Thiết kế website giá rẻ

Question

I am stuck analyzing an .efi file (extracted from a UEFI BIOS .exe package). I have commented and renamed most of the parts I am interested in, but I am having some troubles finding the last parameters I need.

The decompiled snippet code look like this:

<code> isModelWhenZero = isModel_X_or_Y(MODEL_SERVICE_TAG_4);

if ((isModelWhenZero == 0xffff) ||

(*(longlong *)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24) == 0)) {

resultInfo = L'x02';

}

else {

initArrayMemoryZero((undefined8 *)INITIAL_DATA,16);

initArrayMemoryZero(ENC_BLOCK_SERIAL_TAG,32);

copyArrayContent(ENC_BLOCK_SERIAL_TAG,MODEL_SERIAL_7,size);

charCodeAt(local_74,(ulonglong)MODEL_SERVICE_TAG_4,4);

copyArrayContent((undefined8 *)((longlong)ENC_BLOCK_SERIAL_TAG + size),(undefined8 *)local_74 ,4)

;

encoderModel_X(INITIAL_DATA,(longlong)ENC_BLOCK_SERIAL_TAG,rol,F2,F3,F4,F5,

*(uint **)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24));

applySHA256ToCoded((byte *)INITIAL_DATA,16,(undefined8 *)FINAL_CODE_RESULT,local_78,(byte *)0 x0,

0);

calculateSuffix_8FC8(SUFFIX_TYPE_CHAR,SUFFIX_SIZE_?,FINAL_CODE_RESULT,MODEL_SERVICE_TAG_4);

resultInfo = 0;

}

</code>

<code> isModelWhenZero = isModel_X_or_Y(MODEL_SERVICE_TAG_4); if ((isModelWhenZero == 0xffff) || (*(longlong *)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24) == 0)) { resultInfo = L'x02'; } else { initArrayMemoryZero((undefined8 *)INITIAL_DATA,16); initArrayMemoryZero(ENC_BLOCK_SERIAL_TAG,32); copyArrayContent(ENC_BLOCK_SERIAL_TAG,MODEL_SERIAL_7,size); charCodeAt(local_74,(ulonglong)MODEL_SERVICE_TAG_4,4); copyArrayContent((undefined8 *)((longlong)ENC_BLOCK_SERIAL_TAG + size),(undefined8 *)local_74 ,4) ; encoderModel_X(INITIAL_DATA,(longlong)ENC_BLOCK_SERIAL_TAG,rol,F2,F3,F4,F5, *(uint **)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24)); applySHA256ToCoded((byte *)INITIAL_DATA,16,(undefined8 *)FINAL_CODE_RESULT,local_78,(byte *)0 x0, 0); calculateSuffix_8FC8(SUFFIX_TYPE_CHAR,SUFFIX_SIZE_?,FINAL_CODE_RESULT,MODEL_SERVICE_TAG_4); resultInfo = 0; } </code>

  isModelWhenZero = isModel_X_or_Y(MODEL_SERVICE_TAG_4);
  if ((isModelWhenZero == 0xffff) ||
     (*(longlong *)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24) == 0)) {
    resultInfo = L'x02';
  }
  else {
    initArrayMemoryZero((undefined8 *)INITIAL_DATA,16);
    initArrayMemoryZero(ENC_BLOCK_SERIAL_TAG,32);
    copyArrayContent(ENC_BLOCK_SERIAL_TAG,MODEL_SERIAL_7,size);
    charCodeAt(local_74,(ulonglong)MODEL_SERVICE_TAG_4,4);
    copyArrayContent((undefined8 *)((longlong)ENC_BLOCK_SERIAL_TAG + size),(undefined8 *)local_74 ,4)
    ;
    encoderModel_X(INITIAL_DATA,(longlong)ENC_BLOCK_SERIAL_TAG,rol,F2,F3,F4,F5,
                      *(uint **)(&ADDR_ENCODE_PARAMS_X + isModelWhenZero * 24));
    applySHA256ToCoded((byte *)INITIAL_DATA,16,(undefined8 *)FINAL_CODE_RESULT,local_78,(byte *)0 x0,
                       0);
    calculateSuffix_8FC8(SUFFIX_TYPE_CHAR,SUFFIX_SIZE_?,FINAL_CODE_RESULT,MODEL_SERVICE_TAG_4);
    resultInfo = 0;
  }

