2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Binbloom
Binbloom is a raw firmware analysis tool designed to help researchers analyse binary firmware images and automatically determine some of their properties. Because it only computes simple statistical features over the image, it works on all common architectures.
To compute the load address, an external reverse engineering tool (such as IDA Pro) is first needed to extract a list of candidate function offsets from the firmware; Binbloom then correlates that list with the pointer arrays it finds in the image.
Features
Load address: Binbloom can parse a raw binary firmware and determine its load address.
Byte order: Binbloom can use heuristics to determine the endianness of the firmware.
UDS database: Binbloom can parse a raw binary firmware and check whether it contains an array of UDS command IDs.
Tool download / installation
First, clone the project's source code locally with the following commands:
git clone https://github.com/quarkslab/binbloom.git
cd binbloom
Next, build the latest version of Binbloom with the following commands:
mkdir build
cd build
cmake ..
make
Finally, install Binbloom (only Linux systems are supported) with the following command:
make install
Determining the byte order
To determine the byte order, run Binbloom with the -e option:
binbloom -f firmware.bin -e
After running the above command, Binbloom returns the following output:
Loaded firmware.bin, size:624128, bit:fff00000, 000fffff, nb_segments:4096, shift:20
End address:00098600
Determining the endianness
Computing heuristics in big endian order:
Base: 00000000: unique pointers:1839, number of array elements:217900
Base: 01000000: unique pointers:1343, number of array elements:13085
Base: 02000000: unique pointers:621, number of array elements:5735
Base: 03000000: unique pointers:566, number of array elements:3823
Base: 05000000: unique pointers:575, number of array elements:6139
Base: 80000000: unique pointers:642, number of array elements:5282
47210
Computing score in little endian order:
Base: 00000000: unique pointers:8309, number of array elements:515404
515404
This firmware seems to be LITTLE ENDIAN
The last line of this output is the important one, because it gives the final verdict. The other lines report, for each candidate base address, how many unique pointers and how many array elements Binbloom could find when the image is read in big-endian and in little-endian order; the byte order that yields the most consistent pointers is the one the heuristic selects.
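The heuristic behind that output is easier to see on a small image. The following is an added example, not Binbloom's own code: it builds a constructed 4 KiB image containing a little-endian pointer table, then counts, for each candidate base address and each byte order, the 32-bit words that would point back inside the image. The candidate base set, the scoring (best unique-pointer count per byte order) and the sample image are assumptions of this example; Binbloom's real scoring differs in detail.

```python
import struct

def filler(n: int) -> bytes:
    """Deterministic pseudo-random filler (constructed; stands in for code and data)."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))

def words(fw: bytes, fmt: str):
    """Yield every aligned 32-bit word of the image in byte order fmt ('<' or '>')."""
    for (w,) in struct.iter_unpack(fmt + "I", fw[: len(fw) & ~3]):
        yield w

def count_pointers(fw: bytes, base: int, fmt: str):
    """Count words that, read in byte order fmt, would point inside
    [base, base + len(fw)). Returns (unique_pointers, array_elements)."""
    lo, hi = base, base + len(fw)
    seen, total = set(), 0
    for w in words(fw, fmt):
        if lo <= w < hi:
            seen.add(w)
            total += 1
    return len(seen), total

# Assumed candidate load addresses (a real tool walks a much larger grid).
CANDIDATE_BASES = (0x00000000, 0x08000000, 0x80000000)

def guess_endianness(fw: bytes, bases=CANDIDATE_BASES):
    """Score each byte order by its best unique-pointer count over the candidate
    bases (a simplification of Binbloom's heuristic); return (verdict, details)."""
    results = {}
    for name, fmt in (("big", ">"), ("little", "<")):
        results[name] = {base: count_pointers(fw, base, fmt) for base in bases}
    score = {name: max(u for (u, _) in r.values()) for name, r in results.items()}
    verdict = "little" if score["little"] > score["big"] else "big"
    return verdict, results

# Constructed sample: 4 KiB image assumed to be linked at 0x08000000, little endian.
SAMPLE_BASE = 0x08000000

def build_sample() -> bytes:
    fw = bytearray(filler(0x1000))
    targets = [SAMPLE_BASE + 0x100 + 0x20 * i for i in range(63)]
    table = targets + [targets[0]]            # one duplicate: 64 elements, 63 unique
    packed = b"".join(struct.pack("<I", t) for t in table)
    fw[0xA00:0xA00 + len(packed)] = packed    # a vector / function-pointer table
    return bytes(fw)

if __name__ == "__main__":
    fw = build_sample()
    verdict, results = guess_endianness(fw)
    for name, per_base in results.items():
        for base, (uniq, total) in per_base.items():
            print(f"{name:6} base {base:08x}: unique pointers:{uniq}, "
                  f"number of array elements:{total}")
    print("This firmware seems to be", verdict.upper(), "ENDIAN")
```

Reading the table in the wrong byte order turns every entry into a value far outside the image, which is why the big-endian counts collapse to zero while the little-endian count at the right base equals the number of distinct targets.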
Determine the load address
First, we need to provide a file containing the list of potential function addresses in hexadecimal, one per line, like this:
00000010
00000054
000005f0
00000a50
00000a54
00000ac0
00000b40
00000b6c
00000b74
00000bc0
This file must be named after the firmware file, with ".fun" appended as its extension.
The file can be generated with the tag_code() function provided by the Python script tag_code.py. With IDA Pro, the steps are:
Load the firmware file in IDA Pro at address 0
From the File menu in IDA Pro, choose Script file... and select tag_code.py
In the command line at the bottom of the IDA Pro window, call tag_code(); the function file is generated automatically
Any other tool can be used to produce the function file, as long as the firmware is loaded at address 0, so that each hexadecimal value in the file is an offset into the firmware.
Next, Binbloom can compute the candidate load address(es) by scoring, for each candidate base, how well the potential functions correlate with the function pointer arrays found in the firmware:
binbloom -f firmware.bin -b
After the above command runs, Binbloom returns the output shown below:
Loaded firmware.bin, size:2668912, bit:ffc00000, 003fffff, nb_segments:1024, shift:22
End address:0028b970
loaded 14903 functions
Highest score for base address: 1545, for base address 80010000
For information, here are the best scores:
For base address 80010000, found 1545 functions
Saving function pointers for this base address...
Done.
In this output we can see that 14903 potential functions were loaded from the .fun file. Assuming a load address of 0x80010000, the tool finds 1545 of them referenced from function pointer arrays in the image, which is the highest score of any candidate base.
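To make the correlation step concrete, here is an added example (not Binbloom's code) that also covers the .fun file format described above: it parses a constructed .fun listing of offsets, then lets every 32-bit word in a constructed 8 KiB image vote for the base address at which that word would point to a listed function. The 64 KiB base alignment, the little-endian read, the sample base 0x80010000 and the sample function offsets are assumptions of this example. The "fad" and "fpt" lists mimic the two output files Binbloom writes (function addresses and pointer locations).

```python
import struct
from collections import Counter

def filler(n: int) -> bytes:
    """Deterministic pseudo-random filler (constructed; stands in for code and data)."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))

def parse_fun(text: str) -> list:
    """Parse a .fun file: one hexadecimal function offset per line, offsets
    relative to a firmware loaded at address 0 (blank lines are ignored)."""
    return [int(line, 16) for line in text.splitlines() if line.strip()]

def find_load_address(fw: bytes, funcs, align: int = 0x10000):
    """Each word w and offset f vote for base = w - f when that base is
    align-aligned (assumption: the load address sits on a 64 KiB boundary).
    The base with the most votes wins; the functions it actually resolves
    and the locations of the pointers to them are returned with it."""
    words = [w for (w,) in struct.iter_unpack("<I", fw[: len(fw) & ~3])]
    funcset = set(funcs)
    votes = Counter()
    for w in words:
        for f in funcs:
            base = w - f
            if base >= 0 and base % align == 0:
                votes[base] += 1
    if not votes:
        return None
    base = max(votes, key=votes.get)
    fad = sorted({w for w in words if (w - base) in funcset})
    fpt = [base + 4 * i for i, w in enumerate(words) if (w - base) in funcset]
    return {"base": base, "score": votes[base], "fad": fad, "fpt": fpt}

# Constructed sample: 100 functions at 0x40-byte spacing, 80 of them referenced
# from a pointer table at offset 0x1C00 of an image linked at 0x80010000.
SAMPLE_BASE = 0x80010000
FUNC_OFFSETS = [0x40 * i for i in range(1, 101)]
SAMPLE_FUN_FILE = "\n".join(f"{off:08x}" for off in FUNC_OFFSETS) + "\n"

def build_sample() -> bytes:
    fw = bytearray(filler(0x2000))
    table = b"".join(struct.pack("<I", SAMPLE_BASE + f) for f in FUNC_OFFSETS[:80])
    fw[0x1C00:0x1C00 + len(table)] = table
    return bytes(fw)

def analyse_sample():
    return find_load_address(build_sample(), parse_fun(SAMPLE_FUN_FILE))

if __name__ == "__main__":
    r = analyse_sample()
    print(f"loaded {len(FUNC_OFFSETS)} functions")
    print(f"Highest score for base address: {r['score']}, for base address {r['base']:08x}")
    print(f"first pointer location: {r['fpt'][0]:08x}, first function: {r['fad'][0]:08x}")
```

Only the true base accumulates votes from every table entry; wrong bases get at most stray single votes from filler words whose low 16 bits happen to match an offset, which is exactly why the score at the right base stands out in Binbloom's output.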
If the firmware contains several distinct code regions, Binbloom lists each region together with its load address:
Highest score for base address: 93, for base address 00000000
For information, here are the best scores:
For base address 00000000, found 93 functions
For base address 00040000, found 93 functions
Here we have obtained two code regions, one loaded at 0x00000000 and one at 0x00040000.
Binbloom generates two output files:
firmware.fad: contains the addresses of the identified functions
firmware.fpt: contains the addresses of the identified function pointers
Now we can open IDA Pro (or another reverse engineering tool) again, load the firmware at the computed address, and import the 1545 identified functions:
Load the firmware at the computed address in IDA Pro
From the File menu, choose Script file... and select the tag_code.py script
Select the .fad file
Select the .fpt file
Looking for a UDS database (ECU firmware)
Binbloom can search for any array containing UDS/KWP2000 service IDs, using the -u option:
binbloom -f firmware.bin -u
The above command returns the following output:
Loaded firmware.bin, size:1540096, bit:ffe00000, 001fffff, nb_segments:2048, shift:21
End address:00178000
UDS DB position: 1234 with a score of 12 and a stride of 12:
10 00 31 00 26 27 00 80 00 00 00 00
11 00 31 00 24 3d 01 80 00 00 00 00
22 00 10 00 2c 42 01 80 00 00 00 00
27 00 10 00 1c 41 01 80 60 a8 01 80
28 00 31 00 36 7f 01 80 00 00 00 00
2e 00 10 00 18 88 01 80 08 ae 01 80
31 00 30 00 10 41 01 80 00 00 00 00
34 00 10 00 46 4e 01 80 00 00 00 00
36 00 10 00 2a 2d 01 80 00 00 00 00
37 00 10 00 32 3c 00 80 00 00 00 00
3e 00 31 00 54 5b 01 80 00 b2 01 80
85 00 31 00 6a 2f 01 80 00 00 00 00
Each row is one 12-byte entry of the table; the first byte of every row (0x10, 0x11, 0x22, 0x27, ...) is a UDS service identifier, and the words ending in 01 80 look like handler pointers into the firmware.
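The search itself amounts to looking for a regularly spaced run of UDS service IDs. The following added example (not Binbloom's code) embeds the twelve table rows from the output above, at the same position 1234, inside a constructed image of filler bytes, and scans every stride and start offset for the longest run of strictly ascending service IDs. The service ID set, the stride range and the ascending-order requirement are assumptions of this example.

```python
# Request service identifiers from ISO 14229-1 (UDS); assumed set for this example.
UDS_SIDS = {0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x24, 0x27, 0x28, 0x2A, 0x2C, 0x2E,
            0x2F, 0x31, 0x34, 0x35, 0x36, 0x37, 0x38, 0x3D, 0x3E, 0x83, 0x84, 0x85,
            0x86, 0x87}

# The twelve 12-byte rows reported by Binbloom on the page (constructed sample table).
UDS_TABLE = bytes.fromhex("".join([
    "100031002627008000000000", "11003100243d018000000000",
    "220010002c42018000000000", "270010001c41018060a80180",
    "28003100367f018000000000", "2e0010001888018008ae0180",
    "310030001041018000000000", "34001000464e018000000000",
    "360010002a2d018000000000", "37001000323c008000000000",
    "3e003100545b018000b20180", "850031006a2f018000000000",
]))

def filler(n: int) -> bytes:
    """Deterministic pseudo-random filler (constructed; stands in for code and data)."""
    return bytes((i * 37 + 11) & 0xFF for i in range(n))

def build_sample() -> bytes:
    """Filler, then the UDS table at offset 1234, then more filler."""
    return filler(1234) + UDS_TABLE + filler(600)

def find_uds_table(fw: bytes, strides=range(4, 33)) -> dict:
    """Return the longest run of strictly ascending UDS service IDs found at a
    constant stride: {'score': entries, 'position': start offset, 'stride': bytes}."""
    best = {"score": 0, "position": None, "stride": None}
    for stride in strides:
        for pos in range(len(fw)):
            if fw[pos] not in UDS_SIDS:
                continue
            count, last, p = 0, -1, pos
            # Walk forward while each entry starts with a SID larger than the last one.
            while p < len(fw) and fw[p] in UDS_SIDS and fw[p] > last:
                last, count, p = fw[p], count + 1, p + stride
            if count > best["score"]:
                best = {"score": count, "position": pos, "stride": stride}
    return best

def uds_entries(fw: bytes, position: int, stride: int, count: int) -> list:
    """Slice the table into its raw entries so they can be dumped or decoded."""
    return [fw[position + k * stride: position + (k + 1) * stride] for k in range(count)]

def uds_service_ids(fw: bytes, position: int, stride: int, count: int) -> list:
    """First byte of each entry: the service ID that entry dispatches."""
    return [entry[0] for entry in uds_entries(fw, position, stride, count)]

if __name__ == "__main__":
    fw = build_sample()
    hit = find_uds_table(fw)
    print(f"UDS DB position: {hit['position']} with a score of {hit['score']} "
          f"and a stride of {hit['stride']}:")
    for entry in uds_entries(fw, hit["position"], hit["stride"], hit["score"]):
        print(entry.hex(" "))
```

Requiring the IDs to ascend is what keeps random filler bytes from producing long false runs; a real dispatch table is usually sorted or at least built in service-ID order, so the constraint costs little in recall while sharply reducing noise.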