Find the entry point in the interrupt vector table (ARM9)

Tags: reverse-engineering, disassembly, firmware, arm, entry-point
2021-06-29 08:22:27

I am analyzing the firmware of a device with an ARM946E-S CPU. It has no file system, only assembly code and strings.

I have disassembled the firmware with IDA Pro, but I cannot find the entry point.

I know that in the interrupt address table there is a pointer called 'Reset' that I could use to start a dynamic analysis, but I cannot find the IAT either.

Obviously, I tried analyzing it with binwalk and radare2, without success.

Can anyone tell me how to find the interrupt address table?


Edit

After Brendan Dolan-Gavitt's answer.

In the CPU documentation there is a control register called "Alternate vectors select".

[screenshot of the control register table] I don't know how to get the control register table.

I have another doubt. My firmware is 16MB, so if Bit 13 is set, where is the IVT?


Since I could not find the IVT, I decided to try the method Brendan suggested.

Every entry of the IVT is an ARM instruction that jumps to a specific location. The only instruction that performs an unconditional jump is b (branch). So I deduced that the IVT consists of a group of b instructions.

The opcode of b is EA. So, searching in the hex view of the firmware... [screenshot] It only found one.

Analyzing that location with radare2: [screenshot]

These branch instructions point to themselves. This doesn't make any sense.

2 Answers

According to the ARM946E-S Technical Reference Manual, the exception vectors (including the reset vector) should be located in memory at 0x00000000 or 0xFFFF0000, depending on whether the Alternate vectors select bit is set. The layout of these vectors is as follows:

Exception             | Address
----------------------|-----------
Reset                 | 0xffff0000
Undefined Instruction | 0xffff0004
SWI                   | 0xffff0008
Prefetch Abort        | 0xffff000c
Data Abort            | 0xffff0010
Reserved              | 0xffff0014
IRQ                   | 0xffff0018
FIQ                   | 0xffff001c

(Table copied from this blog post, but you can also find it somewhere in the ARM Architecture Reference Manual.)

Note that each of these is not a pointer but an ARM instruction (usually a jump to the handler for that vector). You can see an example of how this is implemented in a system like Linux by looking at the kernel entry point code: https://github.com/torvalds/linux/blob/f77ac2e378be9dd61eb88728f0840642f045d9d1/arch/arm/kernel/entry-armv.S#L1183-L1191

One complication in your case is that, since you are dealing with a firmware image rather than looking at it in memory, you will have to figure out where the image is actually mapped into memory. Alternatively, you could try disassembling the whole image (e.g. a linear disassembly with objdump) and looking for a matching sequence of branch instructions.

The first bytes are the exception vectors:

CODE:00000000                 LDR             PC, =0x1000005C
CODE:00000004 ; ---------------------------------------------------------------------------
CODE:00000004                 LDR             PC, =0x10000044
CODE:00000008 ; ---------------------------------------------------------------------------
CODE:00000008                 LDR             PC, =0x10000048
CODE:0000000C ; ---------------------------------------------------------------------------
CODE:0000000C                 LDR             PC, =0x1000004C
CODE:00000010 ; ---------------------------------------------------------------------------
CODE:00000010                 LDR             PC, =0x10000050
CODE:00000010 ; ---------------------------------------------------------------------------
CODE:00000014                 ALIGN 8
CODE:00000018                 LDR             PC, =0x10000054
CODE:0000001C ; ---------------------------------------------------------------------------
CODE:0000001C                 LDR             PC, =0x10000058
CODE:0000001C ; ---------------------------------------------------------------------------
CODE:00000020 off_20          DCD 0x1000005C          ; DATA XREF: CODE:00000000↑r
CODE:00000024 off_24          DCD 0x10000044          ; DATA XREF: CODE:00000004↑r
CODE:00000028 off_28          DCD 0x10000048          ; CODE XREF: sub_1D8↓j
CODE:00000028                                         ; DATA XREF: CODE:00000008↑r ...
CODE:0000002C off_2C          DCD 0x1000004C          ; DATA XREF: CODE:0000000C↑r
CODE:00000030 off_30          DCD 0x10000050          ; DATA XREF: CODE:00000010↑r
CODE:00000034 off_34          DCD 0x10000054          ; DATA XREF: CODE:00000018↑r
CODE:00000038 off_38          DCD 0x10000058          ; DATA XREF: CODE:0000001C↑r

Obviously, the code is mapped at 0x10000000. After rebasing, we can see that the loop you found is the dummy handlers:

CODE:10000000                 LDR             PC, =Reset_Handler
CODE:10000004 ; ---------------------------------------------------------------------------
CODE:10000004                 LDR             PC, =Undef_Hander
CODE:10000008 ; ---------------------------------------------------------------------------
CODE:10000008                 LDR             PC, =SWI_Handler
CODE:1000000C ; ---------------------------------------------------------------------------
CODE:1000000C                 LDR             PC, =PrefAbort_Handler
CODE:10000010 ; ---------------------------------------------------------------------------
CODE:10000010                 LDR             PC, =DataAbort_Handler
CODE:10000010 ; ---------------------------------------------------------------------------
CODE:10000014                 ALIGN 8
CODE:10000018                 LDR             PC, =IRQ_Handler
CODE:1000001C ; ---------------------------------------------------------------------------
CODE:1000001C                 LDR             PC, =FIQ_Handler
CODE:1000001C ; ---------------------------------------------------------------------------
CODE:10000020 off_10000020    DCD Reset_Handler       ; DATA XREF: CODE:10000000↑r
CODE:10000024 off_10000024    DCD Undef_Hander        ; DATA XREF: CODE:10000004↑r
CODE:10000028 off_10000028    DCD SWI_Handler         ; DATA XREF: CODE:10000008↑r
CODE:1000002C off_1000002C    DCD PrefAbort_Handler   ; DATA XREF: CODE:1000000C↑r
CODE:10000030 off_10000030    DCD DataAbort_Handler   ; DATA XREF: CODE:10000010↑r
CODE:10000034 off_10000034    DCD IRQ_Handler         ; DATA XREF: CODE:10000018↑r
CODE:10000038 off_10000038    DCD FIQ_Handler         ; DATA XREF: CODE:1000001C↑r
CODE:1000003C aV10            DCB "v1.0"
CODE:10000040                 DCD 0x1C200
CODE:10000044
CODE:10000044 ; =============== S U B R O U T I N E =======================================
CODE:10000044
CODE:10000044 ; Attributes: noreturn
CODE:10000044
CODE:10000044 Undef_Hander                            ; CODE XREF: CODE:10000004↑j
CODE:10000044                                         ; Undef_Hander↓j
CODE:10000044                                         ; DATA XREF: ...
CODE:10000044                 B               Undef_Hander
CODE:10000044 ; End of function Undef_Hander
CODE:10000044
CODE:10000048
CODE:10000048 ; =============== S U B R O U T I N E =======================================
CODE:10000048
CODE:10000048 ; Attributes: noreturn
CODE:10000048
CODE:10000048 SWI_Handler                             ; CODE XREF: CODE:10000008↑j
CODE:10000048                                         ; SWI_Handler↓j
CODE:10000048                                         ; DATA XREF: ...
CODE:10000048                 B               SWI_Handler
CODE:10000048 ; End of function SWI_Handler
CODE:10000048
CODE:1000004C
CODE:1000004C ; =============== S U B R O U T I N E =======================================
CODE:1000004C
CODE:1000004C ; Attributes: noreturn
CODE:1000004C
CODE:1000004C PrefAbort_Handler                       ; CODE XREF: CODE:1000000C↑j
CODE:1000004C                                         ; PrefAbort_Handler↓j
CODE:1000004C                                         ; DATA XREF: ...
CODE:1000004C                 B               PrefAbort_Handler
CODE:1000004C ; End of function PrefAbort_Handler
CODE:1000004C
CODE:10000050
CODE:10000050 ; =============== S U B R O U T I N E =======================================
CODE:10000050
CODE:10000050 ; Attributes: noreturn
CODE:10000050
CODE:10000050 DataAbort_Handler                       ; CODE XREF: CODE:10000010↑j
CODE:10000050                                         ; DataAbort_Handler↓j
CODE:10000050                                         ; DATA XREF: ...
CODE:10000050                 B               DataAbort_Handler
CODE:10000050 ; End of function DataAbort_Handler
CODE:10000050
CODE:10000054
CODE:10000054 ; =============== S U B R O U T I N E =======================================
CODE:10000054
CODE:10000054 ; Attributes: noreturn
CODE:10000054
CODE:10000054 IRQ_Handler                             ; CODE XREF: CODE:10000018↑j
CODE:10000054                                         ; IRQ_Handler↓j
CODE:10000054                                         ; DATA XREF: ...
CODE:10000054                 B               IRQ_Handler
CODE:10000054 ; End of function IRQ_Handler
CODE:10000054
CODE:10000058
CODE:10000058 ; =============== S U B R O U T I N E =======================================
CODE:10000058
CODE:10000058 ; Attributes: noreturn
CODE:10000058
CODE:10000058 FIQ_Handler                             ; CODE XREF: CODE:1000001C↑j
CODE:10000058                                         ; FIQ_Handler↓j
CODE:10000058                                         ; DATA XREF: ...
CODE:10000058                 B               FIQ_Handler
CODE:10000058 ; End of function FIQ_Handler
CODE:10000058
CODE:1000005C ; ---------------------------------------------------------------------------
CODE:1000005C
CODE:1000005C Reset_Handler                           ; CODE XREF: CODE:10000000↑j
CODE:1000005C                                         ; DATA XREF: CODE:10000000↑o ...
CODE:1000005C                 MOV             R1, #0x12
CODE:10000060                 ORR             R0, R1, #0
CODE:10000064                 MCR             p15, 0, R0,c9,c1, 1
CODE:10000068                 MOV             R1, #0x12
CODE:1000006C                 ORR             R0, R1, #0x100000
CODE:10000070                 MCR             p15, 0, R0,c9,c1, 0
CODE:10000074                 MRC             p15, 0, R0,c1,c0, 0
CODE:10000078                 ORR             R0, R0, #0x50000
CODE:1000007C                 MCR             p15, 0, R0,c1,c0, 0
CODE:10000080                 LDR             R0, =0x5200F010
CODE:10000084                 LDR             R1, [R0]
CODE:10000088                 ORR             R1, R1, #0xE
CODE:1000008C                 STR             R1, [R0]
CODE:10000090                 LDR             R12, =sub_10000140
CODE:10000094                 BX              R12     ; sub_10000140

The code in Reset_Handler performs very basic hw init, then jumps to the code that prepares the rest of the environment (copies code and data to their final location, then jumps to it).
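The byte search for "EA" in the question only matches the B form of a vector and misses the form the second answer shows, where each slot is an LDR PC, =addr (encoding E59FFxxx) that reads a handler address from the literal pool. As an added example (not code from either answer), this Python script scans a raw image for eight consecutive words that decode as B or LDR PC,[PC,#imm] vectors, turns each slot into a handler file offset for a candidate load address, checks that the address keeps every handler inside the image (the "where is it mapped" question from the first answer), and flags `B .` dummy handlers; the sample image is constructed to mirror the listing above and is not the real firmware.

```python
import struct
SELF_BRANCH = 0xEAFFFFFE   # encoding of "B ." (branch to itself): a dummy handler

def read_word(image, off):
    return struct.unpack_from("<I", image, off)[0]

def decode_vector(image, off):
    """Classify one vector word: unconditional B, LDR PC,[PC,#imm], or neither."""
    w = read_word(image, off)
    if (w >> 24) == 0xEA:                         # B <target>: cond=AL, opcode 101, L=0
        imm24 = w & 0xFFFFFF
        if imm24 & 0x800000:                      # sign-extend the 24-bit word offset
            imm24 -= 0x1000000
        return ("B", off + 8 + imm24 * 4)         # PC-relative, so target is a file offset
    if (w & 0xFFFFF000) == 0xE59FF000:            # LDR PC,[PC,#imm12]: jump via literal pool
        pool = off + 8 + (w & 0xFFF)
        if pool + 4 <= len(image):
            return ("LDR", read_word(image, pool))  # literal is an absolute handler address
    return (None, w)

def find_vector_tables(image, min_hits=7):
    """File offsets where >= 7 of 8 consecutive words decode as vectors (slot 5 is reserved)."""
    return [off for off in range(0, len(image) - 0x1C, 4)
            if sum(1 for i in range(8) if decode_vector(image, off + 4 * i)[0]) >= min_hits]

def handler(image, off, base):
    """(handler file offset, is_dummy) for one vector slot, or None if it is not a vector."""
    kind, val = decode_vector(image, off)
    if kind is None:
        return None
    foff = val if kind == "B" else val - base      # LDR literal is absolute: subtract load base
    return (foff, 0 <= foff <= len(image) - 4 and read_word(image, foff) == SELF_BRANCH)

def handlers(image, table_off, base):
    """All 8 slots of a table, assuming the image is mapped at `base`."""
    return [handler(image, table_off + 4 * i, base) for i in range(8)]

def check_base(image, table_off, base):
    """A candidate load address is plausible only if every handler lands inside the image."""
    return all(h is None or 0 <= h[0] < len(image) for h in handlers(image, table_off, base))

def build_sample_image():
    """Constructed image (not the real firmware) mirroring the listing in the second answer."""
    words = [0xE59FF018] * 5 + [0] + [0xE59FF014] * 2         # 8 vectors; slot 5 is padding
    words += [0x1000005C, 0x10000044, 0x10000048, 0x1000004C,  # literal pool at 0x20
              0x10000050, 0x10000054, 0x10000058]
    words += [0x302E3176, 0x0001C200]                         # "v1.0" and DCD 0x1C200
    words += [SELF_BRANCH] * 6                                # dummy handlers at 0x44..0x58
    words += [0xE3A01012, 0xE3810000]                         # Reset_Handler at 0x5C: MOV R1,#0x12
    return struct.pack("<%dI" % len(words), *words)
```

Run it over a real dump with `find_vector_tables(open(path, "rb").read())` and then try candidate bases with `check_base`; only bases that keep all seven handlers inside the image are worth rebasing the IDA database to.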