__int64<\/span> fgt_verify_initrd<\/span>() {
<\/span><\/span>    size =<\/span> ::<\/span>initrd_end -<\/span> initrd_start;
<\/span><\/span>    if<\/span> (::<\/span>initrd_end -<\/span> initrd_start <=<\/span> 0x100u<\/span> ||<\/span> (unsigned<\/span> int<\/span>)fgt_verifier_open(public_key)) {
<\/span><\/span>        err_code =<\/span> -<\/span>1<\/span>;
<\/span><\/span>        goto<\/span> LABEL_19;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 计算SHA-256哈希(不包括最后256字节)
<\/span><\/span><\/span><\/span>    sha256_init(sha_context);
<\/span><\/span>    sha256_update_0(sha_context, initrd_start, (unsigned<\/span> int<\/span>)(size -<\/span> 256<\/span>));
<\/span><\/span>    sha256_final_0(sha_context, local_hash_1);
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取并验证签名数据
<\/span><\/span><\/span><\/span>    raw_data =<\/span> mpi_read_raw_data(::<\/span>initrd_end -<\/span> 256LL<\/span>, 256<\/span>);
<\/span><\/span>    if<\/span> (raw_data) {
<\/span><\/span>        if<\/span> ((int<\/span>)mpi_cmp_ui(raw_data, 0<\/span>) <<\/span> 0<\/span> ||<\/span> 
<\/span><\/span>            (int<\/span>)mpi_cmp(signature_data, public_key[0<\/span>]) >=<\/span> 0<\/span>) {
<\/span><\/span>            err_code =<\/span> -<\/span>22<\/span>;
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            \/\/ RSA签名验证
<\/span><\/span><\/span><\/span>            mod_pow_result =<\/span> mpi_alloc(0<\/span>);
<\/span><\/span>            err_code =<\/span> mpi_powm(mod_pow_result, signature_data, public_key[1<\/span>], public_key[0<\/span>]);
<\/span><\/span>            
<\/span><\/span>            \/\/ 检查签名格式(PKCS#1 v1.5)
<\/span><\/span><\/span><\/span>            verify_result2 =<\/span> verify_result |<\/span> temp1 |<\/span> *<\/span>(BYTE *<\/span>)(initrd_end -<\/span> 256<\/span>) ^<\/span> 1<\/span>;
<\/span><\/span>            ptr =<\/span> (BYTE *<\/span>)(initrd_end -<\/span> 255<\/span>);
<\/span><\/span>            do<\/span> {
<\/span><\/span>                verify_result2 |=<\/span> (unsigned<\/span> __int8<\/span>)~*<\/span>ptr++<\/span>;
<\/span><\/span>            } while<\/span> ((BYTE *<\/span>)(initrd_end -<\/span> 53<\/span>) !=<\/span> ptr);
<\/span><\/span>            
<\/span><\/span>            \/\/ 检查哈希匹配
<\/span><\/span><\/span><\/span>            for<\/span> (n32 =<\/span> 0<\/span>; n32 !=<\/span> 32<\/span>; ++<\/span>n32)
<\/span><\/span>                err_code |=<\/span> (*<\/span>((BYTE *<\/span>)(local_hash +<\/span> n32)) ^<\/span> *<\/span>(BYTE *<\/span>)(initrd_end +<\/span> n32 -<\/span> 33<\/span>));
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ::<\/span>initrd_end -=<\/span> 256LL<\/span>; \/\/ 移除签名数据
<\/span><\/span><\/span><\/span>    fgt_verify_decrypt();  \/\/ 解密操作
<\/span><\/span><\/span><\/span>    return<\/span> err_code;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 签名验证流程<\/h3>

计算initrd内容的SHA-256哈希(不包括最后256字节)<\/li>
读取initrd末尾的256字节签名数据<\/li>
使用RSA公钥验证签名<\/li>
检查签名格式是否符合PKCS#1 v1.5标准：

