Yuu

概述

很久很久以前(大约20年7月)写的一个奇奇怪怪的算法,当时的目的是为了从一堆动漫图片中获取其线稿用于描画练习
但是当时还没有现如今流行的各种大模型,根本做不到快速的本地抽出,所以就去尝试了解了一下一些简单的图像处理库
(当时还在用7300HQ老U,做不到基于纯图形或者推测的处理),后来就想了个办法,用色容差和反色+灰度来解决这个问题,出来的效果也暂且不算难看,用于描画练习则是绰绰有余了。
最近翻出来了当时的V1和V2版本代码,仔细阅读后发现写的属实非常烂,就直接尝试对其进行了直接的整体重构
以下为代码,编译时请携带好STB的头,用clang -Os -o OSE3 OSE3.C -lm来执行编译

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"
#define STB_IMAGE_WRITE_IMPLEMENTATION
#include "stb_image_write.h"

#define GRAYSCALE_RED_WEIGHT 0.3
#define GRAYSCALE_GREEN_WEIGHT 0.59
#define GRAYSCALE_BLUE_WEIGHT 0.11

void imgProcessGray(uint8_t *s, int sx, int sy, int stride, uint8_t *p, int gstride)
{
    for (int y=0; y<sy; y++) {
        for (int x=0; x<sx; x++) {
            p[x] = GRAYSCALE_RED_WEIGHT * s[x*3+0] + GRAYSCALE_GREEN_WEIGHT * s[x*3+1] + GRAYSCALE_BLUE_WEIGHT *s[x*3+2];
        }
        s += stride*3;
        p += gstride;
    }
}

void imgProcessDilate(uint8_t *s, int w, int h, int k, uint8_t *p)
{
    for (int y=1; y<h-1; y++) {
        for (int x=1; x<w-1; x++) {
            uint8_t uc = s[ (y+0)*w + (x+0) ];
            uint8_t ua = s[ (y-1)*w + (x+0) ];
            uint8_t ub = s[ (y+1)*w + (x+0) ];
            uint8_t ul = s[ (y+0)*w + (x-1) ];
            uint8_t ur = s[ (y+0)*w + (x+1) ];
            uint8_t ux = 0;
            if (uc > ux) ux = uc;
            if (ua > ux) ux = ua;
            if (ub > ux) ux = ub;
            if (ul > ux) ux = ul;
            if (ur > ux) ux = ur;
            p[ y*w + x ] = ux;
        }
    }
}

void imgProcessAbsdiff(uint8_t *s, uint8_t *s2, int w, int h, uint8_t *p)
{
    for (int n=0; n<w*h; n++) {
        *p++ = abs(*s++ - *s2++);
    }
}

void imgProcessReverse(uint8_t *s, int w, int h, uint8_t *p)
{
    for (int n=0; n<w*h; n++) {
        *p++ = 255 - *s++;
    }
}

int main(int argc, char* argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Otaku Strokes Extractor v3\n");
        fprintf(stderr, "Usage: %s <image_path>\n", argv[0]);
        return 1;
    }

    char *name = argv[1];

    int w, h, bpp;
    uint8_t *pixels = stbi_load(name, &w, &h, &bpp, 3);
    if (!pixels) {
        fprintf(stderr, "Failed to load image: %s\n", name);
        return 1;
    }

    uint8_t *gray = (uint8_t*) malloc(w*h*4);
    if (!gray) {
        fprintf(stderr, "Failed to allocate memory for image processing.\n");
        stbi_image_free(pixels);
        return 1;
    }

    uint8_t *dilated = gray + w*h;
    uint8_t *diff = dilated + w*h;
    uint8_t *contour = diff + w*h;

    printf("Processing %s...\n", name);
    imgProcessGray(pixels, w, h, w, gray, w);
    imgProcessDilate(gray, w, h, 5, dilated);
    imgProcessAbsdiff(gray, dilated, w, h, diff);
    imgProcessReverse(diff, w, h, contour);
    stbi_write_jpg("result.jpg", w, h, 1, contour, 0);
    printf("Done for %s !\n", name);

    free(gray);
    stbi_image_free(pixels);

    return 0;
}

Windows体验版(使用MSYS2的gcc 11.3.0链静态构建)
OSE3_x64.exe

效果

原图
OSE3_Original
线稿
OSE3_Result
©版权所有者:クール教信者·双葉社/ドラゴン生活向上委員会


利用OpenCV的色容差检测功能,做到了马来西亚国旗——辉煌条纹(Jalur Gemilang)的检测
当前功能仅有检测到Jalur Gemilang时,冻结那一帧,之后可能会再添加一些2333的功能。
由于该程序目标为马来西亚人,所以提示语也采用了马来文🤣

