侯智晟-meowheckerouo@gmail.com **Outline** [TOC] ARM Simulator https://cpulator.01xz.net/?sys=arm-de1soc ARM -> Advance RISC Machine # Layout 面版 ## Register  r0 ~ r6 Normal Registers r7 -> systems call ### sp (Stack pointer) Tell us next usable Address (Base on stack memory) ### lr (link register) Invoke function ; 保存子例程調用完成時要返回的地址的寄存器 ### pc (program counter) -> Trace next Instruction 的 memory address ### Stack Memory Stack Memory -> Computer RAM  Address 1 = 1 Byte Address 0x10 -> 16 Byte  ### cpsr(current program status register ) 有flag 會標示 數值 正負 ### spsr (save program status register) 要不要進位 是否 overflow # First Program ## Assebbler Language:Basic Syntax ``` lable opcode oprand1, oprand2... #Commands ``` ### Label Address 標記 ### opcode 指令操作碼 ### operand 不同指令則有所不同個operand  --- ``` mov R1 #1 ``` ## Register 7 ### systems invoke - Manage - input - ouput - process exec - Communication - systems interrupt R7 #1 - systems invoke -> 查 table ->找出對應的Instruction 用法 assign value 給 register 7 ## mov Register Assignment! ``` .global _start _start: MOV R0,#0x01 MOV R7,#1 SWI #0 ```  ## SWI(Software Interrupt) Interrupt Process ``` SWI #0 ``` ## Little-Endian  # Address Model ## Register Immediate Addressing (立即尋址) 表示 能夠立即的賦值 操作  ## Register Indirect Addressing 類似 Pointer  r0 -> stack Address ## Stack 把data 放在 Stack memory 中 ``` .global _start _start: .data list: .word 1,2,3,4,5,-1,-2 ``` .data 定義 Memory 的數據段 list -> Varaiable .word -> 為Data type -> 32 bit ### LDR From Stack to Register Syntax ``` LDR R1 R2(Address), #offset ``` R2 #4 == *(R2) +1 Offest 1 = One Bytes ``` .global _start @ 定义 _start 符号为全局符号 _start: @ 定义 _start 标签 LDR R0,=list @ 把list的地址装载到寄存器R0中 .data @ 定义数据段 list: @ 定义一个名为 list 的符号，用于访问数据段中的数据 .word 1,2,3,4,5,-1,-2 @ 在 list 符号指向的位置定义一些整数值 ``` =list Return memory Address   code 2 ``` .global _start _start: LDR R0,=list #=list like list[] LDR R1,[R0] .data list: .word 1,2,3,4,5,-1,-2 ``` [] -> 取value *R0 -> R1 Regitser   code3 ``` .global _start _start: LDR R0,=list @ RO = *(list[]); LDR R1,[R0] @ *R1=*(R0); LDR R2,[R0,#4] @ *(R2)=*(R1+1) .data list: .word 1,2,3,4,5,-1,-2 ```   ### Pre Increase syntax ``` LDR R2, [R0 #4]! ``` 先對 R0 做偏移取值 再存到R2這個 Register   ### Post Increase syntax ``` LDR R2,[R0],# ``` ``` .global _start _start: LDR R0,=list @ RO = *(list[]); LDR R1,[R0] @ *R1=*(R0); LDR R2,[R0],#4 @ *(R2)=*(R1+1); .data list: .word 1,2,3,4,5,-1,-2 ```   # Arithmetic CPSR (Current programe status register ) ``` .global _start _start: MOV R0,#6 MOV R1,#9 ADD R2,R1,R0 SUB R3,R1,R2 @-3 MOV R4,#-3 MOV R5,#0xffffffff ``` ## CPSR CPST -> 4 bit - negative - zero - carry - overflow  ### Negative flag  當有 SUB command -> N flag 會根據計算結果來設定flag  ### Zero flag  ### Carry flag 0xffffffff + 0x00000000a = 1(carry -> carry flag set 1 ) + 0x000000009  ### ADC ADD oprand + carray 操作  # Logical Operation ## And Operation ``` .global _start _start MOV R0, #0xffffffff MOV R1, #0x21 AND R2, R0, R1 ``` R2 -> 0x21  ## OR Operation  ## EOR Operation Exclusive OR 1 0 -> 1 0 1 -> 1 0 0 -> 0 1 1 -> 0  ## MVN Move Negative 0x000000ff --Negative--> 0xffffff00 