第一个字节必须为0x01的取反(0xFE)<\/li>
接下来的201个字节必须全为0xFF<\/li>
<\/ul>
<\/li>
验证签名中的哈希值与计算得到的哈希值一致<\/li>
<\/ol>
5. 公钥解密机制<\/h2>
5.1 fgt_verifier_open函数<\/h3>
该函数初始化RSA公钥：<\/p>
__int64<\/span> __fastcall<\/span> fgt_verifier_open<\/span>(__int64<\/span> *<\/span>p_public_key) {
<\/span><\/span>    FFFFFFFF814967A8 =<\/span> (int<\/span> *<\/span>)kmem_cache_alloc(qword_FFFFFFFF814967A8, 0x6000C0<\/span>);
<\/span><\/span>    n_e =<\/span> fgt_verifier_pub_key(FFFFFFFF814967A8);
<\/span><\/span>    n_e =<\/span> rsa_parse_pub_key((__int64<\/span>)v14, FFFFFFFF814967A8_1, 270<\/span>);
<\/span><\/span>    
<\/span><\/span>    e =<\/span> mpi_read_raw_data(v14[1<\/span>], (__int64<\/span>)v14[9<\/span>]);  \/\/ 读取公钥e
<\/span><\/span><\/span><\/span>    n =<\/span> mpi_read_raw_data(v14[0<\/span>], (__int64<\/span>)v14[8<\/span>]);  \/\/ 读取公钥n
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    public_key =<\/span> {n, e, v11_chunk, v12_chunk};
<\/span><\/span>    return<\/span> n_e;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2 fgt_verifier_pub_key函数<\/h3>
从固件中提取加密的公钥并使用ChaCha20解密：<\/p>
unsigned<\/span> __int64<\/span> __fastcall<\/span> fgt_verifier_pub_key<\/span>(int<\/span> *<\/span>initrd_start) {
<\/span><\/span>    \/\/ 生成32字节密钥
<\/span><\/span><\/span><\/span>    sha256_init(buf_);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, &<\/span>unk_FFFFFFFF817932E3, 29<\/span>);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, &<\/span>EKY, 3<\/span>);
<\/span><\/span>    sha256_final_0((__int64<\/span>)buf_, (__int64<\/span>)key);
<\/span><\/span>    
<\/span><\/span>    \/\/ 生成8字节的IV
<\/span><\/span><\/span><\/span>    sha256_init(buf_);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, byte_FFFFFFFF817932E1, 31<\/span>);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, &<\/span>EKY, 1<\/span>);
<\/span><\/span>    sha256_final_0((__int64<\/span>)buf_, (__int64<\/span>)iv);
<\/span><\/span>    
<\/span><\/span>    \/\/ ChaCha20解密
<\/span><\/span><\/span><\/span>    crypto_chacha20_init(p_KEY, v6, iv);
<\/span><\/span>    chacha20_docrypt((__int64<\/span>)p_KEY, initrd_start, initrd_start_, 0x10E<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 ChaCha20实现<\/h3>
unsigned<\/span> __int64<\/span> __fastcall<\/span> chacha20_docrypt<\/span>(__int64<\/span> KEY, int<\/span> *<\/span>initrd_start, int<\/span> *<\/span>initrd_start_2, __int64<\/span> size) {
<\/span><\/span>    if<\/span> (initrd_start !=<\/span> initrd_start_2)
<\/span><\/span>        memcpy(initrd_start, initrd_start_2, (unsigned<\/span> int<\/span>)size);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (size_1 <=<\/span> 63<\/span>) {
<\/span><\/span>        initrd_start_3 =<\/span> initrd_start;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        do<\/span> {
<\/span><\/span>            chacha20_block((unsigned<\/span> __int64<\/span> *<\/span>)KEY, (__int64<\/span>)enc_block);
<\/span><\/span>            initrd_start_4 =<\/span> initrd_start_1;
<\/span><\/span>            do<\/span> {
<\/span><\/span>                *<\/span>((_QWORD *<\/span>)initrd_start_4 -<\/span> 1<\/span>) ^=<\/span> *<\/span>(_QWORD *<\/span>)(enc_block +<\/span> 8<\/span> *<\/span> v11);
<\/span><\/span>            } while<\/span> (v11);
<\/span><\/span>            initrd_start_1 +=<\/span> 16<\/span>;
<\/span><\/span>        } while<\/span> (initrd_start_1 !=<\/span> initrd_start_3);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span> (size_1) {