I am stuck in the ADDR_ENCODE_PARAMS_X data. That address is passed to the encoderModel_X() as a parameter, and inside that function is accessed like this:

<code> A = A | *ADDR_ENCODE_PARAMS_X ;

B = B ^ ADDR_ENCODE_PARAMS_X [1];

C = C | ADDR_ENCODE_PARAMS_X [2] - p;

D = D ^ ADDR_ENCODE_PARAMS_X [3] + p;

A = A | ENCODE_PARAMS[4];

B = B ^ ENCODE_PARAMS[5];

C = C | ENCODE_PARAMS[6] - p;

D = D ^ ENCODE_PARAMS[7] + p;

if (ADDR_ENCODE_PARAMS_X [10] != 0) {

j = ADDR_ENCODE_PARAMS_X [11];

</code>

<code> A = A | *ADDR_ENCODE_PARAMS_X ; B = B ^ ADDR_ENCODE_PARAMS_X [1]; C = C | ADDR_ENCODE_PARAMS_X [2] - p; D = D ^ ADDR_ENCODE_PARAMS_X [3] + p; A = A | ENCODE_PARAMS[4]; B = B ^ ENCODE_PARAMS[5]; C = C | ENCODE_PARAMS[6] - p; D = D ^ ENCODE_PARAMS[7] + p; if (ADDR_ENCODE_PARAMS_X [10] != 0) { j = ADDR_ENCODE_PARAMS_X [11]; </code>

      A = A | *ADDR_ENCODE_PARAMS_X ;
      B = B ^ ADDR_ENCODE_PARAMS_X [1];
      C = C | ADDR_ENCODE_PARAMS_X [2] - p;
      D = D ^ ADDR_ENCODE_PARAMS_X [3] + p;

      A = A | ENCODE_PARAMS[4];
      B = B ^ ENCODE_PARAMS[5];
      C = C | ENCODE_PARAMS[6] - p;
      D = D ^ ENCODE_PARAMS[7] + p;

if (ADDR_ENCODE_PARAMS_X [10] != 0) {

j = ADDR_ENCODE_PARAMS_X [11];

So by the look of it, I would say it is an array and when I look in the memory map I see this on that address:

<code>ADDR_ENCODE_PARAMS_X

0000a9c8 00 ?? 00h

0000a9c9 00 ?? 00h

0000a9ca 00 ?? 00h

0000a9cb 00 ?? 00h

0000a9cc 00 ?? 00h

0000a9cd 00 ?? 00h

0000a9ce 00 ?? 00h

0000a9cf 00 ?? 00h

PTR_TABLE_SUFFIX_X

0000a9d0 80 a2 00 ds * s_0Q2drGk99WLJ1...

</code>

<code>ADDR_ENCODE_PARAMS_X 0000a9c8 00 ?? 00h 0000a9c9 00 ?? 00h 0000a9ca 00 ?? 00h 0000a9cb 00 ?? 00h 0000a9cc 00 ?? 00h 0000a9cd 00 ?? 00h 0000a9ce 00 ?? 00h 0000a9cf 00 ?? 00h PTR_TABLE_SUFFIX_X 0000a9d0 80 a2 00 ds * s_0Q2drGk99WLJ1... </code>

ADDR_ENCODE_PARAMS_X                         
        0000a9c8 00              ??         00h
        0000a9c9 00              ??         00h
        0000a9ca 00              ??         00h
        0000a9cb 00              ??         00h
        0000a9cc 00              ??         00h
        0000a9cd 00              ??         00h
        0000a9ce 00              ??         00h
        0000a9cf 00              ??         00h

PTR_TABLE_SUFFIX_X                      
        0000a9d0 80  a2  00      ds *       s_0Q2drGk99WLJ1...

So an array of size 8, but what I don’t understand is the references to the index > 7. For example, ADDR_ENCODE_PARAMS_X [10]. What is this accessing? The next part PTR_TABLE_SUFFIX_X? Or I am missing something here?

Thank you in advance for any help!!

Thiết kế website giá rẻ

Danh mục

Accessing Indices Beyond Array Size in Decompiled UEFI BIOS Code