Only the body split out of the image can be used for reverse engineering; the load base address can be read from /proc/iomem, and the symbols from /proc/kallsyms:
$ file vmlinuz.bin
vmlinuz.bin: data
$ od -A d -t x1 vmlinuz.bin | grep '1f 8b 08'
0014384 1f 8b 08 00 00 00 00 00 02 03 ec bd 0d 74 1c e5
$ dd if=vmlinuz.bin of=head bs=1 count=14384
14384+0 records in
14384+0 records out
14384 bytes (14 kB, 14 KiB) copied, 0.0405731 s, 355 kB/s
$ dd if=vmlinuz.bin of=body bs=1 skip=14384
2710256+0 records in
2710256+0 records out
2710256 bytes (2.7 MB, 2.6 MiB) copied, 5.79015 s, 468 kB/s
$ file body
body: gzip compressed data, max compression, from Unix
$ zcat body > body_ext
$ file body_ext
body_ext: data
$ strings body_ext | grep Linux
Linux version 3.12.0-dingux (steward@debian) (gcc version 4.9.1 (Buildroot 2014.08-g252c9b7dd-dirty) ) #1 Sat May 2 14:36:13 CST 2020
$PLATFORM$Linux$
No init found. Try passing init= option to kernel. See Linux Documentation/init.txt for guidance.
Linux
6Linux video capture interface: v2.00
6Advanced Linux Sound Architecture Driver Initialized.
Advanced Linux Sound Architecture Driver Version k%s.
Linux
P.S. The offset od prints for the row containing '1f 8b 08' is the start of that 16-byte row, so the position of the match within the row must be added to it. In this example the match happens to sit at the start of the row, so the offset is 14384 + 0.
Merging it back into the original vmlinuz.bin:
$ gzip -9 -n body_ext
$ cat head body_ext.gz > vmlinuz_new.bin
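The same locate / split / inflate / reassemble steps as the od, dd, zcat and gzip commands above, written as a Python script. This is an added example, not code from the original post; the function names are mine, and the image it runs on by default is a constructed one (a synthetic head with a deliberate decoy '1f 8b 08' in it, followed by a real gzip member), so it runs offline. It goes slightly beyond the manual procedure: instead of trusting the first '1f 8b 08' hit, it tries to inflate each candidate and keeps the first one that actually decompresses, which is the check you want when the head code happens to contain that byte sequence.

```python
import gzip
import sys
import zlib

# ID1, ID2, CM=deflate: the three bytes grepped out of the od dump on the page.
GZIP_MAGIC = b"\x1f\x8b\x08"


def gzip_candidates(image: bytes):
    """Yield every offset at which the 3-byte gzip magic occurs."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        yield pos
        pos = image.find(GZIP_MAGIC, pos + 1)


def try_inflate(blob: bytes):
    """Inflate one gzip member at the start of blob.
    Returns (plain, consumed_bytes) or None if it is not a complete stream."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        plain = d.decompress(blob)
    except zlib.error:
        return None          # bad header or corrupt deflate data
    if not d.eof:
        return None          # trailer never reached: truncated stream
    return plain, len(blob) - len(d.unused_data)


def split_image(image: bytes):
    """Return (offset, head, body, kernel, consumed) for the first magic that inflates."""
    for off in gzip_candidates(image):
        res = try_inflate(image[off:])
        if res is None:
            continue         # stray 1f 8b 08 inside the head code, skip it
        plain, consumed = res
        return off, image[:off], image[off:], plain, consumed
    raise ValueError("no decompressible gzip member found")


def kernel_banner(kernel: bytes):
    """Pull the 'Linux version ...' string out of the inflated kernel (strings | grep)."""
    i = kernel.find(b"Linux version ")
    if i == -1:
        return None
    end = kernel.find(b"\x00", i)
    return kernel[i:end if end != -1 else None].decode("ascii", "replace")


def reassemble(head: bytes, kernel: bytes) -> bytes:
    """gzip -9 -n equivalent (best compression, no name, mtime 0) glued behind head."""
    return head + gzip.compress(kernel, compresslevel=9, mtime=0)


def build_sample_image(head_len: int = 14384):
    """Constructed test image (not a real vmlinuz.bin).
    head: deterministic filler that never contains the magic by itself, plus a decoy
    gzip header at offset 100 whose first deflate byte has the invalid block type 3."""
    head = bytearray((i * 7 + 3) & 0xFF for i in range(head_len))
    decoy = GZIP_MAGIC + b"\x00" + b"\x00" * 4 + b"\x02\x03" + b"\x07"
    head[100:100 + len(decoy)] = decoy
    payload = (b"\x00" * 64
               + b"Linux version 3.12.0-dingux (sample)\x00"
               + b"No init found. Try passing init= option to kernel.\x00" * 40)
    return bytes(head) + gzip.compress(payload, compresslevel=9, mtime=0), head_len, payload


if __name__ == "__main__":
    # Usage: python split_vmlinuz.py vmlinuz.bin  -> writes head, body, body_ext
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()[0]
    off, head, body, kernel, consumed = split_image(image)
    print(f"gzip member at offset {off}, {consumed} of {len(body)} body bytes used")
    print("banner:", kernel_banner(kernel))
    for name, data in (("head", head), ("body", body), ("body_ext", kernel)):
        open(name, "wb").write(data)
```

After reassembling, compare the size of vmlinuz_new.bin with the original: a different compressor can produce a gzip member of a different length, and if the loader code in head locates the end of the compressed payload by a fixed address (an assumption on my part about this image; verify it in the disassembly of head), a changed length will not boot.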