Determining the Image Base of ARM Firmware by Matching Function Addresses

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg2"><tr><td colspan="2">Input: binaryFile</td></tr><tr><td colspan="2">Output: The addressees loaded by LDR instruction in Thumb state.</td></tr><tr><td colspan="2">function Find_Thumb_LDR(binaryFile)</td></tr><tr><td colspan="2">  bin[fileSize] ⟵ binaryFile</td></tr><tr><td colspan="2">  offset ⟵0</td></tr><tr><td colspan="2">   while(0 ≤ offset &lt; fileSize) do</td></tr><tr><td colspan="2">     opcode ⟵ bin[offset+1]</td></tr><tr><td colspan="2">     opcode ⟵ opcode &amp; (11111000)2</td></tr><tr><td colspan="2">     if( opcode == (01001000)2)</td></tr><tr><td colspan="2">      PC ⟵ offset +4</td></tr><tr><td colspan="2">      immed_8 ⟵ bit[7,…,0]</td></tr><tr><td colspan="2">      address ⟵ (PC &amp; 0xFFFFFFFC) + (immed_8<svg height="6.01072pt" id="M6" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -5.96091 7.75925 6.01072" width="7.75925pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M471 153C471 170 463 194 452 212C400 220 373 229 322 255C373 281 400 290 452 298C463 316 471 339 471 357C456 366 431 371 410 370C377 329 356 310 308 279C311 336 317 364 336 413C326 432 310 451 294 459C279 451 262 432 252 413C271 364 277 336 280 279C232 310 211 329 178 370C157 371 132 367 117 357C117 340 125 316 136 298C188 290 215 281 266 255C215 229 188 220 136 212C125 194 117 171 117 153C132 144 157 139 178 140C211 181 232 200 280 231C277 174 271 146 252 97C262 78 278 59 294 51C309 59 326 78 336 97C317 146 311 174 308 231C356 200 377 181 410 140C431 139 456 143 471 153Z"></path></g></svg>4)</td></tr><tr><td colspan="2">      Rd ⟵ Memory[address, 4]</td></tr><tr><td colspan="2">      Output: Rd</td></tr><tr><td colspan="2">     end if</td></tr><tr><td colspan="2">     offset ⟵ offset +2</td></tr><tr><td colspan="2">   end while</td></tr><tr><td colspan="2">end function</td></tr></table></td></tr></table>

Wireless Communications and Mobile Computing

alg2

Algorithm 2

Algorithm 2: Determining the Image Base of ARM Firmware by Matching Function Addresses 