Abstract
Disassembly, as a principal reverse-engineering tool, is the process of recovering the equivalent assembly instructions of a program's machine code from its binary representation. However, when disassembling a firmware file, the disassembly process cannot be performed well if the image base is unknown. In this paper, we propose an innovative method to determine the image base of a firmware file with ARM/Thumb instruction set. First, based on the characteristics of the function entry table (FET) for an ARM processor, an algorithm called FIND-FET is proposed to identify the function entry tables. Second, by using the most common instructions of function prologue and FETs, the FIND-BASE algorithm is proposed to determine the candidate image base by counting the matched functions and then choose the one with maximal matched FETs as the final result. The algorithms are applied on some firmwares collected from the Internet, and results indicate that they can effectively find out the image base for the majority of example firmware files.
Original language | English |
---|---|
Pages (from-to) | 351-359 |
Number of pages | 9 |
Journal | IEICE Transactions on Information and Systems |
Volume | E99D |
Issue number | 2 |
DOIs | |
Publication status | Published - Feb 2016 |
Keywords
- Determining
- Disassembly
- Firmware
- Image base
- Reverse engineering