Reverse Engineering Obfuscated Firmware for Vulnerability Scanning


Extract target files from firmware executable

To begin our analysis, we will target the apc_hw05_aos682_rpdu2g680_bootmon109.exe file, which contains firmware compatible with a large number of APC PDUs and UPSs.
If we launch this executable file, we can observe that it is more of an archive file than an executable. In fact, it extracts eight files, of which three are of interest to us:


They represent the APC Operating System (AOS), Boot Loader, and Network Management Card firmware respectively.

We started our analysis on the AOS binary, but, once loaded into IDA, we encounter our first problem: determining what the target processor is. Even opening the case of the device, we could not identify the processor model. After some searching on the internet forum, we found that the PDU is used to adopt Intel 16bit CPU. We tried a different target and found that a generic x86 16-bit protected-mode processor had the best code readability. At this point, we were able to find strings and lots of code, but the disassembler couldn’t find any cross-references.

After another extensive internet search, we were able to find an article from JSOF that addressed our issue. From this article, we learned that the processor is a Turbo186: this processor operates in extended mode, using the 24-bit addressing capability, so the target address of a remote call can be calculated as (segment_base

Another important piece of information found in the JSOF article was the header structure of each APC firmware module. Figure 1 shows the header of the apc_hw05_aos_682.bin file. In this image, several fields are highlighted; in particular, what interests us is the “Image base” field, which indicates the starting address of each firmware module.


About Author

Comments are closed.