当前位置:网站首页>STM32 reverse entry
STM32 reverse entry
2022-07-05 13:21:00 【Luo Hanxiang】
Link to the original text :
stm32 Reverse entry _ The blog of Hetian Wangan Laboratory -CSDN Blog
Pay attention to our
One 、 Preface
Today's learning record
Two 、 Reappear
1、SCTF 2020 Password Lock
Reference link :https://xuanxuanblingbling.github.io/iot/2020/07/08/stm32/
Title Description :
This is a STM32F103C8T6 MCU Password lock It has 4 A button , Respectively 1, 2, 3, 4. They correspond to each other GPIO_PA1, GPIO_PA2, GPIO_PA3, GPIO_PA4 flag1 The format is SCTF{ Correct key password } Enter the correct password , It will pass the serial port (PA9–TX) send out flag2
Their thinking :
The attachment of the title gives a Intel hex file , And given the chip information, we can determine the memory layout of the program and the correspondence between peripheral registers and memory . The key to reverse is to understand the meaning of program code , Next, we will analyze this step by step hex file .
1. hex File structure
Intel hex The file format consists of plain text , It contains information such as the loading address and entry address of the program , Reading this information can help us quickly locate the starting entry of the program instead of ida To configure .
- Read Intel hex file
We can use a text editor to open the title attachment , The key information is as follows :
:020000040800F2
...
...
:04000005080000ED02
:00000001FF
The program loading address is
0x08000000
The program entry address is
0x080000ED
Procedure to
:00000001FF
endingThe rest is all file data
2、 Memory layout
Find the website of the chip manual :https://www.alldatasheet.com/ Inside we can find STM32F103C8T6 Manuals , The first page finds some information we need
- Flash memory:32-to-128 Kbytes
- SRAM:6-to-20 Kbytes
31 page Memory Map It can let us more intuitively understand the detailed layout of memory
To sum up, we got the complete memory layout information of the program :
- Flash Memory: 0x8000000 ~ 0x801FFFF (128K)
- SRAM: 0x20000000 ~ 0x20004FFF (20K)
- Peripherals: 0x40000000 ~ 0x40023400
3、IDA analysis
After the analysis just now, we know the memory layout of the program , among Flash In addition to containing code , And interrupt vector table .Periphers The register in the segment is that we need to have a general understanding of alignment in the reverse process . And for hex Through the analysis of the file, we learned that in addition to the loading address and entry address , Everything else is gone hex In file , So we need to manually configure these memory layout information to tell IDA How to identify . open ida Tools , According to the manual just now, we can find that the chip is arm32 Armv7-M framework , Select the configuration as shown in the following figure, and then click ok
You can see that some functions can be recognized , among start The address of the function is analyzed with us hex The program entry address found in the file structure is the same .
If hex The entry address information is not given in the file. We can also find RESET Interrupt handler function to determine program entry function . among RESET The address of the interrupt function can be in STM32 Chinese Reference Manual V10.pdf Find relevant information in
Reference resources STM32 The location of the interrupt vector table 、 Redirect We can see in the interrupt vector table RESET The address of 0x8000004
The address is fixed , What is changeable is the loading address of the program . We jump to 0x8000004
On this address , Press keyboard D The key divides the above data into 4 Byte form found reset The address for 0x8000101
Jump to RESET Interrupt handling function , There are two jumps . Jump to for the first time nullsub_1 Up and put the address of the next instruction into LR register ,nullsub_1 The function is to jump back LR Address in register , So the first jump is meaningless . The second jump is ours start Address , So you can use this method to locate the entry address of the program .
You can find this program by following the entry address all the time main Where is the function , But after entering, you can find a large red mark on the left , Observing these red areas is actually IDA Unrecognized address , That is, the memory segments we need to add before analyzing the memory layout .
We are IDA New China Segment, As shown in the figure below :
At this time, as long as we click again F5 You can turn these red signs into memory for normal recognition
4、 Fix interrupt vector table
Use IDApython Recover the information before the program entry address
for i in range(0x8000000,0x80000eb,1):
del_items(i)
for i in range(0x8000000,0x80000eb,4):
create_dword(i)
After the repair, we observe the address inside , You will find many duplicate addresses 0x800016D
, You will find that there is no function defined in these addresses . Continue to check the interrupt vector table and you will find the following different memory addresses
Reference resources STM32 Chinese Reference Manual V10.pdf We can find these in EXTI Address of the interrupt handling function
stm32-EXTI
Follow up these function addresses and you will find IDA It is not recognized as a function , So let's first press... At the starting address of the function P key , Then disassemble to see these interrupt handling functions , Here I use EXTI_4 Take the interrupt handling function of as an example to briefly introduce the functions of these interrupt handling functions .
int EXTI_4()
{
int result; // r0
EXTI_LINE = 16;
switch ( sum )
{
case 1:
unk_20000006 = 116;
return sum++ + 1;
case 2:
unk_20000010 = 95;
return sum++ + 1;
case 4:
unk_2000000E = unk_20000001;
return sum++ + 1;
default:
result = 0;
sum = 0;
break;
}
return result;
}
The program starts with an interrupt / Event line ,EXTI_4 The interrupt / The event line is 0x10, Then use a piece of memory ( It's written here sum) As the storage location of the accumulated number . We can see when sum The value of 1、2、4 when sum It's worth it +1, If not, it will start again . So we can judge 1、2、4 Namely EXTI_4 The number of digits appearing in the password , Similarly, the other three buttons are the same , Through these sequences, we can get the final flag by flag{1442413}, And we can find in main In the function, the program first simulated the input of a password , By comparing the above value with EXTI_LINE We can also get flag value .
