还原IoT设备中魔改的Luac文件 - TP-Link Archer C7实例分析<\/h1>

1. 背景介绍<\/h2>
本文详细讲解如何还原IoT设备中经过修改的Lua字节码文件(Luac)，以TP-Link Archer C7路由器为例。该设备使用的Lua版本为5.1.4，但对其字节码格式进行了自定义修改，导致标准反编译工具无法直接使用。<\/p>

2. Lua字节码加载流程分析<\/h2>

2.1 标准Lua加载流程<\/h3>

标准Lua加载执行chunk的流程如下：<\/p>

lua_open<\/code> 打开Lua环境<\/li>
luaL_dofile<\/code> 宏实际调用 luaL_loadfile<\/code> 和 lua_pcall<\/code><\/li>
luaL_loadfile<\/code> 最终调用 f_parser<\/code><\/li>

f_parser<\/code> 判断文件类型并解析<\/li>
<\/ol>
#define luaL_dofile(L, fn) \
<\/span><\/span><\/span>    (luaL_loadfile(L, fn) || lua_pcall(L, 0, LUA_MULTRET, 0))
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(void<\/span>) {
<\/span><\/span>    lua_State *<\/span>L=<\/span>lua_open();
<\/span><\/span>    lua_register(L, "print"<\/span>,print);
<\/span><\/span>    if<\/span> (luaL_dofile(L, NULL)!=<\/span>0<\/span>)
<\/span><\/span>        fprintf(stderr, "%s<\/span>\n<\/span>"<\/span>,lua_tostring(L, -<\/span>1<\/span>));
<\/span><\/span>    lua_close(L);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 解析过程详解<\/h3>
f_parser<\/code> 函数的工作流程：<\/p>
static<\/span> void<\/span> f_parser<\/span> (lua_State *<\/span>L, void<\/span> *<\/span>ud) {
<\/span><\/span>    int<\/span> i;
<\/span><\/span>    Proto *<\/span>tf;
<\/span><\/span>    Closure *<\/span>cl;
<\/span><\/span>    struct<\/span> SParser *<\/span>p =<\/span> cast(struct<\/span> SParser *<\/span>, ud);
<\/span><\/span>    int<\/span> c =<\/span> luaZ_lookahead(p-><\/span>z);  \/\/ 预读第一个字符
<\/span><\/span><\/span><\/span>    luaC_checkGC(L);
<\/span><\/span>    tf =<\/span> ((c ==<\/span> LUA_SIGNATURE[0<\/span>]) ?<\/span> luaU_undump : luaY_parser)(L, p-><\/span>z, &<\/span>p-><\/span>buff, p-><\/span>name);
<\/span><\/span>    cl =<\/span> luaF_newLclosure(L, tf-><\/span>nups, hvalue(gt(L)));
<\/span><\/span>    cl-><\/span>l.p =<\/span> tf;
<\/span><\/span>    for<\/span> (i=<\/span>0<\/span>; i<<\/span>tf-><\/span>nups; i++<\/span>)  \/* initialize eventual upvalues *\/<\/span>
<\/span><\/span>        cl-><\/span>l.upvals[i] =<\/span> luaF_newupval(L);
<\/span><\/span>    setclvalue(L, L-><\/span>top, cl);
<\/span><\/span>    incr_top(L);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2.1 luaU_undump<\/code> 函数<\/h4>
负责解析字节码文件：<\/p>
Proto*<\/span> luaU_undump<\/span> (lua_State*<\/span> L, ZIO*<\/span> Z, Mbuffer*<\/span> buff, const<\/span> char<\/span>*<\/span> name) {
<\/span><\/span>    LoadState S;
<\/span><\/span>    if<\/span> (*<\/span>name==<\/span>'@'<\/span> ||<\/span> *<\/span>name==<\/span>'='<\/span>) S.name=<\/span>name+<\/span>1<\/span>;
<\/span><\/span>    else<\/span> if<\/span> (*<\/span>name==<\/span>LUA_SIGNATURE[0<\/span>]) S.name=<\/span>"binary string"<\/span>;
<\/span><\/span>    else<\/span> S.name=<\/span>name;
<\/span><\/span>    S.L=<\/span>L;
<\/span><\/span>    S.Z=<\/span>Z;
<\/span><\/span>    S.b=<\/span>buff;
<\/span><\/span>    LoadHeader(&<\/span>S);    \/\/ 文件头
<\/span><\/span><\/span><\/span>    return<\/span> LoadFunction(&<\/span>S,luaS_newliteral(L, "=?"<\/span>));  \/\/ 函数体
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2.2 文件头结构<\/h4>
标准Luac文件头格式：<\/p>
typedef<\/span> struct<\/span> {
<\/span><\/span>    char<\/span> signature[4<\/span>];    \/\/ #define LUA_SIGNATURE "\033Lua"
<\/span><\/span><\/span><\/span>    uchar version;        \/\/ 0x51,0x52,0x53
<\/span><\/span><\/span><\/span>    uchar format;
<\/span><\/span>    uchar endian;
<\/span><\/span>    uchar size_int;
<\/span><\/span>    uchar size_size_t;
<\/span><\/span>    uchar size_Instruction;
<\/span><\/span>    uchar size_lua_Number;
<\/span><\/span>    uchar lua_num_valid;
<\/span><\/span>    uchar luac_tail[0x6<\/span>];
<\/span><\/span>} GlobalHeader;
<\/span><\/span><\/code><\/pre>2.2.3 LoadFunction<\/code> 函数<\/h4>
加载函数原型：<\/p>
static<\/span> Proto*<\/span> LoadFunction<\/span> (LoadState*<\/span> S, TString*<\/span> p) {
<\/span><\/span>    Proto*<\/span> f;
<\/span><\/span>    if<\/span> (++<\/span>S-><\/span>L-><\/span>nCcalls ><\/span> LUAI_MAXCCALLS) error(S,"code too deep"<\/span>);
<\/span><\/span>    f=<\/span>luaF_newproto(S-><\/span>L);
<\/span><\/span>    setptvalue2s(S-><\/span>L,S-><\/span>L-><\/span>top,f);
<\/span><\/span>    incr_top(S-><\/span>L);
<\/span><\/span>    f-><\/span>source=<\/span>LoadString(S);
<\/span><\/span>    if<\/span> (f-><\/span>source==<\/span>NULL) f-><\/span>source=<\/span>p;
<\/span><\/span>    \/\/ protoheader
<\/span><\/span><\/span><\/span>    f-><\/span>linedefined=<\/span>LoadInt(S);
<\/span><\/span>    f-><\/span>lastlinedefined=<\/span>LoadInt(S);
<\/span><\/span>    f-><\/span>nups=<\/span>LoadByte(S);
<\/span><\/span>    f-><\/span>numparams=<\/span>LoadByte(S);
<\/span><\/span>    f-><\/span>is_vararg=<\/span>LoadByte(S);
<\/span><\/span>    f-><\/span>maxstacksize=<\/span>LoadByte(S);
<\/span><\/span>    LoadCode(S,f);       \/\/ code
<\/span><\/span><\/span><\/span>    LoadConstants(S,f);  \/\/ constants
