Journal: Computers & Security

Determining the base address of MIPS firmware based on absolute address statistics and string reference matching


Abstract

Getting the accurate firmware base address is not only the prerequisite for disassembling firmware correctly, but also the basis for reverse analysis. Currently, most existing base address determination methods are applied to the ARM architecture, and a few address determination methods for MIPS firmware rely heavily on researchers' manual analysis and experience. To address this problem, based on 32-bit absolute address statistics and string reference matching, an automatic method for the base address determination of MIPS firmware is proposed. Firstly, the 32-bit immediate value loading, addressing mode and string referencing of MIPS architecture systems are analyzed. Secondly, the Absolute Address Searching (AAS) algorithm and String Reference Matching (SRM) algorithm are proposed based on the analysis. The AAS algorithm utilizes the lui-ori, lui-lw and lui-addiu instruction pairs to identify and record the absolute addresses loaded to registers. According to the distribution of addresses recorded by AAS, the range of candidate base addresses can be determined. Then the lui-addiu instruction pair is used by the SRM algorithm to search for string reference addresses. For every address in the range of candidate base addresses, the SRM algorithm verifies whether each string reference address points to the beginning of a string under the current candidate base address, and thereby the matching rate is calculated. Based on the matching rates corresponding to each of the candidate base addresses, the right base address can be determined. Lastly, the proposed method is applied to a test set composed of 12 mainstream MIPS firmware files. Experimental results demonstrate that the proposed method can determine the base addresses of MIPS firmware files automatically and accurately. Furthermore, the proposed method is also applied to a firmware section after decompression, and the result indicates that the proposed method is efficient for automatically determining the loading addresses of firmware sections. © 2019 Published by Elsevier Ltd.
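The string reference matching step described in the abstract can be sketched as follows. This is an added example, not the paper's code. It assumes big-endian MIPS32, considers only directly adjacent lui/addiu pairs, takes the candidate base list from the caller (standing in for the range AAS would produce), and uses hypothetical function names with a constructed sample image.

```python
import struct

def lui_addiu_targets(fw):
    """Absolute addresses built by adjacent lui/addiu pairs (big-endian MIPS32)."""
    out = []
    for off in range(0, len(fw) - 7, 4):
        a, b = struct.unpack_from(">II", fw, off)
        if a >> 26 != 0x0F or b >> 26 != 0x09:     # opcode lui, then opcode addiu
            continue
        if (a >> 16) & 0x1F != (b >> 21) & 0x1F:   # lui's rt must be addiu's rs
            continue
        lo = b & 0xFFFF
        lo -= 0x10000 if lo & 0x8000 else 0        # addiu sign-extends its immediate
        out.append((((a & 0xFFFF) << 16) + lo) & 0xFFFFFFFF)
    return out

def string_starts(fw, min_len=4):
    """File offsets where a NUL-terminated printable run of >= min_len bytes begins."""
    starts, run = set(), 0
    for i, c in enumerate(fw):
        if 0x20 <= c < 0x7F:
            run += 1
        else:
            if c == 0 and run >= min_len:
                starts.add(i - run)
            run = 0
    return starts

def best_base(fw, candidates):
    """Return (matching rate, base) for the candidate with the highest rate."""
    refs, starts = lui_addiu_targets(fw), string_starts(fw)
    def rate(base):
        return sum((r - base) in starts for r in refs) / len(refs) if refs else 0.0
    return max(((rate(b), b) for b in candidates), key=lambda t: t[0])

def build_sample(base=0x8000F000):
    """Constructed image: three lui/addiu string loads, nop padding, three strings."""
    strs = [b"boot ok\0", b"/dev/mtd0\0", b"kernel panic\0"]
    code, data, code_len = bytearray(), bytearray(), 0x20
    for s in strs:
        addr = base + code_len + len(data)
        hi, lo = (addr + 0x8000) >> 16, addr & 0xFFFF   # hi compensates sign extension
        code += struct.pack(">II", 0x3C040000 | hi, 0x24840000 | lo)  # lui $a0 / addiu $a0,$a0
        data += s
    return bytes(code.ljust(code_len, b"\0") + data)

if __name__ == "__main__":
    rate, base = best_base(build_sample(), range(0x80000000, 0x80020000, 0x1000))
    print(f"base=0x{base:08X} matching rate={rate:.2f}")
```

The sample base is chosen so the low half of each address is at least 0x8000, which makes the upper half one higher than the address's own top 16 bits; a scanner that skips sign extension would recover the wrong references.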