<\/span><\/span>        chacha20_block((unsigned<\/span> __int64<\/span> *<\/span>)KEY, (__int64<\/span>)enc_block);
<\/span><\/span>        _crypto_xor(initrd_start_3, initrd_start_3, enc_block, size_1);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 解密工具实现<\/h2>
6.1 解密RSA公钥<\/h3>
\/* gcc decrypt_rsapubkey.c chacha20.c -o decrypt_rsapubkey -lssl -lcrypto *\/<\/span>
<\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <openssl\/evp.h><\/span>
<\/span><\/span><\/span>#include<\/span> "chacha20.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    \/\/ 初始化
<\/span><\/span><\/span><\/span>    EVP_MD_CTX *<\/span>mdctx;
<\/span><\/span>    unsigned<\/span> char<\/span> *<\/span>md1 =<\/span> NULL;
<\/span><\/span>    unsigned<\/span> char<\/span> *<\/span>md2 =<\/span> NULL;
<\/span><\/span>    
<\/span><\/span>    \/\/ 生成密钥和IV
<\/span><\/span><\/span><\/span>    sha256_init(buf_);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, &<\/span>unk_FFFFFFFF817932E3, 29<\/span>);
<\/span><\/span>    sha256_update_0((__int64<\/span>)buf_, &<\/span>EKY, 3<\/span>);
<\/span><\/span>    sha256_final_0((__int64<\/span>)buf_, (__int64<\/span>)key);
<\/span><\/span>    
<\/span><\/span>    \/\/ ChaCha20解密
<\/span><\/span><\/span><\/span>    struct<\/span> chacha20_context ctx;
<\/span><\/span>    chacha20_init_context(&<\/span>ctx, md1, md2);
<\/span><\/span>    chacha20_xor(&<\/span>ctx, g_RSA_PubKey, 270<\/span>);
<\/span><\/span>    
<\/span><\/span>    printf("BER-encoded pub key:<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    printhex(g_RSA_PubKey, 270<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 解密rootfs<\/h3>
\/* gcc decrypt_rootfs.c chacha20.c -o decrypt_rootfs -lssl -lcrypto *\/<\/span>
<\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <openssl\/evp.h><\/span>
<\/span><\/span><\/span>#include<\/span> "chacha20.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> **<\/span>argv) {
<\/span><\/span>    \/\/ 读取输入文件
<\/span><\/span><\/span><\/span>    FILE *<\/span>f =<\/span> fopen(argv[1<\/span>], "rb"<\/span>);
<\/span><\/span>    fseek(f, 0<\/span>, SEEK_END);
<\/span><\/span>    long<\/span> fsize =<\/span> ftell(f);
<\/span><\/span>    fseek(f, 0<\/span>, SEEK_SET);
<\/span><\/span>    fsize -=<\/span> 256<\/span>; \/\/ 跳过尾部签名
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 解密
<\/span><\/span><\/span><\/span>    struct<\/span> chacha20_context ctx;
<\/span><\/span>    chacha20_init_context(&<\/span>ctx, md1, md2);
<\/span><\/span>    chacha20_xor(&<\/span>ctx, data, fsize);
<\/span><\/span>    
<\/span><\/span>    \/\/ 检查是否为GZ文件
<\/span><\/span><\/span><\/span>    uint16_t<\/span> magic =<\/span> *<\/span>(int16_t<\/span> *<\/span>)data;
<\/span><\/span>    if<\/span> (magic !=<\/span> 0x8B1F<\/span>) {
<\/span><\/span>        fprintf(stderr, "Failed to decrypt (not a GZ, magic=%X)<\/span>\n<\/span>"<\/span>, magic);
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 写入输出文件
<\/span><\/span><\/span><\/span>    FILE *<\/span>f_out =<\/span> fopen(argv[2<\/span>], "wb"<\/span>);
<\/span><\/span>    fwrite(data, fsize, 1<\/span>, f_out);
<\/span><\/span>    fclose(f_out);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>7. 自动化提取密钥<\/h2>
使用Python脚本自动提取固件中的密钥：<\/p>
from<\/span> miasm.analysis.binary import<\/span> Container
<\/span><\/span>from<\/span> miasm.analysis.machine import<\/span> Machine
<\/span><\/span>from<\/span> miasm.core.locationdb import<\/span> LocationDB
<\/span><\/span>
