IoT固件分析技术详解<\/h1>

一、固件壳检测与分析<\/h2>

1. 常见壳类型<\/h3>

1.1 压缩壳<\/h4>

定义<\/strong>：通过压缩技术减少可执行文件大小，运行时动态解压缩代码<\/li>
优点<\/strong>：提高下载速度，减少存储空间<\/li>

典型工具<\/strong>：UPX(极限压缩)、FUPX等<\/li> <\/ul>
1.2 加密壳<\/h4>

定义<\/strong>：通过加密程序代码防止逆向工程和分析<\/li>
优点<\/strong>：保护软件版权，提高安全性<\/li>
典型工具<\/strong>：VMProtect、Themida等<\/li> <\/ul>
1.3 混淆壳<\/h4>

定义<\/strong>：改变代码结构和控制流增加逆向难度<\/li>
优点<\/strong>：使代码难以理解，增加破解难度<\/li>
典型工具<\/strong>：ProGuard(Java)、ConfuserEx(.NET)<\/li> <\/ul>
2. 壳检测工具<\/h3>

推荐工具下载地址：http:\/\/www.52bug.cn\/nxtool\/3191.html<\/li>
使用方法参考：https:\/\/blog.csdn.net\/ftxyz23\/article\/details\/133100418<\/li> <\/ul>
二、工业控制固件分析实战<\/h2>
1. 2020工业信息安全技能大赛案例<\/h3>
1.1 文件分析<\/h4>

仅发现一个bin文件<\/li>
解压后得到217文件而非文件系统<\/li>
架构：PowerPC big endian<\/li> <\/ul>
1.2 IDA逆向分析<\/h4>

直接打开无法解析函数<\/li>
需要使用IDC脚本恢复函数：<\/li> <\/ul>
from<\/span> idaapi import<\/span> *<\/span> <\/span><\/span>from<\/span> idc import<\/span> *<\/span> <\/span><\/span> <\/span><\/span>loadaddress =<\/span> 0x10000<\/span> <\/span><\/span>eaStart =<\/span> 0x31eec4<\/span> +<\/span> loadaddress <\/span><\/span>eaEnd =<\/span> 0x348114<\/span> +<\/span> loadaddress <\/span><\/span>ea =<\/span> eaStart <\/span><\/span>eaEnd =<\/span> eaEnd <\/span><\/span> <\/span><\/span>while<\/span> ea <<\/span> eaEnd: <\/span><\/span> create_strlit(Dword(ea), BADADDR) <\/span><\/span> sName =<\/span> get_strlit_contents(Dword(ea)) <\/span><\/span> print sName <\/span><\/span> if<\/span> sName: <\/span><\/span> eaFunc =<\/span> Dword(ea +<\/span> 4<\/span>) <\/span><\/span> MakeName(eaFunc, sName) <\/span><\/span> MakeCode(eaFunc) <\/span><\/span> MakeFunction(eaFunc, BADADDR) <\/span><\/span> ea =<\/span> ea +<\/span> 16<\/span> <\/span><\/span><\/code><\/pre>1.3 关键发现<\/h4> 搜索"ftpuser"找到flag：flag{RcQbRbzRyc}<\/code><\/li> <\/ul> 2. 2019工业信息安全技能大赛案例<\/h3> 2.1 文件分析<\/h4> 解压后只有home文件夹<\/li> 搜索硬编码字符串命令：<\/li> <\/ul> find . | xargs grep -ri password <\/span><\/span><\/code><\/pre>2.2 分析结果<\/h4> 发现两个相关文件：<\/p> PHMISystem<\/li> JZPHMISystem<\/li> <\/ul> <\/li> 确认正确flag：flag{icspwd}<\/code><\/p> <\/li> <\/ul> 3. firmware后门分析案例<\/h3> 3.1 文件分析<\/h4> 解压后为bin文件<\/li> 多次提取找到文件系统<\/li> 搜索到\/tmp下有后门程序<\/li> <\/ul> 3.2 壳检测与脱壳<\/h4> 检测到UPX压缩壳<\/li> 使用UPX工具解压后分析<\/li> <\/ul> 3.3 后门分析<\/h4> 查找字符串发现远程服务器信息<\/li> 跟踪相关函数找到连接信息<\/li> 最终结果：echo.byethost51.com:36667<\/code><\/li> 对应flag：flag{33a422c45d551ac6e4756f59812a954b}<\/code><\/li> <\/ul> 三、关键技术与工具总结<\/h2> 壳检测<\/strong>：使用专用工具识别压缩壳、加密壳和混淆壳<\/li> 逆向分析<\/strong>：针对不同架构(如PowerPC big endian)使用IDA等工具<\/li> 字符串搜索<\/strong>：在文件系统中快速定位关键信息<\/li> 脚本辅助<\/strong>：使用IDC\/Python脚本辅助逆向工程<\/li> 固件提取<\/strong>：多次尝试提取bin文件中的文件系统<\/li> <\/ol> 四、实用命令速查<\/h2> 搜索文件系统中字符串：<\/li> <\/ol> find . | xargs grep -ri password <\/span><\/span><\/code><\/pre> UPX脱壳命令：<\/li> <\/ol> upx -d 文件名 <\/span><\/span><\/code><\/pre> IDA脚本模板：<\/li> <\/ol> from<\/span> idaapi import<\/span> *<\/span> <\/span><\/span>from<\/span> idc import<\/span> *<\/span> <\/span><\/span> <\/span><\/span># 设置加载地址和函数范围<\/span> <\/span><\/span>loadaddress =<\/span> 0x10000<\/span> <\/span><\/span>eaStart =<\/span> 0<\/span>xSTART_ADDR +<\/span> loadaddress <\/span><\/span>eaEnd =<\/span> 0xE<\/span>ND_ADDR +<\/span> loadaddress <\/span><\/span> <\/span><\/span># 遍历恢复函数<\/span> <\/span><\/span>ea =<\/span> eaStart <\/span><\/span>while<\/span> ea <<\/span> eaEnd: <\/span><\/span> # 创建字符串引用<\/span> <\/span><\/span> create_strlit(Dword(ea), BADADDR) <\/span><\/span> sName =<\/span> get_strlit_contents(Dword(ea)) <\/span><\/span> if<\/span> sName: <\/span><\/span> eaFunc =<\/span> Dword(ea +<\/span> 4<\/span>) <\/span><\/span> MakeName(eaFunc, sName) <\/span><\/span> MakeCode(eaFunc) <\/span><\/span> MakeFunction(eaFunc, BADADDR) <\/span><\/span> ea =<\/span> ea +<\/span> OFFSET <\/span><\/span><\/code><\/pre>