参考https://www.freebuf.com/articles/endpoint/335030.html

测试固件 https://service.tp-link.com.cn/detail_download_7989.html

固件提取

binwalk解压固件，在第一部分即为要分析的二进制文件，可以拖进ida分析

设置为arm小端字节序，点set

随便选择加载地址

进来之后可以看到真正的加载地址

修复符号

VxWorks采用usrInit进行栈初始化，usrInit是VxWorks系统引导后运行的第一个函数。调用bzero函数对bss区的数据进行清零。

binwalk 解压得到所有内容，通过grep 搜索符号表

grep -nr "bzero" .

xxd得到对应的十六进制数

xxd -g 1 -u ./15CBBA >15CBBA.chr

确定符号表中符号的偏移，通过出现连续字符串的开始，即0x001a728

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yNAqux7c-1691033042845)(https://secure2.wostatic.cn/static/nwoxbBWYMvVEe5bDYJ13iG/image.png?auth_key=1691033035-jSmBWdaxkSDidDnxYhjrqb-0-ae27733d97336f8f2c6794e7ad3842ce)]

在该文件的开头记录着符号表的偏移，54对应flag，0x40373684对应AES_CMAC的偏移

使用idapython脚本恢复符号表

• 重定位加载地址
• 读取符号表文件，定位到对应偏移分别得到地址和符号名
• 创建函数并设置函数名

from  idaapi import *
import idc
def has_symbol(address):symbol_name = idc.get_name(address)return bool(symbol_name)def read_symbol_table(filename, symbol_address_offset,symbol_offset):with open(filename, "rb") as f:f.seek(symbol_address_offset)content=f.read()with open(filename, "rb") as f:f.seek(symbol_offset)content_symbol=f.read()symbol_address=[]    for item in range(0,len(content),8):if item>=symbol_offset:breaksymbol_data = content[item:item+4] # Assuming 32-bit address, change the size as neededsymbol_address.append(int.from_bytes(symbol_data, byteorder="big"))symbol_list=content_symbol.split(b"\x00")print("found address,symbol len",len(symbol_address),len(symbol_list))for a,s in zip(symbol_address,symbol_list):yield (a,s)def create_symbol(symbol_address, symbol_name):add_func(symbol_address)idc.set_name(symbol_address, symbol_name.decode(), SN_NOCHECK)
def init(ida_load_addr):rebase_program(ida_load_addr,8) # 测试时ida会根据前一次的地址加上这个偏移得到基地址，刚开始设置为0，只执行一次即可def main():filename = "/Users/guosiyu/Desktop/aiwencode/loudong_liyong/tplink/_wdr7660gv1-cn-up_2019-08-30_10.37.02.bin.extracted/15CBBA"current_base=get_imagebase()ida_load_addr=0x40205000-current_basesymbol_address_offset = 0xc  # Offset where the symbol address is located in the filesymbol_offset = 0x001a728  # Offset of the symbol in the fileinit(ida_load_addr)auto_wait()for addr,symbol in read_symbol_table(filename, symbol_address_offset,symbol_offset):print("found address,symbol:",hex(addr),symbol)if(has_symbol(addr)):continuecreate_symbol(addr, symbol)# symbol_address = base_address + symbol_address_offset# symbol_name = "your_symbol_name"  # Replace this with the desired symbol name# print(f"Created symbol: {symbol_name} at address: 0x{symbol_address:08X}")if __name__ == "__main__":main()

补充

工具 https://github.com/PAGalaxyLab/vxhunter好像也可以，未测试