255 -> -256 --- -256 原因 0x80000100 -> remote 符號未 再取補數 ->0xfffffEff-> 補數+1 ->0xffffff00 (逆推)   ## Remove 特定的Bit(And operation) And Op Remote bit -> set 0 reserve bit -> set 1 # Logical Shift/Rotaion ## Shfit ``` .global _start _start: @logical shifting @left MOV R0,#10 LSL R0,#1 //R0*2 @right MOV R1,#10 LSR R1,#1 //R1/2 ``` ### LSL (logical shift left) value * 2 00000101 -> 0001010 5 -> 10 ``` MOV R0,#10 MOV R1,R0,LSR #1 //R1 = R0/2 ``` ### LSR (logical shift right) value / 2 00000101 -> 00000010 5 -> 2.5 -> 2 00000011 -> 00000001 3 - > 1.5 -> 1 ## Rotation  LSR 最小的bit 有消失的問題 ### ROR ``` .global _start _start: MOV R0,#0x0f ROR R0,#1 ``` # Condiction and Branch ## CMP compare 但不跳轉 (條件句大哥) syntax ``` CMP R0, R1 ``` (R0 - R1) -> 如果為 Negative -> CPSR: N flag = 1 ## Cmpare and Jump to Branch 會去看 CPSR flag 來去執行其他操作 ### BGT (Branch if greater than) ">" ``` .global _start _start: MOV R0,#3 MOV R1,#2 CMP R0,R1 //R0-R1 BGT greater MOV R2,#2 greater: MOV R2,#1 ``` 如果 jump 到 greater label(Branch) -> MOV R2, #2 會被skip掉  ### BLT (Branch if less than ) "<" ### BLE "<=" ### BEQ "=" ### BNE "!=" ## Jump to Branch ### BAL (branch and link) Notice: 他不會把 Next instruction Address 純在LR 裡面   # Loop And Branch ## BAL ``` .global _start _start: LDR R0,=list @Ro == list 入口 .data list: .word 1,2,3,4,5,6,7 ```  類似於 C Language "\n" ``` .equ endlist 0xaaaaaaaa ```  C language  ``` for (int i =0; i< array/size of (int);i++){ if (array[i] != "\0"){ a=a+i; i++; } } ``` ARM ``` .global _start .equ EOF, 0xaaaaaaaa //save in the memory _start: LDR R0,=list LDR R3,=EOF LDR R1,[R0] ADD R2,R2,R1 loop: LDR R1,[R0,#4]! @gat memory value CMP R1,R3 BEQ exit ADD R2,R2,R1 BAL loop exit: .data list: .word 1,2,3,4,5,6,7,8,9,10 ```  # Condiction Instriction Execution c Laguage ``` if(a<b){ add(a,b) } ``` ``` .global _start .equ EOF, 0xaaaaaaaa //save in the memory _start: MOV R0,#10 MOV R1,#9 CMP R0,R1 BLT addR1R2 BAL exit addR1R2: ADD R3,R2,R1 exit: ``` # Branch with Link Register and Return ## Function BL 跟 BX (Return 一個 Address ) ## BL (Branch Link 在跳轉到另一個Branch時 會記錄下一個 Instruction Address 直接存到 Link Register (但她不會直接回去) ``` .global _start _start: MOV R0,#1 MOV R1,#1 BL add2 MOV R5,#9 add2: ADD R2,R0,R1 ```  ## BX (Branch Return) 回到LR存的Address ``` .global _start _start: MOV R0,#1 MOV R1,#1 BL add2 MOV R5,#9 add2: ADD R2,R0,R1 BX lr ``` BX -> LR 有點像 Pointer , BX oprand 就會讓 Instruction 回到LR 的位置  # Preserving and Retrieving Data from Stack Memory 保留和取出 data From Stack Memory ## Stack Memory Compiler 會去 Register assign (Register 的賦值 由compiler 分配) Push 跟 PoP value -> 要考慮 stack 結構 (FILO) ## link Register BL (branch link) LR - recording Next instruction and waiting function invoke finishing ## Local Register  ## Push Preserving Data into Stack ``` .global _start _start: MOV R0,#1 MOV R1,#1 PUSH {R0,R1} BL add2 POP {R0,R1} BL end add2: MOV R0,#5 MOV R1,#6 ADD R2,R1,R2 BX lr end: ```  push -> register value -> stack 裡面 push 完 sp(Stack Pointer) 會指向 push 進去的Initial Address ## PoP Getting Register value form stack Memory ``` .global _start _start: MOV R0,#1 MOV R1,#1 PUSH {R0,R1} BL add2 POP {R0,R1} BL end add2: MOV R0,#5 MOV R1,#6 ADD R2,R1,R2 BX lr end: ``` ## Function Return 利用stack -> 來 implement Function ```arm .global _start _start: MOV R0,#1 MOV R1,#1 PUSH {R0,R1} BL add2 POP {R9} @R9 = function return value POP {R0,R1} MOV R3,R9 B end add2: MOV R0,#5 MOV R1,#6 ADD R2,R0,R1 PUSH {R2} @return value BX lr end: ```  ### Observe stack address 越push -> (sp) Address 愈小  # Hardware Interactions Arm CPU 與 Device  ## Switch CPU 可以透過 Switch (Device) 取得 Value 可以放到 Register 中 ### .equ 用於定位 可以想成 Declare Pointer ``` .equ switchAddress, 0xff20040 .global _start _start: LDR R1,=switchAddress ```  根據上圖 可以知道Switches Device Address 是多少  ``` .equ switchAddress, 0xff200040 .global _start _start: LDR R0,=switchAddress LDR R1,[R0] @ *(RO) ```   RO -> switch Address ## LED Device ### STR 將src Register 32 bit value 送到 處存器的Address syntax ``` STR srcR [Raddress] ``` ``` .equ switchAddress, 0xff200040 @switch pointer .equ ledAddress ,0xff200000 @led pointer .global _start _start: LDR R0,=switchAddress LDR R1,[R0] @ value 1111 LDR R0,=ledAddress STR R1,[R0] @STR "register value ->　led" ```  # Setting up Qemu for ARM Programming ## Raspberrypi ->Run ARM program Part 1 http://downloads.raspberrypi.org/raspbian/images/raspbian-2017-04-10/  模擬操作系統 -> 模擬 Raspberrypi systems Part 2 Install operating systems kernel https://github.com/dhruvvyas90/qemu-rpi-kernel/blob/master/kernel-qemu-4.4.34-jessie --- ## Install QEMU QEMU（quick Emulator） 允許了為一種架構編譯的程式在另外一種架構上面執行  ``` root@ubuntu:/home/user/Desktop/arm # sudo apt install qemu-system ``` ## RUN Raspberrypi on the qume Setting.sh ``` qemu-system-arm -kernel kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb -serial stdio -append "root=/dev/sda2 rootfstype=ext4 rw" -hda 2017-04-10-raspbian-jessie.img -nic user,hostfwd=tcp::5022-:22 -no-reboot ``` cup -> arm1176 m -> virtual RAM (allocate memory size) M -> Machine type -append "root=/dev/sda2 rootfstype=ext4 rw" -> 建立file systems -hda 讓東西? 指向 raspberrypi -nic user,hostfwd=tcp::5022-:22 -no-reboot -> 透過SSH 進入 我們虛擬的機器 port 5022 -> port 22 ## Using ssh connect to raspberry pi  ``` sudo service ssh start ``` Ubuntu 登入 ``` ssh pi@localhost -p 5022 ``` password: raspberry # Print String to Terminal (On Raspberry pi) ```arm .global _start _start: MOV R0,#1 @standard in -> out put on terminal LDR R1,=message @memory Address LDR R2,=stringLen @data length MOV R7,#7 @tell to os system out put result on the screen SWI 0 @interrupt os systems MOV R7,#1 @interrupte process SWI 0 @interrupte os systems .data message: .asciz "Meowhecker \n" stringLen =.-message ``` .asciz 會自動加上 控字符串 (類似 /0 符號) 定義 他為一個string 也可以寫成 .string ## Main() 1. Define 讓 message 要寫到哪 2. 要有一個reference Address (找到欲輸出位置) 3. 定義 輸出長度 4. 