2、2021 HWS Enter the camp -STM32
After the introduction of the previous question, let's practice another question , open IDA Type selection segment arm32, Schema selection ARMv7-M framework .
Next, set the loading address and reading address of the program to 0x8000000
, The loading address refers to IDA What is the analysis address loaded , and Input File It refers to where the firmware should be loaded , After setting, we click OK Complete set .
After entering, you will find IDA No function was recognized , Don't worry, we can locate reset Interrupt processing to find main Position of function . take 0x8000004
The byte at the address becomes 4 byte , obtain reset Interrupt handler address 0x8000101
.
You can find that the end of the address is an odd digit , stay arm This represents thumb Pattern . We can do it in 0x8000101
Address press C Key to generate code
Follow the program all the time and we will find main Function location sub_80003C0
, And found the function that needs to be reversed sub_8000314
_BYTE *sub_8000314()
{
_BYTE *v0; // r4
char *v1; // r5
int v2; // r6
char v3; // t1
v0 = (_BYTE *)sub_80003F0(48);
v1 = &byte_8000344;
v2 = 0;
while ( v2++ != 0 )
{
v3 = *v1++;
*v0++ = (v3 ^ 0x1E) + 3;
sub_8000124(v1);
}
return v0;
}
Write a problem-solving script to get flag value
li = [0x7D, 0x77, 0x40, 0x7A, 0x66, 0x30, 0x2A, 0x2F, 0x28, 0x40, 0x7E, 0x30, 0x33, 0x34, 0x2C, 0x2E, 0x2B, 0x28, 0x34, 0x30, 0x30, 0x7C, 0x41, 0x34, 0x28, 0x33, 0x7E, 0x30, 0x34, 0x33, 0x33, 0x30, 0x7E, 0x2F, 0x31, 0x2A, 0x41, 0x7F, 0x2F, 0x28, 0x2E, 0x64]
print(''.join(chr((i ^ 0x1E) + 3) for i in li))
Original manuscript collection
Solicit original technical articles , Welcome to post
Send email :[email protected]
Type of article : Hacker geek Technology 、 Information security hot spots, security research and analysis and other security related issues
Through review and release, you can gain 200-800 Yuan .
Shooting range practice , stamp “ Read the original ”
边栏推荐
- Binder communication process and servicemanager creation process
- CloudCompare——点云切片
- Parsing XML using Dom4j
- MMSeg——Mutli-view时序数据检查与可视化
- AVC1与H264的区别
- About the single step debugging of whether SAP ui5 floating footer is displayed or not and the benefits of using SAP ui5
- Flutter draws animation effects of wave movement, curves and line graphs
- 今年上半年,通信行业发生了哪些事?
- 山东大学暑期实训一20220620
- MSTP and eth trunk
猜你喜欢
Could not set property ‘id‘ of ‘class XX‘ with value ‘XX‘ argument type mismatch 解决办法
爱可生SQLe审核工具顺利完成信通院‘SQL质量管理平台分级能力’评测
Principle and performance analysis of lepton lossless compression
Flutter 3.0更新后如何应用到小程序开发中
先写API文档还是先写代码?
峰会回顾|保旺达-合规和安全双驱动的数据安全整体防护体系
MMSeg——Mutli-view时序数据检查与可视化
蜀天梦图×微言科技丨达梦图数据库朋友圈+1
FPGA learning notes: vivado 2019.1 add IP MicroBlaze
量价虽降,商业银行结构性存款为何受上市公司所偏爱?
随机推荐
SAE international strategic investment geometry partner
DataPipeline双料入选中国信通院2022数智化图谱、数据库发展报告
Fragmented knowledge management tool memos
“百度杯”CTF比赛 九月场,Web:SQL
Hiengine: comparable to the local cloud native memory database engine
Jenkins installation
DataPipeline双料入选中国信通院2022数智化图谱、数据库发展报告
"Baidu Cup" CTF competition in September, web:sql
Talk about seven ways to realize asynchronous programming
APICloud Studio3 WiFi真机同步和WiFi真机预览使用说明
[notes of in-depth study paper]uctransnet: rethink the jumping connection in u-net from the perspective of transformer channel
什么是网络端口
Go string operation
数据泄露怎么办?'华生·K'7招消灭安全威胁
RHCSA8
今年上半年,通信行业发生了哪些事?
Changing JS code has no effect
Apicloud studio3 API management and debugging tutorial
APICloud Studio3 API管理与调试使用教程
Developers, is cloud native database the future?