How to Disassemble vxworks System?

wsgtrsys
Junior Member
Posts: 8
Joined: Wed Dec 14, 2005 10:55 am

How to Disassemble vxworks System?

Post by wsgtrsys »

I want to disassemble a VxWorks system. The VxWorks system has an ELF image file, and I used IDA Pro to disassemble it, but I have a problem.

http://www.routerclub.com/attachments/S ... NROu4B.gif

This system is a bas system; it uses the network card's MAC address to register it.
Below is the system file.

ftp://61.161.79.48/router/vxwork.rar
0xf001
Posts: 601
Joined: Thu Jul 29, 2004 11:00 am

Post by 0xf001 »

Mr. routerclub,

Please, it's getting boring. _What_ is your problem? What did you do to try to solve it???

--
0xf001
wsgtrsys
Junior Member
Posts: 8
Joined: Wed Dec 14, 2005 10:55 am

Post by wsgtrsys »

This VxWorks system has been cracked by me, thanks 0xf001.
evilkings

will u ?

Post by evilkings »

Will you give more information about this? We are facing some problems in analyzing a VxWorks binary.
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

And what did YOU do to try to solve it?

Regards,
JMI
evilkings

Post by evilkings »

I tried to load the binary into IDA and it has been running for more than 24 hours, and I wasn't able to get the section info.
Moreover, when I loaded it, a few of the variables that are within the text section are not linked.
For example,

push 0xnnnnnnnn -> Actually this is part of text section

And IDA is not linking it properly. In a few places, all the strings used in a function are included in between the functions.
Any idea how to automate this? Has anyone faced the same kind of problem?
hazard
Junior Member
Posts: 3
Joined: Wed May 17, 2006 3:14 pm

Post by hazard »

I once tried to crack some VxWorks firmware. Inside the original file was another zlib-compressed file that needed to be extracted. I used a simple Python script to extract the data and continue the analysis. I could find the script if you're interested.
Did you set correct processor for your binary?
evilkings

Post by evilkings »

Yes. It was an interesting exercise to try!! After playing with the large binary for a long time, I managed to disassemble it correctly. What I had was an x86 binary; I loaded it in IDA Pro as a binary file, and after doing some more analysis I was able to create a few functions, and from then on... it was a nice experience!!
"hazard", if you could share that script, please send it across. It will also be useful in a few cases if you are reversing a Linux kernel binary. Please share it!!
hazard
Junior Member
Posts: 3
Joined: Wed May 17, 2006 3:14 pm

Post by hazard »

it's super simple but effective :)

Code:

import sys
import zlib

def main():
    print("\nextract and decompress zlib")
    if len(sys.argv) != 3:
        print("""
Usage:
  <argv1> source file
  <argv2> dest file
    """)
        sys.exit(1)
    else:
        print("""
Using:
  Source: %s
  Dest: %s
     """ % (sys.argv[1], sys.argv[2]))
    try:
        in_fd = open(sys.argv[1], "rb")
    except OSError:
        print("[-]Couldn't open file %s" % sys.argv[1])
        sys.exit(1)

    try:
        out_fd = open(sys.argv[2], "wb")
    except OSError:
        print("[-]Couldn't open file %s" % sys.argv[2])
        sys.exit(1)

    buff = in_fd.read()
    in_fd.close()
    print('Length', hex(len(buff)))

    # Try every offset in turn and stop at the first one zlib can decompress.
    decomS = None
    for i in range(len(buff)):
        try:
            decomS = zlib.decompress(buff[i:])
        except zlib.error:
            continue
        break

    # Without this check a file with no zlib data would crash on the write below.
    if decomS is None:
        print("[-]No zlib stream found in %s" % sys.argv[1])
        out_fd.close()
        sys.exit(1)

    print("Got it :) ", i, hex(i))
    out_fd.write(decomS)
    out_fd.close()
    print("[+]Done writing to '%s'" % sys.argv[2])

if __name__ == "__main__":
    main()
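
A more general take on the offset scan in hazard's script, added here as an example (not hazard's code): it checks the two-byte zlib header defined in RFC 1950 before attempting decompression, and returns every complete stream with its offset and compressed length instead of stopping at the first hit. The sample image and the `min_output` / `max_output` limits are assumptions constructed for the demonstration.

```python
import zlib

def looks_like_zlib_header(cmf, flg):
    # RFC 1950: CM == 8 (deflate), CINFO <= 7, and (CMF << 8 | FLG) divisible by 31.
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def carve_zlib_streams(blob, min_output=16, max_output=64 * 1024 * 1024):
    """Return [(offset, compressed_len, data)] for every complete zlib stream."""
    view = memoryview(blob)  # slicing a memoryview avoids copying the tail each try
    found = []
    pos = 0
    while pos + 2 <= len(blob):
        if looks_like_zlib_header(blob[pos], blob[pos + 1]):
            d = zlib.decompressobj()
            try:
                # max_output caps the unpacked size (hypothetical limit for this example).
                data = d.decompress(view[pos:], max_output)
            except zlib.error:
                data = None
            # d.eof is set only once the end marker and Adler-32 check passed,
            # so truncated streams and chance header matches are rejected here.
            if data is not None and d.eof and len(data) >= min_output:
                consumed = len(blob) - pos - len(d.unused_data)
                found.append((pos, consumed, data))
                pos += consumed
                continue
        pos += 1
    return found

def build_sample_image():
    # Constructed stand-in for a firmware image: padding around two zlib streams.
    first = b"boot line: " + b"A" * 200
    second = bytes(range(256)) * 4
    image = (b"\x00" * 64 + zlib.compress(first) +
             b"\xff" * 32 + zlib.compress(second) + b"\x00" * 8)
    return image, first, second

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, clen, data in carve_zlib_streams(image):
        print("zlib stream at 0x%x: %d bytes compressed, %d bytes unpacked"
              % (offset, clen, len(data)))
```

The compressed length tells you where the stream ends, which is useful when the bytes that follow it are the next section of the image rather than padding.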