Research Article
Determining the Image Base of Smart Device Firmware for Security Analysis
Listing 2
Determining the image base by searching jump tables (DBJT).
Input: firmwareFile
Output: A sorted result of the elements and their occurrence in multiset M

function DBJT(firmwareFile)
    fileSize ⟵ Obtain the size of firmwareFile
    offset ⟵ 0
    while (0 ≤ offset < fileSize) do
        CMP_FLAG ⟵ FALSE
        LDRLS_FLAG ⟵ FALSE
        B_FLAG ⟵ FALSE
        if Current instruction is CMP instruction then
            CMP_FLAG ⟵ TRUE
        else
            offset ⟵ offset + 4
            continue
        end if
        if The second instruction is LDRLS instruction then
            LDRLS_FLAG ⟵ TRUE
        else
            offset ⟵ offset + 4
            continue
        end if
        if The third instruction is B instruction then
            B_FLAG ⟵ TRUE
        else
            offset ⟵ offset + 4
            continue
        end if
        if CMP_FLAG == TRUE && LDRLS_FLAG == TRUE && B_FLAG == TRUE then
            jt[n] ⟵ Read the jump table
            min_addr ⟵ Obtain the minimum element of the array jt[n]
            offset_case1 ⟵ Obtain offset of the first case block
            base ⟵ min_addr - offset_case1
            if base % 4 == 0 then
                M ⟵ base
            end if
            offset ⟵ offset_case1
        end if
        offset ⟵ offset + 4
    end while
    Count the number of occurrences of each element in the multiset M
    Sort the elements and their occurrence in descending order by number of occurrences
    Output: Sorted elements and their occurrences
end function
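As an added illustration (not code from the paper), the following Python implements the DBJT scan over a little-endian ARM32 image: it matches the CMP / LDRLS PC,[PC,Rm,LSL #2] / B triple, reads the jump table, derives base = min_addr - offset_case1 and tallies the candidates. The instruction-encoding masks, the assumption that the first case block directly follows the table, and the constructed sample image `make_sample` are my own.

```python
import struct
from collections import Counter

# ARM32 encoding masks (assumed here, not from the paper)
CMP_IMM_MASK, CMP_IMM = 0x0FF00000, 0x03500000   # CMP Rn, #imm (any condition)
LDRLS_MASK, LDRLS_PC = 0xFFFFFFF0, 0x979FF100     # LDRLS PC, [PC, Rm, LSL #2]
B_MASK, B_AL = 0xFF000000, 0xEA000000             # B <label> (unconditional)

def word(fw, off):
    return struct.unpack_from("<I", fw, off)[0]

def dbjt(fw):
    """Return [(base, count), ...] sorted by descending occurrence."""
    bases = Counter()
    off, size = 0, len(fw) - len(fw) % 4
    while off + 12 <= size:
        w0, w1, w2 = word(fw, off), word(fw, off + 4), word(fw, off + 8)
        if ((w0 & CMP_IMM_MASK) != CMP_IMM or (w1 & LDRLS_MASK) != LDRLS_PC
                or (w2 & B_MASK) != B_AL):
            off += 4
            continue
        # CMP Rn,#imm: LDRLS fires for 0..imm, so imm+1 entries
        # (assumes an 8-bit immediate with zero rotation, i.e. small switches)
        n = (w0 & 0xFF) + 1
        jt_off = off + 12                      # table follows the B instruction
        if jt_off + 4 * n > size:
            off += 4
            continue
        jt = [word(fw, jt_off + 4 * i) for i in range(n)]
        offset_case1 = jt_off + 4 * n          # assumed: first case block follows the table
        base = min(jt) - offset_case1
        if base >= 0 and base % 4 == 0:        # paper checks alignment; >= 0 is an added guard
            bases[base] += 1
        off = offset_case1 + 4                 # paper: offset <- offset_case1, then +4
    return sorted(bases.items(), key=lambda kv: (-kv[1], kv[0]))

def make_sample(base, switch_at):
    """Constructed test image: a 3-case ARM switch at each file offset in switch_at."""
    words = [0xE1A00000] * 64                  # MOV R0, R0 filler
    for s in switch_at:
        table_off = s + 12
        case1 = table_off + 4 * 3
        words[s // 4:s // 4 + 3] = [0xE3500002, 0x979FF100, 0xEA000010]
        for i in range(3):                     # absolute case addresses, 8 bytes apart
            words[table_off // 4 + i] = base + case1 + 8 * i
    return b"".join(struct.pack("<I", w) for w in words)

if __name__ == "__main__":
    print([(hex(b), c) for b, c in dbjt(make_sample(0x08000000, [16, 96]))])
```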