参考https://www.freebuf.com/articles/endpoint/335030.html
测试固件 https://service.tp-link.com.cn/detail_download_7989.html
固件提取
binwalk解压固件,在第一部分即为要分析的二进制文件,可以拖进ida分析
设置为arm小端字节序,点set
随便选择加载地址
进来之后可以看到真正的加载地址
修复符号
VxWorks采用usrInit进行栈初始化,usrInit是VxWorks系统引导后运行的第一个函数。调用bzero函数对bss区的数据进行清零。
binwalk 解压得到所有内容,通过grep 搜索符号表
grep -nr "bzero" .
xxd得到对应的十六进制数
xxd -g 1 -u ./15CBBA >15CBBA.chr
确定符号表中符号的偏移,通过出现连续字符串的开始,即0x001a728
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yNAqux7c-1691033042845)(https://secure2.wostatic.cn/static/nwoxbBWYMvVEe5bDYJ13iG/image.png?auth_key=1691033035-jSmBWdaxkSDidDnxYhjrqb-0-ae27733d97336f8f2c6794e7ad3842ce)]
在该文件的开头记录着符号表的偏移,54对应flag,0x40373684对应AES_CMAC的偏移
使用idapython脚本恢复符号表
- 重定位加载地址
- 读取符号表文件,定位到对应偏移分别得到地址和符号名
- 创建函数并设置函数名
from idaapi import *
import idc
def has_symbol(address):symbol_name = idc.get_name(address)return bool(symbol_name)def read_symbol_table(filename, symbol_address_offset,symbol_offset):with open(filename, "rb") as f:f.seek(symbol_address_offset)content=f.read()with open(filename, "rb") as f:f.seek(symbol_offset)content_symbol=f.read()symbol_address=[] for item in range(0,len(content),8):if item>=symbol_offset:breaksymbol_data = content[item:item+4] # Assuming 32-bit address, change the size as neededsymbol_address.append(int.from_bytes(symbol_data, byteorder="big"))symbol_list=content_symbol.split(b"\x00")print("found address,symbol len",len(symbol_address),len(symbol_list))for a,s in zip(symbol_address,symbol_list):yield (a,s)def create_symbol(symbol_address, symbol_name):add_func(symbol_address)idc.set_name(symbol_address, symbol_name.decode(), SN_NOCHECK)
def init(ida_load_addr):rebase_program(ida_load_addr,8) # 测试时ida会根据前一次的地址加上这个偏移得到基地址,刚开始设置为0,只执行一次即可def main():filename = "/Users/guosiyu/Desktop/aiwencode/loudong_liyong/tplink/_wdr7660gv1-cn-up_2019-08-30_10.37.02.bin.extracted/15CBBA"current_base=get_imagebase()ida_load_addr=0x40205000-current_basesymbol_address_offset = 0xc # Offset where the symbol address is located in the filesymbol_offset = 0x001a728 # Offset of the symbol in the fileinit(ida_load_addr)auto_wait()for addr,symbol in read_symbol_table(filename, symbol_address_offset,symbol_offset):print("found address,symbol:",hex(addr),symbol)if(has_symbol(addr)):continuecreate_symbol(addr, symbol)# symbol_address = base_address + symbol_address_offset# symbol_name = "your_symbol_name" # Replace this with the desired symbol name# print(f"Created symbol: {symbol_name} at address: 0x{symbol_address:08X}")if __name__ == "__main__":main()
补充
工具 https://github.com/PAGalaxyLab/vxhunter好像也可以,未测试
)
)
和异构多核架构(AMP))
后端(maven)项目)
