本猫以前写asm和C的时候常常不忘“逆向”一把,后来写驱动的时候也用VM之类的搭建“双机”调试环境进行调试;也对于一些小的软件crack cd-key神马的不亦乐乎。自从使用鸟所谓的高级动态语言ruby之后,这种黑逆的心态貌似逐渐减弱了...不过逮到机会还是难免心痒痒啊。
ruby+linux的开源方式早已不要向bin码一样还要dis asm,不过有时候想要搞清楚一些功能还是要用点小技巧的,下面就解决一个小的问题给大家展示下这些东东吧
ntp是一个时钟同步协议用在服务器和路由器上,ruby也有很多相关的gem,比如net-ntp,在gem install net-ntp之后可以使用如下代码获取ntp服务器的标准时间:
#!/usr/bin/ruby require 'net/ntp' def get_ntp_time(srv_addr) puts Net::NTP.get(srv_addr).time end get_ntp_time(ARGV[0])
运行结果如下:
[email protected]:~/src/ruby_src$ ./dzh.rb pool.ntp.org 2014-12-04 14:06:20 +0800 [email protected]:~/src/ruby_src$ ./dzh.rb time.nist.gov 2014-12-04 14:07:00 +0800
我简单分析了下ntp协议,发现如果自己实现可以用tcp或是udp的方式向ntp服务器端口123(ntp服务端口)发送一些报文,然后接收返回即可。我开始以为报文是任意的,因为以前记得用telnet ip 123也返回了时间字符串(现在觉得可能是记错了啊!
)于是有了我的第一次尝试:
#!/usr/bin/ruby
require 'net/ntp'
def get_ntp_time_udp(srv_addr,msg)
s = UDPSocket.new
s.connect srv_addr,123
s.send msg,0
response,address = s.recvfrom 1024
puts [response,address]
s.close
end
def get_ntp_time(srv_addr)
puts Net::NTP.get(srv_addr).time
end
if ARGV.count == 1
get_ntp_time(ARGV[0])
else
get_ntp_time_udp(ARGV[0],ARGV[1])
end
运行要带2个参数,第二个参数是要发送的报文:./ut.rb time.nist.gov hi , 但是运行后长时间挂起,貌似ntp服务器没有返回啊!分析了一下,ntp报文可能不是随便发的,要有一定格式,但到底是啥格式呢?百度了一下,格式比较复杂,转换成代码较麻烦啊!不如看一下net-ntp的实现代码不是更好吗?虽然是net-ntp是开源的,但是源文件在哪呢?怎么找呢?不如先用ruby的调试模式debug一下呗,ruby在运行时加上 -r debug(或是-rdebug)可以实现调试的功能,然后用n指令实现单步,用s指令实现单步步入跟踪:
[email protected]:~/src/ruby_src$ ruby -rdebug ut.rb time.nist.gov Debug.rb Emacs support available. /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:57: RUBYGEMS_ACTIVATION_MONITOR.enter (rdb:1) n /usr/lib/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:143: RUBYGEMS_ACTIVATION_MONITOR.exit (rdb:1) n dzh.rb:2:require 'net/ntp' (rdb:1) n dzh.rb:4:def get_ntp_time_udp(srv_addr,msg) (rdb:1) n dzh.rb:14:def get_ntp_time(srv_addr) (rdb:1) n dzh.rb:18:if ARGV.count == 1 (rdb:1) n dzh.rb:19: get_ntp_time(ARGV[0]) (rdb:1) s dzh.rb:15: puts Net::NTP.get(srv_addr).time (rdb:1) s /var/lib/gems/2.1.0/gems/net-ntp-2.1.2/lib/net/ntp/ntp.rb:67: sock = UDPSocket.new
这样起码可以看到Net::NTP.get的源代码在哪了。打开ntp.rb,并不复杂,一共200多行代码。其中注释很多都是#:nodoc:,是不是这样实现作者也没有找到依据文档呢?ntp.rb全部源代码如下:
require 'socket'
require 'timeout'
module Net #:nodoc:
module NTP
TIMEOUT = 60 #:nodoc:
NTP_ADJ = 2208988800 #:nodoc:
NTP_FIELDS = [ :byte1, :stratum, :poll, :precision, :delay, :delay_fb,
:disp, :disp_fb, :ident, :ref_time, :ref_time_fb, :org_time,
:org_time_fb, :recv_time, :recv_time_fb, :trans_time,
:trans_time_fb ]
MODE = {
0 => 'reserved',
1 => 'symmetric active',
2 => 'symmetric passive',
3 => 'client',
4 => 'server',
5 => 'broadcast',
6 => 'reserved for NTP control message',
7 => 'reserved for private use'
}
STRATUM = {
0 => 'unspecified or unavailable',
1 => 'primary reference (e.g., radio clock)'