<\/span><\/span>def<\/span> get_rootfs_key<\/span>(target_binary):
<\/span><\/span>    fdesc =<\/span> open(target_binary, 'rb'<\/span>)
<\/span><\/span>    loc_db =<\/span> LocationDB()
<\/span><\/span>    cont =<\/span> Container.<\/span>from_stream(fdesc, loc_db)
<\/span><\/span>    machine =<\/span> Machine(cont.<\/span>arch)
<\/span><\/span>    
<\/span><\/span>    # 根据架构设置寄存器<\/span>
<\/span><\/span>    if<\/span> cont.<\/span>arch ==<\/span> "x86_64"<\/span>:
<\/span><\/span>        ret_val_reg =<\/span> machine.<\/span>mn.<\/span>regs.<\/span>RAX
<\/span><\/span>        arg_val_reg =<\/span> machine.<\/span>mn.<\/span>regs.<\/span>RSI
<\/span><\/span>    elif<\/span> cont.<\/span>arch ==<\/span> "aarch64l"<\/span>:
<\/span><\/span>        ret_val_reg =<\/span> machine.<\/span>mn.<\/span>regs.<\/span>X0
<\/span><\/span>        arg_val_reg =<\/span> machine.<\/span>mn.<\/span>regs.<\/span>X1
<\/span><\/span>    
<\/span><\/span>    # 反汇编分析<\/span>
<\/span><\/span>    mdis =<\/span> machine.<\/span>dis_engine(cont.<\/span>bin_stream, loc_db=<\/span>cont.<\/span>loc_db)
<\/span><\/span>    addr =<\/span> loc_db.<\/span>get_name_offset("fgt_verifier_pub_key"<\/span>)
<\/span><\/span>    asmcfg =<\/span> mdis.<\/span>dis_multiblock(addr)
<\/span><\/span>    
<\/span><\/span>    # 符号执行提取密钥<\/span>
<\/span><\/span>    lifter =<\/span> machine.<\/span>lifter_model_call(mdis.<\/span>loc_db)
<\/span><\/span>    ircfg =<\/span> lifter.<\/span>new_ircfg_from_asmcfg(asmcfg)
<\/span><\/span>    symb =<\/span> SymbolicExecutionEngine(lifter)
<\/span><\/span>    
<\/span><\/span>    all_seeds =<\/span> []
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        irblock =<\/span> ircfg.<\/span>get_block(addr)
<\/span><\/span>        if<\/span> irblock is<\/span> None<\/span>:
<\/span><\/span>            break<\/span>
<\/span><\/span>        
<\/span><\/span>        addr =<\/span> symb.<\/span>eval_updt_irblock(irblock, step=<\/span>False<\/span>)
<\/span><\/span>        if<\/span> ret_val_reg in<\/span> symb.<\/span>symbols.<\/span>symbols_id:
<\/span><\/span>            reg_expr =<\/span> symb.<\/span>symbols.<\/span>symbols_id[ret_val_reg]
<\/span><\/span>            if<\/span> reg_expr.<\/span>is_function_call():
<\/span><\/span>                target =<\/span> reg_expr.<\/span>args[0<\/span>]
<\/span><\/span>                target_func =<\/span> loc_db.<\/span>get_offset_location(target.<\/span>arg)
<\/span><\/span>                target_func =<\/span> list(loc_db.<\/span>get_location_names(target_func))[0<\/span>]
<\/span><\/span>                if<\/span> target_func ==<\/span> "sha256_update"<\/span>:
<\/span><\/span>                    all_seeds.<\/span>append(symb.<\/span>symbols.<\/span>symbols_id[arg_val_reg].<\/span>arg)
<\/span><\/span>    
<\/span><\/span>    seed_addr =<\/span> min(all_seeds)
<\/span><\/span>    seed_data =<\/span> cont.<\/span>executable.<\/span>get_virt().<\/span>get(seed_addr, seed_addr +<\/span> 32<\/span>)
<\/span><\/span>    return<\/span> binascii.<\/span>hexlify(seed_data).<\/span>upper()
<\/span><\/span><\/code><\/pre>8. 总结<\/h2>


固件解密流程<\/strong>：<\/p>

通过逆向分析找到固件自解密机制<\/li>
提取并解密RSA公钥<\/li>
绕过签名验证<\/li>
解密rootfs内容<\/li>
<\/ul>
<\/li>

关键技术点<\/strong>：<\/p>

FortiOS使用修改的Linux内核加载机制<\/li>
采用PKCS#1 v1.5格式的RSA签名验证<\/li>
使用ChaCha20算法加密关键数据<\/li>
通过SHA-256派生密钥和IV<\/li>
<\/ul>
<\/li>

应用场景<\/strong>：<\/p>

无硬件设备时的固件漏洞挖掘<\/li>
固件修改与重新打包<\/li>
安全研究与分析<\/li>
<\/ul>
<\/li>
<\/ol>
这种方法不仅适用于FortiGate固件，也可应用于其他采用类似自加密机制的IoT设备固件分析。<\/p>