实验效果

OPENCV_PJG

# pjg.py V3
import cv2
import numpy as np

lower_red1 = np.array([0, 100, 100])
upper_red1 = np.array([10, 255, 255])

lower_red2 = np.array([160, 100, 100])
upper_red2 = np.array([180, 255, 255])

lower_white = np.array([0, 0, 200])
upper_white = np.array([180, 30, 255])

lower_yellow = np.array([20, 100, 100])
upper_yellow = np.array([30, 255, 255])

lower_blue = np.array([100, 100, 100])
upper_blue = np.array([130, 255, 255])


def dF(frame):
    hsv = cv2.cvtColor(frame, cv2.COLOR_BGR2HSV)
    mask_red = cv2.inRange(hsv, lower_red1, upper_red1)
    mask_red2 = cv2.inRange(hsv, lower_red2, upper_red2)
    mask_white = cv2.inRange(hsv, lower_white, upper_white)
    mask_blue = cv2.inRange(hsv, lower_blue, upper_blue)
    mask_yellow = cv2.inRange(hsv, lower_yellow, upper_yellow)
    mask = cv2.bitwise_or(mask_red, mask_red2, mask_white)
    mask = cv2.bitwise_or(mask, mask_blue)
    mask = cv2.bitwise_or(mask, mask_yellow)
    if cv2.countNonZero(mask_red) > 100 and cv2.countNonZero(mask_white) > 100 and cv2.countNonZero(mask_blue) > 100 and cv2.countNonZero(mask_yellow) > 100:
        return True


cap = cv2.VideoCapture(0)
print("Pengesan Jalur Gemilang\nVersi Aplikasi: V3\nMasukkan 'q' untuk keluar\n")
while True:
    ret, frame = cap.read()
    if dF(frame):
        print('Unsur Jalur Gemilang dikesankan!!!')
        cv2.waitKey(0)

    cv2.imshow('Pengesan Jalur Gemilang', frame)

    if cv2.waitKey(1) & 0xFF == ord('q'):
        break

    if cv2.getWindowProperty('Pengesan Jalur Gemilang', cv2.WND_PROP_VISIBLE) < 1:
        cap.release()
        cv2.destroyAllWindows()
        break

很久以前接触到日系手机内核里面各式各样的LSM的时候,就对LSM背后到底是什么,产生了一些奇怪的兴趣。
最近有些得空,读了一些关于LSM,钩子,内核相关的东西,再搭上以前对FJSEC这些OEM LSM的逆向的经验。
尝试胡乱弄个LSM出来看看?也许有用也也许没用,又成为了一个慢慢挖坑再填坑的作品。
为啥叫NGLSM?NG是我很早用的一个网名,全称是Nango,不懂当初为什么会想到这个名字,但是既然想到了,那么就这样叫吧。

// 2023.06.08-00.00.01/FIRST RELEASE
// 2023.06.11-00.01.01/ADD PROTECT OF SETSOCKOPT/GETSOCKOPT
#include <linux/lsm_hooks.h>
#include <linux/path.h>
#include <linux/cred.h>
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/mount.h>
#include <linux/bprm.h>
#include <linux/socket.h>
#include <asm/uaccess.h>
#include <linux/seq_file.h>

#define STATUS_FILE "/tmp/lsm_status"
#define STATUS_PERMISSIVE "PER"
#define STATUS_ENFORCING "ENF"
#define STATUS_ENFORCING_MMAP "ENF2"
#define STATUS_MAX 100

static int nglsm_status(void)
{
    struct file *f;
    char buf[STATUS_MAX];
    mm_segment_t fs;
    int status = -1; // unknown

    f = filp_open(STATUS_FILE, O_RDONLY, 0);
    if (IS_ERR(f))
    {
        return status;
    }

    fs = get_fs();
    set_fs(get_ds());
    f->f_op->read(f, buf, STATUS_MAX, &f->f_pos);
    set_fs(fs);