}
2.upto(15) do |i|
STRATUM[i] = 'secondary reference (via NTP or SNTP)'
end
16.upto(255) do |i|
STRATUM[i] = 'reserved'
end
REFERENCE_CLOCK_IDENTIFIER = {
'LOCL' => 'uncalibrated local clock used as a primary reference for a subnet without external means of synchronization',
'PPS' => 'atomic clock or other pulse-per-second source individually calibrated to national standards',
'ACTS' => 'NIST dialup modem service',
'USNO' => 'USNO modem service',
'PTB' => 'PTB (Germany) modem service',
'TDF' => 'Allouis (France) Radio 164 kHz',
'DCF' => 'Mainflingen (Germany) Radio 77.5 kHz',
'MSF' => 'Rugby (UK) Radio 60 kHz',
'WWV' => 'Ft. Collins (US) Radio 2.5, 5, 10, 15, 20 MHz',
'WWVB' => 'Boulder (US) Radio 60 kHz',
'WWVH' => 'Kaui Hawaii (US) Radio 2.5, 5, 10, 15 MHz',
'CHU' => 'Ottawa (Canada) Radio 3330, 7335, 14670 kHz',
'LORC' => 'LORAN-C radionavigation system',
'OMEG' => 'OMEGA radionavigation system',
'GPS' => 'Global Positioning Service',
'GOES' => 'Geostationary Orbit Environment Satellite'
}
LEAP_INDICATOR = {
0 => 'no warning',
1 => 'last minute has 61 seconds',
2 => 'last minute has 59 seconds)',
3 => 'alarm condition (clock not synchronized)'
}
###
# Sends an NTP datagram to the specified NTP server and returns
# a hash based upon RFC1305 and RFC2030.
def self.get(host="pool.ntp.org", port="ntp", timeout=TIMEOUT)
sock = UDPSocket.new
sock.connect(host, port)
client_localtime = Time.now.to_f
client_adj_localtime = client_localtime + NTP_ADJ
client_frac_localtime = frac2bin(client_adj_localtime)
ntp_msg = (['00011011']+Array.new(12, 0)+[client_localtime, client_frac_localtime.to_s]).pack("B8 C3 N10 B32")
sock.print ntp_msg
sock.flush
read, write, error = IO.select [sock], nil, nil, timeout
if read[0]
client_time_receive = Time.now.to_f
data, _ = sock.recvfrom(960)
Response.new(data, client_time_receive)
else
# For backwards compatibility we throw a Timeout error, even
# though the timeout is being controlled by select()
raise Timeout::Error
end
end
def self.frac2bin(frac) #:nodoc:
bin = ''
while bin.length < 32
bin += ( frac * 2 ).to_i.to_s
frac = ( frac * 2 ) - ( frac * 2 ).to_i
end
bin
end
private_class_method :frac2bin
class Response
attr_reader :client_time_receive
def initialize(raw_data, client_time_receive)
@raw_data = raw_data
@client_time_receive = client_time_receive
@packet_data_by_field = nil
end
def leap_indicator
@leap_indicator ||= (packet_data_by_field[:byte1].bytes.first & 0xC0) >> 6
end
def leap_indicator_text
@leap_indicator_text ||= LEAP_INDICATOR[leap_indicator]
end
def version_number
@version_number ||= (packet_data_by_field[:byte1].bytes.first & 0x38) >> 3
end
def mode
@mode ||= (packet_data_by_field[:byte1].bytes.first & 0x07)
end
def mode_text
@mode_text ||= MODE[mode]
