Reverse Engineering boot.efi


Postby sdytlm » Wed Aug 26, 2015 1:12 am

Hi,

Could you please offer some tips, tools for reverse engineering boot.efi like dump the disassembler of boot.efi? Really appreciate it. :lol:
sdytlm
 
Posts: 2
Joined: Wed Aug 26, 2015 1:06 am

Re: Reverse Engineering boot.efi

Postby morpheus » Wed Aug 26, 2015 12:27 pm

Absolutely. Loading boot.efi into a disassembler such as IDA you'll see that it is actually a pretty easy binary to disassemble, with a lot of the debug messages still intact. For example (from the 10.10.4 /System/Library/CoreServices/boot.efi):

Code:
.text:0000000000003A4B                 public start
.text:0000000000003A4B start           proc near
.text:0000000000003A4B                 push    rbp
.text:0000000000003A4C                 mov     rbp, rsp
.text:0000000000003A4F                 push    r15
.text:0000000000003A51                 push    r14
.text:0000000000003A53                 push    rsi
.text:0000000000003A54                 push    rdi
.text:0000000000003A55                 push    rbx
.text:0000000000003A56                 sub     rsp, 178h
.text:0000000000003A5D                 mov     r14, rdx
.text:0000000000003A60                 mov     r15, rcx
.text:0000000000003A63                 mov     [rbp+var_120], 0
.text:0000000000003A6E                 mov     [rbp+var_128], 0
.text:0000000000003A79                 mov     [rbp+var_130], 0
.text:0000000000003A84                 mov     [rbp+var_138], 0
.text:0000000000003A8F                 mov     [rbp+var_140], 0
.text:0000000000003A9A                 mov     [rbp+var_148], 0
.text:0000000000003AA5                 mov     [rbp+var_150], 0
.text:0000000000003AB0                 call    sub_12220
.text:0000000000003AB5                 mov     cs:qword_8AF68, rax
.text:0000000000003ABC                 mov     rcx, r15
.text:0000000000003ABF                 mov     rdx, r14
.text:0000000000003AC2                 call    sub_1B412
.text:0000000000003AC7                 xor     ecx, ecx
.text:0000000000003AC9                 xor     edx, edx
.text:0000000000003ACB                 call    sub_12B3C
.text:0000000000003AD0                 lea     rcx, aStart     ; "Start"
.text:0000000000003AD7                 call    sub_12D18
.text:0000000000003ADC                 mov     cs:qword_8AF08, r15
.text:0000000000003AE3                 call    sub_985D
.text:0000000000003AE8                 test    rax, rax
.text:0000000000003AEB                 jns     short loc_3AF9
.text:0000000000003AED                 lea     rcx, aCanNotInitiali ; "Can not initialize console\n"
.text:0000000000003AF4                 call    sub_6AE2
...


That tells you that sub_12D18 is a logger, and sub_6AE2 is an error reporter. By tracking calls to the logger you'll get a lot of "start...end" logs, which actually tell you the name of the functions used (e.g. sub_44e7, "InitDeviceTree", sub_7da6 "DrawColorRectangle", etc). Note some may be inlined. _error calls are likewise valuable, as they provide for you an explanation of what was attempted, and failed (e.g. kernel entry, console init, etc). And there are tons. It might seem like two simple tips, but they speed up reversing. One other thing, note that the arguments start gets are per the EFI spec (BootServices, RuntimeServices, etc) as a table, and you have to follow the offsets from there. sub_6a6d is printf (as indicated by "%s" somewhere as an arg). _1A448 opens files. That's also a good start (with 1A46b doing all the work).

When it comes to another important component - EFI and Apple proprietary GUIDs used - that's a bit more complicated. I've provided a fairly well detailed account of the 10.7 boot.efi in ch 6 of the book, and I am going to update it (possibly with a companion article at some time) for 10.11.

To get a dump of the NVRAM (with more GUIDs), I suggest using the GNU EFI Toolkit and my sample program (ibid), which works well to get you the same environment variables which are then used by the boot.efi itself.

If you have other specific questions, you've come to the right place to ask.

J
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
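The "follow the offsets from there" tip above is easier to apply with the EFI table layouts in front of you. In the listing, start() receives ImageHandle in RCX and the EFI_SYSTEM_TABLE pointer in RDX (the Microsoft x64 convention UEFI uses), and every firmware call the binary makes is a dereference chain off that pointer, e.g. mov rax,[rdx+60h] then call [rax+98h]. The script below is an added example, not code from the thread or from the book: it models EFI_TABLE_HEADER, EFI_SYSTEM_TABLE, EFI_BOOT_SERVICES and EFI_RUNTIME_SERVICES with ctypes so the field offsets come out of the structure definitions rather than being hand-counted, and resolves an offset chain to the service name. It assumes a 64-bit image (8-byte pointers, as in the IDA output); the helper names are mine.

```python
import ctypes

# 64-bit EFI: every handle, pointer and UINTN is 8 bytes (assumption: x86-64 boot.efi).
PTR = ctypes.c_uint64

class EFI_TABLE_HEADER(ctypes.Structure):
    """Common 24-byte header that every EFI service table starts with."""
    _fields_ = [("Signature", ctypes.c_uint64), ("Revision", ctypes.c_uint32),
                ("HeaderSize", ctypes.c_uint32), ("CRC32", ctypes.c_uint32),
                ("Reserved", ctypes.c_uint32)]

class EFI_SYSTEM_TABLE(ctypes.Structure):
    """The table whose pointer start() receives in RDX."""
    _fields_ = [("Hdr", EFI_TABLE_HEADER), ("FirmwareVendor", PTR),
                ("FirmwareRevision", ctypes.c_uint32),   # padded to the next 8-byte slot
                ("ConsoleInHandle", PTR), ("ConIn", PTR), ("ConsoleOutHandle", PTR),
                ("ConOut", PTR), ("StandardErrorHandle", PTR), ("StdErr", PTR),
                ("RuntimeServices", PTR), ("BootServices", PTR),
                ("NumberOfTableEntries", PTR), ("ConfigurationTable", PTR)]

def ptr_table(name, funcs):
    """Build a ctypes Structure: header followed by one function pointer per name."""
    fields = [("Hdr", EFI_TABLE_HEADER)] + [(f, PTR) for f in funcs]
    return type(name, (ctypes.Structure,), {"_fields_": fields})

EFI_BOOT_SERVICES = ptr_table("EFI_BOOT_SERVICES", [
    "RaiseTPL", "RestoreTPL", "AllocatePages", "FreePages", "GetMemoryMap",
    "AllocatePool", "FreePool", "CreateEvent", "SetTimer", "WaitForEvent",
    "SignalEvent", "CloseEvent", "CheckEvent", "InstallProtocolInterface",
    "ReinstallProtocolInterface", "UninstallProtocolInterface", "HandleProtocol",
    "Reserved", "RegisterProtocolNotify", "LocateHandle", "LocateDevicePath",
    "InstallConfigurationTable", "LoadImage", "StartImage", "Exit", "UnloadImage",
    "ExitBootServices", "GetNextMonotonicCount", "Stall", "SetWatchdogTimer",
    "ConnectController", "DisconnectController", "OpenProtocol", "CloseProtocol",
    "OpenProtocolInformation", "ProtocolsPerHandle", "LocateHandleBuffer",
    "LocateProtocol", "InstallMultipleProtocolInterfaces",
    "UninstallMultipleProtocolInterfaces", "CalculateCrc32", "CopyMem", "SetMem",
    "CreateEventEx"])

EFI_RUNTIME_SERVICES = ptr_table("EFI_RUNTIME_SERVICES", [
    "GetTime", "SetTime", "GetWakeupTime", "SetWakeupTime", "SetVirtualAddressMap",
    "ConvertPointer", "GetVariable", "GetNextVariableName", "SetVariable",
    "GetNextHighMonotonicCount", "ResetSystem", "UpdateCapsule",
    "QueryCapsuleCapabilities", "QueryVariableInfo"])

# Which EFI_SYSTEM_TABLE fields point at another table we can keep walking into.
CHILD_TABLES = {"BootServices": EFI_BOOT_SERVICES, "RuntimeServices": EFI_RUNTIME_SERVICES}

def field_at(struct, offset):
    """Name of the field that starts at `offset` in `struct`, or None."""
    for name, _ in struct._fields_:
        if getattr(struct, name).offset == offset:
            return name
    return None

def resolve(offsets):
    """Follow a chain of displacements starting at the system table pointer in RDX.

    resolve([0x60, 0x98]) describes  mov rax,[rdx+60h] ; call [rax+98h]
    and returns 'SystemTable->BootServices->HandleProtocol'.
    """
    struct, path = EFI_SYSTEM_TABLE, ["SystemTable"]
    for off in offsets:
        if struct is None:
            raise ValueError("offset 0x%x dereferences a non-table field %s" % (off, path[-1]))
        name = field_at(struct, off)
        if name is None:
            raise ValueError("0x%x is not a field boundary in %s" % (off, struct.__name__))
        path.append(name)
        struct = CHILD_TABLES.get(name)
    return "->".join(path)

def offset_map(struct):
    """Reverse table (offset -> field name) handy for annotating a disassembly."""
    return {getattr(struct, n).offset: n for n, _ in struct._fields_}

if __name__ == "__main__":
    for chain in ([0x60, 0x98], [0x58, 0x48], [0x60, 0x140]):
        print("+".join("0x%x" % o for o in chain), "=>", resolve(chain))
```

Run it as-is to print the three sample chains, or import it and call offset_map(EFI_BOOT_SERVICES) to paste the offset-to-name list into IDA's structure view. The ctypes definitions do the alignment work: FirmwareRevision is a UINT32 at 0x20, and ctypes pads the next pointer to 0x28 exactly as the firmware ABI does, which is why BootServices lands at 0x60 and RuntimeServices at 0x58 without any manual arithmetic.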

Re: Reverse Engineering boot.efi

Postby sdytlm » Wed Aug 26, 2015 4:09 pm

It's really, really helpful. Thank you so much. :D
sdytlm
 
Posts: 2
Joined: Wed Aug 26, 2015 1:06 am

