Extracting files from a bin firmware

reverse-engineering binary-analysis embedded
2021-06-24 09:22:42

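I have a firmware image that is used to flash a BMW NBT navigation system, which I want to investigate. I ran binwalk on the file (dump below).

I want to extract the individual files, especially the ELF files and the LZMA-compressed files. Can this be done with objcopy and dd?

A small example would be great.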

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
114           0x72            XML document, version: "1.0"
8840          0x2288          ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
52909         0xCEAD          eCos RTOS string reference: "ECOScheme COP1 V1.6"
53692         0xD1BC          eCos RTOS string reference: "ECOScheme COP1 V1.6"
58157         0xE32D          ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
64383         0xFB7F          eCos RTOS string reference: "ECOScheme COP1 V1.6"
65035         0xFE0B          eCos RTOS string reference: "ECOScheme COP1 V1.6"
65611         0x1004B         eCos RTOS string reference: "ECOScheme COP1 V1.6"
66263         0x102D7         eCos RTOS string reference: "ECOScheme COP1 V1.6"
68264         0x10AA8         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)
105904        0x19DB0         LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
254206        0x3E0FE         ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)
1672272       0x198450        eCos RTOS string reference: "ECOScheme COP1 V1.6"
1865538       0x1C7742        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
1873098       0x1C94CA        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
1884709       0x1CC225        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
1884817       0x1CC291        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
1895380       0x1CEBD4        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
1976563       0x1E28F3        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
1994774       0x1E7016        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2067424       0x1F8BE0        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2109540       0x203064        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2190676       0x216D54        LZMA compressed data, properties: 0x5E, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
2191505       0x217091        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2322380       0x236FCC        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
2322488       0x237038        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2325714       0x237CD2        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2341002       0x23B88A        LZMA compressed data, properties: 0x64, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
2341757       0x23BB7D        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2416921       0x24E119        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2420792       0x24F038        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2497195       0x261AAB        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2668975       0x28B9AF        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2769589       0x2A42B5        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
2848565       0x2B7735        LZMA compressed data, properties: 0x5E, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
2849037       0x2B790D        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3035059       0x2E4FB3        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3064068       0x2EC104        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3109994       0x2F746A        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3138482       0x2FE3B2        LZMA compressed data, properties: 0x5E, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
3139318       0x2FE6F6        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3351394       0x332362        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3383710       0x33A19E        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3388738       0x33B542        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3488674       0x353BA2        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3537093       0x35F8C5        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
3537201       0x35F931        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3551343       0x36306F        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
3557569       0x3648C1        eCos RTOS string reference: "ECOScheme COP1 V1.6"
3558221       0x364B4D        eCos RTOS string reference: "ECOScheme COP1 V1.6"
3558797       0x364D8D        eCos RTOS string reference: "ECOScheme COP1 V1.6"
3559449       0x365019        eCos RTOS string reference: "ECOScheme COP1 V1.6"
3561455       0x3657EF        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
4111948       0x3EBE4C        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
4313272       0x41D0B8        eCos RTOS string reference: "ECOScheme"
4571691       0x45C22B        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
4571799       0x45C297        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
4574094       0x45CB8E        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
4653693       0x47027D        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
4671701       0x4748D5        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, missing uncompressed size
6264853       0x5F9815        LZMA compressed data, properties: 0x90, dictionary size: 16777216 bytes, uncompressed size: 9995975 bytes
6655733       0x658EF5        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
6656288       0x659120        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
6663431       0x65AD07        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
6985016       0x6A9538        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
6985572       0x6A9764        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
7350538       0x70290A        LZMA compressed data, properties: 0xD8, dictionary size: 16777216 bytes, uncompressed size: 203703495 bytes
7436659       0x717973        Copyright string: " 1995-2005 Jean-loup Gailly valid block type"
7441843       0x718DB3        Copyright string: " 1995-2005 Mark Adler "
7475248       0x721030        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 50331648 bytes
7475807       0x72125F        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
7489707       0x7248AB        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
7490222       0x724AAE        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
8328766       0x7F163E        LZMA compressed data, properties: 0xC7, dictionary size: 4194304 bytes, uncompressed size: 272680704 bytes
9051574       0x8A1DB6        Ubiquiti partition header, header size: 56 bytes, name: "ICLE", base address: 0x00000000, data size: 0 bytes
9298202       0x8DE11A        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
9298762       0x8DE34A        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
9307694       0x8E062E        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
9308222       0x8E083E        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
9335661       0x8E736D        Copyright string: " 1995-2005 Mark Adler "
9338719       0x8E7F5F        LZMA compressed data, properties: 0x5D, dictionary size: 262144 bytes, missing uncompressed size
9339847       0x8E83C7        LZMA compressed data, properties: 0x5D, dictionary size: 524288 bytes, missing uncompressed size
9339990       0x8E8456        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
9340503       0x8E8657        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
9921653       0x976475        eCos RTOS string reference: "ECOScheme Version. COP1 (Version 1.6 or greater) supported."
9924189       0x976E5D        eCos RTOS string reference: "ECOScheme Version. Version 1.6 or greater supported."
9974124       0x98316C        LZMA compressed data, properties: 0x64, dictionary size: 16777216 bytes, uncompressed size: 10835 bytes
10064980      0x999454        ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV)
10079707      0x99CDDB        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
10171624      0x9B34E8        eCos RTOS string reference: "eCost"
11268739      0xABF283        LZMA compressed data, properties: 0xC7, dictionary size: 4194304 bytes, uncompressed size: 272680704 bytes
11269511      0xABF587        LZMA compressed data, properties: 0xC7, dictionary size: 4194304 bytes, uncompressed size: 272680704 bytes
12395860      0xBD2554        XML document, version: "1.0"
12747285      0xC28215        Copyright string: " (C) 2010. Hitachi ULSI Systems Co.,Ltd. Co.,Ltd."
12747445      0xC282B5        Copyright string: " (C) 2009. Hitachi ULSI Systems Co.,Ltd. Co.,Ltd."
12758672      0xC2AE90        LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
2 Answers

Since version 0.50, binwalk has a -e option to extract files. Unfortunately, the manual doesn't tell you this, but if you invoke binwalk -version, it will tell you:

-e, --extract=[file]          Automatically extract known file types. Load rules from file, if specified.

Of course, you can also use dd. For example, if you want the executable at 68264, first calculate its size (105904-68264=37640), then:

$ dd if=myfile.bin of=executable.so bs=1 skip=68264 count=37640

Repeat for the other parts as needed.
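
The dd approach from the answer above, scripted over a whole saved binwalk listing. This is an added example, not part of the original answer; the function names, the sample table and the rule that string hits are not file boundaries are assumptions.

```sh
#!/bin/sh
# Added example: carve the ELF and LZMA regions named in a saved binwalk table.
# Region length = next boundary offset - own offset (image size for the last
# row), the same arithmetic as 105904-68264=37640. This is an upper bound, so
# a carved file may end with bytes that belong to no file.

# carve_plan IMAGE_SIZE < table  ->  lines of "offset length extension"
carve_plan() {
    awk -v total="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^0x/ {
            # Assumption: "string" hits (eCos reference, copyright) lie inside
            # a file rather than starting one, so they are not boundaries.
            if ($0 ~ /string/) next
            n++; off[n] = $1; kind[n] = $3
        }
        END {
            for (i = 1; i <= n; i++) {
                stop = (i < n) ? off[i + 1] : total
                if (kind[i] == "ELF")  print off[i], stop - off[i], "elf"
                if (kind[i] == "LZMA") print off[i], stop - off[i], "lzma"
            }
        }'
}

# carve_all IMAGE TABLE OUTDIR  ->  writes OUTDIR/<offset>.<extension>
carve_all() (
    image=$1 table=$2 outdir=$3
    [ -r "$image" ] && [ -r "$table" ] || exit 1
    size=$(( $(wc -c < "$image") ))
    mkdir -p "$outdir" || exit 1
    carve_plan "$size" < "$table" | while read -r off len ext; do
        # bs=1 keeps skip= and count= in bytes, as in the answer (slow, exact).
        dd if="$image" of="$outdir/$off.$ext" bs=1 skip="$off" count="$len" 2>/dev/null
    done
)

# Constructed sample table for a made-up 40-byte image (not the BMW dump).
sample_table() {
    cat <<'EOF'
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
10            0xA             ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)
16            0x10            eCos RTOS string reference: "sample"
22            0x16            LZMA compressed data, properties: 0x5D, missing uncompressed size
30            0x1E            XML document, version: "1.0"
EOF
}
```

For a real image, save the listing with `binwalk myfile.bin > table.txt` and run `carve_all myfile.bin table.txt carved`.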

You can use the -D option to carve out parts based on their signature.

For example, to extract the ELF parts, do the following:

binwalk -D "elf 32-bit lsb shared object":.so image.bin

Note the lowercase signature string.

You can specify multiple instances of -D.

For more details, see the binwalk wiki: https://github.com/devttys0/binwalk/wiki