I want to analyze this UEFI BIOS. When I open it in IDA it looks compressed. Also, IDA lists the processor type as ZLOG. Shouldn't this be IDA's multi-processor setting?
Anyway, if I remember correctly, it is compressed and split into some odd sections. How do I decompress it and look at it in more detail?
If it is not compressed, how can I do some static analysis on it?
Thanks
Probably the quickest and easiest way to start analyzing the binary is to scan the file with binwalk.
Here is the signature scan output for your file:
$ binwalk EFI64.ROM
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 UEFI PI Firmware Volume, volume size: 2097152, header size: 0, revision: 0, EFI Firmware File System v2, GUID: 8C8CE578-8A3D-4F1C-3599-896185C32DD3
332 0x14C Microsoft executable, portable (PE)
36864 0x9000 Microsoft executable, portable (PE)
90112 0x16000 Microsoft executable, portable (PE)
122880 0x1E000 Microsoft executable, portable (PE)
155648 0x26000 Microsoft executable, portable (PE)
221184 0x36000 Microsoft executable, portable (PE)
249924 0x3D044 Microsoft executable, portable (PE)
401408 0x62000 Microsoft executable, portable (PE)
434176 0x6A000 Microsoft executable, portable (PE)
462936 0x71058 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 4636688 bytes
According to binwalk, this is a UEFI Platform Initialization volume containing multiple PE files and one large LZMA-compressed block.
The binary has large high-entropy regions, which indicate compression or encryption, so the LZMA signature detected by binwalk looks like a true positive. Visualization helps us see this:
Via binwalk with the -E flag (entropy plot, image not reproduced here):
Via binvis.io (pink is high entropy, black is low entropy; image not reproduced here):
We can also try extraction with binwalk's -e flag. The extracted file is similar to the original but appears to contain more PE files, along with strings and data:
_EFI64.ROM.extracted $ binwalk 71058
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
16 0x10 UEFI PI Firmware Volume, volume size: 4636672, header size: 0, revision: 0, EFI Firmware File System v2, GUID: 8C8CE578-8A3D-4F1C-3599-896185C32DD3
220 0xDC Microsoft executable, portable (PE)
29152 0x71E0 Microsoft executable, portable (PE)
57916 0xE23C Microsoft executable, portable (PE)
78508 0x132AC Microsoft executable, portable (PE)
123668 0x1E314 Microsoft executable, portable (PE)
140148 0x22374 Microsoft executable, portable (PE)
173004 0x2A3CC Microsoft executable, portable (PE)
193580 0x2F42C Microsoft executable, portable (PE)
214156 0x3448C Microsoft executable, portable (PE)
247771 0x3C7DB mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
251403 0x3D60B mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
288024 0x46518 Microsoft executable, portable (PE)
308624 0x4B590 Microsoft executable, portable (PE)
333292 0x515EC Microsoft executable, portable (PE)
419420 0x6665C Microsoft executable, portable (PE)
440012 0x6B6CC Microsoft executable, portable (PE)
456516 0x6F744 Microsoft executable, portable (PE)
477128 0x747C8 Microsoft executable, portable (PE)
497708 0x7982C Microsoft executable, portable (PE)
518328 0x7E8B8 Microsoft executable, portable (PE)
534844 0x8293C Microsoft executable, portable (PE)
551556 0x86A84 Microsoft executable, portable (PE)
576212 0x8CAD4 Microsoft executable, portable (PE)
617252 0x96B24 Microsoft executable, portable (PE)
650108 0x9EB7C Microsoft executable, portable (PE)
687140 0xA7C24 Microsoft executable, portable (PE)
805379 0xC4A03 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
834684 0xCBC7C Microsoft executable, portable (PE)
888036 0xD8CE4 Microsoft executable, portable (PE)
912684 0xDED2C Microsoft executable, portable (PE)
937332 0xE4D74 Microsoft executable, portable (PE)
970180 0xECDC4 Microsoft executable, portable (PE)
990732 0xF1E0C Microsoft executable, portable (PE)
1019468 0xF8E4C Microsoft executable, portable (PE)
1052308 0x100E94 Microsoft executable, portable (PE)
1101532 0x10CEDC Microsoft executable, portable (PE)
1122116 0x111F44 Microsoft executable, portable (PE)
1224664 0x12AFD8 Microsoft executable, portable (PE)
1310756 0x140024 Microsoft executable, portable (PE)
1351772 0x14A05C Microsoft executable, portable (PE)
1372316 0x14F09C Microsoft executable, portable (PE)
1401060 0x1560E4 Microsoft executable, portable (PE)
1430052 0x15D224 Microsoft executable, portable (PE)
1458804 0x164274 Microsoft executable, portable (PE)
1487788 0x16B3AC Microsoft executable, portable (PE)
1516564 0x172414 Microsoft executable, portable (PE)
1533148 0x1764DC Microsoft executable, portable (PE)
1553740 0x17B54C Microsoft executable, portable (PE)
1650772 0x193054 Microsoft executable, portable (PE)
1683620 0x19B0A4 Microsoft executable, portable (PE)
1720548 0x1A40E4 Microsoft executable, portable (PE)
1757476 0x1AD124 Microsoft executable, portable (PE)
1790308 0x1B5164 Microsoft executable, portable (PE)
1827244 0x1BE1AC Microsoft executable, portable (PE)
1860084 0x1C61F4 Microsoft executable, portable (PE)
1892964 0x1CE264 Microsoft executable, portable (PE)
1913756 0x1D339C Microsoft executable, portable (PE)
1946836 0x1DB4D4 Microsoft executable, portable (PE)
1991980 0x1E652C Microsoft executable, portable (PE)
2037140 0x1F1594 Microsoft executable, portable (PE)
2057716 0x1F65F4 Microsoft executable, portable (PE)
2094676 0x1FF654 Microsoft executable, portable (PE)
2127516 0x20769C Microsoft executable, portable (PE)
2184932 0x2156E4 Microsoft executable, portable (PE)
2246444 0x22472C Microsoft executable, portable (PE)
2283396 0x22D784 Microsoft executable, portable (PE)
2303940 0x2327C4 Microsoft executable, portable (PE)
2349060 0x23D804 Microsoft executable, portable (PE)
2426948 0x250844 Microsoft executable, portable (PE)
2488452 0x25F884 Microsoft executable, portable (PE)
2517188 0x2668C4 Microsoft executable, portable (PE)
2562308 0x271904 Microsoft executable, portable (PE)
2607436 0x27C94C Microsoft executable, portable (PE)
2652564 0x287994 Microsoft executable, portable (PE)
2734564 0x29B9E4 Microsoft executable, portable (PE)
2826055 0x2B1F47 Neighborly text, "Neighbor Solicitation messages sent while performing Duplicate Address Detection on a tentative address. A value of zero indicatAddress Detection on a tentative address. A value of zero indicates that Duplicate Address Detection is not performed."
2841124 0x2B5A24 Microsoft executable, portable (PE)
2886244 0x2C0A64 Microsoft executable, portable (PE)
2935468 0x2CCAAC Microsoft executable, portable (PE)
2984732 0x2D8B1C Microsoft executable, portable (PE)
3005316 0x2DDB84 Microsoft executable, portable (PE)
3029964 0x2E3BCC Microsoft executable, portable (PE)
3054636 0x2E9C2C Microsoft executable, portable (PE)
3079324 0x2EFC9C Microsoft executable, portable (PE)
3099944 0x2F4D28 Microsoft executable, portable (PE)
3136900 0x2FDD84 Microsoft executable, portable (PE)
3157508 0x302E04 Microsoft executable, portable (PE)
3182196 0x308E74 Microsoft executable, portable (PE)
3206884 0x30EEE4 Microsoft executable, portable (PE)
3231580 0x314F5C Microsoft executable, portable (PE)
3256252 0x31AFBC Microsoft executable, portable (PE)
3272732 0x31F01C Microsoft executable, portable (PE)
3313804 0x32908C Microsoft executable, portable (PE)
3358956 0x3340EC Microsoft executable, portable (PE)
3388919 0x33B5F7 Copyright string: "Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson"
3388980 0x33B634 Copyright string: "Copyright (c) 1996-1997 Andreas Dilger"
3389019 0x33B65B Copyright string: "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."
3389516 0x33B84C CRC32 polynomial table, little endian
3393612 0x33C84C CRC32 polynomial table, big endian
3416404 0x342154 Microsoft executable, portable (PE)
3436964 0x3471A4 PNG image, 16 x 23, 8-bit/color RGBA, non-interlaced
3437904 0x347550 Microsoft executable, portable (PE)
3456260 0x34BD04 Microsoft executable, portable (PE)
3480948 0x351D74 Microsoft executable, portable (PE)
3505628 0x357DDC Microsoft executable, portable (PE)
3530360 0x35DE78 Microsoft executable, portable (PE)
3591800 0x36CE78 Microsoft executable, portable (PE)
3608308 0x370EF4 Microsoft executable, portable (PE)
3628928 0x375F80 Microsoft executable, portable (PE)
3653612 0x37BFEC Microsoft executable, portable (PE)
3674284 0x3810AC Microsoft executable, portable (PE)
3740004 0x391164 Microsoft executable, portable (PE)
3789332 0x39D214 Microsoft executable, portable (PE)
3830392 0x3A7278 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 33562 bytes
3840284 0x3A991C XML document, version: "1.0"
3849137 0x3ABBB1 Copyright string: "Copyright</key>"
3849162 0x3ABBCA Copyright string: "Copyright Apple Computer, Inc. 2000-2003. Copyright David Elliott 2007</string>"
3849204 0x3ABBF4 Copyright string: "Copyright David Elliott 2007</string>"
3849716 0x3ABDF4 XML document, version: "1.0"
3850010 0x3ABF1A Copyright string: "Copyright 2002-2006 Apple Computer, Inc.</string>"
3853372 0x3ACC3C XML document, version: "1.0"
3855380 0x3AD414 XML document, version: "1.0"
3888980 0x3B5754 XML document, version: "1.0"
3923772 0x3BDF3C Microsoft executable, portable (PE)
4577500 0x45D8DC CRC32 polynomial table, little endian
The entropy graph of the extracted file looks similar to the entropy of the first part of the original file, before the LZMA-compressed block.
The next step in the analysis might be to verify that the signatures binwalk detected as PE file headers are real and that PE files are actually embedded there. binwalk detects x86 opcodes (which may not mean anything, since the file's architecture is x86-64, but it seems relevant), and when examining a hex dump one can see what appears to be PE file information:
$ binwalk -A 71058
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3857660 0x3ADCFC Intel x86 instructions, function prologue
3857700 0x3ADD24 Intel x86 instructions, function prologue
3857740 0x3ADD4C Intel x86 instructions, function prologue
3857800 0x3ADD88 Intel x86 instructions, function prologue
3857860 0x3ADDC4 Intel x86 instructions, function prologue
3857920 0x3ADE00 Intel x86 instructions, function prologue
3857934 0x3ADE0E Intel x86 instructions, function prologue
3857992 0x3ADE48 Intel x86 instructions, function prologue
3858050 0x3ADE82 Intel x86 instructions, function prologue
3858102 0x3ADEB6 Intel x86 instructions, function prologue
3858160 0x3ADEF0 Intel x86 instructions, function prologue
3858212 0x3ADF24 Intel x86 instructions, function prologue
3858508 0x3AE04C Intel x86 instructions, function prologue
3858644 0x3AE0D4 Intel x86 instructions, function prologue
3858678 0x3AE0F6 Intel x86 instructions, function prologue
3858708 0x3AE114 Intel x86 instructions, function prologue
3858780 0x3AE15C Intel x86 instructions, function prologue
3858834 0x3AE192 Intel x86 instructions, function prologue
3858858 0x3AE1AA Intel x86 instructions, function prologue
3858882 0x3AE1C2 Intel x86 instructions, function prologue
Side-by-side hex dumps of EFI64.ROM and the file extracted with binwalk, produced with binwalk -W -l 6000 ../EFI64.ROM 71058 (note the strings PE, .text and .data; image not reproduced here):
You could try slicing out the bytes running from one PE header to the next and disassembling them. If the slice disassembles and the disassembly looks correct, then it probably really is a PE file. If so, the same approach can be applied to extract the rest of the embedded PE files.
It is not compressed; it simply has a format IDA does not recognize, so IDA wrongly assumes it is code for a Zilog processor. You should instead select the Meta PC processor and then specify that it should be treated as 32-bit code. That will let you see some code fragments. But you must understand the format of this EFI64.ROM file to load it into IDA correctly. Otherwise the code will be loaded at the wrong addresses and will not reference the correct data (i.e. strings, function addresses and constants).
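Both answers point at the same gap: binwalk finds MZ headers and an LZMA stream, but carving PE images at the right boundaries (the first answer's "slice from one PE header to the next") and loading them at the right addresses (the second answer's "understand the format of EFI64.ROM") both require parsing the firmware file system itself. The script below is an added example, not code from either answer. It walks an FFSv2 firmware volume header, its FFS file headers and their sections per the UEFI PI specification, reports every PE32 section with its absolute offset and a validated PE Machine field, and flags compression and LZMA GUID-defined sections. The FFSv2 and LZMA GUIDs are the spec values (note that binwalk's output above prints the FFSv2 GUID's fourth group byte-swapped as "3599"); the sample volume, its two file GUIDs and the stub payloads are constructed for the demo and are not from the ROM.

```python
"""Walk a UEFI PI firmware volume (FFSv2) and locate the PE images binwalk only guesses at.
Layouts follow the UEFI PI spec vol. 3: EFI_FIRMWARE_VOLUME_HEADER, EFI_FFS_FILE_HEADER,
EFI_COMMON_SECTION_HEADER. Added example; the sample volume below is constructed."""
import struct
import uuid

FVH_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
LZMA_GUID = uuid.UUID("ee4e5898-3914-4259-9d6e-dc7bd79403cf")   # LZMA_CUSTOM_DECOMPRESS_GUID
SECTION_COMPRESSION, SECTION_GUID_DEFINED, SECTION_PE32 = 0x01, 0x02, 0x10


def align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_fv_header(data, off=0):
    """Return (FvLength, HeaderLength) if an FFSv2 volume header starts at `off`, else None."""
    if len(data) < off + 56 or data[off + 40:off + 44] != FVH_SIGNATURE:
        return None
    if uuid.UUID(bytes_le=bytes(data[off + 16:off + 32])) != FFS2_GUID:
        return None
    fv_len, = struct.unpack_from("<Q", data, off + 32)
    hdr_len, = struct.unpack_from("<H", data, off + 48)
    return fv_len, hdr_len


def find_volumes(data):
    """Offsets of every FFSv2 volume in a blob (the signature sits 40 bytes into the header)."""
    offs, i = [], data.find(FVH_SIGNATURE)
    while i != -1:
        if i >= 40 and parse_fv_header(data, i - 40):
            offs.append(i - 40)
        i = data.find(FVH_SIGNATURE, i + 1)
    return offs


def iter_ffs_files(data, fv_off=0):
    """Yield (file_offset, name_guid, file_type, body) for each FFS file in the volume."""
    hdr = parse_fv_header(data, fv_off)
    if hdr is None:
        raise ValueError("no FFSv2 volume header at 0x%x" % fv_off)
    fv_len, hdr_len = hdr
    end, pos = min(fv_off + fv_len, len(data)), fv_off + hdr_len
    while pos + 24 <= end:
        name = data[pos:pos + 16]
        if name == b"\xff" * 16:                 # erased flash: free space, no more files
            break
        size = int.from_bytes(data[pos + 20:pos + 23], "little")   # 24-bit, includes header
        if size < 24:
            break
        yield pos, uuid.UUID(bytes_le=bytes(name)), data[pos + 18], data[pos + 24:pos + size]
        pos = fv_off + align(pos + size - fv_off, 8)   # files are 8-byte aligned in the FV


def iter_sections(body):
    """Yield (payload_offset_in_body, section_type, payload) for each section of a file."""
    pos = 0
    while pos + 4 <= len(body):
        size, stype, hdr = int.from_bytes(body[pos:pos + 3], "little"), body[pos + 3], 4
        if size == 0xFFFFFF:                     # EFI_COMMON_SECTION_HEADER2 (large section)
            size, hdr = struct.unpack_from("<I", body, pos + 4)[0], 8
        if size < hdr:
            break
        yield pos + hdr, stype, body[pos + hdr:pos + size]
        pos = align(pos + size, 4)               # sections are 4-byte aligned


def pe_info(blob):
    """Check the MZ -> e_lfanew -> PE\\0\\0 chain; return (Machine, is_pe32plus) or None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, = struct.unpack_from("<H", blob, e_lfanew + 4)     # 0x8664 = x64, 0x14C = i386
    magic, = struct.unpack_from("<H", blob, e_lfanew + 24)      # 0x20B = PE32+
    return machine, magic == 0x20B


def find_pe_images(data, fv_off=0):
    """Describe every PE32 section (absolute offset, ready to carve) and every container section."""
    hits = []
    for foff, name, ftype, body in iter_ffs_files(data, fv_off):
        for rel, stype, payload in iter_sections(body):
            hit = {"file": str(name), "file_type": ftype, "offset": foff + 24 + rel}
            if stype == SECTION_PE32:
                info = pe_info(payload)
                hit["machine"], hit["pe32plus"] = info if info else (None, None)
            elif stype == SECTION_GUID_DEFINED:
                guid = uuid.UUID(bytes_le=bytes(payload[:16]))
                hit["container"] = "LZMA" if guid == LZMA_GUID else str(guid)
            elif stype == SECTION_COMPRESSION:
                unc, ctype = struct.unpack_from("<IB", payload, 0)
                hit["container"] = "EFI_COMPRESSION type %d, %d bytes" % (ctype, unc)
            else:
                continue
            hits.append(hit)
    return hits


def _ffs_file(name, ftype, sections):
    """Constructed FFS file: 24-byte header followed by 4-byte-aligned sections."""
    body = b""
    for stype, payload in sections:
        body = body.ljust(align(len(body), 4), b"\0")
        body += (4 + len(payload)).to_bytes(3, "little") + bytes([stype]) + payload
    size = 24 + len(body)
    return name.bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8" + body


def build_sample_volume():
    """Constructed FFSv2 volume: one x64 DXE driver (PE32+) and one LZMA-guided section."""
    pe = bytearray(0x40 + 4 + 20 + 2)                  # MZ stub + PE sig + COFF header + magic
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)             # e_lfanew
    struct.pack_into("<H", pe, 0x44, 0x8664)           # IMAGE_FILE_MACHINE_AMD64
    struct.pack_into("<H", pe, 0x40 + 24, 0x20B)       # PE32+ optional-header magic
    driver = _ffs_file(uuid.UUID("11111111-2222-3333-4444-555555555555"), 0x07, [(SECTION_PE32, bytes(pe))])
    # EFI_GUID_DEFINED_SECTION: guid, DataOffset, Attributes, then a stub (not a real LZMA stream)
    guided = LZMA_GUID.bytes_le + struct.pack("<HH", 24, 0x01) + b"\x5d" + struct.pack("<I", 1 << 24)
    wrapped = _ffs_file(uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa"), 0x0B, [(SECTION_GUID_DEFINED, guided)])
    files = driver.ljust(align(len(driver), 8), b"\xff") + wrapped
    hdr_len = 72                                       # 56 fixed bytes + 2 block-map entries
    fv_len = hdr_len + len(files)
    header = b"\0" * 16 + FFS2_GUID.bytes_le + struct.pack(
        "<Q4sIHHHBB", fv_len, FVH_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2) + struct.pack("<IIII", 1, fv_len, 0, 0)
    return header + files


if __name__ == "__main__":
    rom = build_sample_volume()        # replace with open("EFI64.ROM", "rb").read() for a real ROM
    for fv in find_volumes(rom):
        for hit in find_pe_images(rom, fv):
            print(hit)
```

For a real image, pass the ROM bytes to find_volumes and then find_pe_images for each volume offset it returns. A PE32 section's payload is the whole image, so carve from the reported offset for the section's length rather than up to the next MZ; IDA's PE loader then relocates the x64 image properly instead of treating the ROM as raw Zilog or Meta PC code. For an LZMA-guided section the bytes from DataOffset onward are a raw .lzma stream that Python's lzma.decompress(..., format=lzma.FORMAT_ALONE) unpacks; the output is itself another firmware volume, which is what binwalk reported inside the extracted file. The script does not verify the volume or file checksums, so treat its output as a map, not as proof of integrity.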