
Research On Key Techniques For Firm-Code Reverse Analysis

Posted on: 2008-05-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L H Jiang
GTID: 1118360242972199
Subject: Computer software and theory
Abstract/Summary:
Firm-code reverse analysis is an important branch of software reverse engineering. Through processor type recognition, format restoration and structure analysis of the firm executable code, the logic and function of the firm-code can be deciphered, which helps in analyzing the composition principles and techniques of a device and improves the ability to dissect it. In particular, with the evolution of network techniques and the broad application of network ciphers, reverse analysis of key network devices, such as routers and cipher machines, is important to national security and intelligence acquisition.

The core component of an embedded electrical device is the processor. Because embedded applications are universal and uncertain, the choice of processor is diverse, which requires that the methods and tools of firm-code reverse analysis be able to adapt to multiple processors or multiple instruction-set systems. On the other hand, as the number of processor types grows, the uncertainty of the processor type increases, so code analysis tools must be extensible (especially extensible by users).

However, none of the commercial executable format restoration tools and analysis techniques adapts well to multiple processors or multiple instruction-set systems. They have poor ability to present the code structure visually and to carry out structure analysis in an interactive (man-machine) manner, and they lack extensibility for users. Corresponding research on instruction-set recognition is also absent from publicly reported results.

To address these issues, the dissertation explores and studies the theories and techniques of firm-code reverse analysis, and proposes effective methods for the key techniques applied in it. The details are as follows:

1. Based on an analysis of the mainstream processors and instruction system structures, the dissertation puts forward a processor structure and instruction system description template based on a multidimensional variable descriptive table, and uses database techniques to manage the processor structure information and instruction systems. This solves the problem of applicability to multiple processors or multiple instruction-set systems and ensures that the firm-code reverse analysis system is extensible by users.

2. Based on a study of the characteristics of firm-code structure, the dissertation puts forward a disassembly strategy based on the program static flow traversing graph and the program flow implication graph, and designs a disassembly engine based on instruction category and hash matching in order to increase the speed and accuracy of disassembly.

3. The dissertation proposes a multi-linked list that denotes subroutine structure and subroutine calling relationships and is displayed as a hierarchy structure tree. On this basis, the dissertation designs an algorithm to abstract and adjust the code structure and flows. The visual hierarchy structure display supports interactive (man-machine) analysis of logic and function, making code analysis more intuitive.

4. By mining the inherent characteristics implied in firm-code, the dissertation builds a code characteristics model suited to instruction type recognition and designs the corresponding algorithm, which abstracts the code characteristics using a multi-attribute decision technique and effectively recognizes an unidentified processor type when dissecting electrical devices.

The dissertation also presents the real verification environment. The results indicate that the methods for the above key techniques are effective and usable.
Keywords/Search Tags: firm-code, reverse engineering, software engineering, disassembly, structure analysis, instruction system, processor type