<\/span><\/span><\/span><\/span>    LoadDebug(S,f);      \/\/ debug
<\/span><\/span><\/span><\/span>    IF(!<\/span>luaG_checkcode(f),"bad code"<\/span>);
<\/span><\/span>    S-><\/span>L-><\/span>top--<\/span>;
<\/span><\/span>    S-><\/span>L-><\/span>nCcalls--<\/span>;
<\/span><\/span>    return<\/span> f;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. TP-Link Lua修改点分析<\/h2>
3.1 Opcode重排<\/h3>
TP-Link修改了标准Lua的Opcode顺序：<\/p>
标准Opcode顺序<\/strong>:<\/p>
typedef<\/span> enum<\/span> {
<\/span><\/span>    OP_MOVE, OP_LOADK, OP_LOADBOOL, OP_LOADNIL,
<\/span><\/span>    OP_GETUPVAL, OP_GETGLOBAL, OP_GETTABLE,
<\/span><\/span>    OP_SETGLOBAL, OP_SETUPVAL, OP_SETTABLE,
<\/span><\/span>    OP_NEWTABLE, OP_SELF, OP_ADD, OP_SUB,
<\/span><\/span>    OP_MUL, OP_DIV, OP_MOD, OP_POW, OP_UNM,
<\/span><\/span>    OP_NOT, OP_LEN, OP_CONCAT, OP_JMP, OP_EQ,
<\/span><\/span>    OP_LT, OP_LE, OP_TEST, OP_TESTSET, OP_CALL,
<\/span><\/span>    OP_TAILCALL, OP_RETURN, OP_FORLOOP,
<\/span><\/span>    OP_FORPREP, OP_TFORLOOP, OP_SETLIST,
<\/span><\/span>    OP_CLOSE, OP_CLOSURE, OP_VARARG
<\/span><\/span>} OpCode;
<\/span><\/span><\/code><\/pre>TP-Link Opcode顺序<\/strong>:<\/p>
typedef<\/span> enum<\/span> {
<\/span><\/span>    OP_GETTABLE, OP_GETGLOBAL, OP_SETGLOBAL,
<\/span><\/span>    OP_SETUPVAL, OP_SETTABLE, OP_NEWTABLE,
<\/span><\/span>    OP_SELF, OP_LOADNIL, OP_LOADK, OP_LOADBOOL,
<\/span><\/span>    OP_GETUPVAL, OP_LT, OP_LE, OP_EQ, OP_DIV,
<\/span><\/span>    OP_MUL, OP_SUB, OP_ADD, OP_MOD, OP_POW,
<\/span><\/span>    OP_UNM, OP_NOT, OP_LEN, OP_CONCAT, OP_JMP,
<\/span><\/span>    OP_TEST, OP_TESTSET, OP_MOVE, OP_FORLOOP,
<\/span><\/span>    OP_FORPREP, OP_TFORLOOP, OP_SETLIST,
<\/span><\/span>    OP_CLOSE, OP_CLOSURE, OP_RETURN,
<\/span><\/span>    OP_TAILCALL, OP_VARARG
<\/span><\/span>} OpCode;
<\/span><\/span><\/code><\/pre>3.2 新增常量类型<\/h3>
TP-Link添加了新的常量类型 LUA_TINT<\/code> (值为9)，用于表示整型数据：<\/p>
case<\/span> 9<\/span>:<\/span>  \/\/ LUA_TINT
<\/span><\/span><\/span><\/span>    setnvalue(o, (lua_Number)LoadInt(S));
<\/span><\/span>    break<\/span>;
<\/span><\/span><\/code><\/pre>4. 还原实现方法<\/h2>
4.1 使用Python脚本转换<\/h3>
使用Construct库定义Luac文件结构，并编写适配器处理TP-Link的特殊修改。<\/p>
4.1.1 定义标准Luac结构<\/h4>
Luac =<\/span> Struct(
<\/span><\/span>    "global_head"<\/span> \/<\/span> GlobalHead,
<\/span><\/span>    "top_proto"<\/span> \/<\/span> Proto
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>GlobalHead =<\/span> Struct(
<\/span><\/span>    "signature"<\/span> \/<\/span> Const(b<\/span>"<\/span>\x1b<\/span>Lua"<\/span>),
<\/span><\/span>    "version"<\/span> \/<\/span> Version,
<\/span><\/span>    "format"<\/span> \/<\/span> Format,
<\/span><\/span>    "endian"<\/span> \/<\/span> Endian,
<\/span><\/span>    "size_int"<\/span> \/<\/span> Int8ul,
<\/span><\/span>    "size_size_t"<\/span> \/<\/span> Int8ul,
<\/span><\/span>    "size_instruction"<\/span> \/<\/span> Int8ul,
<\/span><\/span>    "size_lua_number"<\/span> \/<\/span> Int8ul,
<\/span><\/span>    "lua_num_valid"<\/span> \/<\/span> Byte,
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>4.1.2 Opcode转换适配器<\/h4>
OpCodeMap =<\/span> [
<\/span><\/span>    6<\/span>, 5<\/span>, 7<\/span>, 8<\/span>, 9<\/span>, 10<\/span>, 11<\/span>, 3<\/span>, 1<\/span>, 2<\/span>, 4<\/span>, 
<\/span><\/span>    24<\/span>, 25<\/span>, 23<\/span>, 15<\/span>, 14<\/span>, 13<\/span>, 12<\/span>, 16<\/span>, 17<\/span>, 18<\/span>, 
<\/span><\/span>    19<\/span>, 20<\/span>, 21<\/span>, 22<\/span>, 26<\/span>, 27<\/span>, 0<\/span>, 31<\/span>, 32<\/span>, 33<\/span>, 
<\/span><\/span>    34<\/span>, 35<\/span>, 36<\/span>, 28<\/span>, 30<\/span>, 29<\/span>, 37<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>class<\/span> InstructionAdapter<\/span>(Adapter):
<\/span><\/span>    def<\/span> _encode<\/span>(self, obj, context, path):
<\/span><\/span>        obj.<\/span>opcode =<\/span> OpCode.<\/span>parse(integer2bits(OpCodeMap.<\/span>index(int(obj.<\/span>opcode)), 6<\/span>))
<\/span><\/span>        return<\/span> obj
<\/span><\/span>    
<\/span><\/span>    def<\/span> _decode<\/span>(self, obj, context, path):
<\/span><\/span>        obj.<\/span>opcode =<\/span> OpCode.<\/span>parse(integer2bits(OpCodeMap[int(obj.<\/span>opcode)], 6<\/span>))
<\/span><\/span>        return<\/span> obj
<\/span><\/span><\/code><\/pre>4.1.3 常量类型适配器<\/h4>
class<\/span> ConstantAdapter<\/span>(Adapter):
<\/span><\/span>    def<\/span> _decode<\/span>(self, obj, context, path):
<\/span><\/span>        if<\/span> int(obj.<\/span>data_type) ==<\/span> 9<\/span>:
<\/span><\/span>            obj.<\/span>data_type =<\/span> LuaDatatype.<\/span>parse(b<\/span>'<\/span>\x03<\/span>'<\/span>)
<\/span><\/span>            obj.<\/span>data =<\/span> float(obj.<\/span>data)
<\/span><\/span>        return<\/span> obj
<\/span><\/span>    
<\/span><\/span>    def<\/span> _encode<\/span>(self, obj, context, path):
<\/span><\/span>        return<\/span> obj
<\/span><\/span><\/code><\/pre>4.2 转换流程<\/h3>