告訴Computer 把 內容印到銀幕上 ## R7 Register R7 -> 中斷process execute 讓 OS systems 接管執行 interrupt -4 輸出到Screen 上 -1 ENd proccess ## SWI SWI 0 -> 中斷 OS Systems, Back to the process END process R7,#1 靠訴OS 中斷 process SWI 0 -> interrupt OS ## Assamble --> Object code --> loader --> program --> process ``` root@raspberrypi:/home/pi# as meowhecker.s -o meowhecker.o root@raspberrypi:/home/pi# ld meowhecker.o -o meowhecker root@raspberrypi:/home/pi# ./meowhecker Meowhecker ``` as 組裝 ld -> loader # Debugging ARM programs with GDB ``` root@raspberrypi:/home/pi# gdb meowhecker ``` ## Break point syntax ``` break "lable" ``` 我們可以設置break point 來分析 program ``` (gdb) break _start Breakpoint 1 at 0x10074 ``` ## Run the Program Aftter Setting break poing finished, we could run the program ``` (gdb) run Starting program: /home/pi/meowhecker Breakpoint 1, 0x00010074 in _start () ``` ## layout We will through layout the know the program info 打開GDB layout ``` layout asm ```  Switch layout Noting : (ctrl + x)幹要先按 + o 可以切換Layout ### Register 查看register 方法 Way 1 ``` (gdb) info register r0 r0 0x0 0 ``` Way 2 直接打開Register layout ``` (gdb) layout regs ```  ## Next Instruction  Stack 中 Message Address 已經load 進去R1 Register  ## Analysis Memory (查看stack) 查看 Stack Memory slot (32-bit) Syntax ``` x/[memory slot數量xdcu ] [initial Address] ``` x -> 16 d -> 10 d -> char 16(hexadecimal) message -> ascii 會看不出來在幹嘛 ``` (gdb) x/10x $r1 0x20098: 0x776f654d 0x6b636568 0x0a207265 0x00134100 0x200a8: 0x65610000 0x00696261 0x00000901 0x08010600 0x200b8: 0x732e0001 0x61746d79 ``` x -> exam (檢查) ``` (gdb) x/15c $r1 0x20098: 77 'M' 101 'e' 111 'o' 119 'w' 104 'h' 101 'e' 99 'c' 107 'k' 0x200a0: 101 'e' 114 'r' 32 ' ' 10 '\n' 0 '\000' 65 'A' 19 '\02 3' ``` \000 -> null string # Firmware Analysis & IoT Reverse Engineering Reference https://www.youtube.com/watch?v=zs86OYea8Wk Target Firemware :**TP-Link TL-WR1042NDv1** (路由器) ## Download **TP-Link TL-WR1042NDv1** ```bash ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# wget http://www.tp-link.com/resources/software/TL-WR1042ND_V1_130923.zip ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# mv wr1042nv1_en_3_15_7_up_boot\(130923\).bin routerFirmware.bin ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# ls routerFirmware.bin TL-WR1042ND_V1_130923.zip ``` ## Analyzing the firmware ### file ``` ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# file routerFirmware.bin routerFirmware.bin: firmware 1042 v1 TP-LINK Technologies ver. 1.0, version 3.15.7, 8258048 bytes or less, at 0x200 998400 bytes , at 0x100000 7077888 bytes ``` ## Binwalk (Automatic Reverse Tools) Binwalk could be used to serach binary file and extract the file systems or code - \- e Automatically extract important files. ``` ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# binwalk -e routerFirmware.bin --run-as=root DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 0.25336.3, image version: "", product ID: 0x0, product version: 272760833, kernel load address: 0x0, kernel entry point: 0x20000, kernel offset: 8258048, kernel length: 512, rootfs offset: 998400, rootfs length: 1048576, bootloader offset: 7077888, bootloader length: 0 5824 0x16C0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 72992 bytes 131584 0x20200 TP-Link firmware header, firmware version: 0.0.3, image version: "", product ID: 0x0, product version: 272760833, kernel load address: 0x0, kernel entry point: 0x20000, kernel offset: 8126464, kernel length: 512, rootfs offset: 998400, rootfs length: 1048576, bootloader offset: 7077888, bootloader length: 0 142344 0x22C08 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3100784 bytes .... WARNING: Symlink points outside of the extraction directory: /home/meowhecker/firmwareAnalysis/_routerFirmware.bin.extracted/squashfs-root/etc/passwd -> /tmp/passwd; changing link target to /dev/null for security purposes. 