end
def stratum
@stratum ||= packet_data_by_field[:stratum]
end
def stratum_text
@stratum_text ||= STRATUM[stratum]
end
def poll_interval
@poll_interval ||= packet_data_by_field[:poll]
end
def precision
@precision ||= packet_data_by_field[:precision] - 255
end
def root_delay
@root_delay ||= bin2frac(packet_data_by_field[:delay_fb])
end
def root_dispersion
@root_dispersion ||= packet_data_by_field[:disp]
end
def reference_clock_identifier
@reference_clock_identifier ||= unpack_ip(packet_data_by_field[:stratum], packet_data_by_field[:ident])
end
def reference_clock_identifier_text
@reference_clock_identifier_text ||= REFERENCE_CLOCK_IDENTIFIER[reference_clock_identifier]
end
def reference_timestamp
@reference_timestamp ||= ((packet_data_by_field[:ref_time] + bin2frac(packet_data_by_field[:ref_time_fb])) - NTP_ADJ)
end
def originate_timestamp
@originate_timestamp ||= (packet_data_by_field[:org_time] + bin2frac(packet_data_by_field[:org_time_fb]))
end
def receive_timestamp
@receive_timestamp ||= ((packet_data_by_field[:recv_time] + bin2frac(packet_data_by_field[:recv_time_fb])) - NTP_ADJ)
end
def transmit_timestamp
@transmit_timestamp ||= ((packet_data_by_field[:trans_time] + bin2frac(packet_data_by_field[:trans_time_fb])) - NTP_ADJ)
end
def time
@time ||= Time.at(receive_timestamp)
end
# As described in http://tools.ietf.org/html/rfc958
def offset
@offset ||= (receive_timestamp - originate_timestamp + transmit_timestamp - client_time_receive) / 2.0
end
protected
def packet_data_by_field #:nodoc:
if [email protected]_data_by_field
@packetdata = @raw_data.unpack("a C3 n B16 n B16 H8 N B32 N B32 N B32 N B32")
@packet_data_by_field = {}
NTP_FIELDS.each do |field|
@packet_data_by_field[field] = @packetdata.shift
end
end
@packet_data_by_field
end
def bin2frac(bin) #:nodoc:
frac = 0
bin.reverse.split("").each do |b|
frac = ( frac + b.to_i ) / 2.0
end
frac
end
def unpack_ip(stratum, tmp_ip) #:nodoc:
if stratum < 2
[tmp_ip].pack("H8").unpack("A4").bytes.first
else
ipbytes = [tmp_ip].pack("H8").unpack("C4")
sprintf("%d.%d.%d.%d", ipbytes[0], ipbytes[1], ipbytes[2], ipbytes[3])
end
end
end
end
end
可以看到net-ntp的get方法使用的是TCP的方式,而且其实现的报文格式正常也是怎么也猜不到哦(
),其中写了若干方法实现net字节顺序到本机字节顺序的相互转换。为了简单我们把它改写为UDP的方式吧,我们也不要啥类了,直接写全局方法吧,改写后的方法如下:
#!/usr/bin/ruby
require 'net/ntp'
MY_NTP_ADJ = 2208988800 #:nodoc:
MY_NTP_FIELDS = [ :byte1, :stratum, :poll, :precision, :delay, :delay_fb,
:disp, :disp_fb, :ident, :ref_time, :ref_time_fb, :org_time,
:org_time_fb, :recv_time, :recv_time_fb, :trans_time,
:trans_time_fb ]
def bin2frac(bin) #:nodoc:
frac = 0
bin.reverse.split("").each {|b|frac = ( frac + b.to_i ) / 2.0}
frac
end
def frac2bin(frac) #:nodoc:
bin = ''
while bin.length < 32
bin += ( frac * 2 ).to_i.to_s