解析TP-Link Luac文件<\/li>
修改Opcode顺序为标准顺序<\/li>
转换特殊常量类型为标准类型<\/li>
生成标准Luac文件<\/li>
使用标准反编译工具(如unluac)处理<\/li>
<\/ol>
if<\/span> lua_type ==<\/span> TPLINK_LUA:
<\/span><\/span>    header =<\/span> lua_tplink.<\/span>GlobalHead.<\/span>parse(data)
<\/span><\/span>    lua_tplink.<\/span>lua_type_define(header)
<\/span><\/span>    h =<\/span> lua_tplink.<\/span>Luac.<\/span>parse(data)
<\/span><\/span>    
<\/span><\/span>    # 32bit系统设置<\/span>
<\/span><\/span>    lua_ori.<\/span>lua_type_set(4<\/span>, 4<\/span>, 8<\/span>, 4<\/span>)
<\/span><\/span>    h.<\/span>global_head =<\/span> lua_ori.<\/span>GlobalHead.<\/span>parse(
<\/span><\/span>        bytes([0x1B<\/span>, 0x4C<\/span>, 0x75<\/span>, 0x61<\/span>, 0x51<\/span>, 0x00<\/span>, 
<\/span><\/span>               0x01<\/span>, 0x04<\/span>, 0x04<\/span>, 0x04<\/span>, 0x08<\/span>, 0x00<\/span>]))
<\/span><\/span>    
<\/span><\/span>    d =<\/span> lua_ori.<\/span>Luac.<\/span>build(h)
<\/span><\/span>    with<\/span> open(outfile_path, 'wb'<\/span>) as<\/span> fp:
<\/span><\/span>        fp.<\/span>write(d)
<\/span><\/span><\/code><\/pre>5. 总结与建议<\/h2>
5.1 还原Luac的通用方法<\/h3>

