
[Repost] Why I Love Vulnerability Analysis In 2005

Original link: http://www.sockpuppet.org/tqbf/l ... ty-analysis-in.html

Walk into the data center with my escort. Look at appliance. "No, you can't have a login to the box". "No, you can't generate any packets and look at the responses; these are hooked up to production servers". I've got professional liability insurance, but it's probably best not to exercise it. Mope briefly.

Oh look, the shipping containers for the appliance are in the corner. Maybe there's a manual inside? A-ha! Better yet, the installer CD! Copy the installer binary onto my mac.

Run deezee on the binary, see what it finds: a 30 megabyte zlib-compressed segment.

Hexdump it; an ASCII magic number, zeroes, a small 32-bit number, and a 32-bit number that happens to be the length of the file.

Strings it; "PowerPC Processor Version Number". Nice.

Wild guess: the header is 32 bytes long, the first number is a loading offset, the second the length of the segment. Strip the header off. Load the binary into IDA Pro as "Binary File", "PowerPC".

Rebase the image to the loading offset from the header so the jump targets will line up right. Go to the beginning of the file. Hit 'C' to start analyzing and finding code. Watch the green scrub at the top of the window start to show flecks of blue.

Hm. Didn't get too far through the file. Let's go back to the strings. Yep, there's a whole bunch of things that look like function names. And this looks suspiciously like a well-known embedded operating system.

No reason for all these names to be here unless there's a symbol table. Fire up the hex editor, search for one of the function names. There it is, right next to all the other strings. No addresses in front of or after the strings.

The addresses have to be here somewhere. What comes after the name strings? The end of the file. Before? Pay dirt: about 100k of flag-word-then-zero-word-then-address-then-address.

The first address points towards the end of the file --- past it, in fact --- ah, subtract the loading offset --- nice, points right to the beginning of the string. The second address points towards the beginning of the file. Probably the symbol's offset. Looks like I have a symbol table!

50 lines of C and I have what looks like "nm" output.

5 lines of Python and I have an IDC script calling MakeNameEx() and MakeFunction() for every symbol.
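A worked version of the symbol-table recovery described above, added here as an example rather than the author's own C or Python: it parses a constructed image laid out the way the post describes (32-byte header, then flag-word/zero-word/address/address records with the name strings after them), rebases the name pointers by the loading offset, and emits nm-style and IDC output. The header field positions, the 16-byte record width, the magic, the flag value and the symbol names are assumptions for this example.

```python
import struct
# Layout as the post describes it: 32-byte header (ASCII magic, zeros, a small
# word taken as the loading offset, a word equal to the file length), then the
# image, with a table of flag-word/zero-word/address/address records followed by
# NUL-terminated names. PowerPC words are big-endian. The header field positions
# and the 16-byte record size are assumptions made for this example.
HEADER_LEN = 32
RECORD = struct.Struct(">IIII")

def parse_header(blob):
    """(magic, loading offset, length) from the assumed header layout."""
    load_off, length = struct.unpack(">II", blob[24:32])
    return blob[:4].rstrip(b"\0"), load_off, length

def parse_symtab(body, load_off, tab_off, tab_len):
    """Walk the records: first address is the name string in the *loaded* image
    (subtract load_off for a file offset), second is the symbol itself."""
    syms = []
    for off in range(tab_off, tab_off + tab_len, RECORD.size):
        flag, zero, name_addr, sym_addr = RECORD.unpack_from(body, off)
        name_off = name_addr - load_off
        if zero != 0 or not 0 <= name_off < len(body):
            break  # pattern broken or name pointer outside the image: table ended
        end = body.index(b"\0", name_off)
        syms.append((sym_addr, body[name_off:end].decode("ascii")))
    return syms

def nm_lines(syms):
    """nm-style listing (the post's '50 lines of C' step)."""
    return ["%08x T %s" % (a, n) for a, n in sorted(syms)]

def idc_lines(syms):
    """One IDC statement per symbol, naming it and defining a function there."""
    return ['MakeNameEx(0x%08X, "%s", 0); MakeFunction(0x%08X, BADADDR);' % (a, n, a)
            for a, n in sorted(syms)]

def recover_symbols(blob, tab_off, tab_len):
    _, load_off, length = parse_header(blob)
    assert length == len(blob), "length word does not match the file"
    syms = parse_symtab(blob[HEADER_LEN:], load_off, tab_off, tab_len)  # strip header
    return nm_lines(syms), idc_lines(syms)

def build_sample_image():
    """Constructed test image (not a real dump): two 8-byte stubs, two records, names."""
    load_off = 0x10000
    code = b"\x94\x21\xff\xf0\x7c\x08\x02\xa6" * 2  # stwu r1,-16(r1); mflr r0
    tab_off, names_off = len(code), len(code) + 2 * RECORD.size
    table = RECORD.pack(5, 0, load_off + names_off, load_off)
    table += RECORD.pack(5, 0, load_off + names_off + 10, load_off + 8)  # 10 = len("boot_main\0")
    body = code + table + b"boot_main\0pkt_recv\0"
    header = b"FWIM".ljust(24, b"\0") + struct.pack(">II", load_off, HEADER_LEN + len(body))
    return header + body, tab_off, len(table)
```

Pointing `tab_off`/`tab_len` at the region found with the hex editor, as the post does, is the only manual step; everything after the rebase is mechanical.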

Load it up. Go get a Dr. Pepper. About a third of my IDA Pro Scrubbing bar has changed from green to blue.

Randomly sample some of the functions. They're all there. Yep, the instructions at the beginning of each function I look at are unmistakably PowerPC function prologues.

At this point, I might as well have source code. In fact, it's even better: my source code is graphical. How much you wanna bet I'm the first person outside the vendor to ever read it? Hilarity ensues.
