  phn1x     December 31, 2009 09:13.34 CST
If the binary image is not in a known file format that IDA supports you are not going to get disassembly even if you choose the correct CPU.

First, google the hell out of the application to discover where it came from if you don't know already. Then google the hell out of the device it came from and you should be able to determine the cpu type.

As I stated before, if you know the CPU type, but the file format is proprietary you will not get disassembly. You will have to first figure out the structure of the .bin / firmware image. Then you can either write your own loader for IDA, or adjust your loading offsets based on your findings, create segments, etc. Alternatively, you can write an IDAPython/IDC script to create functions from a prologue (see http://eusecwest.com/esw08/esw08-muniz.pdf for the general concept).

Reversing firmware is a pain in the ass when the format is proprietary. It is a different world from RE'ing PE/ELF binaries for known OSes.

  reidmefirst   December 31, 2009 14:36.04 CST
Many automotive CPUs are MPC8xx/5xx (PowerPC).  You might start by trying the file at offset 0x100, treating that as a pointer to the first instruction and making code from there with PPC as the CPU in IDA.  0x9020 looks like a stw, so it may be a function preamble (storing some regs on the stack or something).

Failing that, like phn1x says you will have to identify the CPU first, maybe get the programmer's reference manual for that cpu, and find out what the CPU does at boot/how it finds its first instruction.  Generally even if the operating system is compressed, there's going to be an uncompressed bootloader or something that executes first from flash, which should give you a hint what compression algorithm is used, and where the uncompressed data will be copied.

Here is a python script to try to auto-make-functions:

from idaapi import *
from idc import *
from idautils import *

def make_functions(pattern):
  # start at the lowest mapped address instead of 0 so rebased images work
  ea = idaapi.cvar.inf.minEA
  endea = idaapi.cvar.inf.maxEA
  # the search flags are bit flags, so they must be OR'd together, not AND'd
  flags = BIN_SEARCH_FORWARD | BIN_SEARCH_CASE
  while ea != BADADDR:
    newea = find_binary(ea, endea, pattern, 16, flags)
    if newea == BADADDR:
      break
    # only create a function where the hit is not already inside one
    if get_func(newea) is None:
      auto_make_proc(newea)
    ea = newea + 4 # advance past the hit so find_binary does not return it again

Call it with the hex bytes that make up a function preamble, like:

make_functions("55 89 e5")

would make functions for x86.
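The two posts above describe the same two steps: sanity-check a candidate boot pointer (such as the word at offset 0x100) and then sweep the raw image for a function prologue the way find_binary does, wildcards included. The stand-alone Python script below does both outside IDA so the logic can be tried on any dump. It is an added example, not code from either poster, from the linked slides or from IDA: the image it scans is constructed in build_sample_image() (0xFF filler like erased flash, a big-endian pointer at 0x100, two PowerPC-style functions and one decoy), PPC_PROLOGUE is the common stwu r1,-N(r1) ; mflr r0 pair and X86_PROLOGUE is the post's 55 89 e5, and all function and variable names are assumptions of this example.

```python
import struct

# IDA-style byte patterns; "??" is a wildcard byte, like "?" in find_binary.
PPC_PROLOGUE = "94 21 ?? ?? 7C 08 02 A6"   # stwu r1,-N(r1) ; mflr r0
X86_PROLOGUE = "55 89 E5"                  # push ebp ; mov ebp,esp (the post's example)


def parse_pattern(pattern):
    """Turn a hex pattern string into (value, mask) pairs; mask 0x00 means any byte."""
    pairs = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            pairs.append((0x00, 0x00))
        else:
            pairs.append((int(tok, 16), 0xFF))
    return pairs


def find_pattern(data, pattern, align=1):
    """Return every offset where the masked pattern matches.
    align=4 keeps hits on instruction boundaries for fixed-width ISAs such as PowerPC."""
    pairs = parse_pattern(pattern)
    hits = []
    for off in range(0, len(data) - len(pairs) + 1, align):
        if all((data[off + i] & mask) == value for i, (value, mask) in enumerate(pairs)):
            hits.append(off)
    return hits


def entry_candidate(data, off=0x100):
    """Read the big-endian 32-bit word at `off` as a pointer to the first instruction
    and return it only if it is plausible: 4-byte aligned and inside the image."""
    if off + 4 > len(data):
        return None
    target = struct.unpack_from(">I", data, off)[0]
    if target % 4 == 0 and target < len(data):
        return target
    return None


def ppc_frame_size(data, off):
    """For a hit on 'stwu r1,-N(r1)' recover N from the signed 16-bit displacement."""
    disp = struct.unpack_from(">h", data, off + 2)[0]
    return -disp


def build_sample_image():
    """Constructed 512-byte image (not a real dump): 0xFF filler like erased flash,
    an entry pointer at 0x100, two PowerPC-style functions and one decoy."""
    img = bytearray(b"\xff" * 0x200)
    struct.pack_into(">I", img, 0x100, 0x140)  # pointer to the first instruction
    # stwu r1,-0x20(r1) ; mflr r0 ; stw r0,0x24(r1) ; blr
    func_a = bytes.fromhex("9421ffe0" "7c0802a6" "90010024" "4e800020")
    # stwu r1,-0x10(r1) ; mflr r0 ; stw r0,0x14(r1) ; blr
    func_b = bytes.fromhex("9421fff0" "7c0802a6" "90010014" "4e800020")
    img[0x140:0x140 + len(func_a)] = func_a
    img[0x180:0x180 + len(func_b)] = func_b
    img[0x1C0:0x1C4] = bytes.fromhex("94210010")  # stwu with no mflr after it: not a prologue
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    entry = entry_candidate(image)
    print("word at 0x100 as entry pointer:", hex(entry) if entry is not None else "not plausible")
    for hit in find_pattern(image, PPC_PROLOGUE, align=4):
        print("PPC prologue at 0x%04x, frame 0x%x bytes" % (hit, ppc_frame_size(image, hit)))
    # scanning with the wrong CPU's prologue finds nothing, the symptom of a mis-identified core
    print("x86 prologue hits:", find_pattern(image, X86_PROLOGUE))
```

Running it reports the pointer at 0x100 resolving to 0x140, PPC prologues at 0x140 and 0x180 with 0x20- and 0x10-byte frames, and no x86 hits; the decoy at 0x1C0 is skipped because the wildcard pattern still requires the mflr r0 that follows a real prologue. The same masked-pattern approach is what the IDA script above relies on, with find_binary doing the matching.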
