Pinczakko's Award BIOS Reverse Engineering Guide
Pinczakko's Award BIOS Reverse Engineering Guide
Author: beiyu
Time: 2007-04-05, 10:15
Link: http://bbs.pediy.com/showthread.php?threadid=42166
Author: Pinczakko
Translator: beiyu http://beiyu.bokee.com
Email: beiyuly@gmail.com
Date: 2006.6.6
The IDA usage section and the final outlook were not translated; I hope interested readers can fill them in.
Contents
Pinczakko's Award BIOS Reverse Engineering Guide
1. Preface
2. Preparation
2.1. PCI Bus
2.2. ISA Bus
3. Some Hardware Peculiarities
3.1. BIOS Chip Addressing
3.2. Obscure Hardware Ports
3.3. "Relocatable" Hardware Ports
3.4. Expansion ROM Handling
4. Some Software Peculiarities
4.1. call Instruction Peculiarity
4.2. retn Instruction Peculiarity
5. Tools Used
5.1. What We Need
5.2. Introduction to IDA Pro Techniques
5.2.1. Introduction to IDA Pro
5.2.2. IDA Pro Scripting And Key Bindings
6. Award BIOS File Structure
6.1. The Compressed Part
6.2. The Pure Binary Part
6.3. Memory Image in a Real System (Mainboard)
7. Disassembling the BIOS
7.1. Bootblock
7.1.1. "Virtual Shutdown" routine
7.1.2. Chipset_Reg_Early_Init routine
7.1.3. Init_Interrupt_n_PwrMgmt routine
7.1.4. Call To "Early Silicon Support" Routine
7.1.5. Bootblock Is Copied And Executed In RAM
7.1.6. Call to BIOS decompression routine and the jump into decompressed system BIOS
7.1.6.1. Enable FFF80000h-FFFDFFFFh decoding
7.1.6.2. Copy lower 128KB of BIOS code from ROM chip into RAM
7.1.6.3. Disable FFF8_0000h-FFFD_FFFFh decoding
7.1.6.4. Verify checksum of the whole compressed BIOS image
7.1.6.5. Look for the decompression engine
7.1.6.6. Decompress the compressed BIOS components
7.1.6.7. Shadow the BIOS code
7.1.6.8. Enable the microprocessor cache then jump into the decompressed system BIOS
7.2. System BIOS a.k.a Original.tmp
7.2.1. Entry point from "Bootblock in RAM"
7.2.2. The awardext.rom and Extension BIOS Components (lower 128KB bios-code) Relocation Routine
7.2.3. Call to the POST routine a.k.a "POST jump table execution"
7.2.4. The "segment vector" Routines
7.2.5. "chksum_ROM" Procedure
7.2.6. Original.tmp Decompression Routine for The "Extension_BIOS Components"
7.2.7. Microcode Update Routine
8. Outlook
9. Closing Remarks
1. Preface
I warmly welcome you to the study of the intricate code of the Award BIOS. This is not an official Award BIOS reverse engineering article, nor was it written by anyone inside Award. I am just a curious ordinary person who really enjoys figuring out how my computer's BIOS works. I wrote this article to publish my findings and research, and to make up for the mistakes I made along the way while reverse engineering. There are several reasons you might be reading this: maybe you are a veteran hacker, maybe you are a system programming enthusiast like me, or maybe you are just a curious layman. One thing is certain: you will gain something from this article and sharpen your skills. In any case, I have written a preparation chapter to make sure you have the background needed to absorb this article.
Unless you disassemble the BIOS file yourself, you will not really understand how the BIOS works.
The purpose of this article is to clear up confusion, to orient you, and to provide a reference when you start your own BIOS reverse engineering work.
2. Preparation
1. I must admit that this work requires knowledge of x86.
2. Protected-mode programming. You must know how to switch an x86 machine from real mode to protected mode; that is, you need the basics of x86 protected-mode OS development. www.osdever.net is a good site for learning this. The most important thing is how the protected-mode data structures work: I mean how the GDT, the IDT, the x86 control registers and the segment registers work, especially because the Award BIOS uses them to do some strange things, explained later in the article.
3. What x86 unreal mode is. It is a state of the x86 machine between real mode and protected mode, explained later in the article.
4. Direct hardware programming on x86. You need to know how to program the hardware directly, especially the chips on your mainboard. You can practise this by writing programs that access hardware directly under Windows. This is not strictly required, but it will make things much easier if you know it. You also need to know some x86 bus protocols, such as PCI and ISA, explained later in the article.
5. You must understand most of the datasheets of your mainboard chipset, for example the northbridge and southbridge control registers.
2.1. PCI Bus
The official PCI bus standard is maintained by the PCI-SIG (PCI Special Interest Group), a kind of consortium between Intel and other big companies such as Microsoft. It is going to be replaced by Arapahoe (PCI-Express, a.k.a. PCI-e) and HyperTransport, but PCI has long been maintained as a standard, HyperTransport is backward compatible with PCI, and so is Arapahoe. The only problem is that the PCI standard itself is not freely available.
First, the PCI bus is a 32-bit wide bus. Communication uses 32-bit addresses; read and write operations need a 32-bit address. A 64-bit PCI bus is not native: it is implemented with a dual address cycle. So you can say that PCI is a 32-bit bus system.
Second, this bus system defines a configuration address port at CF8h - CFBh and a configuration data port at CFCh - CFFh. These ports are used to configure the PCI chips, e.g. to read and write the values of a PCI chip's configuration registers.
Third, this bus system forces us to follow the rules below when communicating with a PCI chip (from the CPU's point of view):
1. Write the target bus number, device number, function number and offset/register number to the configuration address port, with the enable bit set to 1. In plain words: write the address of the register you want to access to the PCI address port.
2. Perform a one-byte, two-byte or four-byte I/O read or write on the configuration data port. In plain words: read or write the data through the PCI data port.
As a hint, as far as I know every bus/communication protocol in use today uses a similarly simple rule for chips to talk to each other, even though the bus protocol itself may be complicated.
With the definitions above, here is an x86 assembly fragment that shows how to use these configuration ports:
Mnemonic (MASM syntax)   Comment
pushad                   save all general-purpose registers
mov eax, 80000064h       address of the PCI chip register to access (offset 64h of device 00:00:00, i.e. the host bridge)
mov dx, 0CF8h            address port into dx; for PCI we use CF8h as the port that opens access to the device
out dx, eax              send the PCI address to the address port in the processor's I/O space
mov dx, 0CFCh            data port into dx; for PCI we use CFCh as the port for exchanging data with the device
in eax, dx               read the data from the device into eax
or eax, 00020202h        modify the data (this is only an example, don't try this on your machine, it may hang or even destroy it)
out dx, eax              send the data back to the device
...                      -
popad                    restore all general-purpose registers
ret                      return

I think the code above is clear enough. Here is an example of the PCI register address format:
mov eax, 80000064h
80000064h is the address. The meaning of its bits is:
bit position       31 30 29 28  27 26 25 24  23 22 21 20  19 18 17 16  15 14 13 12  11 10  9  8   7  6  5  4   3  2  1  0
binary value        1  0  0  0   0  0  0  0   0  0  0  0   0  0  0  0   0  0  0  0   0  0  0  0   0  1  1  0   0  1  0  0
hexadecimal value       8            0            0            0            0            0            6            4
Bit 31 is the enable flag. If this bit is set, we are allowed to read from and write to the PCI bus; otherwise access is disabled. That is why we have an 8 in the leftmost position.
Bits 30 - 24 are reserved bits.
Bits 23 - 16 are the PCI bus number.
Bits 15 - 11 are the PCI device number.
Bits 10 - 8 are the PCI function number.
Bits 7 - 0 are the offset address.
80000064h thus means that the device we communicate with is bus 0, device 0, function 0, at offset 64h. In fact this is a memory controller configuration register in the northbridge chip on our mainboard. In most cases bus 0, device 0, function 0 is the host bridge, but you have to check your own chipset datasheet to be sure. Roughly speaking, the code does the following: read the register at the offset, modify the data, write it back to the device.
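The address arithmetic described above, as an added example that is not part of the original article or any Award BIOS code: it packs and unpacks the CF8h value and models the byte-wide access used by the BIOS read_pci_byte routine later in the article, with a constructed in-memory configuration space standing in for the real in/out instructions.

```c
/* Added example (not from Pinczakko's article or any Award BIOS code):
 * the address arithmetic behind PCI configuration mechanism #1, i.e. what
 * the mov eax,80000064h / out dx,eax / in eax,dx sequence above computes.
 * Real port I/O is replaced by a tiny simulated configuration space so the
 * code runs unprivileged on any host. */
#include <stdint.h>
#include <stdio.h>

#define PCI_CFG_ADDR_PORT 0x0CF8u
#define PCI_CFG_DATA_PORT 0x0CFCu
#define PCI_CFG_ENABLE    0x80000000u

struct pci_addr {
    int valid;                       /* 0 if the enable bit (bit 31) was clear */
    uint8_t bus, dev, func, offset;
};

/* Build the value written to port CF8h: bit 31 enable, bits 23-16 bus,
 * bits 15-11 device, bits 10-8 function, bits 7-0 register offset.
 * Bits 30-24 are reserved and stay zero. */
uint32_t pci_cfg_encode(uint8_t bus, uint8_t dev, uint8_t func, uint8_t offset)
{
    return PCI_CFG_ENABLE
         | ((uint32_t)bus << 16)
         | ((uint32_t)(dev & 0x1F) << 11)
         | ((uint32_t)(func & 0x07) << 8)
         | (uint32_t)offset;
}

/* Inverse: split a CF8h value back into bus/device/function/offset. */
struct pci_addr pci_cfg_decode(uint32_t v)
{
    struct pci_addr a;
    a.valid  = (v & PCI_CFG_ENABLE) != 0;
    a.bus    = (uint8_t)((v >> 16) & 0xFF);
    a.dev    = (uint8_t)((v >> 11) & 0x1F);
    a.func   = (uint8_t)((v >> 8) & 0x07);
    a.offset = (uint8_t)(v & 0xFF);
    return a;
}

/* Single-byte access: the dword-aligned offset goes to CF8h (the BIOS
 * masks it with 0FCh) and byte n of that dword is read from port CFCh+n,
 * which is what the or dl,cl in read_pci_byte (section 4.2) computes. */
uint16_t pci_cfg_byte_port(uint8_t offset)
{
    return (uint16_t)(PCI_CFG_DATA_PORT + (offset & 0x03));
}

/* Constructed stand-in for the host bridge's 256-byte configuration
 * space at bus 0, device 0, function 0; every other function reads as
 * all ones, as an absent PCI function does on real hardware. */
static uint8_t  sim_cfg_space[256];
static uint32_t sim_cf8;                 /* last value "written" to CF8h */

void sim_out_cf8(uint32_t v) { sim_cf8 = v; }

uint8_t sim_in_byte(uint16_t port)
{
    struct pci_addr a = pci_cfg_decode(sim_cf8);
    if (port < PCI_CFG_DATA_PORT || port > PCI_CFG_DATA_PORT + 3)
        return 0xFF;
    if (!a.valid || a.bus != 0 || a.dev != 0 || a.func != 0)
        return 0xFF;
    return sim_cfg_space[(a.offset & 0xFC) + (port - PCI_CFG_DATA_PORT)];
}

/* The same steps as the BIOS read_pci_byte routine, against the simulation. */
uint8_t read_pci_byte(uint8_t offset)
{
    sim_out_cf8(pci_cfg_encode(0, 0, 0, (uint8_t)(offset & 0xFC)));
    return sim_in_byte(pci_cfg_byte_port(offset));
}

int main(void)
{
    struct pci_addr a = pci_cfg_decode(0x80000064u);
    sim_cfg_space[0x64] = 0x12;          /* constructed register contents */
    sim_cfg_space[0x66] = 0x34;
    printf("80000064h -> enable %d bus %u dev %u func %u offset %02Xh\n",
           a.valid, a.bus, a.dev, a.func, a.offset);
    printf("offset 66h is byte %u of dword 64h, read via port %03Xh = %02Xh\n",
           0x66 & 3, pci_cfg_byte_port(0x66), read_pci_byte(0x66));
    return 0;
}
```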
2.2. ISA Bus
AFAIK, the ISA bus is not a standardized bus. Therefore, in practice any ISA device can live anywhere in the system's 16-bit I/O address space. My experience with the ISA bus is limited (the CMOS chip and the mainboard's hardware monitoring chip, a Winbond W83781D). Both of these chips use the same general algorithm as the PCI bus described above:
1. First send the address of the device register you want to read or write. Only then can you send or receive data through the device's data port.
2. Send or receive the data to be written to or read from the device through the data port.
My hardware monitoring chip uses port 295h as the address port and 296h as the data port. The CMOS chip uses 70h as the address port and 71h as the data port.
3. Some Hardware Peculiarities
The x86 platform has a lot of hacks in it, especially in its BIOS. This is mostly due to backward compatibility. This chapter discusses a couple of them that I ran into while disassembling my BIOS.
3.1. BIOS Chip Addressing
The most important chips responsible for handling the BIOS code are the southbridge and the northbridge. The northbridge is responsible for system address space management, e.g. BIOS shadowing, handling accesses to RAM, and forwarding transactions that target the BIOS ROM to the southbridge, which is where the BIOS ROM is ultimately attached. The southbridge is mainly responsible for the ROM decode control enable, which determines the memory addresses at which the BIOS ROM can be accessed. The addresses shown below can be served by either the system DRAM or the BIOS ROM chip, depending on how the northbridge and southbridge registers are set at the time the BIOS code executes.
Physical Address          Also Known As        Used by                           Address Aliasing Note
000F_0000h - 000F_FFFFh   F_seg / F_segment    1 Mbit, 2 Mbit and 4 Mbit BIOS    alias to FFFF_0000h - FFFF_FFFFh in all chipsets just after power-up
000E_0000h - 000E_FFFFh   E_seg / E_segment    1 Mbit, 2 Mbit and 4 Mbit BIOS    alias to FFFE_0000h - FFFE_FFFFh in some chipsets just after power-up
The address ranges above hold the BIOS code and a lot of system-specific details, so you have to refer to your chipset datasheet to understand them. Note also that, once the BIOS code has finished running, the only range above still occupied by BIOS code is F_seg, i.e. F_0000h - F_FFFFh. Some operating systems may regard the rest as unused and use it for their own purposes. The addresses above reflect the mapping of the BIOS ROM chip into the system address space only while the BIOS code, or other code, accesses the BIOS ROM directly. As we will see, this mapping can be changed by programming some chipset registers.
BIOS chips bigger than 1 Mbit, i.e. the 2 Mbit and 4 Mbit chips, have a very different address for their lower BIOS area, i.e. C_seg, D_seg and the other lower "segment(s)". In most cases this area is mapped near the 4 GB address range. This address range is handled much like the way the northbridge handles a PCI address range. In this configuration the chipset behaves as follows:
The northbridge acts as an address forwarder: it reacts to these special memory addresses differently from ordinary memory addresses, which point straight into RAM. Instead, these special memory addresses are forwarded by the northbridge to the southbridge to be decoded.
The southbridge acts as an address decoder: it decodes these special memory addresses so that they reach the right chip, e.g. the BIOS chip. If decoding of the address range is not enabled in the southbridge control registers, the southbridge returns "void" (the bus address cycle simply ends).
Here is an example:
Physical Address          Also Known As        Used by                           Address Aliasing Note
000F_0000h - 000F_FFFFh   F_seg / F_segment    1 Mbit, 2 Mbit and 4 Mbit BIOS    alias to FFFF_0000h - FFFF_FFFFh in all chipsets just after power-up
000E_0000h - 000E_FFFFh   E_seg / E_segment    1 Mbit, 2 Mbit and 4 Mbit BIOS    alias to FFFE_0000h - FFFE_FFFFh in some chipsets just after power-up
FFFD_0000h - FFFD_FFFFh   D_seg / D_segment    2 Mbit and 4 Mbit BIOS            -
FFFC_0000h - FFFC_FFFFh   C_seg / C_segment    2 Mbit and 4 Mbit BIOS            -
FFF8_0000h - FFFB_FFFFh   -                    4 Mbit BIOS                       -
The conclusion is that modern chipsets emulate the F_seg and E_seg handling. This is further proof that modern x86 systems keep backward compatibility. Anyway, as vendors move away from x86 this "kludge" will probably come to be regarded as a thing of the past.
Below is the system memory map of the VIA693A chipset (northbridge) just after the system is powered up, according to its datasheet.
Table 4. System Memory Map
Space  Start     Size   Address Range          Comment
DOS    0         640K   00000000-0009FFFF      Cacheable
VGA    640K      128K   000A0000-000BFFFF      Used for SMM
BIOS   768K      16K    000C0000-000C3FFF      Shadow Ctrl 1
BIOS   784K      16K    000C4000-000C7FFF      Shadow Ctrl 1
BIOS   800K      16K    000C8000-000CBFFF      Shadow Ctrl 1
BIOS   816K      16K    000CC000-000CFFFF      Shadow Ctrl 1
BIOS   832K      16K    000D0000-000D3FFF      Shadow Ctrl 2
BIOS   848K      16K    000D4000-000D7FFF      Shadow Ctrl 2
BIOS   864K      16K    000D8000-000DBFFF      Shadow Ctrl 2
BIOS   880K      16K    000DC000-000DFFFF      Shadow Ctrl 2
BIOS   896K      64K    000E0000-000EFFFF      Shadow Ctrl 3
BIOS   960K      64K    000F0000-000FFFFF      Shadow Ctrl 3
Sys    1MB              00100000-DRAM Top      Can have hole
Bus    DRAM Top         DRAM Top-FFFEFFFF
Init   4G-64K    64K    FFFEFFFF-FFFFFFFF      000Fxxxx alias
The most important thing to consider is the address aliasing: as you can see, the range FFFE_FFFFh - FFFF_FFFFh is an alias of 000Fxxxxh, which is where the BIOS ROM chip is mapped (on my mainboard). But we have to keep in mind that this is only the state at the very beginning of the boot stage (right after reset). After the chipset is reprogrammed by the BIOS, this address range is mapped to RAM. We regard this as the power-up default. As a note, most x86 chipsets alias this address range, at least the F-segment range.
Another fact we have to consider: in most chipsets, just after power-up the registers only provide the default F-segment address configuration, while the other BIOS ROM segments remain inaccessible. The address configuration of those segments is set up later by the bootblock code after it changes the relevant chipset registers (mostly southbridge registers). The chipset studied here belongs to this group.
Modern systems connect the BIOS ROM chip to the southbridge through the LPC (Low Pin Count) interface. However, the southbridge in this article has no such interface. It is an older chip that uses the ISA bus as its interface to the BIOS ROM.
3.2. Obscure Hardware Ports
Some of the obscure hardware ports mentioned below are not documented in the chipset datasheets. Note that this information was taken from the Intel ICH5, VIA 586B and VIA 596B datasheets.
I/O Port address     Purpose
92h                  Fast A20 and Init Register
4D0h                 Master PIC Edge/Level Triggered (R/W)
4D1h                 Slave PIC Edge/Level Triggered (R/W)
Table 146. RTC I/O Registers (LPC I/F - D31:F0)
I/O Port Locations    If U128E bit = 0              Function
70h and 74h           Also alias to 72h and 76h     Real-Time Clock (Standard RAM) Index Register
71h and 75h           Also alias to 73h and 77h     Real-Time Clock (Standard RAM) Target Register
72h and 76h                                         Extended RAM Index Register (if enabled)
73h and 77h                                         Extended RAM Target Register (if enabled)
Notes:
1. I/O locations 70h and 71h are the standard ISA locations for the real-time clock, as shown in Table 147. 72h and 73h are used to access the extended RAM. The extended RAM bank is also accessed through an indexed scheme: I/O address 72h is the address pointer and 73h is the data register. Index addresses above 127h are not valid. If the extended RAM is not needed, it may be disabled.
2. Software must preserve bit 7 of address 70h. When writing to this address, software must first read the value and then write back the same value to bit 7. Note that 70h is not directly readable; the only way to read it is through Alt Access mode, reading the corresponding register. If the NMI# enable is not changed during normal operation, software can alternatively read this bit once, then keep that value for all subsequent writes to port 70h.
The RTC contains two sets of indexed registers that are accessed through two separate index and target registers (70/71h or 72/73h), as shown in Table 147.
Table 147. RTC (Standard) RAM Bank (LPC I/F - D31:F0)
Index      Name
00h        Seconds
01h        Seconds Alarm
02h        Minutes
03h        Minutes Alarm
04h        Hours
05h        Hours Alarm
06h        Day of Week
07h        Day of Month
08h        Month
09h        Year
0Ah        Register A
0Bh        Register B
0Ch        Register C
0Dh        Register D
0Eh - 7Fh  114 Bytes of User RAM
3.3. "Relocatable" Hardware Ports
There are some kinds of hardware ports in the system I/O space that can be relocated. In this BIOS, those ports include the SMBus-related ports and the power-management-related ports. What is relocatable, of course, is their base address. These so-called base addresses are controlled by programmable base address registers: the SMBus by the SMBus base address register, and power management by the power-management I/O base address register. Since these ports are programmable, the bootblock routine initializes the values of these base address registers at the beginning of BIOS execution. Because of this programmable nature, you have to start by reverse engineering the BIOS bootblock to find out which port addresses are assigned to these programmable hardware ports; otherwise you will be puzzled later when the code accesses strange-looking ports. For example:
Address    Hex                Mnemonic
F000:F604  BE C4 F6           mov   si, 0F6C4h          ; addr of chipset reg mask
F000:F607                     next_PCI_reg:             ; CODE XREF: Chipset_Reg_Early_Init+29
F000:F607  2E 8B 0C           mov   cx, cs:[si]
F000:F60A  BC 10 F6           mov   sp, 0F610h
F000:F60D  E9 F8 00           jmp   Read_PCI_Byte
F000:F60D                     ; ---------------------------------------------------------------------------
F000:F610  12 F6              dw 0F612h
F000:F612                     ; ---------------------------------------------------------------------------
F000:F612  2E 22 44 02        and   al, cs:[si+2]
F000:F616  2E 0A 44 03        or    al, cs:[si+3]
F000:F61A  BC 20 F6           mov   sp, 0F620h
F000:F61D  E9 02 01           jmp   Write_PCI_Byte
F000:F61D                     ; ---------------------------------------------------------------------------
F000:F620  22 F6              dw 0F622h
F000:F622                     ; ---------------------------------------------------------------------------
F000:F622  83 C6 04           add   si, 4
F000:F625  81 FE 04 F7        cmp   si, 0F704h          ; are we done yet?
.........
F000:F6F4  48 3B              dw 3B48h                  ; B#0 D#7 F#3: PwrMngmt&SMBus - PwrMngmt IO Base Addr lo_byte
F000:F6F6  00                 db 0                      ; and mask
F000:F6F7  00                 db 0                      ; or mask
F000:F6F7                                               ;
F000:F6F8  49 3B              dw 3B49h                  ; B#0 D#7 F#3: PwrMngmt&SMBus - PwrMngmt IO Base Addr hi_byte
F000:F6FA  40                 db 40h                    ; and mask
F000:F6FB  40                 db 40h                    ; PwrMngmt IO Base Addr = IO Port 4000h
.........
F000:F643  B9 90 3B           mov   cx, 3B90h           ; B#0 D#7 F#3: PwrMngmt&SMBus - SMBus IO Base Addr lo_byte
F000:F646  B0 00              mov   al, 0               ; set SMBus IO Base lo_byte to 00h
F000:F648  BC 4E F6           mov   sp, 0F64Eh
F000:F64B  E9 D4 00           jmp   Write_PCI_Byte
F000:F64B                     ; ---------------------------------------------------------------------------
F000:F64E  50 F6              dw 0F650h
F000:F650                     ; ---------------------------------------------------------------------------
F000:F650  B9 91 3B           mov   cx, 3B91h           ; B#0 D#7 F#3: PwrMngmt&SMBus - SMBus IO Base Addr hi_byte
F000:F653  B0 50              mov   al, 50h ; 'P'       ; set SMBus IO Base hi_byte to 50h,
F000:F653                                               ; so, now SMBus IO Base is at port 5000h !!!
F000:F655  BC 5B F6           mov   sp, 0F65Bh
F000:F658  E9 C7 00           jmp   Write_PCI_Byte
F000:F658                     ; ---------------------------------------------------------------------------
F000:F65B  5D F6              dw 0F65Dh
.........
F000:F66A  BA 05 40           mov   dx, 4005h           ; access ACPI Reg 05h
F000:F66D  B0 80              mov   al, 80h             ; setting reserved bit
.........
Of course there are more relocatable hardware ports, but at least you have now seen the hint. So, when you find code in the BIOS that seems to access a strange port, you will know where to look.
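The register-mask table walked by Chipset_Reg_Early_Init above, as an added example that is not part of the original article or the BIOS: a C model of the loop's (old AND mask) OR mask step over a constructed table, showing how the relocatable power-management and SMBus base ports (4000h and 5000h) fall out of the table values; the configuration registers are simulated in memory.

```c
/* Added example (not Award's code): a C model of the register-mask loop
 * in Chipset_Reg_Early_Init above. Each 4-byte table entry is
 *   dw reg  (little endian; the bus/dev/func/offset value placed in cx)
 *   db and_mask
 *   db or_mask
 * and the loop performs new = (old & and_mask) | or_mask, which is what
 * the and al,cs:[si+2] / or al,cs:[si+3] pair does before Write_PCI_Byte.
 * Configuration registers are simulated, so nothing touches hardware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated configuration registers keyed by the 16-bit value the BIOS
 * keeps in cx (device/function/offset). Constructed data. */
static uint8_t sim_regs[0x10000];

uint8_t sim_read_pci_byte(uint16_t reg)             { return sim_regs[reg]; }
void    sim_write_pci_byte(uint16_t reg, uint8_t v) { sim_regs[reg] = v; }

/* One iteration of the loop; returns the value written back. */
uint8_t apply_one_entry(uint16_t reg, uint8_t and_mask, uint8_t or_mask)
{
    uint8_t v = (uint8_t)((sim_read_pci_byte(reg) & and_mask) | or_mask);
    sim_write_pci_byte(reg, v);
    return v;
}

/* Walk a whole table; returns the number of entries applied (a trailing
 * partial entry is ignored, as the cmp si,0F704h end test would do). */
int apply_reg_mask_table(const uint8_t *table, size_t len)
{
    int n = 0;
    for (size_t i = 0; i + 4 <= len; i += 4, n++) {
        uint16_t reg = (uint16_t)(table[i] | (table[i + 1] << 8));
        apply_one_entry(reg, table[i + 2], table[i + 3]);
    }
    return n;
}

/* Relocatable ports: the power-management and SMBus I/O base addresses
 * live in D7:F3 registers 48h/49h and 90h/91h, i.e. table keys 3B48h/3B49h
 * and 3B90h/3B91h. Later BIOS code uses the assembled 16-bit value as the
 * port number, e.g. mov dx,4005h for ACPI register 05h. */
uint16_t pm_io_base(void)
{
    return (uint16_t)(sim_read_pci_byte(0x3B48) | (sim_read_pci_byte(0x3B49) << 8));
}

uint16_t smbus_io_base(void)
{
    return (uint16_t)(sim_read_pci_byte(0x3B90) | (sim_read_pci_byte(0x3B91) << 8));
}

/* Constructed table: the two entries quoted at F000:F6F4-F000:F6FB, plus
 * the two SMBus writes (which the BIOS does with explicit mov al,... rather
 * than from the table) expressed in the same entry format. */
static const uint8_t reg_table[] = {
    0x48, 0x3B, 0x00, 0x00,   /* PM IO base lo byte: and 00h, or 00h -> 00h */
    0x49, 0x3B, 0x40, 0x40,   /* PM IO base hi byte: and 40h, or 40h -> 40h */
    0x90, 0x3B, 0x00, 0x00,   /* SMBus IO base lo byte -> 00h */
    0x91, 0x3B, 0x00, 0x50,   /* SMBus IO base hi byte -> 50h */
};

int main(void)
{
    memset(sim_regs, 0xFF, sizeof sim_regs);  /* unprogrammed power-up state */
    int n = apply_reg_mask_table(reg_table, sizeof reg_table);
    printf("%d entries applied\n", n);
    printf("PM I/O base    = %04Xh (ACPI reg 05h is port %04Xh)\n",
           pm_io_base(), pm_io_base() + 5);
    printf("SMBus I/O base = %04Xh\n", smbus_io_base());
    return 0;
}
```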
3.4. Expansion ROM Handling
There are a couple of issues to consider here, e.g. the video BIOS and the handling of other expansion ROMs. This is the basic run-down of PCI expansion ROM handling in the system BIOS:
1. The system BIOS detects all PCI chips in the system and initializes their BARs (Base Address Registers). Once this is done, the system has a usable, consistent system-wide address map.
2. Using that system-wide address map, the system BIOS copies the needed PCI expansion ROMs into RAM one by one, into the range C000:0000h - D000:FFFFh, and executes, i.e. initializes, each module in turn.
ISA expansion ROMs will be discussed in a later version of this article.
4. Some Software Peculiarities
There are some tricky areas in the BIOS code related to the parts that execute from ROM. They are explained below:
4.1. call Instruction Peculiarity
The call instruction cannot be used while the BIOS code executes from inside the ROM chip. This is because call uses the stack, and we cannot use the stack since the BIOS ROM cannot be written. The stack is needed because call pushes the return address, which has to be written somewhere. We know very well that at this point ss:sp points into ROM, which we cannot write. DRAM cannot be used yet either: it has not been detected by the BIOS code. We do not even know whether any RAM exists!
4.2. retn Instruction Peculiarity
The retn instruction peculiarity. Here is the ROM_CALL macro definition:
ROM_CALL  MACRO   RTN_NAME
      LOCAL   RTN_ADD
      mov  sp, offset DGROUP:RTN_ADD
      jmp  RTN_NAME
RTN_ADD:  dw  DGROUP:$+2
      ENDM
Example:
Address    Hex                        Mnemonic
F000:6000                             F000_6000_read_pci_byte proc near
F000:6000  66 B8 00 00 00 80          mov   eax, 80000000h
F000:6006  8B C1                      mov   ax, cx            ; copy offset addr to ax
F000:6008  24 FC                      and   al, 0FCh          ; mask it
F000:600A  BA F8 0C                   mov   dx, 0CF8h
F000:600D  66 EF                      out   dx, eax
F000:600F  B2 FC                      mov   dl, 0FCh
F000:6011  0A D1                      or    dl, cl            ; get the byte addr
F000:6013  EC                         in    al, dx            ; read the byte
F000:6014  C3                         retn                    ; Return Near from Procedure
F000:6014                             F000_6000_read_pci_byte endp
......
F000:6043  18 00                      GDTR_F000_6043 dw 18h   ; limit of GDTR (3 valid desc entry)
F000:6045  49 60 0F 00                dd 0F6049h              ; GDT physical addr (below)
F000:6049  00 00 00 00 00 00 00 00    dq 0                    ; null descriptor
F000:6051  FF FF 00 00 0F 9F 00 00    dq 9F0F0000FFFFh        ; code descriptor:
F000:6051                                                     ; base addr = F 0000h; limit=FFFFh; DPL=0;
F000:6051                                                     ; exec/ReadOnly, conforming, accessed;
F000:6051                                                     ; granularity=byte; Present; 16-bit segment
F000:6059  FF FF 00 00 00 93 8F 00    dq 8F93000000FFFFh      ; data descriptor:
F000:6059                                                     ; base addr = 00h; seg_limit=F FFFFh; DPL=0;
F000:6059                                                     ; Present; read-write, accessed;
F000:6059                                                     ; granularity = 4 KByte; 16-bit segment
......
F000:619B  0F 01 16 43 60             lgdt  qword ptr GDTR_F000_6043 ; Load Global Descriptor Table Register
F000:61A0  0F 20 C0                   mov   eax, cr0
F000:61A3  0C 01                      or    al, 1             ; set PMode flag
F000:61A5  0F 22 C0                   mov   cr0, eax
F000:61A8  EA AD 61 08 00             jmp   far ptr 8:61ADh   ; jmp below in 16-bit PMode (abs addr F 61ADh)
F000:61A8                                                     ; (code segment with base addr = F 0000h)
F000:61AD                             ; ---------------------------------------------------------------------
F000:61AD  B8 10 00                   mov   ax, 10h           ; load ds with valid data descriptor
F000:61B0  8E D8                      mov   ds, ax            ; ds = data descriptor (GDT 3rd entry)
......
F000:61BC  B9 6B 00                   mov   cx, 6Bh           ; DRAM arbitration control
F000:61BF  BC C5 61                   mov   sp, 61C5h
F000:61C2  E9 3B FE                   jmp   F000_6000_read_pci_byte ; Jump
F000:61C2                             ; ------------------------------------------------------------------
F000:61C5  C7 61                      dw 61C7h
F000:61C7                             ; ------------------------------------------------------------------
F000:61C7  0C 02                      or    al, 2             ; enable VC-DRAM
As you can see, we have to take into account that retn is affected by the current ss:sp value, and the ss register has not been loaded with a value suitable for 16-bit protected mode! How can this code execute at all? The answer is a bit complicated. Let us look at the value of the ss register, which was cleverly set up before the call above.
Address    Hex        Mnemonic
F000:E060  8C C8      mov   ax, cs
F000:E062  8E D0      mov   ss, ax            ; ss = cs (ss = F000h a.k.a F_segment)
F000:E064             assume ss:F000
Note: this routine is executed in real mode

As you can see, ss is loaded with F000h (the 16-bit segment of the current BIOS code in real mode). This means the hidden descriptor cache register (there is one for every selector/segment register) is loaded with the physical base address ss*16, i.e. F_0000h. And this value persists even though the machine switches to 16-bit protected mode as shown above, because the ss register is never reloaded. A fragment from the Intel Software Developer Manual Vol. 3:

8.1.4. First Instruction Executed
The first instruction that is fetched and executed following a hardware reset is located at physical address FFFFFFF0H. This address is 16 bytes below the processor's uppermost physical address. The EPROM containing the software-initialization code must be located at this address. The address FFFFFFF0H is beyond the 1-MByte addressable range of the processor while in real-address mode. The processor is initialized to this starting address as follows. The CS register has two parts: the visible segment selector part and the hidden base address part. In real address mode, the base address is normally formed by shifting the 16-bit segment selector value 4 bits to the left to produce a 20-bit base address. However, during a hardware reset, the segment selector in the CS register is loaded with F000H and the base address is loaded with FFFF0000H. The starting address is thus formed by adding the base address to the value in the EIP register (that is, FFFF0000 + FFF0H = FFFFFFF0H).
The first time the CS register is loaded with a new value after a hardware reset, the processor will follow the normal rule for address translation in real-address mode (that is, [CS base address = CS segment selector * 16]). To insure that the base address in the CS register remains unchanged until the EPROM based software-initialization code is completed, the code must not contain a far jump or far call or allow an interrupt to occur (which would cause the CS selector value to be changed).
A small fragment from DDJ (Dr. Dobb's Journal):
At power-up, the descriptor cache registers are loaded with fixed, default values, the CPU is in real mode, and all segments are marked as read/write data segments, including the code segment (CS). According to Intel, each time the CPU loads a segment register in real mode, the base address is 16 times the segment value, while the access rights and size limit attributes are given fixed, "real-mode compatible" values. This is not true. In fact, only the CS descriptor cache access rights get loaded with fixed values each time the segment register is loaded - and even then only when a far jump is encountered. Loading any other segment register in real mode does not change the access rights or the segment size limit attributes stored in the descriptor cache registers. For these segments, the access rights and segment size limit attributes are honored from any previous setting (see Figure 3). Thus it is possible to have a four giga-byte, read-only data segment in real mode on the 80386, but Intel will not acknowledge, or support this mode of operation.
Now you know that the point is the descriptor cache register, especially its base address part. The visible part of ss is just a "place holder"; the "register-in-charge" of the real address calculation/translation is the hidden descriptor cache. Whatever you do to this descriptor cache affects every code, stack or data address that gets translated. In our case we have to use a "stack segment" whose base is physical address F_0000h while in 16-bit protected mode. That is not a problem, because the base address in the ss descriptor cache register was already given the value F_0000h by the code above. This explains why the code above executes correctly. Here is an example:
Address    Hex        Mnemonic
F000:61BF  BC C5 61   mov   sp, 61C5h
F000:61C2  E9 3B FE   jmp   F000_6000_read_pci_byte ; Jump
F000:61C2             ; ------------------------------------------------------------------
F000:61C5  C7 61      dw 61C7h
In this code we have made ss:sp point to F_61C5h for the benefit of the retn instruction. In fact we already had, because ss holds F_0000h (in the base part of its descriptor cache) and, as you can see, sp holds 61C5h, so ss:sp is F_0000h + 61C5h, physical address F_61C5h.
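The descriptor-cache reasoning above, as an added example that is not part of the original article: a decoder for the raw GDT entries listed at F000:6049 onwards (constructed copies of the dq values), plus the two address calculations the text walks through, the far jump to 8:61ADh and the ss:sp return address used by retn.

```c
/* Added example (not from the article): decode the raw GDT descriptors
 * listed above and work out the physical addresses that the 16-bit
 * protected-mode far jump and the retn trick actually use. The hidden
 * descriptor cache is modelled as a plain struct; no segment register is
 * touched, so this runs on any host. */
#include <stdint.h>
#include <stdio.h>

struct seg_desc {
    uint32_t base;        /* physical base loaded into the descriptor cache */
    uint32_t limit;       /* raw 20-bit limit field */
    uint32_t byte_limit;  /* effective limit in bytes after granularity */
    uint8_t  present, dpl, is_code, gran_4k, default_32;
};

/* Split an 8-byte descriptor (the dq value as stored in memory) into
 * the fields the CPU caches when a selector referencing it is loaded. */
struct seg_desc decode_descriptor(uint64_t raw)
{
    struct seg_desc d;
    uint8_t access = (uint8_t)((raw >> 40) & 0xFF);
    uint8_t flags  = (uint8_t)((raw >> 52) & 0x0F);

    d.limit = (uint32_t)(raw & 0xFFFF) | (uint32_t)((raw >> 48) & 0x0F) << 16;
    d.base  = (uint32_t)((raw >> 16) & 0xFFFF)
            | (uint32_t)((raw >> 32) & 0xFF) << 16
            | (uint32_t)((raw >> 56) & 0xFF) << 24;
    d.present    = (access >> 7) & 1;
    d.dpl        = (access >> 5) & 3;
    d.is_code    = (access >> 3) & 1;       /* type bit 3: 1 = code, 0 = data */
    d.gran_4k    = (flags >> 3) & 1;        /* G bit */
    d.default_32 = (flags >> 2) & 1;        /* D/B bit: 0 = 16-bit segment */
    d.byte_limit = d.gran_4k ? (d.limit << 12) | 0xFFF : d.limit;
    return d;
}

/* Constructed copy of the three-entry GDT at F000:6049 / 6051 / 6059. */
static const uint64_t gdt[3] = {
    0x0000000000000000ULL,    /* null descriptor */
    0x00009F0F0000FFFFULL,    /* code: base F0000h, limit FFFFh, 16-bit */
    0x008F93000000FFFFULL,    /* data: base 0, limit FFFFFh, 4 KB granularity */
};

#define PHYS_INVALID 0xFFFFFFFFu

/* Physical address of selector:offset after lgdt and CR0.PE=1. The
 * selector's index is selector >> 3 (TI and RPL are zero here). Returns
 * PHYS_INVALID for the null selector, an index past the GDT limit, a
 * non-present descriptor, or an offset beyond the segment limit. */
uint32_t pmode_phys(uint16_t selector, uint16_t offset)
{
    unsigned idx = selector >> 3;
    if (idx == 0 || idx >= sizeof gdt / sizeof gdt[0])
        return PHYS_INVALID;
    struct seg_desc d = decode_descriptor(gdt[idx]);
    if (!d.present || offset > d.byte_limit)
        return PHYS_INVALID;
    return d.base + offset;
}

/* The retn trick: ss was loaded with F000h while still in real mode, so
 * its cached base is F000h * 16. Setting CR0.PE does not reload ss, so
 * that base survives into 16-bit protected mode and sp just picks the
 * return-address word inside it. */
uint32_t stack_phys(uint16_t real_mode_ss, uint16_t sp)
{
    uint32_t cached_base = (uint32_t)real_mode_ss << 4;
    return cached_base + sp;
}

int main(void)
{
    struct seg_desc c = decode_descriptor(gdt[1]);
    struct seg_desc d = decode_descriptor(gdt[2]);
    printf("code: base %05lXh limit %lXh DPL %u 16-bit=%d\n",
           (unsigned long)c.base, (unsigned long)c.byte_limit, c.dpl, !c.default_32);
    printf("data: base %lXh limit %lXh (4K granularity=%u)\n",
           (unsigned long)d.base, (unsigned long)d.byte_limit, d.gran_4k);
    printf("jmp far ptr 8:61ADh -> physical %05lXh\n",
           (unsigned long)pmode_phys(8, 0x61AD));
    printf("ss=F000h sp=61C5h -> return address word at physical %05lXh\n",
           (unsigned long)stack_phys(0xF000, 0x61C5));
    return 0;
}
```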
5. Tools Used
This section introduces the tools needed for the reverse engineering analysis. A separate subsection explains the IDA Pro disassembler.
5.1. What We Need
Before we start we need the following tools:
1. The IDA Pro disassembler. I use IDA Pro v4.3. You can use any interactive disassembler you like; I find IDA Pro suits me best. We need an interactive disassembler because the BIOS code we are going to disassemble is not ordinary code: while it executes from ROM there is sometimes no stack available, and some stack tricks are used for procedure/routine calls.
2. A good hex editor. I use HexWorkshop ver. 3.0b. The biggest advantage of this hex editor is that it can compute checksums over a selected range of the open file.
3. LHA 2.55, for modifying the BIOS binary. If you only want to decompress and analyze the compressed BIOS components, you can also use WinZip or any other archiver that handles LZH/LHA files.
4. BIOS modification tools such as CBROM (I use v2.08, v2.07 and v1.24) and MODBIN, which comes in two flavours: modbin6 for Award BIOS ver. 6 and modbin 4.50.xx for Award BIOS ver. 4.5xPGNM. These tools make it easier to view the BIOS components. They can be downloaded from www.biosmods.com.
5. Some chipset datasheets, depending on the mainboard whose BIOS code you want to dissect. www.com.by has some datasheets in PDF format. The mainboard I dissect is a VIA693A-596B, and of course I have its datasheet.
6. Intel Software Developer Manual Volumes 1, 2 and 3. The BIOS sometimes uses exotic instructions, and there are some hard-to-remember data structures that need looking up, such as the GDT and the IDT.
5.2. Introduction to IDA Pro Techniques
This subsection explains how to use IDA Pro. If you grasp these concepts, you will be able to use IDA Pro comfortably.
5.2.1. Introduction to IDA Pro
Reverse code engineering is the analysis of a piece of software's executable in order to understand the algorithms it uses. In most cases software is released only as an executable, without source code. The same holds for the BIOS: all we get is the executable code. Reverse code engineering is done with the help of tools such as debuggers, disassemblers, binary file editors (hex editors), ICEs (in-circuit emulators) and so on. In this subsection we only discuss disassemblers, namely the IDA Pro disassembler.
IDA Pro is a powerful disassembler. It supports plugins and scripting, and handles more than 50 processor architectures. But powerful tools usually have a drawback: they are hard to master, and IDA Pro is no exception.
There are several editions of IDA Pro: the freeware edition, the standard edition and the advanced edition. The latest freeware edition is IDA Pro version 4.3 (AFAIK) and it's available for download at http://www.dirfile.com/ida_pro_freeware_version.htm. It's the most limited of all IDA Pro versions: it only supports x86 processors and doesn't come with the plugin feature, but it comes at no cost, which is why it's presented here. Fortunately, it still comes with the scripting feature. The standard and advanced editions of IDA Pro 4.3 of course differ from the freeware edition: they support plugins and many more processor architectures. We are going to learn how to use the scripting feature in the next section.
Now, let's start to use IDA Pro freeware version to open a BIOS binary file. First, IDA Pro freeware version has to be installed. After the installation has finished, one special step must be carried out to prevent an unwanted bug when this version of IDA Pro opens a BIOS file with the *.rom extension. To do so, one must edit the IDA Pro configuration file located in the root of the IDA Pro installation directory. The name of the file is ida.cfg. Open this file with any text editor (such as Notepad) and look for the following lines:
DEFAULT_PROCESSOR = {
/* Extension    Processor */
  "com" :       "8086"                  // IDA will try the specified
  "exe" :       ""                      // extensions if no extension is
  "dll" :       ""                      // given.
  "drv" :       ""
  "sys" :       ""
  "bin" :       ""  // Empty processor means the default processor
  "ovl" :       ""
  "ovr" :       ""
  "ov " :       ""
  "nlm" :       ""
  "lan" :       ""
  "dsk" :       ""
  "obj" :       ""
  "prc" :       "68000"                 // PalmPilot programs
  "axf" :       "arm710a"
  "h68" :       "68000"                 // MC68000 for *.H68 files
  "i51" :       "8051"                  // i8051   for *.I51 files
  "sav" :       "pdp11"                 // PDP-11  for *.SAV files
  "rom" :       "z80"                   // Z80     for *.ROM files
  "cla*":       "java"
  "s19":        "6811"
  "o":          ""
  "*":          ""                      // Default processor
}
Notice the line: "rom" : "z80" // Z80 for *.ROM files
This line must be removed, or the "z80" in it replaced with "", to disable the automatic request to load the z80 processor module in IDA Pro upon opening a *.rom file. The bug occurs if a *.rom file is opened while this line is unchanged, since the freeware IDA Pro doesn't come with the z80 processor module; thus opening a *.rom file will by default terminate IDA Pro. Some motherboard BIOS files come with the *.rom extension by default, even though it's very clear that they won't be executed on a z80 processor. Fixing this bug ensures that we will be able to open motherboard BIOS files with the *.rom extension flawlessly. Note that the steps needed to remove other file-extension to processor-type "mappings" in this version of IDA Pro are the same as for the z80 processor just described.
Now let's proceed to open a sample BIOS file. This BIOS file is da8r9025.rom, the BIOS file for the Supermicro H8DAR-8 (OEM Only) motherboard. This motherboard uses the AMD-8131 HyperTransport PCI-X Tunnel chip and the AMD-8111 HyperTransport I/O Hub chip. The dialog box below will be displayed when you start IDA Pro freeware version 4.3.
Just click OK to proceed. Then the next dialog box shown below will be displayed.
In this dialog box, you can try one of the three options, but we will just click on the Go button. This will start IDA Pro with an empty workspace as shown below.
Then locate and drag the file to be disassembled to the IDA Pro window (as shown above). In this case, IDA Pro will show the following dialog box.
In this dialog box, we will select Intel 80x86 processors: athlon as the Processor type in the drop down list box. Then click on the Set button to activate the new processor selection. Leave the other options as they are. Code relocation will be carried out by using IDA Pro scripts in a later section, so just click OK. IDA Pro then shows the following dialog box.
This dialog box asks us to choose the default operating mode of the x86 compatible processor during the disassembling process. AMD64 Architecture Programmer's Manual Volume 2: System Programming, February 2005, in section 14.1.5 page 417 states that:
"After a RESET# or INIT, the processor is operating in 16-bit real mode."
In addition, IA-32 Intel Architecture Software Developer's Manual Volume 3: System Programming Guide 2004, section 9.1.1 states that:
"Table 9-1 shows the state of the flags and other registers following power-up for the Pentium 4, Intel Xeon, P6 family, and Pentium processors. The state of control register CR0 is 60000010H (see Figure 9-1), which places the processor is in real-address mode with paging disabled."
Thus, we can conclude that any x86 compatible processor starts its execution in 16-bit real mode just after power-up, and we have to choose 16-bit mode in this dialog box. It's accomplished by clicking No in the dialog box. Then the following dialog box pops up.
This dialog box tells us that IDA Pro can't decide where the entry point is located. We have to locate it ourselves later. Just click OK to continue to the main window for the disassembly process.
Up to this point we are able to open the binary file within IDA Pro. This is not a trivial task for people new to IDA Pro. That's why it's presented in a step-by-step fashion. However, the output in the workspace is not yet usable. The next step is learning the scripting facility that IDA Pro provides to make sense of the disassembly database that IDA Pro generates.
5.2.2. IDA Pro Scripting And Key Bindings
Now we will proceed to decipher the IDA Pro disassembly database shown in the previous subsection with the help of the scripting facility. Before we proceed to analyze the binary, we have to learn some basic concepts of the IDA Pro scripting facility. IDA Pro script syntax is similar to the C programming language. The syntax is as follows:
1. IDA Pro scripts only recognize one type of variable, i.e. auto. There are no other variable types such as int, char, etc. A variable is declared in an IDA Pro script as follows:
   auto variable_name;
2. Every statement in an IDA Pro script ends with a semicolon (;), just like in the C programming language.
3. A function may or may not return a value, but there's no return type declaration. The syntax is as follows:
   static function_name(parameter1, parameter2, parameter_n, ...)
4. A comment in an IDA Pro script starts with a double slash (//). The IDA Pro scripting engine ignores anything after the comment marker on the corresponding line:
   // comment
   statement; // comment
5. IDA Pro "exports" its internal functionality to the scripts we build by means of header files. These header files must be "included" in our script so that we are able to access that functionality. At least one header file must be included in any IDA Pro script, i.e. idc.idc. The header files are located inside a folder named idc in the IDA Pro installation directory. One must read the *.idc files inside this directory to learn about the functions that are exported by IDA Pro. The most important header file to learn is idc.idc. The syntax used to include a header file in an IDA Pro script is:
   #include <header_file_name>
6. The entry point of an IDA Pro script is the main function, just as in the C programming language.
Now it is time to put the theory into a simple working example, an IDA Pro sample script.
#include <idc.idc>
// relocate one segment: copy 64 KB of dwords from src to dest
static relocate_seg(src, dest)
{
  auto ea_src, ea_dest, hi_limit;

  hi_limit = src + 0x10000;   // one 64 KB segment
  ea_dest = dest;

  for(ea_src = src; ea_src < hi_limit ; ea_src = ea_src + 4 )
    {
    PatchDword( ea_dest, Dword(ea_src));
    ea_dest = ea_dest + 4;
   }

  Message("segment relocation finished (inside relocate_seg function)..\n");
}

static main()
{
  Message("creating target segment (inside entry point function main)...\n");
  // 16-bit segment F000h covering linear F0000h-FFFFFh
  SegCreate([0xF000, 0], [0x10000, 0], 0xF000, 0, 0, 0);
  SegRename([0xF000, 0], "_F000");

  // copy the code that sits at linear 70000h in the file to F0000h
  relocate_seg([0x7000,0], [0xF000, 0]);
}
The square bracket operator, i.e. [ ], in the script above forms a linear address from its parameters by shifting the first parameter left four bits and then adding the second parameter to the result; for example, [0x7000, 0] means (0x7000 << 4) + 0, i.e. linear address 0x7_0000. This operator is the same as the MK_FP( , ) operator in previous versions of IDA Pro. One must read the idc.idc file to see the "exported" function definitions, such as the Message, SegCreate and SegRename functions, to understand this script completely. Other "exported" functions that may be of interest can be found in the numerous *.idc files in the idc directory of the IDA Pro installation folder. To be able to use a function, its definition has to be looked up in the exported function definitions in the corresponding *.idc header file. For example, the SegCreate function is defined in idc.idc as follows:
// Create a new segment
//      startea  - linear address of the start of the segment
//      endea    - linear address of the end of the segment
//                 this address will not belong to the segment
//                 'endea' should be higher than 'startea'
//      base     - base paragraph or selector of the segment.
//                 a paragraph is 16byte memory chunk.
//                 If a selector value is specified, the selector should be
//                 already defined.
//      use32    - 0: 16bit segment, 1: 32bit segment
//      align    - segment alignment. see below for alignment values
//      comb     - segment combination. see below for combination values.
// returns: 0-failed, 1-ok

success SegCreate( long startea,long endea,long base,  long use32,
                   long align,long comb);
A 512KB BIOS binary file must be opened in IDA Pro with the loading address set to 0000h to be able to execute the sample script above. This loading scheme is the same as explained in the previous sub-section. In this case, we will just open the binary file of the Supermicro H8DAR-8 motherboard as in the previous sub-section and then execute the script. First, we must type the script above into a plain text file. We can use Notepad or another ASCII file editor for this purpose. We will name the file function.idc. The script is then executed by clicking on the File | IDC file... menu or by pressing F2, which opens a file selection dialog box.
Just select the file and click Open to execute the script. If there's any mistake in the script, IDA Pro will warn you with a warning dialog box. Executing the script displays the corresponding messages in the message pane of IDA Pro.
The script above relocates the last segment (64KB) of the Supermicro H8DAR-8 BIOS code to the right place. One must be aware that IDA Pro is only an advanced tool to help with the reverse code engineering task; it's not a magical tool that is going to reveal the overall structure of the BIOS binary without us being significantly involved in the process. The script relocates/copies BIOS code from physical/linear address 0x7_0000-0x7_FFFF to 0xF_0000-0xF_FFFF. The logical reason behind this algorithm is explained below.
The AMD-8111 HyperTransport IO Hub Datasheet, chapter 4, page 153, says that:
Note: The following ranges are always specified as BIOS address ranges. See DevB:0x80 for more information about how access to BIOS spaces may be controlled.
Size       Host Address Range[31:0]   Address translation for LPC bus
64K bytes  FFFF_0000h - FFFF_FFFFh    FFFF_0000h - FFFF_FFFFh
64K bytes  000F_0000h - 000F_FFFFh    FFFF_0000h - FFFF_FFFFh
In addition, the AMD64 Architecture Programmer's Manual Volume 2: System Programming, February 2005, section 14.1.5, page 417, says that:
"Normally within real mode, the code-segment base address is formed by shifting the CS-selector value left four bits. The base address is then added to the value in EIP to form the physical address into memory. As a result, the processor can only address the first 1 Mbyte of memory when in real mode. However, immediately following RESET# or INIT, the CS selector register is loaded with F000h, but the CS base-address is not formed by left-shifting the selector. Instead, the CS base address is initialized to FFFF_0000h. EIP is initialized to FFF0h. Therefore, the first instruction fetched from memory is located at physical-address FFFF_FFF0h (FFFF_0000h+0000_FFF0h). The CS base-address remains at this initial value until the CS selector register is loaded by software. This can occur as a result of executing a far jump instruction or call instruction, for example. When CS is loaded by software, the new base-address value is established as defined for real mode (by left shifting the selector value four bits)."
From the references above, we conclude that the address range 000F_0000h - 000F_FFFFh is an alias of FFFF_0000h - FFFF_FFFFh, i.e. both point to the same physical address range. Whenever the host (CPU) accesses some value in the 000F_0000h - 000F_FFFFh address range, it's actually accessing the value in the FFFF_0000h - FFFF_FFFFh range, and the reverse is also true. From this fact, we know that we have to relocate the uppermost 64KB of the BIOS code to address 000F_0000h - 000F_FFFFh for further investigation. This decision is based on my previous experience with various BIOS binary files: they generally reference addresses with F000h as the segment value within the BIOS code. Also, note that the last 64KB of the BIOS binary file is mapped to the last 64KB of the 4GB address space, i.e. 4GB-64KB to 4GB; that's why we have to relocate the last 64KB.
A simple script of only several lines can be typed and executed directly within IDA Pro without opening a text editor. IDA Pro provides a specific dialog box for this purpose, which can be accessed by pressing Shift+F2. This is more practical for simple tasks, but as the number of routines grows, one might consider coding the script in a file as described above, due to the limit on the number of instructions that can be entered in the dialog box. In this dialog box, enter the script to be executed and click OK to execute it.
Note that there is no need for an #include statement at the beginning of the script, since by default all of the functions that IDA Pro exports in its script header files (*.idc) are accessible within the scripting dialog box. The main function also doesn't need to be defined. In fact, anything you write in the dialog box entry behaves as if it were written inside the main function of an IDA Pro script file.
Anyway, you might want to go to the IDA Palace for more IDA Pro script samples. It will take a while to grasp them, but IDA Palace is definitely the place to go if you're curious about IDA Pro scripting.
At present, we are able to relocate the binary within IDA Pro; the next step is to disassemble the binary within IDA Pro. Before that, we need to know how the default key bindings work in IDA Pro. A key binding is the "mapping" between a keyboard key and the command carried out when that key is pressed. The cursor must be placed in the workspace before any command is carried out in IDA Pro. The key bindings are defined in the idagui.cfg file located in the IDA Pro installation directory. An excerpt of the key bindings (hot keys) is provided below.
"MakeCode"              =       'C'
"MakeData"              =       'D'
"MakeAscii"             =       'A'
"MakeUnicode"           =       0           // create unicode string
"MakeArray"             =       "Numpad*"
"MakeUnknown"           =       'U'

"MakeName"              =       'N'
//"MakeAnyName"           =       "Ctrl-N"
"ManualOperand"         =       "Alt-F1"

"MakeFunction"          =       'P'
"EditFunction"          =       "Alt-P"
"DelFunction"           =       0
"FunctionEnd"           =       'E'
One can alter idagui.cfg to change the default key bindings, but we will only consider the defaults. Now that we have grasped the key binding concept, let's see how to use it on our binary. In the previous example, we created a new segment, i.e. 0xF000. Now, we will go to the first instruction executed in the BIOS within that segment, i.e. address 0xF000:0xFFF0. Press G, and a dialog box asking for the destination address is shown.
In this dialog box, enter the destination address. You must enter the address in complete form (segment:offset), i.e. F000:FFF0. Then click OK to go to the intended address. Note that you don't have to type the leading 0x characters, since by default the value in the input box is interpreted as hexadecimal. IDA Pro then positions the cursor at that address in the workspace.
The next step is to convert the value at this address into a meaningful machine instruction. To do so, press C (MakeCode in the key bindings above).
Then, we can follow the jump by pressing Enter.
We can return from the jump that we've just made by pressing Esc.
Up to this point, you've gained significant intuition for using IDA Pro. You just need to consult the key bindings in idagui.cfg in case you want to do something and don't know what key to press.
________________________________________
Now we're armed. What we need to do next is to understand the basic stuff by using the hex editor before proceeding to the disassembling session.
6. Award BIOS File Structure
6.1. Compressed Part
Memory map in hexadecimal:
1.  0000h - 3AACh : XGROUP ROM (awardext.rom), the Award extension ROM. It contains routines called by the system BIOS, i.e. original.tmp.
2.  3AADh - 97AFh : CPUCODE.BIN, the BIOS microcode.
3.  97B0h - A5CFh : ACPITBL.BIN, the ACPI tables.
4.  A5D0h - A952h : Iwill.bmp, the BMP logo.
5.  A953h - B3B1h : nnoprom.bin, I don't know yet what this component's role is.
6.  B3B2h - C86Ch : Antivir.bin, the boot-sector anti-virus.
7.  C86Dh - 1BEDCh : ROSUPD.BIN, the custom part of my BIOS, used to display the custom boot logo and prompt.
8.  2_0000h - 3_5531h : original.tmp, the system BIOS part of my particular BIOS. Most 2 Mbit BIOSes have original.tmp at 2_0000h - 3_xxxxh (if you look from within a hex editor). Some 4 Mbit BIOSes have original.tmp at the very beginning of the BIOS binary file, i.e. at 0000h.
Note:
a.  There is FFh padding between the compressed ROSUPD.BIN and original.tmp. These padding bytes are also found after the compressed original.tmp and after the pure binary BIOS part. An example:
  Address  Hex                                      ASCII
00037D00 2A42 4253 532A 0060 0070 0060 0060 00A0 *BBSS*.`.p.`.`..
00037D10 3377 4670 8977 ACCF C4CF 0100 00FF FFFF 3wFp.w..........
00037D20 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00037D30 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
b.  These compressed parts can easily be extracted by copying and pasting them into a new binary file with Hex Workshop. Then decompress the new file with LHA 2.55 or WinZip. If we use WinZip, change the extension to .lzh so that WinZip recognizes it automatically. Recognizing the part we have to cut is very simple: just look for the "-lh5-" string. The "-lh5-" string sits 2 bytes after the very beginning of the file, and the very end of the file is always a 00h byte, right before the next compressed file, or right before padding bytes or some checksum. I'll give you two examples below; they show the first and last bytes of the file to cut.
The compressed CPUCODE.BIN in my BIOS:
Address  Hex                                      ASCII
00003AA0 4E61 19E6 9775 2B46 BA55 85F0 0024 382D Na...u+F.U...$8-
00003AB0 6C68 352D DC5C 0000 00A0 0000 0000 0140 lh5-./.........@
00003AC0 2001 0B43 5055 434F 4445 2E42 494E BCAA  ..CPUCODE.BIN..
00003AD0 2000 0038 3894 9700 52C4 A2CF F040 0000  ..88...R....@..
00003AE0 4000 0000 0000 0000 0000 0000 0000 0000 @...............
........
000097A0 0E3C 8FA7 FFF4 FFFE 9FFF D3FF FFFB FF00 .<..............
000097B0 24D9 2D6C 6835 2DFA 0D00 00A6 2100 0000 $.-lh5-.....!...
The compressed ORIGINAL.TMP in my BIOS:
Address  Hex                                      ASCII
0001FFF0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00020000 251A 2D6C 6835 2D09 5501 0000 0002 0000 %.-lh5-.U.......
00020010 0000 5020 010C 6F72 6967 696E 616C 2E74 ..P ..original.t
00020020 6D70 0CD9 2000 002D 7888 F0FD D624 A5BA mp.. ..-x....$..
........
00035510 019E 6E67 BF11 8582 88D9 4E7C BEC8 C34C ..ng......N|...L
00035520 401D 189F BDD0 A176 17F0 4383 1D73 BF99 @......v..C..s..
00035530 00C9 FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
00035540 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ................
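The carving rule in note b above (the "-lh5-" string 2 bytes after the file start, the compressed data, then a 00h byte) can be applied to a whole image by a script. The following is an added example, not code from the article or from any Award tool: it parses each LHA level-1 header as described, verifies the header checksum, and lists every component with its file offsets. The image it scans is constructed inline; the one real header it also checks is the CPUCODE.BIN header copied from the dump above.

```python
"""List the LHA ("-lh5-") compressed components of an Award BIOS image.

Added example, not code from the article or an Award tool. Every compressed
component is a complete single-file LHA archive: a level-1 header whose method
id "-lh5-" starts 2 bytes into the file, the compressed data, and a 00h
end-of-archive byte. All offsets are file offsets as seen in a hex editor.
"""
import struct
from dataclasses import dataclass

LH5 = b"-lh5-"


@dataclass
class Component:
    header_off: int      # offset of the header-size byte: start of the file to cut
    data_off: int        # first byte of compressed data
    data_end: int        # one past the last compressed byte; the 00h end byte sits here
    packed_size: int
    orig_size: int
    name: str
    crc16: int
    checksum_ok: bool    # header checksum byte matches the header contents
    end_marker_ok: bool  # a 00h byte follows the data, as the text describes


def parse_header(buf: bytes, off: int) -> Component:
    """Parse the LHA level-1 header whose size byte is at buf[off]."""
    hsize, chk = buf[off], buf[off + 1]          # header size excludes these 2 bytes
    base = buf[off + 2:off + 2 + hsize]
    if hsize < 25 or len(base) != hsize or base[:5] != LH5:
        raise ValueError("no -lh5- level-1 header at %#x" % off)
    checksum_ok = (sum(base) & 0xFF) == chk      # low byte of the byte sum after the checksum
    packed, orig = struct.unpack_from("<II", base, 5)   # follow the 5-byte method id
    level, name_len = base[18], base[19]         # base[13:17] DOS time/date, [17] attribute
    if level != 1 or hsize != 25 + name_len:
        raise ValueError("unexpected header level or size at %#x" % off)
    name = base[20:20 + name_len].decode("ascii", "replace")
    crc16 = struct.unpack_from("<H", base, 20 + name_len)[0]   # then 1 byte OS id
    # The last word of the base header is the size of the first extension header.
    # Award images use none, but a chain of them is walked here for completeness.
    ext_pos, ext_total = off + hsize, 0
    ext_size = struct.unpack_from("<H", buf, ext_pos)[0]
    while ext_size:
        ext_total += ext_size
        ext_pos += ext_size                      # each ext header ends with the next size word
        ext_size = struct.unpack_from("<H", buf, ext_pos)[0]
    data_off = off + 2 + hsize + ext_total
    data_end = data_off + packed - ext_total     # level 1 counts ext headers in packed size
    end_ok = data_end < len(buf) and buf[data_end] == 0
    return Component(off, data_off, data_end, packed, orig, name, crc16, checksum_ok, end_ok)


def find_components(buf: bytes) -> list:
    """Scan a whole image for -lh5- components, skipping padding and plain binary parts."""
    found, pos = [], 0
    while True:
        idx = buf.find(LH5, pos)
        if idx < 0:
            return found
        try:
            comp = parse_header(buf, idx - 2) if idx >= 2 else None
        except (ValueError, IndexError, struct.error):
            comp = None
        if comp is None:                 # a stray "-lh5-" inside data: keep scanning
            pos = idx + 1
            continue
        found.append(comp)
        pos = comp.data_end + 1          # resume after the 00h end byte


def build_component(name: bytes, data: bytes, orig_size: int) -> bytes:
    """Constructed helper for the sample image: wrap `data` in a level-1 header plus
    the 00h terminator (the data CRC is left zero; nothing here decompresses it)."""
    body = (LH5 + struct.pack("<II", len(data), orig_size) + b"\x00\x00\x01\x40"  # time
            + b"\x20\x01" + bytes([len(name)]) + name + b"\x00\x00" + b"\x20" + b"\x00\x00")
    return bytes([len(body), sum(body) & 0xFF]) + body + data + b"\x00"


# The CPUCODE.BIN header exactly as it appears in the dump above (offsets 3AADh-3AD2h).
CPUCODE_HEADER = bytes.fromhex(
    "2438 2d6c6835 2d dc5c0000 00a00000 00000140 20 01 0b "
    "43505543 4f44452e 42494e bcaa 20 0000")

# Constructed image: three short components carrying the article's component names,
# with FFh padding and a trailing checksum byte placed as in the real dumps.
SAMPLE_IMAGE = (build_component(b"awardext.rom", b"A" * 40, 64)
                + build_component(b"CPUCODE.BIN", b"B" * 30, 48)
                + b"\xff" * 16
                + build_component(b"original.tmp", b"C" * 50, 128)
                + b"\xc9" + b"\xff" * 16)

if __name__ == "__main__":
    for c in find_components(SAMPLE_IMAGE):
        print("%05Xh - %05Xh  %-13s packed=%-5d orig=%-5d header_chk=%s end_00h=%s" % (
            c.header_off, c.data_end, c.name, c.packed_size, c.orig_size,
            c.checksum_ok, c.end_marker_ok))
```

Run against a real image, the printed ranges are the ones listed in the memory map above (header-size byte through the closing 00h byte).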
6.2. Pure Binary Part
Memory map:
1.  3_6000h - 3_6C4Ah : This routine initializes the DRAM controller (inside the host bridge) and the DRAM clock in my BIOS.
2.  3_7000h - 3_7D1Ch : The decompression routine part. This routine contains the LZH decompression engine that decompresses the compressed BIOS parts above.
3.  3_C000h - 3_CFE4h : This area contains various routines: enabling the address decoding of the lower 128KB of the BIOS, the default VGA initialization (used if the system BIOS fails to execute), and the rest are host bridge initialization routines.
4.  3_E000h - 3_FFFFh : Contains the Boot Block code.
Note: there is padding between some of the parts, in some places FFh bytes and in others 00h bytes.
6.3. Memory Map In The Real System (Mainboard)
We have already looked at the memory map of the BIOS binary file above. In the BIOS chip on the mainboard it is a bit different, and more complicated. The map for my mainboard is as follows (yours may differ; consult your chipset datasheet):
1.  0_0000h - 3_FFFFh in the BIOS binary file is mapped to FFFC_0000h - FFFF_FFFFh in system memory. Due to the northbridge in my system, address FFFF_0000h - FFFF_FFFFh is only an alias of F_0000h - F_FFFFh, or, in "real-mode lingo", F000:0000h - F000:FFFFh. Note that this mapping holds right after power-up, since it is the chipset's power-up default; after the chipset is reprogrammed by the BIOS it is not guaranteed to still be valid. There are some "kludges" here that are system dependent; you have to consult the Intel Software Developer Manual Volume 3 (System Programming) and your chipset datasheet.
2.  Following from point 1, the pure binary parts of the BIOS are mapped as follows (after power-up):
    1) BootBlock : F000:E000h - F000:FFFFh
    2) Decompression Block : F000:7000h - F000:7D1Ch
    3) Early DRAM controller and DRAM initialization : F000:6000h - F000:6C4Ah
3.  The compressed BIOS parts are mapped into system memory space after they are decompressed by various means. They depend on the decompression routine, and their mapping rarely looks the same across different BIOS files. The mapping (mine is as follows; yours may differ, but the segment addresses are very likely the same):
    1) original.tmp a.k.a System BIOS : E000:0000h - F000:FFFFh
    2) awardext.rom a.k.a Award extension ROM : 4100:0000h - 4100:xxxxh. It is later relocated by original.tmp to 6000:0000h - 6000:xxxxh, i.e. before it is executed.
We must keep this mapping in mind as we proceed on our journey.
Note:
Because the mapping of the BIOS binary addresses into the real system is quite complex, it is easy to get lost. But there is a trick that eases our work in the disassembly process with IDA Pro:
Start the disassembly from the pure binary part, at address F000:FFF0h (3_FFF0h when viewing the binary in a hex editor). To do that, open the binary file (VD30728.BIN, i.e. the Iwill VD133 BIOS binary) in IDA Pro and disassemble it with its loading address set to C000:0000h; remember to disable the segment name, so that we see the real-mode addresses as they are when the code executes in the system. Adjust the other segment addresses with IDA Pro scripts, remembering to adjust the address configuration to match the chipset datasheet.
7. Disassembling the BIOS
According to the Intel System Programming Guide, we start disassembling at address f000:fff0h (see the memory map above and adjust IDA Pro to fit it). You may ask: how is this possible? The Intel Software Developer Manual Vol. 3 (PROCESSOR MANAGEMENT AND INITIALIZATION - First Instruction Executed) says:
The first instruction that is fetched and executed following a hardware reset is located at physical address FFFFFFF0H.
The answer is: the northbridge chipset uses 000F_xxxxh as an alias of FFFE_FFFFh-FFFF_FFFFh. Also, note that after this address translation the southbridge plays no part; it just passes the address straight through to the BIOS ROM chip. Hence, after the power-on reset there is nothing tricky about addresses FFFF_FFF0h and F_FFF0h (or F000:FFF0 in "real-mode lingo"); it is that simple. This is the BootBlock area. It always contains a far jump into the bootblock area proper, at F000:E05Bh. From this point we can continue disassembling the main pure binary part. In fact, a lot of the pure binary code is never executed, because your system BIOS is rarely corrupted, and the Bootblock POST process only takes place when you have messed it up.
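The aliasing described in 6.3 and above, together with the far jump at the reset vector, as an added example that is not code from the article: it converts between file offsets, power-up physical addresses and real-mode seg:off for an image of any size, gives the IDA source range that the relocate_seg script in 5.2.2 copies, and decodes the jmp far at F000:FFF0. The 256KB sample image is constructed; the F000:E05B target it carries is the bootblock entry mentioned above, and nothing else in it is real.

```python
"""Map BIOS file offsets to the addresses the CPU sees right after reset,
and decode the far jump at the reset vector.

Added example, not code from the article: it applies the aliasing the text
describes (the last 64KB of the image sits at FFFF_0000h-FFFF_FFFFh, which the
chipset also decodes at 000F_0000h-000F_FFFFh after power-up) to an image of
any size. E-segment aliasing, which only some chipsets provide, is ignored.
"""
import struct

FOUR_GB = 1 << 32
RESET_VECTOR = 0xFFFFFFF0                       # first instruction fetched after a hardware reset
F_SEG_LO, F_SEG_HI = 0x000F0000, 0x000FFFFF     # power-up alias of FFFF_0000h-FFFF_FFFFh


def phys_from_file(off: int, image_size: int) -> int:
    """The image is decoded at the top of 4GB: offset 0 of a 256KB image is FFFC_0000h."""
    if not 0 <= off < image_size:
        raise ValueError("offset %#x outside the image" % off)
    return FOUR_GB - image_size + off


def file_from_phys(phys: int, image_size: int) -> int:
    """Inverse of phys_from_file; also accepts the 000F_xxxxh alias of the top 64KB."""
    if F_SEG_LO <= phys <= F_SEG_HI:
        phys += 0xFFF00000                      # 000F_xxxxh -> FFFF_xxxxh
    off = phys - (FOUR_GB - image_size)
    if not 0 <= off < image_size:
        raise ValueError("address %#x is not backed by the BIOS image" % phys)
    return off


def linear(seg: int, off: int) -> int:
    """Real-mode address formation, the same thing IDC's [seg, off] operator does."""
    return ((seg << 4) + off) & 0xFFFFF


def ida_source_segment(image_size: int) -> tuple:
    """Inclusive linear range of the top 64KB when the image is loaded at 0000h in IDA;
    for the 512KB H8DAR-8 image this is the 0x7_0000-0x7_FFFF that relocate_seg copies."""
    return image_size - 0x10000, image_size - 1


def reset_vector(image: bytes) -> dict:
    """Decode the 5-byte `jmp far seg:off` (EA off16 seg16) found at F000:FFF0."""
    off = file_from_phys(linear(0xF000, 0xFFF0), len(image))
    if image[off] != 0xEA:
        raise ValueError("no far jmp at the reset vector (opcode %#x)" % image[off])
    ip, cs = struct.unpack_from("<HH", image, off + 1)
    return {
        "file_offset": off,                           # 3_FFF0h for a 256KB image
        "physical": phys_from_file(off, len(image)),  # FFFF_FFF0h
        "target": (cs, ip),
        "target_file_offset": file_from_phys(linear(cs, ip), len(image)),
    }


def make_sample_image(size: int = 0x40000) -> bytes:
    """Constructed 256KB image: FFh everywhere except a `jmp far F000:E05B` at the
    reset vector, the bootblock entry the text mentions; nothing else in it is real."""
    img = bytearray(b"\xff" * size)
    rv = file_from_phys(RESET_VECTOR, size)
    img[rv:rv + 5] = b"\xea" + struct.pack("<HH", 0xE05B, 0xF000)
    return bytes(img)


if __name__ == "__main__":
    info = reset_vector(make_sample_image())
    print("reset vector at file offset %05Xh (phys %08Xh) jumps to %04X:%04X, file offset %05Xh"
          % (info["file_offset"], info["physical"], *info["target"], info["target_file_offset"]))
```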
7.1. Bootblock
From this point on we can disassemble the bootblock routines. Now, I will show you the non-obvious and important areas in the disassembled BIOS code. This concerns my BIOS; yours may differ, but IMHO only slightly.
7.1.1. "Virtual Shutdown" routine
Address    Hex            Mnemonic
F000:E07F  BC 0B F8       mov   sp, 0F80Bh          ; ret from this jmp redirected to 0E103h (F000:E103h)
F000:E082  E9 7B 15       jmp   Chipset_Reg_Early_Init
7.1.2. Chipset_Reg_Early_Init routine
Address    Hex            Mnemonic
F000:F600                 Chipset_Reg_Early_Init proc near ; CODE XREF: F000:E082j
F000:F600  66 C1 E4 10    shl   esp, 10h
F000:F604  BE C4 F6       mov   si, 0F6C4h          ; addr of chipset reg mask
F000:F607                 next_PCI_reg:             ; CODE XREF: Chipset_Reg_Early_Init+29j
F000:F607  2E 8B 0C       mov   cx, cs:[si]
F000:F60A  BC 10 F6       mov   sp, 0F610h
F000:F60D  E9 F8 00       jmp   Read_PCI_Byte
F000:F60D                 ; ---------------------------------------------------------------------------
F000:F610  12 F6          dw 0F612h
F000:F612                 ; ---------------------------------------------------------------------------
F000:F612  2E 22 44 02    and   al, cs:[si+2]
F000:F616  2E 0A 44 03    or    al, cs:[si+3]
F000:F61A  BC 20 F6       mov   sp, 0F620h
F000:F61D  E9 02 01       jmp   Write_PCI_Byte
F000:F61D                 ; ---------------------------------------------------------------------------
F000:F620  22 F6          dw 0F622h
F000:F622                 ; ---------------------------------------------------------------------------
F000:F622  83 C6 04       add   si, 4
F000:F625  81 FE 04 F7    cmp   si, 0F704h          ; are we done yet?
F000:F629  75 DC          jnz   next_PCI_reg
F000:F62B  BA D0 04
作 者: beiyu
時 間: 2007-04-05,10:15
鏈 接: http://bbs.pediy.com/showthread.php?threadid=42166
Pinczakko的AwardBIOS逆向工程指導(dǎo)
作者:Pinczakko
翻譯:beiyu?http://beiyu.bokee.com
Email:?beiyuly@gmail.com
時間:2006.6.6
ida的使用和最后展望沒有翻譯,希望有興趣的朋友能夠補(bǔ)上。
目錄
Pinczakko的AwardBios逆向工程指導(dǎo)??1
1.序言??2
2.準(zhǔn)備工作??2
2.1.PCI?BUS??3
2.2.ISA?BUS??4
3.一些硬件特性??4
3.1.?BIOS?芯片地址??5
3.2.?晦澀的硬件接口(Port)??6
3.3.?"可重定位"?硬件Port??8
3.4.?Expansion?ROM?Handling??9
4.一些軟件特性??10
4.1.call指令特性??10
4.2.?retn?Instruction?Peculiarity??10
5.?用到的工具??13
5.1.?我們的需求??13
5.2.?IDA?Pro技術(shù)介紹??13
5.2.1.?IDA?Pro介紹??13
5.2.2.?IDA?Pro?Scripting?And?Key?Bindings??19
6.?Award?BIOS?文件結(jié)構(gòu)??26
6.1.壓縮部分??26
6.2.?純二進(jìn)制部分??27
6.3.?真實系統(tǒng)(Mainboard)中的內(nèi)存印象??27
7.?反匯編BIOS??28
7.1.?Bootblock??29
7.1.1.?"Virtual?Shutdown"?routine??29
7.1.2.?Chipset_Reg_Early_Init?routine??29
7.1.3.?Init_Interrupt_n_PwrMgmt?routine??35
7.1.4.?Call?To?"Early?Silicon?Support"?Routine??36
7.1.5.?Bootblock?Is?Copied?And?Executed?In?RAM??37
7.1.6.?Call?to?bios?decompression?routine?and?the?jump?into?decompressed?system?bios??39
7.1.6.1.?Enable?FFF80000h-FFFDFFFFh?decoding??40
7.1.6.2.?Copy?lower?128KB?of?BIOS?code?from?ROM?chip?into?RAM??40
7.1.6.3.?Disable?FFF8_0000h-FFFD_FFFFh?decoding??40
7.1.6.4.?Verify?checksum?of?the?whole?compressed?BIOS?image??40
7.1.6.5.?Look?for?the?decompression?engine??41
7.1.6.6.?Decompress?the?compressed?BIOS?components??41
7.1.6.7.?Shadow?the?BIOS?code??60
7.1.6.8.?Enable?the?microprocessor?cache?then?jump?into?the?decompressed?system?BIOS??60
7.2.?System?BIOS?a.k.a?Original.tmp??61
7.2.1.?Entry?point?from?"Bootblock?in?RAM"??61
7.2.2.?The?awardext.rom?and?Extension?BIOS?Components?(lower?128KB?bios-code)?Relocation?Routine??62
7.2.3.?Call?to?the?POST?routine?a.k.a?"POST?jump?table?execution"??64
7.2.4.?The?"segment?vector"?Routines??68
7.2.5.?"chksum_ROM"?Procedure??72
7.2.6.?Original.tmp?Decompression?Routine?for?The?"Extension_BIOS?Components"??72
7.2.7.?Microcode?Update?Routine??90
8.?激昂展望??92
9.?結(jié)束語??92
1.序言
我非常歡迎你能夠來實踐復(fù)雜的Award?Bios的代碼研究工作。本文不是一篇官方的Award?Bios逆向工程的文章,也不是由Award公司內(nèi)部人員編輯的。我只是一個好奇的普通人,我真的很喜歡搞清楚我的電腦的Bios是怎樣工作的。我寫這篇文章的是為了公開我的發(fā)現(xiàn)和研究,從而回報那些我所犯的錯誤,都是我在逆向工程進(jìn)程當(dāng)中所犯的。你有幾個可能性來讀這篇文章,也許你是一個老資格的黑客,也許你是一個像我一樣的系統(tǒng)程序設(shè)計愛好者,也許你只是一個好奇的外行。只有一點是肯定的,你肯定可以從這篇文章有所收獲,可以提高你的技巧。無論如何,我已經(jīng)寫了一個準(zhǔn)備章節(jié),來保證你吸收這篇文章所具備的知識。
除非你自己反匯編了Bios的文件,你是不會理解搞清楚BIOS的工作的。
??這篇文章的目的是消除疑惑,定位好你自己,在開始對BIOS的逆向工程工作中,為你提供一個參考。
2.準(zhǔn)備工作
??1.我必須承認(rèn),這個工作需要x86的知識。
??2.保護(hù)模式下的編成開發(fā)知識。你必須學(xué)會怎樣讓x86機(jī)器從實模式轉(zhuǎn)移到保護(hù)模式。也就是說,你必須學(xué)會初步的x86保護(hù)模式OS開發(fā)。www.osdever.net是一個很好的學(xué)習(xí)這方面知識的網(wǎng)站。最重要的事情是保護(hù)模式的數(shù)據(jù)結(jié)構(gòu)是怎樣工作的。我的意思是GDT、IDT、x86控制寄存器和段寄存器是怎樣工作的,特別是award?bios用他們來實現(xiàn)他的奇妙的地方——稍后文章解釋。
??3.什么是x86的不真實模式。他是一個x86機(jī)器在真是模式和保護(hù)模式之間的的狀態(tài)——稍后文章解釋。
??4.X86直接硬件編程開發(fā)。你需要知道怎樣編程直接制硬件,特別是在你主板上面的。你可以聯(lián)系這個,通過windows上的直接訪問硬件程序開發(fā)練習(xí)。這個不是必需的,但是如果你懂的話,會給你帶來很多方便。你也需要知道一些x86總線協(xié)議,比如PCI和ISA——稍后文章解釋。
??5.你必須理解大部分你的主板芯片的手冊。比如北橋和南橋控制寄存器。
2.1.PCI?BUS
??官方的PCI總線標(biāo)準(zhǔn)系統(tǒng)是由PCISIG(PCI?Special?Interest?Group)維持的。他可能是某種公司,他介于Intel和其他大公司,比如Microsoft。他將要被Arapahoe?(PCI-Express?a.k.a?PCI-e)?and?Hypertransport代替。但是PCI曾經(jīng)是在保持一種標(biāo)準(zhǔn)。Hypertransport向后兼容PCI。Arapahoe也是一樣。只是這個PCI的標(biāo)準(zhǔn)是沒有公開的。
??首先,PCI?BUS是一個32位寬度的總線。通訊需要32bit的地址模式。讀寫操作需要32位地址。64位PCI?Bus不是天生就是,他使用了雙重地址回路實現(xiàn)。所以你可以說PCI就是一個32位總線的系統(tǒng)。
??其次,這個總線系統(tǒng)定義位置是,控制端口PORT?CF8h?–?CFBh,數(shù)據(jù)端口CFCh?–?CFFh。這些端口用來配置相應(yīng)的PCI芯片,比如讀寫PCI芯片的配置寄存器值。
??第三,這個總線系統(tǒng)強(qiáng)制我們和PCI通訊需要遵守下面的法則(從用戶CPU觀點):
1.??寫目標(biāo)總線號,設(shè)備號,功能號和偏移/寄存器號到配置地質(zhì)端口,然后使能bit置1。通俗講就是,寫寄存器的地址到你想要寫入的PCI地址端口。
2.??從一個配置數(shù)據(jù)端口執(zhí)行一個one-byte,?two-byte,?or?four-byte?I/O讀操作或者寫操作。通俗講就是,讀寫數(shù)據(jù)從你想要讀寫的PCI端口。
作為一個提示,據(jù)我所知,每一個今天用到的BUS/通訊協(xié)議,使用簡單的法則來使芯片互相通訊,而這些芯片有一個復(fù)雜的總線協(xié)議。
有了上面的定義,這里提供一個x86的匯編碼片斷,來說明怎樣使用這些配置端口。
No.??Mnemonic?(masm?syntax)??Comment
1??Pushad??保存所有通用寄存器的值
2??mov?eax,80000064h??把將要訪問的PCI芯片寄存器的地址放入eax
(offset?64h?device?00:00:00?or?hostbridge)
3??mov?dx,0CF8h??地址端口放入dx。因為是PCI,我們用CF8h作為端口,來打開訪問這個設(shè)備。
4??out?dx,eax??發(fā)送PCI地址端口到processor的I/O空間
5??mov?dx,0CFCh??數(shù)據(jù)端口放入dx。因為是PCI,我們用CFCh作為端口,來和這個設(shè)備數(shù)據(jù)通信。
6??in?eax,dx??將從這個設(shè)備讀出的數(shù)據(jù)放入eax
7??or?eax,?00020202??改變數(shù)據(jù)(this?is?only?example,?don't?try?this?in?your?machine,?it?may?hang?or?even?destroy?your?machine)
8??out?dx,eax??將數(shù)據(jù)發(fā)送回設(shè)備
9??............??-
10??Popad??出棧所有寄存器值
11??Ret??返回?
??
??我想上面的代碼已經(jīng)非常清晰了。這里有一個PCI寄存器地址格式例子:
mov?eax,80000064h
??the?80000064h?is?the?address.?The?meaning?of?these?bits?are:?
bit?position??31??30??29??28??27??26??25??24??23??22??21??20??19??18??17??16??15??14??13??12??11??10??9??8??7??6??5??4??3??2??1??0
binary?value??1??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??0??1??1??0??0??1??0??0
hexadecimal?value??8??0??0??0??0??0??6??4
???Bit?31是一個使能標(biāo)志。如果這個位置設(shè)置了,我們就給與PCI?bus讀寫通信的權(quán)利了,否則就是禁止。那就是為什么我們在最左邊有一個8的原因。
???Bits?30?-?24?保留?bits。
???Bits?23?-?16?是?PCI?Bus?號。
???Bits?15?-?11是PCI?設(shè)備號。?
???Bits?10?-?8?是PCI?功能號。
???Bits?7?-?0?是偏移地址。
80000064h的意思就是我們通訊的設(shè)備是bus?0,?device?0,?function?0,?偏移地址是64h。實際上這個是我們主板上面的北橋芯片中的存儲控制配置寄存器。大多數(shù)環(huán)境下,bus?0,?device?0,?function?0是Hostbridge,你需要參考自己的芯片數(shù)據(jù)表來改變這個。大概來講,他們要作如下工作:讀取偏移地址,改寫數(shù)據(jù),寫回設(shè)備。
2.2.ISA?BUS
??AFAIK(恕我直言),ISA?bus?不是標(biāo)準(zhǔn)的總線。因此,實際上任何ISA設(shè)備可以存在于系統(tǒng)的16-bit?I/O地址空間。我對ISA?bus的經(jīng)驗很有限(CMOS?chip?,mainboard's?hardware?monitoring?chip-?Winbond?W83781D)。這兩個芯片用了上面提到的PCI?bus通用算法:
1.??先送出你想要讀寫的設(shè)備的地址。只有那樣,你才可以通過這個設(shè)備的數(shù)據(jù)端口發(fā)送接收數(shù)據(jù)。
2.??通過數(shù)據(jù)端口,發(fā)送接收將要通過設(shè)備讀寫的數(shù)據(jù)。
我的硬件監(jiān)視芯片用端口295h作為地址端口,296h作為數(shù)據(jù)端口。CMOS用70h作為地址端口,71h作為數(shù)據(jù)端口。
3.一些硬件特性
X86平臺存在很多hack,特別是他的bios。這個要歸功于向下兼容。這章要討論一對在我BIOS反匯編中遇到的問題。
3.1.?BIOS?芯片地址
??最重要的負(fù)責(zé)bios代碼處理的芯片是南橋和北橋芯片。由于這方面,北橋負(fù)責(zé)系統(tǒng)地址空間管理,比如bios?shadowing,處理訪問RAM和處理事務(wù),用bios?ROM作為南橋的目標(biāo),南橋最后積存bios?rom。南橋主要負(fù)責(zé)使能rom解碼控制,這將要寄存要訪問的bios?rom的存儲地址。下面展示的地址可以存在于系統(tǒng)DRAM和bios?rom芯片中的任何一個,這取決于在bios代碼執(zhí)行時,南橋和北橋寄存器的設(shè)置。
Physical?Address??Also?Known?As??Used?by??Address?Aliasing?Note
000F_0000h?-?000F_FFFFh???F_seg?/?F_segment???1?Mbit,?2?MBit,?and?4?MBit?BIOS???alias?to?FFFF_0000h?-?FFFF_FFFFh?in?all?chipset?just?after?power-up?
000E_0000h?-?000E_FFFFh??E_seg?/?E_segment??1?Mbit,?2?MBit,?and?4?MBit?BIOS??alias?to?FFFE_0000h?-?FFFE_FFFFh?in?some?chipset?just?after?power-up?
??上面的地址范圍包含了bios代碼和很多的系統(tǒng)特性。所以你不得不參考你的芯片數(shù)據(jù)表來理解它。而且,在bios代碼運(yùn)行后的時間里,注意上面的地址要被bios代碼占據(jù)的是F_seg?i.e.?F_0000h?-?F_FFFFh。無論怎樣,相當(dāng)?shù)牟僮飨到y(tǒng)可能會認(rèn)為這段地址沒有用,而且會把它用于自己的目的。上面提到的地址只是當(dāng)bios代碼訪問或者其他代碼直接訪問bios?rom的時候,反映了bios?rom芯片到系統(tǒng)地址空間映射。就像我們要看到的一樣,這個映射可以通過程序設(shè)計一些芯片寄存器來改變。
??超過1m的Bios芯片,比如2m和4m的芯片有一個非常與眾不同的低bios區(qū)域地址,i.e.?C_seg,?D_seg和其他低"segment(s)"。大多數(shù)情況,這個區(qū)域被映射到了靠近4GB地址范圍。這個地址范圍處理是從類似北橋到PCI地址范圍來解決。這個配置下芯片行為如下:
???北橋作為一個地址傳送裝置:在不同方式和普通內(nèi)存地址比較的狀態(tài)下,它對這個特別的內(nèi)存地址有反應(yīng),內(nèi)存地址直接指向RAM。相反,這個特別的內(nèi)存地址由北橋轉(zhuǎn)到南橋,從而解碼。
???南橋作為地址解碼器:它解碼這個特別的內(nèi)存地址,這個地址指向正確的芯片,比如bios芯片。這方面,如果地址范圍不被允許在南橋控制寄存器解碼,南橋要返回“void”(bus地址周期結(jié)束)。
下面是一個例子:?
Physical?Address??Also?Known?As??Used?by??Address?Aliasing?Note
000F_0000h?-?000F_FFFFh???F_seg?/?F_segment???1?Mbit,?2?MBit,?and?4?Mbit?BIOS???alias?to?FFFF_0000h?-?FFFF_FFFFh?in?all?chipset?just?after?power-up?
000E_0000h?-?000E_FFFFh??E_seg?/?E_segment??1?Mbit,?2?Mbit,?and?4?Mbit?BIOS??alias?to?FFFE_0000h?-?FFFE_FFFFh?in?some?chipset?just?after?power-up?
FFFD_0000h?-?FFFD_FFFFh??D_seg?/?D_segment??2?Mbit,?and?4?Mbit?BIOS??-?
FFFC_0000h?-?FFFC_FFFFh??C_seg?/?C_segment??2?Mbit,?and?4?Mbit?BIOS??-?
FFF8_0000h?-?FFFB_FFFFh??-???4?Mbit?BIOS??-?
結(jié)論是:現(xiàn)代芯片組表現(xiàn)為效法F_seg?and?E_seg?處理。這是一個證據(jù),證明現(xiàn)代x86系統(tǒng)保持著向下兼容。無論如何,賣主已經(jīng)遠(yuǎn)離x86,這些“雜牌電腦(cludge)”往往被認(rèn)為是過去的東西。
??下面是在剛剛系統(tǒng)加電啟動后,VIA693A芯片組(北橋)系統(tǒng)內(nèi)存映射,根據(jù)芯片數(shù)據(jù)表。
Table?4.?System?Memory?Map
Space?Start????Size??Address?Range??????Comment
DOS???0????????640K??00000000-0009FFFF??Cacheable
VGA???640K?????128K??000A0000-000BFFFF??Used?for?SMM
BIOS??768K?????16K???000C0000-000C3FFF??Shadow?Ctrl?1
BIOS??784K?????16K???000C4000-000C7FFF??Shadow?Ctrl?1
BIOS??800K?????16K???000C8000-000CBFFF??Shadow?Ctrl?1
BIOS??816K?????16K???000CC000-000CFFFF??Shadow?Ctrl?1
BIOS??832K?????16K???000D0000-000D3FFF??Shadow?Ctrl?2
BIOS??848K?????16K???000D4000-000D7FFF??Shadow?Ctrl?2
BIOS??864K?????16K???000D8000-000DBFFF??Shadow?Ctrl?2
BIOS??880K?????16K???000DC000-000DFFFF??Shadow?Ctrl?2
BIOS??896K?????64K???000E0000-000EFFFF??Shadow?Ctrl?3
BIOS??960K?????64K???000F0000-000FFFFF??Shadow?Ctrl?3
Sys???1MB???????????00100000-DRAM?Top??Can?have?hole
Bus???D?Top??????????DRAM?Top-FFFEFFFF
Init??4G-64K???64K???FFFEFFFF-FFFFFFFF??000Fxxxx?alias
??最重要的要考慮到的東西是地址別名,比如你看到的FFFE_FFFFh-?FFFF_FFFFh范圍就是000Fxxxxh別名,這個就是bios?rom芯片地址映射的地方(我得主板)。但是,我們不得不認(rèn)為,這個是在啟動階段最初的時候(reset后)。在芯片重新被bios改編程序后,這個地址范圍就會映射到了RAM中。我們認(rèn)為這個是作為加電啟動默認(rèn)值。作為一個標(biāo)記,主要的x86芯片用這個地址作為別名,至少是F-segment地址范圍。
??另外一個事實就是我們不得不考慮:大部分芯片組在加電后,寄存器中,只提供默認(rèn)F-segment地址配置,其他bios?rom段保持不可訪問。這些段的地址配置將要少后由bootblock代碼在改變了相關(guān)芯片組寄存器后配置(大部分是南橋寄存器)。這里研究的芯片屬于這個組。
??現(xiàn)代系統(tǒng)連接bios?rom芯片和南橋芯片是通過LPC(Low?Pin?Count)接口。無論怎樣,本文中的南橋沒有這樣的接口。它是一個老的芯片,使用ISA?bus作為和bios?rom的接口。
3.2.?晦澀的硬件接口(Port)
??下面提到的一些晦澀的硬件接口沒有在芯片數(shù)據(jù)文檔提到。注意,這些信息是從Intel?ICH5,VIA?586B和VIA596B的數(shù)據(jù)表中得到。
I/O?Port?address?????Purpose
92h??????????????????Fast?A20?and?Init?Register
4D0h?????????????????Master?PIC?Edge/Level?Triggered?(R/W)
4D1h?????????????????Slave?PIC?Edge/Level?Triggered?(R/W)
Table?146.?RTC?I/O?Registers?(LPC?I/F桪31:F0)
I/O?Port?Locations????If?U128E?bit?=?0????????????Function
70h?and?74h???????????Also?alias?to?72h?and?76h???Real-Time?Clock?(Standard?RAM)?Index?Register
71h?and?75h???????????Also?alias?to?73h?and?77h???Real-Time?Clock?(Standard?RAM)?Target?Register
72h?and?76h???????????????????????????????????????Extended?RAM?Index?Register?(if?enabled)
73h?and?77h???????????????????????????????????????Extended?RAM?Target?Register?(if?enabled)
注意:
1.??I/O位置的70h和71h是標(biāo)準(zhǔn)的服務(wù)于真實時間時鐘的ISA接口。表格147所示。72h和73h作為訪問擴(kuò)展RAM。擴(kuò)展RAM單元的訪問依然通過索引配置。I/O地址72h作為地址指針,73h作為數(shù)據(jù)寄存器。索引地址127h以上不可用。如果不需要擴(kuò)展RAM,它就變得不可用了。
2.??軟件比如保留地址70h的bit7。當(dāng)順序?qū)懭脒@個地址的時候,軟件必須先讀出這個位置的值,然后寫入現(xiàn)同的值到bit7。注意70h不是可以直接讀取的。唯一的方法是通過alt訪問,讀取相應(yīng)寄存器的值。如果NMI#(不可屏蔽中斷)使能沒有在普通操作下改變,那么軟件能夠二者選一的讀取這個bit一次,然后保留這個值,一邊隨后的所有寫入端口70h操作。
RTC(通路控制)包含了兩個索引寄存器配置,用于被兩個分離索引和目標(biāo)寄存器(70/71h?or?72/73h)訪問,如147表格所示。
Table?147.?RTC?(Standard)?RAM?Bank?(LPC?I/F桪31:F0)
Index???Name
00h?????Seconds
01h?????Seconds?Alarm
02h?????Minutes
03h?????Minutes?Alarm
04h?????Hours
05h?????Hours?Alarm
06h?????Day?of?Week
07h?????Day?of?Month
08h?????Month
09h?????Year
0Ah?????Register?A
0Bh?????Register?B
0Ch?????Register?C
0Dh?????Register?D
0Eh?Fh?114?Bytes?of?User?RAM
3.3.?"可重定位"?硬件Port
??系統(tǒng)I/O空間中,有一些硬件端口種類可以重定位。在這個bios,那些端口包括smbus-related端口和電源管理相關(guān)端口。這些端口當(dāng)然是基本地址。這些所謂的基本地址是通過可以編程的基址寄存器控制的。Smbus由smbus基址寄存器,電源管理由電源管理I/O基址寄存器。所以這些端口是可編程的,bootblock歷程在bios歷程執(zhí)行開始的時候初始化這些地址寄存器的值。由于這些端口的可編程特性,就必需要開始bios?bootblock的逆向工程來查出哪個端口地址用來這些可編程硬件端口。否則,就會搞不清楚稍后逆向工程中怪異端口的事件。例如:
Address????Hex??????????????????Mnemonic
F000:F604?BE?C4?F6??????????????????mov???si,?0F6C4h??????????;?addr?of?chipset?reg?mask
F000:F607?????????????????????????next_PCI_reg:???????????????;?CODE?XREF:?Chipset_Reg_Early_Init+29
F000:F607?2E?8B?0C??????????????????mov???cx,?cs:[si]
F000:F60A?BC?10?F6??????????????????mov???sp,?0F610h
F000:F60D?E9?F8?00??????????????????jmp???Read_PCI_Byte
F000:F60D?????????????????????????;?---------------------------------------------------------------------------
F000:F610?12?F6?????????????????????dw?0F612h
F000:F612?????????????????????????;?---------------------------------------------------------------------------
F000:F612?2E?22?44?02???????????????and???al,?cs:[si+2]
F000:F616?2E?0A?44?03???????????????or????al,?cs:[si+3]
F000:F61A?BC?20?F6??????????????????mov???sp,?0F620h
F000:F61D?E9?02?01??????????????????jmp???Write_PCI_Byte
F000:F61D?????????????????????????;?---------------------------------------------------------------------------
F000:F620?22?F6?????????????????????dw?0F622h
F000:F622?????????????????????????;?---------------------------------------------------------------------------
F000:F622?83?C6?04??????????????????add???si,?4
F000:F625?81?FE?04?F7???????????????cmp???si,?0F704h??????????;?are?we?done?yet?
.........
F000:F6F4?48?3B?????????????????????dw?3B48h??????????????????;?B#0?D#7?F#3:?PwrMngmt&SMBus?-?PwrMngmt?IO?Base?Addr?lo_byte
F000:F6F6?00????????????????????????db?0??????????????????????;?and?mask
F000:F6F7?00????????????????????????db?0??????????????????????;?or?mask
F000:F6F7?????????????????????????????????????????????????????;
F000:F6F8?49?3B?????????????????????dw?3B49h??????????????????;?B#0?D#7?F#3:?PwrMngmt&SMBus?-?PwrMngmt?IO?Base?Addr?hi_byte
F000:F6FA?40????????????????????????db?40h????????????????????;?and?mask
F000:F6FB?40????????????????????????db?40h????????????????????;?PwrMngmt?IO?Base?Addr?=?IO?Port?4000h
.........
F000:F643?B9?90?3B??????????????????mov???cx,?3B90h???????????;?B#0?D#7?F#3:?PwrMngmt&SMBus?-?SMBus?IO?Base?Addr?lo_byte
F000:F646?B0?00?????????????????????mov???al,?0???????????????;?set?SMBus?IO?Base?lo_byte?to?00h
F000:F648?BC?4E?F6??????????????????mov???sp,?0F64Eh
F000:F64B?E9?D4?00??????????????????jmp???Write_PCI_Byte
F000:F64B?????????????????????????;?---------------------------------------------------------------------------
F000:F64E?50?F6?????????????????????dw?0F650h
F000:F650?????????????????????????;?---------------------------------------------------------------------------
F000:F650?B9?91?3B??????????????????mov???cx,?3B91h???????????;?B#0?D#7?F#3:?PwrMngmt&SMBus?-?SMBus?IO?Base?Addr?hi_byte
F000:F653?B0?50?????????????????????mov???al,?50h?;?'P'???????;?set?SMBus?IO?Base?hi_byte?to?50h,
F000:F653?????????????????????????????????????????????????????;?so,?now?SMBus?IO?Base?is?at?port?5000h?!!!
F000:F655?BC?5B?F6??????????????????mov???sp,?0F65Bh
F000:F658?E9?C7?00??????????????????jmp???Write_PCI_Byte
F000:F658?????????????????????????;?---------------------------------------------------------------------------
F000:F65B?5D?F6?????????????????????dw?0F65Dh
.........
F000:F66A?BA?05?40??????????????????mov???dx,?4005h???????????;?access?ACPI?Reg?05h
F000:F66D?B0?80?????????????????????mov???al,?80h?;?'????????;?setting?reserved?bit?
.........
Of course, there are more relocatable hardware ports, but at least you have seen the hints. So, once you find BIOS code that seems to access a strange port, you will know where to look.
3.4. Expansion ROM Handling
There are a couple of issues to consider, such as the video BIOS and other expansion ROM handling. Here is a run-down of PCI expansion ROM handling in the system BIOS:
1.  The system BIOS scans all PCI chips in the system and initializes their BARs (Base Address Registers). Once this initialization is finished, the system has a usable system-wide address configuration.
2.  Using this system-wide address configuration, the system BIOS copies the required PCI expansion ROMs one by one into RAM, in the range C000:0000h - D000:FFFFh, and executes/initializes each module.
ISA expansion ROMs will be discussed in a later version of this article.
4. Some Software Peculiarities
There are some tricky areas in the BIOS code related to the parts that execute from ROM. They are described below:
4.1. call Instruction Peculiarity
The call instruction cannot be used while the BIOS code executes from within the BIOS ROM chip. This is because call uses the stack, and we cannot write to the BIOS ROM to use a stack. The stack is needed because the call instruction pushes (writes) the return address. We know very well that at this point ss:sp points into ROM, which we cannot write. DRAM cannot be used at this point either: it has not yet been detected by the BIOS code. We don't even know whether RAM exists!
4.2. retn Instruction Peculiarity
The retn instruction peculiarity is tied to the ROM_CALL macro definition:
ROM_CALL  MACRO    RTN_NAME
      LOCAL    RTN_ADD
      mov  sp, offset DGROUP:RTN_ADD
      jmp      RTN_NAME
RTN_ADD:  dw      DGROUP:$+2
          ENDM
Example:
Address     Hex                  Mnemonic
F000:6000                        F000_6000_read_pci_byte proc near
F000:6000   66 B8 00 00 00 80    mov   eax, 80000000h
F000:6006   8B C1                mov   ax, cx           ; copy offset addr to ax
F000:6008   24 FC                and   al, 0FCh         ; mask it
F000:600A   BA F8 0C             mov   dx, 0CF8h
F000:600D   66 EF                out   dx, eax
F000:600F   B2 FC                mov   dl, 0FCh
F000:6011   0A D1                or    dl, cl           ; get the byte addr
F000:6013   EC                   in    al, dx           ; read the byte
F000:6014   C3                   retn                   ; Return Near from Procedure
F000:6014                        F000_6000_read_pci_byte endp
......
F000:6043 18 00                     GDTR_F000_6043 dw 18h   ; limit of GDTR (3 valid desc entry)
F000:6045 49 60 0F 00               dd 0F6049h              ; GDT physical addr (below)
F000:6049 00 00 00 00 00 00 00 00   dq 0                    ; null descriptor
F000:6051 FF FF 00 00 0F 9F 00 00   dq 9F0F0000FFFFh        ; code descriptor:
F000:6051                                                   ; base addr = F 0000h; limit=FFFFh; DPL=0;
F000:6051                                                   ; exec/ReadOnly, conforming, accessed;
F000:6051                                                   ; granularity=byte; Present; 16-bit segment
F000:6059 FF FF 00 00 00 93 8F 00   dq 8F93000000FFFFh      ; data descriptor:
F000:6059                                                   ; base addr = 00h; seg_limit=F FFFFh; DPL=0;
F000:6059                                                   ; Present; read-write, accessed;
F000:6059                                                   ; granularity = 4 KByte; 16-bit segment
......
F000:619B 0F 01 16 43 60        lgdt  qword ptr GDTR_F000_6043 ; Load Global Descriptor Table Register
F000:61A0 0F 20 C0              mov   eax, cr0
F000:61A3 0C 01                 or    al, 1             ; set PMode flag
F000:61A5 0F 22 C0              mov   cr0, eax
F000:61A8 EA AD 61 08 00        jmp   far ptr 8:61ADh   ; jmp below in 16-bit PMode (abs addr F 61ADh)
F000:61A8                                               ; (code segment with base addr = F 0000h)
F000:61AD                       ; ---------------------------------------------------------------------
F000:61AD B8 10 00              mov   ax, 10h           ; load ds with valid data descriptor
F000:61B0 8E D8                 mov   ds, ax            ; ds = data descriptor (GDT 3rd entry)
......
F000:61BC  B9 6B 00             mov   cx, 6Bh           ; DRAM arbitration control
F000:61BF  BC C5 61             mov   sp, 61C5h
F000:61C2  E9 3B FE             jmp   F000_6000_read_pci_byte ; Jump
F000:61C2                       ; ------------------------------------------------------------------
F000:61C5  C7 61                dw 61C7h
F000:61C7                       ; ------------------------------------------------------------------
F000:61C7  0C 02                or    al, 2             ; enable VC-DRAM
As you can see, it has to be taken into account that the retn instruction is affected by the current ss:sp register values, and the ss register has not yet been loaded with a value usable in 16-bit protected mode! How can this code execute at all? The answer is a bit complicated. Let's look at the value of the ss register, which was cleverly handled before the call above.
Address    Hex                  Mnemonic
F000:E060 8C C8                 mov   ax, cs
F000:E062 8E D0                 mov   ss, ax          ; ss = cs (ss = F000h a.k.a F_segment)
F000:E064                       assume ss:F000
Note: this routine is executed in real-mode
As you can see, the ss register is loaded with F000h (the 16-bit segment of the current BIOS code in real mode). This means that the hidden descriptor cache register (one exists for every selector/segment register) is loaded with the physical address value ss*16, or F_0000h. This value is retained even though the machine switches to 16-bit protected mode as described above, because the ss register is never reloaded. An excerpt from the Intel Software Developer Manual Vol. 3:
8.1.4. First Instruction Executed
The first instruction that is fetched and executed following a hardware reset is located at physical address FFFFFFF0H. This address is 16 bytes below the processor's uppermost physical address. The EPROM containing the software-initialization code must be located at this address. The address FFFFFFF0H is beyond the 1-MByte addressable range of the processor while in real-address mode. The processor is initialized to this starting address as follows. The CS register has two parts: the visible segment selector part and the hidden base address part. In real address mode, the base address is normally formed by shifting the 16-bit segment selector value 4 bits to the left to produce a 20-bit base address. However, during a hardware reset, the segment selector in the CS register is loaded with F000H and the base address is loaded with FFFF0000H. The starting address is thus formed by adding the base address to the value in the EIP register (that is, FFFF0000 + FFF0H = FFFFFFF0H).
The first time the CS register is loaded with a new value after a hardware reset, the processor will follow the normal rule for address translation in real-address mode (that is, [CS base address = CS segment selector * 16]). To insure that the base address in the CS register remains unchanged until the EPROM based software-initialization code is completed, the code must not contain a far jump or far call or allow an interrupt to occur (which would cause the CS selector value to be changed).
A short excerpt from DDJ (Dr. Dobb's Journal):
At power-up, the descriptor cache registers are loaded with fixed, default values, the CPU is in real mode, and all segments are marked as read/write data segments, including the code segment (CS). According to Intel, each time the CPU loads a segment register in real mode, the base address is 16 times the segment value, while the access rights and size limit attributes are given fixed, "real-mode compatible" values. This is not true. In fact, only the CS descriptor cache access rights get loaded with fixed values each time the segment register is loaded - and even then only when a far jump is encountered. Loading any other segment register in real mode does not change the access rights or the segment size limit attributes stored in the descriptor cache registers. For these segments, the access rights and segment size limit attributes are honored from any previous setting (see Figure 3). Thus it is possible to have a four giga-byte, read-only data segment in real mode on the 80386, but Intel will not acknowledge, or support this mode of operation.
Now you know that the key lies in the descriptor cache register, particularly its base address part. The visible part of ss is only a "place holder" and "register-in-charge"; the actual address calculation/translation is done from the hidden descriptor cache. Whatever you do to this descriptor cache affects every code, stack or data address that is translated/computed. In our case, we have to use a "stack segment" in 16-bit protected mode whose base is the physical address F_0000h. This is not a problem, because the base address of the ss descriptor cache register was already given the value F_0000h in the code above. This explains why the code above executes correctly. Here is an example:
Address    Hex                  Mnemonic
F000:61BF  BC C5 61             mov   sp, 61C5h
F000:61C2  E9 3B FE             jmp   F000_6000_read_pci_byte ; Jump
F000:61C2                       ; ------------------------------------------------------------------
F000:61C5  C7 61                dw 61C7h
In this code we have made ss:sp point to F_61C5h to serve the retn instruction. In fact we have done so because ss contains F_0000h (in the base address part of its descriptor cache) and, as you see, sp contains 61C5h, so the physical address of ss:sp is F_0000h + 61C5h, i.e. physical address F_61C5h.
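To make the GDT and the ss:sp trick above concrete, here is an added Python example (not code from the original guide or BIOS): it decodes the GDTR and the three descriptors from the bytes in the listing at F000:6043 and emulates the retn with a descriptor-cache base of F_0000h. The ROM "memory" it reads is a constructed stand-in holding only the word at F000:61C5.

```python
"""Decode the GDT from the listing above and replay the ss:sp trick.

Added example, not code from the original guide or BIOS.  The GDTR and
descriptor bytes are copied from the listing at F000:6043; the field
layout is the Intel SDM segment descriptor.  The 'ROM memory' used by
the retn emulation is a constructed stand-in holding only the word at
F000:61C5.
"""
import struct

# F000:6043: the lgdt operand (dw limit, dd linear base)
GDTR_IMAGE = bytes.fromhex("1800" "49600F00")
# F000:6049: three 8-byte descriptors, taken from the hex column
GDT_IMAGE = bytes.fromhex(
    "0000000000000000"   # dq 0: null descriptor
    "FFFF00000F9F0000"   # dq 9F0F0000FFFFh: code descriptor
    "FFFF000000938F00"   # dq 8F93000000FFFFh: data descriptor
)


def parse_gdtr(image):
    """Return (limit, base) from the 6-byte lgdt memory operand."""
    return struct.unpack("<HI", image[:6])


def gdt_entry_count(limit):
    """GDTR.limit is the offset of the last valid byte: 18h covers 3 entries."""
    return (limit + 1) // 8


def decode_descriptor(raw):
    """Split an 8-byte segment descriptor into named fields."""
    limit_lo, base_lo, base_mid, access, hi, base_hi = struct.unpack("<HHBBBB", raw)
    typ = access & 0x0F
    is_code = bool(typ & 0x8)
    granularity = bool(hi & 0x80)
    limit = ((hi & 0x0F) << 16) | limit_lo
    desc = {
        "present": bool(access & 0x80),
        "dpl": (access >> 5) & 0x3,
        "system": not (access & 0x10),      # S bit clear: system descriptor
        "code": is_code,
        "accessed": bool(typ & 0x1),
        "base": base_lo | (base_mid << 16) | (base_hi << 24),
        "limit": limit,
        # With G=1 the limit counts 4 KiB pages and the low 12 bits read as ones
        "byte_limit": ((limit << 12) | 0xFFF) if granularity else limit,
        "granularity": granularity,
        "default_32bit": bool(hi & 0x40),   # D/B bit; 0 here = 16-bit segment
    }
    if is_code:
        desc["conforming"] = bool(typ & 0x4)
        desc["readable"] = bool(typ & 0x2)
    else:
        desc["expand_down"] = bool(typ & 0x4)
        desc["writable"] = bool(typ & 0x2)
    return desc


def decode_gdt(gdtr_image, gdt_image):
    """Decode every descriptor the GDTR limit says is valid."""
    limit, _base = parse_gdtr(gdtr_image)
    return [decode_descriptor(gdt_image[i * 8:(i + 1) * 8])
            for i in range(gdt_entry_count(limit))]


def selector_index(selector):
    """Table index of a selector: 'mov ax, 10h' picks GDT entry 2."""
    return selector >> 3


def real_mode_segment_base(selector):
    """A real-mode segment load sets the hidden descriptor-cache base to selector * 16."""
    return (selector & 0xFFFF) << 4


def emulate_retn(ss_base, sp, read_word):
    """retn pops IP from linear address ss_base + sp and adds 2 to sp.

    ss_base comes from the ss descriptor cache.  The mode switch in the
    listing never reloads ss, so the base is still the F_0000h set by the
    real-mode 'mov ss, ax', which is what makes the ROM_CALL trick work.
    """
    ip = read_word(ss_base + sp)
    return ip, (sp + 2) & 0xFFFF


# Constructed stand-in for the ROM: the word at F000:61C5 is 'dw 61C7h'.
ROM_WORDS = {0xF61C5: 0x61C7}


def rom_read_word(linear):
    return ROM_WORDS[linear]


if __name__ == "__main__":
    for i, d in enumerate(decode_gdt(GDTR_IMAGE, GDT_IMAGE)):
        print(i, d)
    ss_base = real_mode_segment_base(0xF000)   # mov ss, ax with ax = cs = F000h
    print("retn after 'mov sp, 61C5h' pops", emulate_retn(ss_base, 0x61C5, rom_read_word))
```

Note that the popped IP equals the new sp: that is exactly what the macro's `dw DGROUP:$+2` arranges.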
5. Tools Used
This section introduces the tools needed for the reverse engineering analysis. A separate section explains the IDA Pro disassembler.
5.1. What We Need
Before we begin, we need the following tools:
1.  The IDA Pro disassembler. I use IDA Pro V4.3. You can use any interactive disassembler you like; I find IDA Pro suits me best. We need an interactive disassembler because the BIOS code we are going to disassemble is not ordinary code. While it executes from ROM there is sometimes no stack available, and stack tricks are used for procedure/routine calls.
2.  A good binary editor. I use HexWorkshop ver 3.0b. One of its biggest advantages is that it can calculate the checksum of a selected range of the open file.
3.  LHA 2.55, for modifying the BIOS binary. If you only want to decompress and analyze the compressed BIOS components, WinZip or any other compression/decompression tool that handles LZH/LHA files will also do.
4.  BIOS modification tools such as CBROM (I use v2.08, v2.07 and 1.24) and MODBIN, which comes in two flavours: modbin6 for Award BIOS ver. 6 and modbin 4.50.xx for Award BIOS ver. 4.5xPGNM. These tools make it easier to look at the BIOS components. They can be downloaded from www.biosmods.com.
5.  Some chipset datasheets, depending on the mainboard BIOS code you are going to dissect. Some datasheets in PDF format are available at www.com.by. The mainboard I dissect is a VIA 693A-596B, and of course I have its datasheet.
6.  Intel Software Developer Manual Volumes 1, 2 and 3. BIOS code sometimes uses exotic instructions, and some hard-to-remember data structures such as the GDT and IDT need to be looked up.
5.2. IDA Pro Techniques
This subsection introduces the use of IDA Pro. Once you have grasped these concepts, you can use IDA Pro with ease.
5.2.1. Introduction to IDA Pro
Reverse code engineering analyzes a piece of software's executable file to understand the algorithms the software uses. In most cases software is only released as an executable, without source code. The same is true of the BIOS: all we can get is the executable code. Reverse code engineering is carried out with the help of tools such as debuggers, disassemblers, binary file (hex) editors, ICE, etc. In this subsection we only discuss disassemblers, in particular the IDA Pro disassembler.
IDA Pro is a powerful disassembler. It supports plugins and scripting, and more than 50 processor architectures. But powerful tools generally share one drawback, namely that they are hard to master, and IDA Pro is no exception.
There are several editions of IDA Pro: a freeware edition, a standard edition and an advanced edition. The latest freeware edition is IDA Pro version 4.3 (AFAIK) and it's available for download at http://www.dirfile.com/ida_pro_freeware_version.htm. It's the most limited of all IDA Pro versions. It only supports the x86 processor and doesn't come with the plugin feature, but it comes at no cost, which is why it's presented here. Fortunately, it still comes with the scripting feature. The standard and advanced editions of IDA Pro 4.3 of course differ from this freeware edition: they come with plugin support and support for many more processor architectures. We are going to learn how to use the scripting feature in the next section.
Now, let's start using the IDA Pro freeware version to open a BIOS binary file. First, the IDA Pro freeware version has to be installed. After the installation has finished, one special step must be carried out to prevent an unwanted bug when this version of IDA Pro opens a BIOS file with the *.rom extension. To do so, one must edit the IDA Pro configuration file located in the root of the IDA Pro installation directory. The name of the file is ida.cfg. Open this file with any text editor (such as notepad) and look for the following lines:
  DEFAULT_PROCESSOR = {
/* Extension    Processor */
  "com" :       "8086"                  // IDA will try the specified
  "exe" :       ""                      // extensions if no extension is
  "dll" :       ""                      // given.
  "drv" :       ""
  "sys" :       ""
  "bin" :       ""  // Empty processor means the default processor
  "ovl" :       ""
  "ovr" :       ""
  "ov?" :       ""
  "nlm" :       ""
  "lan" :       ""
  "dsk" :       ""
  "obj" :       ""
  "prc" :       "68000"                 // PalmPilot programs
  "axf" :       "arm710a"
  "h68" :       "68000"                 // MC68000 for *.H68 files
  "i51" :       "8051"                  // i8051   for *.I51 files
  "sav" :       "pdp11"                 // PDP-11  for *.SAV files
  "rom" :       "z80"                   // Z80     for *.ROM files
  "cla*":       "java"
  "s19":        "6811"
  "o":          ""
  "*":          ""                      // Default processor
}
Notice the line: "rom" : "z80" // Z80 for *.ROM files
This line must be removed, or the "z80" replaced with "", to disable the automatic request to load the z80 processor module in IDA Pro upon opening a *.rom file. The bug occurs if a *.rom file is opened while this line is unchanged, since freeware IDA Pro doesn't come with the z80 processor module. Thus, opening a *.rom file by default will terminate IDA Pro. Some motherboard BIOS files come with the *.rom extension by default, even though it's very clear that they won't be executed on a z80 processor. Fixing this bug ensures that we will be able to open motherboard BIOS files with the *.rom extension flawlessly. Note that the steps needed to remove other file-extension to processor-type "mappings" in this version of IDA Pro are similar to those just described for the z80 processor.
Now let's proceed to open a sample BIOS file. This BIOS file is da8r9025.rom, the BIOS file for the Supermicro H8DAR-8 (OEM Only) motherboard. This motherboard uses the AMD-8131 HyperTransport PCI-X Tunnel chip and the AMD-8111 HyperTransport I/O Hub chip. The dialog box below will be displayed when you start IDA Pro freeware version 4.3.
Just click OK to proceed. Then the next dialog box shown below will be displayed.
In this dialog box, you can try one of the three options, but we will just click on the Go button. This will start IDA Pro with an empty workspace as shown below.
Then locate and drag the file to be disassembled to the IDA Pro window (as shown above). In this case, IDA Pro will show the following dialog box.
In this dialog box, we will select Intel 80x86 processors: athlon as the Processor type in the drop-down list box. Then click on the Set button to activate the new processor selection. Leave the other options as they are. Code relocation will be carried out by using IDA Pro scripts in a later section. Then click OK. IDA Pro then shows the following dialog box.
This dialog box asks us to choose the default operating mode of the x86 compatible processor during the disassembling process. AMD64 Architecture Programmer's Manual Volume 2: System Programming, February 2005, section 14.1.5 page 417 states that:
"After a RESET# or INIT, the processor is operating in 16-bit real mode."
In addition, IA-32 Intel Architecture Software Developer's Manual Volume 3: System Programming Guide 2004, section 9.1.1 states that:
"Table 9-1 shows the state of the flags and other registers following power-up for the Pentium 4, Intel Xeon, P6 family, and Pentium processors. The state of control register CR0 is 60000010H (see Figure 9-1), which places the processor is in real-address mode with paging disabled."
Thus, we can conclude that any x86 compatible processor starts its execution in 16-bit real mode just after power-up, and we have to choose 16-bit mode in this dialog box. This is accomplished by clicking No in the dialog box. Then the following dialog box pops up.
This dialog box tells us that IDA Pro can't decide where the entry point is located. We have to locate it ourselves later. Just click OK to continue to the main window for the disassembly process.
Up to this point we are able to open the binary file within IDA Pro. This is not a trivial task for people new to IDA Pro. That's why it's presented in a step-by-step fashion. However, the output in the workspace is not yet usable. The next step is learning the scripting facility that IDA Pro provides to make sense of the disassembly database that IDA Pro generates.
5.2.2. IDA Pro Scripting And Key Bindings
Now we will proceed to try to decipher the IDA Pro disassembly database shown in the previous sub-section with the help of the scripting facility. Before we proceed to analyze the binary, we have to learn some basic concepts about the IDA Pro scripting facility. The IDA Pro script syntax is similar to the C programming language. The syntax is as follows:
1.  IDA Pro scripts only recognize one type of variable, i.e. auto. There are no other variable types such as int, char, etc. A variable is declared in an IDA Pro script as follows:
    auto variable_name;
2.  Every statement in an IDA Pro script ends with a semicolon (;), just like in the C programming language.
3.  A function may or may not return a value, but there is no return type declaration. The syntax is as follows:
    static function_name(parameter1, parameter2, parameter_n, ...)
4.  A comment in an IDA Pro script starts with a double slash (//). The IDA Pro scripting engine ignores anything after the comment marker on the corresponding line:
    // comment
    statement; // comment
5.  IDA Pro "exports" its internal functionality to the scripts we build by means of header files. These header files must be "included" in our script so that we are able to access that functionality. At least one header file must be included in any IDA Pro script, i.e. idc.idc. The header files are located inside a folder named idc in the IDA Pro installation directory. One must read the *.idc files inside this directory to learn about the functions that are exported by IDA Pro. The most important header file to learn is idc.idc. The syntax used to include a header file in an IDA Pro script is:
    #include <header_file_name>
6.  The entry point of an IDA Pro script is the main function, just as in the C programming language.
Now is the time to put the theory into a simple working example, an IDA Pro sample script.
#include <idc.idc>
// relocate one segment (64KB) from linear address src to linear address dest
static relocate_seg(src, dest)
{
  auto ea_src, ea_dest, hi_limit;

  hi_limit = src + 0x10000;
  ea_dest = dest;

  for(ea_src = src; ea_src < hi_limit ; ea_src = ea_src + 4 )
    {
    PatchDword( ea_dest, Dword(ea_src));
    ea_dest = ea_dest + 4;
    }

  Message("segment relocation finished (inside relocate_seg function)..\n");
}

static main()
{
  Message("creating target segment (inside entry point function main)...\n");
  SegCreate([0xF000, 0], [0x10000, 0], 0xF000, 0, 0, 0);
  SegRename([0xF000, 0], "_F000");

  relocate_seg([0x7000, 0], [0xF000, 0]);
}
The square brackets, i.e. [ ], in the script above are an operator that forms a linear address from its parameters by shifting the first parameter left four bits and then adding the second parameter to the result; for example, [0x7000, 0] means (0x7000 << 4) + 0, i.e. the linear address 0x7_0000. This operator is the same as the MK_FP( , ) operator in previous versions of IDA Pro. One must read the idc.idc file to see the "exported" function definitions in order to understand this script completely, such as the Message, SegCreate and SegRename functions. Other "exported" functions that may be of interest can be found in the numerous *.idc files in the idc directory of the IDA Pro installation folder. To be able to use a function, its definition has to be looked up among the exported function definitions in the corresponding *.idc header file. For example, the SegCreate function is defined in idc.idc as follows:
// Create a new segment
//      startea  - linear address of the start of the segment
//      endea    - linear address of the end of the segment
//                 this address will not belong to the segment
//                 'endea' should be higher than 'startea'
//      base     - base paragraph or selector of the segment.
//                 a paragraph is 16byte memory chunk.
//                 If a selector value is specified, the selector should be
//                 already defined.
//      use32    - 0: 16bit segment, 1: 32bit segment
//      align    - segment alignment. see below for alignment values
//      comb     - segment combination. see below for combination values.
// returns: 0-failed, 1-ok

success SegCreate( long startea,long endea,long base,  long use32,
              long align,long comb);
A 512KB BIOS binary file must be opened in IDA Pro with the loading address set to 0000h to be able to execute the sample script above. This loading scheme is the same as explained in the previous sub-section. In this case, we will just open the binary file of the Supermicro H8DAR-8 motherboard as in the previous sub-section and then execute the script. First, we must type the script above into a plain text file. We can use notepad or another ASCII file editor for this purpose. We will name the file function.idc. The script is then executed by clicking on the File | IDC file... menu or by pressing F2; the dialog box below will then be shown.
Just select the file and click Open to execute the script. If there's any mistake in the script, IDA Pro will warn you with a warning dialog box. Executing the script will display the corresponding messages in the message pane of IDA Pro as shown below.
The script above relocates the last segment (64KB) of the Supermicro H8DAR-8 BIOS code to the right place. One must be aware that IDA Pro is only an advanced tool to help with the reverse code engineering task; it's not a magical tool that's going to reveal the overall structure of the BIOS binary without us being significantly involved in the process. The script relocates/copies BIOS code from physical/linear address 0x7_0000-0x7_FFFF to 0xF_0000-0xF_FFFF. The logical reason behind this algorithm is explained below.
The AMD-8111 HyperTransport IO Hub Datasheet, chapter 4 page 153, says that:
Note: The following ranges are always specified as BIOS address ranges. See DevB:0x80 for more information about how access to BIOS spaces may be controlled.
Size       Host Address Range[31:0]   Address translation for LPC bus
64K bytes  FFFF_0000h - FFFF_FFFFh    FFFF_0000h - FFFF_FFFFh
64K bytes  000F_0000h - 000F_FFFFh    FFFF_0000h - FFFF_FFFFh
In addition, AMD64 Architecture Programmer's Manual Volume 2: System Programming, February 2005, section 14.1.5 page 417 says that:
"Normally within real mode, the code-segment base address is formed by shifting the CS-selector value left four bits. The base address is then added to the value in EIP to form the physical address into memory. As a result, the processor can only address the first 1 Mbyte of memory when in real mode. However, immediately following RESET# or INIT, the CS selector register is loaded with F000h, but the CS base-address is not formed by left-shifting the selector. Instead, the CS base address is initialized to FFFF_0000h. EIP is initialized to FFF0h. Therefore, the first instruction fetched from memory is located at physical-address FFFF_FFF0h (FFFF_0000h+0000_FFF0h). The CS base-address remains at this initial value until the CS selector register is loaded by software. This can occur as a result of executing a far jump instruction or call instruction, for example. When CS is loaded by software, the new base-address value is established as defined for real mode (by left shifting the selector value four bits)."
From the references above, we conclude that the address range 000F_0000h - 000F_FFFFh is an alias of FFFF_0000h - FFFF_FFFFh, i.e. they both point to the same physical address range. Whenever the host (CPU) accesses some value in the 000F_0000h - 000F_FFFFh range, it's actually accessing the value at FFFF_0000h - FFFF_FFFFh, and the reverse is also true. From this fact, we know that we have to relocate the uppermost 64KB of the BIOS code to address 000F_0000h - 000F_FFFFh for further investigation. This decision is based on my previous experience with various BIOS binary files: they generally reference addresses with F000h as the segment value within the BIOS code. Also, note that the last 64KB of the BIOS binary file is mapped to the last 64KB of the 4GB address space, i.e. 4GB-64KB to 4GB; that's why we have to relocate the last 64KB.
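An added Python example (not from the original article) that turns the alias rule above into code: it maps host physical addresses in both BIOS ranges onto offsets in a 512 KB BIOS file, and decodes the far jump at the reset vector FFFF_FFF0h. The 512 KB image is constructed, with only a jmp far F000:E05Bh at the reset vector, chosen to match the bootblock entry described in section 7.

```python
"""Map the aliased BIOS address ranges onto file offsets and decode the reset vector.

Added example, not part of the original article.  The alias rule is the one
quoted above: the 64 KB at 000F_0000h and at FFFF_0000h both reach the top
64 KB of the ROM, and the whole ROM sits just below 4 GB.  The 512 KB image
built below is constructed; only the far jump at the reset vector is filled in.
"""
ROM_SIZE = 512 * 1024
ROM_TOP = 0x1_0000_0000          # 4 GB: the ROM is mapped directly below it


def rom_offset(phys, rom_size=ROM_SIZE):
    """Translate a host physical address into an offset in the BIOS file.

    Returns None for addresses the ROM does not decode at power-up.
    """
    # The whole ROM occupies the top rom_size bytes of the 4 GB space.
    if ROM_TOP - rom_size <= phys < ROM_TOP:
        return phys - (ROM_TOP - rom_size)
    # 000F_0000h-000F_FFFFh is an alias of FFFF_0000h-FFFF_FFFFh (top 64 KB).
    if 0x000F_0000 <= phys <= 0x000F_FFFF:
        return rom_size - 0x10000 + (phys - 0x000F_0000)
    return None


def real_mode_linear(seg, off):
    """Ordinary real-mode address formation: (seg << 4) + off."""
    return ((seg & 0xFFFF) << 4) + (off & 0xFFFF)


def decode_far_jmp(rom, offset):
    """Decode 'EA off_lo off_hi seg_lo seg_hi' (jmp far ptr seg:off) at offset."""
    if rom[offset] != 0xEA:
        raise ValueError(f"no far jmp opcode at file offset {offset:#x}")
    off = int.from_bytes(rom[offset + 1:offset + 3], "little")
    seg = int.from_bytes(rom[offset + 3:offset + 5], "little")
    return seg, off


def reset_vector_target(rom):
    """Follow the first instruction at FFFF_FFF0h; return (seg, off, file offset).

    After the far jump CS has been reloaded by software, so the normal
    seg * 16 rule applies to the target, which the alias rule then maps
    back into the top 64 KB of the file.
    """
    seg, off = decode_far_jmp(rom, rom_offset(0xFFFF_FFF0, len(rom)))
    linear = real_mode_linear(seg, off)
    return seg, off, rom_offset(linear, len(rom))


def build_sample_rom():
    """Constructed 512 KB image: FFh filler with 'jmp far F000:E05Bh' at the reset vector."""
    rom = bytearray(b"\xFF" * ROM_SIZE)
    at = rom_offset(0xFFFF_FFF0)
    rom[at:at + 5] = bytes([0xEA, 0x5B, 0xE0, 0x00, 0xF0])
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom()
    print("reset vector FFFF_FFF0h is file offset", hex(rom_offset(0xFFFF_FFF0)))
    print("F000:FFF0 (000F_FFF0h) is file offset ", hex(rom_offset(0x000F_FFF0)))
    seg, off, where = reset_vector_target(rom)
    print(f"first instruction jumps to {seg:04X}:{off:04X}, file offset {where:#x}")
```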
A simple script of only several lines can be typed and executed directly within IDA Pro without opening a text editor. IDA Pro provides a specific dialog box for this purpose, accessed by pressing Shift+F2. This is more practical for simple tasks, but as the number of routines grows, one might consider coding the script in a file as described above, due to the limit on the number of instructions that can be entered in the dialog box. In this dialog box, enter the script to be executed and click OK to execute it. Below is an example script.
Note that there is no need for an #include statement at the beginning of the script, since by default all of the functions that IDA Pro exports in its script header files (*.idc) are accessible within the scripting dialog box shown above. The main function also doesn't need to be defined. In fact, anything you write in the dialog box entry behaves as if it were written inside the main function of an IDA Pro script file.
Anyway, you might want to go to the IDA Palace for more IDA Pro script samples. It will take a while to grasp them, but IDA Palace is definitely the place to go if you're curious about IDA Pro scripting.
At present, we are able to relocate the binary within IDA Pro; the next step is to disassemble the binary within IDA Pro. Before that, we need to know how the default key bindings work in IDA Pro. A key binding is the "mapping" between a keyboard button and the command carried out when the corresponding key is pressed. The cursor must be placed in the workspace before any command is carried out in IDA Pro. The key bindings are defined in the idagui.cfg file located in the IDA Pro installation directory. An excerpt of the key bindings (hot keys) is provided below.
"MakeCode"              =       'C'
"MakeData"              =       'D'
"MakeAscii"             =       'A'
"MakeUnicode"           =       0           // create unicode string
"MakeArray"             =       "Numpad*"
"MakeUnknown"           =       'U'

"MakeName"              =       'N'
//"MakeAnyName"         =       "Ctrl-N"
"ManualOperand"         =       "Alt-F1"

"MakeFunction"          =       'P'
"EditFunction"          =       "Alt-P"
"DelFunction"           =       0
"FunctionEnd"           =       'E'
One can alter idagui.cfg to change the default key bindings, but we will only consider the defaults. Now that we have grasped the key binding concept, let's see how to use it on our binary. In the previous example, we created a new segment, i.e. 0xF000. Now we will go to the first instruction that's executed in the BIOS within that segment, i.e. address 0xF000:0xFFF0. Press G, and the dialog box below will be shown.
In this dialog box, enter the destination address. You must enter the address in complete form (segment:offset) as shown above, i.e. F000:FFF0. Then click OK to go to the intended address. Note that you don't have to type the leading 0x characters, since by default the value in the input box is in hexadecimal. The result will be as shown below (inside the IDA Pro workspace).
The next step is to convert the value at this address into a meaningful machine instruction. To do so, press C. The result is as shown below.
Then, we can follow the jump by pressing Enter. The result is as shown below.
We can return from the jump that we've just made by pressing Esc.
Up to this point, you've gained significant intuition for using IDA Pro. You just need to consult the key bindings in idagui.cfg in case you want to do something and don't know what key to press.
________________________________________
Now we're armed. What we need to do next is to understand the basic stuff by using the hex editor before proceeding to the disassembling session.
6. Award BIOS File Structure
6.1. Compressed Parts
Memory map (hexadecimal):
1.  0000h - 3AACh : XGROUP ROM (awardext.rom), the Award extension ROM. It contains routines called by the system BIOS, i.e. original.tmp.
2.  3AADh - 97AFh : CPUCODE.BIN, the BIOS microcode.
3.  97B0h - A5CFh : ACPITBL.BIN, the ACPI table.
4.  A5D0h - A952h : Iwill.bmp, the BMP logo.
5.  A953h - B3B1h : nnoprom.bin, I don't know yet what this component's role is.
6.  B3B2h - C86Ch : Antivir.bin, boot sector anti-virus.
7.  C86Dh - 1BEDCh : ROSUPD.BIN, a custom part of my BIOS, used to display a custom boot logo and prompts.
8.  2_0000h - 3_5531h : original.tmp, the system BIOS part of my particular BIOS. Most 2M BIOSes have original.tmp at 2_0000h - 3_xxxxh (if you look from within a hex editor). Some 4M BIOSes have original.tmp at the very beginning of the BIOS binary file, i.e. at 0000h.
Notes:
a.  Between the compressed ROSUPD.BIN and original.tmp there is padding of FFh bytes. Such padding bytes are also found after the compressed original.tmp and after the pure binary BIOS parts. An example:
  Address  Hex                                      ASCII
00037D00 2A42 4253 532A 0060 0070 0060 0060 00A0  *BBSS*.`.p.`.`..
00037D10 3377 4670 8977 ACCF C4CF 0100 00FF FFFF  3wFp.w..........
00037D20 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00037D30 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
b.  These compressed parts can easily be extracted by copying and pasting them into a new binary file with HexWorkshop, and then decompressing the new file with LHA 2.55 or WinZip. If we use WinZip, rename the extension to .lzh so that WinZip recognizes it automatically. Identifying the part to cut out is very simple: just look for the "-lh5-" string. The "-lh5-" string sits 2 bytes into the start of the file, and the end of the file is always a 00h byte, located right before the next compressed file, right before the padding bytes or right before some checksum. I'll give you two examples below. The highlighted bytes are the start and end markers of the file to cut out.
The compressed CPUCODE.BIN in my BIOS:
Address  Hex                                      ASCII
00003AA0 4E61 19E6 9775 2B46 BA55 85F0 0024 382D  Na...u+F.U...$8-
00003AB0 6C68 352D DC5C 0000 00A0 0000 0000 0140  lh5-./.........@
00003AC0 2001 0B43 5055 434F 4445 2E42 494E BCAA   ..CPUCODE.BIN..
00003AD0 2000 0038 3894 9700 52C4 A2CF F040 0000   ..88...R....@..
00003AE0 4000 0000 0000 0000 0000 0000 0000 0000  @...............
........
000097A0 0E3C 8FA7 FFF4 FFFE 9FFF D3FF FFFB FF00  .<..............
000097B0 24D9 2D6C 6835 2DFA 0D00 00A6 2100 0000  $.-lh5-.....!...
The compressed ORIGINAL.TMP in my BIOS:
Address  Hex                                      ASCII
0001FFF0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00020000 251A 2D6C 6835 2D09 5501 0000 0002 0000  %.-lh5-.U.......
00020010 0000 5020 010C 6F72 6967 696E 616C 2E74  ..P ..original.t
00020020 6D70 0CD9 2000 002D 7888 F0FD D624 A5BA  mp.. ..-x....$..
........
00035510 019E 6E67 BF11 8582 88D9 4E7C BEC8 C34C  ..ng......N|...L
00035520 401D 189F BDD0 A176 17F0 4383 1D73 BF99  @......v..C..s..
00035530 00C9 FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
00035540 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF  ................
6.2.?純二進(jìn)制部分
內(nèi)存印象:
1.??3_6000h?-?3_6C4Ah?:?這個例程初始化DRAM控制器(在host?btidge中的),和我的bios中的DRAM時鐘。?
2.??3_7000h?-?3_7D1Ch?:?解壓縮例程部分。這個例程包含了LZH解壓引擎,可以解壓縮上面的bios壓縮部分。
3.??3_C000h?-?3_CFE4h?:?這個區(qū)域包含了不同的例程,低128KB是bios地址解碼啟動,默認(rèn)的VGA初始化(如果系統(tǒng)bios錯誤執(zhí)行),剩下的是Hostbridge初始化例程。
4.??3_E000h?-?3_FFFFh?:?包含Boot?Block代碼。?
注意:一些部分之間是填充.?一些是FFh?bytes?一些是?00h?bytes.
6.3.?真實系統(tǒng)(Mainboard)中的內(nèi)存印象
??我們已經(jīng)注意到了內(nèi)存映象,前面提到了bios二進(jìn)制代碼的。在主板bios芯片中,有一點不太一樣,并且更加復(fù)雜。我得主板的映象如下(和你的可能不一樣,參考芯片組文檔):
1.Bios二進(jìn)制文件中的0_0000h?-?3_FFFFh映射到了系統(tǒng)內(nèi)存中的FFFC_0000h?-?FFFF_FFFFh。由于我得系統(tǒng)中的北橋,地址FFFF_0000h-FFFF_FFFFh?只是F_0000h?-?F_FFFFh?的別名或者也可以說是在“實模式行話”?F000:0000h?-?F000:FFFFh。注意這個映射適合在加電后,因為它是芯片組加電默認(rèn)的值。在芯片組被bios重新編程后,不保證是否有效。有一些“kludge(雜牌電腦)”,它們是由系統(tǒng)決定的。你不得不參考Intel?Software?Developer?Manual?Volume?3(system?programming)和你的芯片數(shù)據(jù)表。
2.歸功于第一點的解釋,bios中的純二進(jìn)制部分映射如下(加電后):
1)BootBlock?:?F000:E000h?-?F000:FFFFh?
2)Decompression?Block?:?F000:7000h?-?F000:7D1Ch?
3)早期?DRAM?控制器?和?DRAM?初始化?:?F000:6000h?-?F000:6C4Ah
3.壓縮的bios部分在他們通過不同方式被釋放后映射到系統(tǒng)內(nèi)存空間。他們依靠這個解壓模塊例程,但是不同的bios文件中,他們的映射很少有看起來相同的。這些映射(我得如下,你的可能不一樣,但是段地址很可能相同):
1)original.tmp?a.k.a?System?BIOS?:?E000:0000h?-?F000:FFFFh?
2)awardext.rom?a.k.a?Award?擴(kuò)展?ROM?:?4100:0000h?-?4100:xxxxh。稍后被original.tmp重新部署到6000:0000h?-?6000:xxxxh,比如在它執(zhí)行之前。
??在我們進(jìn)行我們的旅途中,我們必需要注意這樣的映射。
注意:
??由于完全復(fù)雜的映射到真實系統(tǒng)bios二進(jìn)制地址,我們很容易迷路。但是,有一個技巧可以方便我們的工作,在我們反匯編進(jìn)程中,通過使用IDA?Pro:
??從純二進(jìn)制部分開始反匯編進(jìn)程。在地址F000:FFF0h?(3_FFF0h?從hex?editor看二進(jìn)制)開始反匯編。為了做到這個,用IDA?Pro打開二進(jìn)制文件(VD30728.BIN?,?i.e.?Iwill?VD133?BIOS?binary),然后反匯編這個文件,通過設(shè)置它的地址映射到C000:0000h?,記住讓段名無效,那樣我們就可以在系統(tǒng)中,執(zhí)行的時候看到實模式地址。通過IDA?Pro的Scripts調(diào)整另外的段地址,記住調(diào)整地址配置來符合芯片數(shù)據(jù)表。
7.?反匯編BIOS
??由于Intel?system?programming?Guide,我們就要開始在f000:fff0h地址反匯編了(看看上面的內(nèi)存映射,調(diào)整IDA?Pro來適應(yīng)它)。你可能會問:這怎么可能?Intel?Software?Developer?Manual?Vol.?3?(PROCESSOR?MANAGEMENT?AND?INITIALIZATION?-?First?Instruction?Executed)?介紹:
??在硬件reset后得到并執(zhí)行的第一條指令所在的物理地址是FFFFFFF0H。
??答案是:北橋芯片組使用000F_xxxxh?作為FFFE_FFFFh-FFFF_FFFFh?的別名。而且,注意在這個地址的轉(zhuǎn)移之后南橋沒有意義。它只是直接將地址傳到Bios?Rom芯片。因此,在加電reset后,地址FFFF_FFF0h?和?F_FFF0h?(or?F000:FFF0?in?"real-mode?lingo")沒有什么困難。它是那么簡單。這個是BootBlock區(qū)域。它總是有一個far?jump跳入bootblock區(qū)域,主要的在F000:E05Bh?。從這點看,我們能夠繼續(xù)主要的純二進(jìn)制部分的反匯編。實際上,很多純二進(jìn)制部分代碼沒有執(zhí)行,因為你的系統(tǒng)bios很少錯誤,并且Bootblock?POST進(jìn)程發(fā)生了,除非你把它搞糟了。
7.1. Bootblock
From here on we can disassemble the bootblock routines. I will now show you some of the less obvious but important areas of the disassembled BIOS code. They come from my BIOS; yours may differ, but in my humble opinion they will be very similar.
7.1.1. "Virtual Shutdown" routine
Address    Hex            Mnemonic
F000:E07F  BC 0B F8       mov   sp, 0F80Bh             ; ret from this jmp redirected to 0E103h (F000:E103h)
F000:E082  E9 7B 15       jmp   Chipset_Reg_Early_Init
7.1.2. Chipset_Reg_Early_Init routine
Address    Hex            Mnemonic
F000:F600                 Chipset_Reg_Early_Init proc near   ; CODE XREF: F000:E082j
F000:F600  66 C1 E4 10    shl   esp, 10h               ; save the caller's sp (0F80Bh) in the high word of esp
F000:F604  BE C4 F6       mov   si, 0F6C4h             ; addr of chipset reg mask table
F000:F607                 next_PCI_reg:                ; CODE XREF: Chipset_Reg_Early_Init+29j
F000:F607  2E 8B 0C       mov   cx, cs:[si]            ; register selector
F000:F60A  BC 10 F6       mov   sp, 0F610h             ; "return address" lives in ROM at F000:F610h
F000:F60D  E9 F8 00       jmp   Read_PCI_Byte          ; call without a stack: its retn pops 0F612h
F000:F60D               ; ---------------------------------------------------------------------------
F000:F610  12 F6          dw 0F612h
F000:F612               ; ---------------------------------------------------------------------------
F000:F612  2E 22 44 02    and   al, cs:[si+2]          ; AND mask
F000:F616  2E 0A 44 03    or    al, cs:[si+3]          ; OR mask
F000:F61A  BC 20 F6       mov   sp, 0F620h
F000:F61D  E9 02 01       jmp   Write_PCI_Byte         ; same trick: its retn pops 0F622h
F000:F61D               ; ---------------------------------------------------------------------------
F000:F620  22 F6          dw 0F622h
F000:F622               ; ---------------------------------------------------------------------------
F000:F622  83 C6 04       add   si, 4                  ; next 4-byte table entry
F000:F625  81 FE 04 F7    cmp   si, 0F704h             ; are we done yet?
F000:F629  75 DC          jnz   next_PCI_reg
F000:F62B  BA D0 04       mov   dx, 4D0h
(the listing is cut off here in the source)
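The loop in Chipset_Reg_Early_Init is a table walker: each 4-byte entry at cs:[si] holds a register selector (loaded into cx), an AND mask and an OR mask, and the register is read, masked, and written back. Because DRAM is not initialized yet there is no stack, so each "call" is done by pointing sp at a word in ROM that holds the return address and entering the routine with jmp; the routine's retn then pops that word (section 4.2 covers this peculiarity). The C program below is an added example, not code from the guide or from Award: it rebuilds the read-modify-write loop over an emulated configuration space. How Read_PCI_Byte decodes the selector in cx is not shown on the page, so the emulation assumes the low byte is a register offset of a single device; the table contents are constructed, not dumped from a BIOS, and only the entry layout and the table bounds (F6C4h to F704h, 16 entries) come from the listing.

```c
/* Added example (not from the original guide): the Chipset_Reg_Early_Init
 * loop rebuilt in C over an emulated PCI configuration space.
 * Entry layout at cs:[si] is taken from the listing; how Read_PCI_Byte and
 * Write_PCI_Byte decode the selector in cx is not shown on the page, so the
 * emulation uses its low byte as a register offset of one device
 * (assumption). The table contents are constructed, not dumped from a BIOS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_START 0xF6C4u                      /* mov si, 0F6C4h   */
#define TABLE_END   0xF704u                      /* cmp si, 0F704h   */
#define ENTRY_SIZE  4u                           /* add si, 4        */
#define REAL_TABLE_ENTRIES ((TABLE_END - TABLE_START) / ENTRY_SIZE)   /* 16 */

/* One 4-byte entry, exactly as the loop reads it. */
typedef struct {
    uint16_t selector;   /* mov cx, cs:[si]   : register selector */
    uint8_t  and_mask;   /* and al, cs:[si+2] : bits to keep      */
    uint8_t  or_mask;    /* or  al, cs:[si+3] : bits to set       */
} chipset_entry;

/* Emulated config space of a single device (assumption, see above). */
static uint8_t pci_cfg[256];

void reset_pci_cfg(uint8_t fill) { memset(pci_cfg, fill, sizeof pci_cfg); }
uint8_t read_pci_byte(uint16_t sel) { return pci_cfg[sel & 0xFFu]; }
void write_pci_byte(uint16_t sel, uint8_t val) { pci_cfg[sel & 0xFFu] = val; }

/* Decode raw little-endian entries (the bytes that sit at F6C4h..F703h in
 * the ROM). Returns the number of entries decoded. */
size_t parse_chipset_table(const uint8_t *raw, size_t raw_len,
                           chipset_entry *out, size_t max_entries) {
    size_t n = 0;
    for (size_t off = 0; off + ENTRY_SIZE <= raw_len && n < max_entries;
         off += ENTRY_SIZE, n++) {
        out[n].selector = (uint16_t)(raw[off] | (raw[off + 1] << 8));
        out[n].and_mask = raw[off + 2];
        out[n].or_mask  = raw[off + 3];
    }
    return n;
}

/* The loop body of Chipset_Reg_Early_Init: read, AND, OR, write back.
 * In the ROM the two "calls" run without RAM: sp is pointed at a word in
 * ROM holding the return address and the routine is entered with jmp, so
 * its retn pops that word. In C a plain call does the same job. */
size_t chipset_reg_early_init(const chipset_entry *table, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t al = read_pci_byte(table[i].selector);   /* jmp Read_PCI_Byte  */
        al &= table[i].and_mask;                         /* and al, cs:[si+2]  */
        al |= table[i].or_mask;                          /* or  al, cs:[si+3]  */
        write_pci_byte(table[i].selector, al);           /* jmp Write_PCI_Byte */
    }
    return n;
}

/* Classify what an entry does; handy when reading a real table, since the
 * mask pair encodes "set bits", "clear bits" or "overwrite". */
const char *describe_entry(const chipset_entry *e) {
    if (e->and_mask == 0x00) return "overwrite";
    if (e->and_mask == 0xFF) return "set bits";
    if (e->or_mask == 0x00)  return "clear bits";
    return "clear then set";
}

/* Constructed sample table: three entries in ROM byte order. */
static const uint8_t sample_raw[] = {
    0x50, 0x00, 0xFF, 0x01,   /* reg 50h: keep all bits, set bit 0 */
    0x51, 0x00, 0xFE, 0x00,   /* reg 51h: clear bit 0              */
    0x52, 0x00, 0x00, 0xAB,   /* reg 52h: overwrite with ABh       */
};

const char *describe_sample_entry(size_t i) {
    chipset_entry e[REAL_TABLE_ENTRIES];
    size_t n = parse_chipset_table(sample_raw, sizeof sample_raw, e, REAL_TABLE_ENTRIES);
    return i < n ? describe_entry(&e[i]) : "out of range";
}

/* Run the sample against config space pre-filled with A5h; returns the
 * number of entries applied so the result can be checked afterwards. */
size_t run_sample(void) {
    chipset_entry table[REAL_TABLE_ENTRIES];
    size_t n = parse_chipset_table(sample_raw, sizeof sample_raw,
                                   table, REAL_TABLE_ENTRIES);
    reset_pci_cfg(0xA5);
    return chipset_reg_early_init(table, n);
}

int main(void) {
    size_t n = run_sample();
    printf("real table holds %u entries; sample applied %u\n",
           (unsigned)REAL_TABLE_ENTRIES, (unsigned)n);
    for (unsigned r = 0x50; r <= 0x52; r++)
        printf("reg %02Xh = %02Xh (%s)\n", r, read_pci_byte((uint16_t)r),
               describe_sample_entry(r - 0x50));
    return 0;
}
```

To apply this to a real image, copy the 64 bytes at file offset 3_F6C4h (F000:F6C4h) into sample_raw; the classification of each entry is usually enough to tell which register is being unlocked, enabled or reprogrammed before consulting the chipset datasheet.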