    if (strncmp(buf, STATUS_PERMISSIVE, strlen(STATUS_PERMISSIVE)) == 0)
    {
        status = 0; // permissive
    }
    else if (strncmp(buf, STATUS_ENFORCING, strlen(STATUS_ENFORCING)) == 0)
    {
        status = 1; // enforcing
    }
    else if (strncmp(buf, STATUS_ENFORCING_MMAP, strlen(STATUS_ENFORCING_MMAP)) == 0)
    {
        status = 2; // enforcing mmap
    }

    filp_close(f, NULL);
    return status;
}

static int nglsm_sb_mount(const char *dev_name, struct path *path,
                          const char *type, unsigned long flags, void *data)
{
    int status = nglsm_status();
    if (status == 0)
    {
        return 0;
    }

    printk(KERN_ERR "[NGLSM]Mount was not allowed\n");
    return -EPERM;
}

static int nglsm_sb_umount(struct vfsmount *mnt, int flags)
{
    int status = nglsm_status();
    if (status == 0)
    {
        return 0;
    }

    printk(KERN_ERR "[NGLSM]UMount was not allowed\n");
    return -EPERM;
}

static int nglsm_sb_pivotroot(struct path *old_path, struct path *new_path)
{
    int status = nglsm_status();
    if (status == 0)
    {
        return 0;
    }

    printk(KERN_ERR "[NGLSM]PivotRoot was not allowed\n");
    return -EPERM;
}

static int nglsm_socket_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
{
    int status = nglsm_status();
    if (status == 0)
    {
        return 0;
    }

    printk(KERN_ERR "[NGLSM]GetSockOpt was not allowed\n");
    return -EPERM;
}

static int nglsm_socket_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
{
    int status = nglsm_status();
    if (status == 0)
    {
        return 0;
    }

    printk(KERN_ERR "[NGLSM]SetSockOpt was not allowed\n");
    return -EPERM;
}

static struct security_hook_list nglsm_hooks[] __lsm_ro_after_init = {
    LSM_HOOK_INIT(sb_mount, nglsm_sb_mount),
    LSM_HOOK_INIT(sb_umount, nglsm_sb_umount),
    LSM_HOOK_INIT(sb_pivotroot, nglsm_sb_pivotroot),
    LSM_HOOK_INIT(socket_getsockopt, nglsm_socket_getsockopt),
    LSM_HOOK_INIT(socket_setsockopt, nglsm_socket_setsockopt),
};

static int lsm_status_proc_show(struct seq_file *m, void *v)
{
    int status = nglsm_status();
    switch (status)
    {
    case 0:
        seq_printf(m, "Permissive\n");
        break;
    case 1:
        seq_printf(m, "Enforcing\n");
        break;
    case 2:
        seq_printf(m, "Enforcing Stage 2\n");
        break;
    default:
        seq_printf(m, "Unknown\n");
    }
    return 0;
}

static int lsm_status_proc_open(struct inode *inode, struct file *file)
{
    return single_open(file, lsm_status_proc_show, NULL);
}

static const struct file_operations lsm_status_proc_fops = {
    .owner = THIS_MODULE,
    .open = lsm_status_proc_open,
    .read = seq_read,
    .llseek = seq_lseek,
    .release = single_release,
};

static __init int nglsm_init(void)
{
    security_add_hooks(nglsm_hooks, ARRAY_SIZE(nglsm_hooks), "nglsm");
    proc_create("lsm_status", 0, NULL, &lsm_status_proc_fops);
    printk(KERN_INFO "[NGLSM]LOADED\n");
    return 0;
}

security_initcall(nglsm_init);

AWA.SH

此脚本可在Alpine Linux下快速部署网页应用所需的服务器及服务

功能

  • 可选择使用的语言,包括PHP, Python, Node.js
  • 可选择网页服务器,包括Nginx, Apache, Lighttpd
  • 可选择数据库引擎,包括MariaDB, SQLite
  • 可从软件源内自动寻找最新的PHP版本并执行安装

使用

wget --no-check-certificate https://obj.yuu.ink/script/awa.sh && chmod +x awa.sh && ./awa.sh