frac = ( frac * 2 ) - ( frac * 2 ).to_i
end
bin
end
def packet_data_by_field(raw_data) #:nodoc:
packetdata = raw_data.unpack("a C3 n B16 n B16 H8 N B32 N B32 N B32 N B32")
packet_data_by_field = {}
MY_NTP_FIELDS.each do |field|
packet_data_by_field[field] = packetdata.shift
end
puts "bin:"+"@"*50
puts packet_data_by_field
puts "@"*54
packet_data_by_field
end
def receive_timestamp(raw_data)
(packet_data_by_field(raw_data)[:recv_time] + bin2frac(packet_data_by_field(raw_data)[:recv_time_fb])) - MY_NTP_ADJ
end
def get_ntp_time_udp(srv_addr)
s = UDPSocket.new
s.connect srv_addr,123
client_localtime = Time.now.to_f
client_adj_localtime = client_localtime + Net::NTP::NTP_ADJ
client_frac_localtime = frac2bin(client_adj_localtime)
bin = (['00011011']+Array.new(12, 0)+[client_localtime, client_frac_localtime.to_s]).pack("B8 C3 N10 B32")
s.send bin,0
response,address = s.recvfrom(1024)
puts "ip:#{address}"
puts "bin:"+"*"*50
puts response
puts "*"*54
puts "GET TIME IS : #{Time.at(receive_timestamp(response))}"
end
def get_ntp_time(srv_addr)
puts Net::NTP.get(srv_addr).time
end
if ARGV.count == 1
get_ntp_time(ARGV[0])
else
get_ntp_time_udp(ARGV[0])
end
看一下运行结果吧:
[email protected]:~/src/ruby_src$ ./dzh.rb pool.ntp.org 1
ip:["AF_INET", 123, "202.112.29.82", "202.112.29.82"]
bin:**************************************************
!?
_?z??*????_ST???`? ?*?x0??=?*?x0??
******************************************************
bin:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
{:byte1=>"\x1C", :stratum=>2, :poll=>3, :precision=>233, :delay=>0, :delay_fb=>"0000110100100001", :disp=>0, :disp_fb=>"0000101000100000", :ident=>"5fde7ad2",
:ref_time=>3626664177, :ref_time_fb=>"11010000110111000101111101010011", :org_time=>1417675511, :org_time_fb=>"10111000011000001001101000100000",
:recv_time=>3626664312, :recv_time_fb=>"00110000100100001001110000111101", :trans_time=>3626664312, :trans_time_fb=>"00110000100110101101101011011
001"}
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
bin:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
{:byte1=>"\x1C", :stratum=>2, :poll=>3, :precision=>233, :delay=>0, :delay_fb=>"0000110100100001", :disp=>0, :disp_fb=>"0000101000100000", :ident=>"5fde7ad2",
:ref_time=>3626664177, :ref_time_fb=>"11010000110111000101111101010011", :org_time=>1417675511, :org_time_fb=>"10111000011000001001101000100000",
:recv_time=>3626664312, :recv_time_fb=>"00110000100100001001110000111101", :trans_time=>3626664312, :trans_time_fb=>"00110000100110101101101011011
001"}
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
GET TIME IS : 2014-12-04 14:45:12 +0800
开源自有开源的好处,否则为了分析这点功能,只有载入IDA pro之类的重型武器了。还有一种办法是用抓包器看net-ntp发送的数据格式,看后照搬!正如看了《星际穿越》后觉得懂得了点神马一样:任何问题都有解决办法,无论什么样的问题!而且解决办法肯定不止一种!
时间: 2024-10-10 13:30:54