1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2722564 bytes, 763 inodes, blocksize: 131072 bytes, created: 2013-09-23 07:39:23 ``` info - TP-Link firmware header - LZMA compressed data - Squashfs 文件系統 1180160 0x120200 Squashfs 文件系統，little endian，版本 4.0，壓縮：lzma，大小：2722564 字節，763 個 inode，塊大小：131072 字節，創建時間：2013-09-23 07:39:23 ## Access file systems ``` ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis] └─# cd _routerFirmware.bin.extracted ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis/_routerFirmware.bin.extracted] └─# ls 120200.squashfs 16C0 16C0.7z 22C08 22C08.7z squashfs-root ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis/_routerFirmware.bin.extracted] └─# cd squashfs-root ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis/_routerFirmware.bin.extracted/squashfs-root] └─# ls bin dev etc home init lib linuxrc mnt proc sbin sys tmp usr var web ``` 透過進入file systems 可以研究 一些 Default setting e.g. - Default credential - Remote configuration (telnet, ssh ) ``` ┌──(root㉿Meowhecker)-[/home/…/firmwareAnalysis/_routerFirmware.bin.extracted/squashfs-root/etc] └─# cat shadow root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: john --wordlist=/home/meowhecker/wordlists/rockyou.txt ``` ## Enumerate File systems ### / ``` ┌──(root㉿Meowhecker)-[/home/meowhecker/firmwareAnalysis/_routerFirmware.bin.extracted/squashfs-root] └─# ls -la 總用量 60 drwxrwxr-x 15 501 502 4096 9月 23 2013 . drwxr-xr-x 3 root root 4096 6月 11 13:42 .. drwxrwxr-x 2 501 502 4096 9月 23 2013 bin drwxrwxr-x 5 501 502 4096 6月 11 13:42 dev drwxrwxr-x 4 501 502 4096 6月 11 14:00 etc drwxrwxr-x 2 501 502 4096 9月 23 2013 home lrwxrwxrwx 1 501 502 11 9月 23 2013 init -> bin/busybox drwxrwxr-x 3 501 502 4096 9月 23 2013 lib lrwxrwxrwx 1 501 502 11 9月 23 2013 linuxrc -> bin/busybox drwxrwxr-x 2 501 502 4096 9月 23 2013 mnt drwxrwxr-x 2 501 502 4096 9月 23 2013 proc drwxrwxr-x 2 501 502 4096 9月 23 2013 sbin drwxrwxr-x 2 501 502 4096 9月 23 2013 sys drwxrwxr-x 2 501 502 4096 9月 23 2013 tmp drwxrwxr-x 5 501 502 4096 9月 23 2013 usr drwxrwxr-x 2 501 502 4096 9月 23 2013 var drwxrwxr-x 9 501 502 4096 9月 23 2013 web ``` lrwxrwxrwx 1 501 502 11 9月 23 2013 linuxrc -> bin/busybox ### Linuxrc In embedded operating systems, /linuxrc is commonly designated as the init process. ### /bin ``` ┌──(root㉿Meowhecker)-[/home/…/firmwareAnalysis/_routerFirmware.bin.extracted/squashfs-root/bin] └─# ls acltd chmod egrep grep iptables iwpriv ls ob ping setmib true auth date false iapp irf kill mount od ps sh umount busybox df fgrep ib iw lld2d msh orf rm sleep wscd cat echo getmib idd iwcontrol login ntfs-3g ow rssi tc ```