更新

R2(2023.07.14)
修复一个严重错误
R1(2023.06.02)
初版


最近把很早以前购买的三星平板拿出来继续使用,其SoC是三星半导体自制的Exynos 9611,由于我买的是WIFI+LTE版本,其存在基带。很久以前用搭载Exynos4210的三星S2的时候,就对三星的奇怪的香农基带感到好奇。
历经快十年的对于逆向的爱好,最近再阅读了一些大牛写的代码和他们提供的Loader,成功的对目前最新的Exynos Shannon基带固件做到了解包,解压后可直接使用ShannonRE项目之中的Loader和静态分析工具进行分析。
当然如果你只是对三星的调试模式比较好奇的话,在我的解压工具中,其将自动从main区块中搜索AT指令,可通过终端模拟器连接到Samsung DM端口发送AT指令进行调试。

# siu.py v2
import struct
import re
import argparse
from contextlib import closing

class TOC:
    def __init__(self, fstream, fpos=None):
        try:
            if fpos is not None:
                fstream.seek(fpos)
            self.buf = fstream.read(32)
        except Exception as e:
            print(f"[!]ERROR Reading TOC Header: {e}")
            self.buf = bytearray(32)

    def unpack(self):
        try:
            self.name = self.buf[:12].rstrip(b"\x00").decode("utf-8")
            self.start = struct.unpack("i", self.buf[12:16])[0]
            self.size = struct.unpack("i", self.buf[20:24])[0]
            self.secdata = struct.unpack("i", self.buf[24:28])[0]
            self.queue = struct.unpack("i", self.buf[28:32])[0]
        except struct.error as e:
            print(f"[!]ERROR Unpacking TOC: {e}")
            raise

    def print_info(self):
        print(f"Block Name: {self.name}")
        print(f"Start Offset: 0x{self.start:08x}")
        print(f"Size: 0x{self.size:08x}")
        print(f"Sec Data: 0x{self.secdata:08x}")
        print(f"Queue: {self.queue}")


class IMG:
    def __init__(self, fstream, header):
        fstream.seek(header.start)
        self.buf = fstream.read(header.size)

    def unpack(self):
        pass

    def write(self, dst):
        with open(f"{dst}.bin", "wb") as f:
            f.write(self.buf)


class BOOT(IMG):
    def unpack(self):
        print('Done')


def unpack_toc(file_stream, name):
    header = TOC(file_stream)
    header.unpack()
    header.print_info()
    if header.name != name:
        raise ValueError(f"Unexpected TOC name. Expected {name}, got {header.name}")
    return header


def unpack_img(file_stream, header, img_type):
    img = img_type(file_stream, header)
    img.unpack()
    return img


def find_in_img(img, pattern, filename):
    strings = re.findall(rb'%s[^\x00]*' % pattern.encode(), img.buf)
    with open(f'{filename}.TXT', 'wb') as f:
        for s in strings:
            f.write(s + b'\n')
    print(f"Found {len(strings)} strings")
    return strings


def main():
    parser = argparse.ArgumentParser(description="SHANNON Image Unpacker v1.2 by Yuu/Idea from ShannonRE by grant-h")
    parser.add_argument('file', help='Path to the binary file')
    parser.add_argument('--at', action='store_true', help='Find AT strings')
    parser.add_argument('--ver', help='Find version strings for a given model')

    args = parser.parse_args()

    with closing(open(args.file, "rb")) as file_stream:
        toc_header = unpack_toc(file_stream, "TOC")
        boot_header = unpack_toc(file_stream, "BOOT")
        main_header = unpack_toc(file_stream, "MAIN")
        vss_header = unpack_toc(file_stream, "VSS")
        nv_header = unpack_toc(file_stream, "NV")
        offset_header = unpack_toc(file_stream, "OFFSET")

        boot_img = unpack_img(file_stream, boot_header, BOOT)
        boot_img.write("boot")

        main_img = unpack_img(file_stream, main_header, IMG)
        main_img.write("main")

        vss_img = unpack_img(file_stream, vss_header, IMG)
        vss_img.write("vss")

        nv_img = unpack_img(file_stream, nv_header, IMG)
        nv_img.write("nv")

        if args.at:
            find_in_img(main_img, 'AT+', 'AT')
        if args.ver:
            ver_strings = find_in_img(main_img, args.ver, 'VER')
            if ver_strings:
                print(f"Possible Version: {ver_strings[0].decode()}")


if __name__ == "__main__":
    main()