分析目标设备的Lua版本<\/li>
逆向分析liblua.so中的加载逻辑<\/li>
对比标准Lua与目标设备的差异：

文件头魔改(magic number、格式字段)<\/li>
结构体字段顺序变化<\/li>
常量类型修改或新增<\/li>
Opcode顺序或定义变化<\/li>
<\/ul>
<\/li>
编写转换工具将魔改Luac转为标准格式<\/li>
使用标准反编译工具处理<\/li>
<\/ol>
5.2 针对TP-Link的特殊处理<\/h3>

Opcode顺序重映射<\/li>
处理新增的LUA_TINT常量类型<\/li>
确保文件头字段正确设置(32位小端架构)<\/li>
<\/ol>
5.3 后续处理建议<\/h3>

使用unluac或luadec反编译标准Luac<\/li>
对于复杂逻辑，可结合动态分析<\/li>
考虑使用大模型辅助代码还原和理解<\/li>
<\/ol>

还原IoT设备中魔改的Luac文件 - TP-Link Archer C7实例分析<\/h1>

1. 背景介绍<\/h2> 本文详细讲解如何还原IoT设备中经过修改的Lua字节码文件(Luac)，以TP-Link Archer C7路由器为例。该设备使用的Lua版本为5.1.4，但对其字节码格式进行了自定义修改，导致标准反编译工具无法直接使用。<\/p>

2. Lua字节码加载流程分析<\/h2>

3. TP-Link Lua修改点分析<\/h2>

4. 还原实现方法<\/h2>

4.1 使用Python脚本转换<\/h3> 使用Construct库定义Luac文件结构，并编写适配器处理TP-Link的特殊修改。<\/p>

5. 总结与建议<\/h2>

5.3 后续处理建议<\/h3> 使用unluac或luadec反编译标准Luac<\/li> 对于复杂逻辑，可结合动态分析<\/li> 考虑使用大模型辅助代码还原和理解<\/li> <\/ol>

1. 背景介绍<\/h2>
本文详细讲解如何还原IoT设备中经过修改的Lua字节码文件(Luac)，以TP-Link Archer C7路由器为例。该设备使用的Lua版本为5.1.4，但对其字节码格式进行了自定义修改，导致标准反编译工具无法直接使用。<\/p>

4.1 使用Python脚本转换<\/h3>
使用Construct库定义Luac文件结构，并编写适配器处理TP-Link的特殊修改。<\/p>

5.3 后续处理建议<\/h3>

使用unluac或luadec反编译标准Luac<\/li>
对于复杂逻辑，可结合动态分析<\/li>
考虑使用大模型辅助代码还原和理解<\/li> <\/ol>