Only the split-out body is usable for reverse engineering. The address the kernel was loaded at can be read from /proc/iomem (the "Kernel code" / "Kernel data" ranges) and the symbols from /proc/kallsyms; read both as root, since the kernel shows zeroed addresses to unprivileged readers (kptr_restrict):
$ file arch/arm/boot/zImage
arch/arm/boot/zImage: Linux kernel ARM boot executable zImage (little-endian)
$ od -A d -t x1 arch/arm/boot/zImage | grep '1f 8b 08'
0028512 72 65 67 00 1f 8b 08 00 00 00 00 00 02 03 ec dd
$ dd if=arch/arm/boot/zImage of=head bs=1 count=28516
28516+0 records in
28516+0 records out
28516 bytes (29 kB, 28 KiB) copied, 0.0867219 s, 329 kB/s
$ dd if=arch/arm/boot/zImage of=body bs=1 skip=28516
2325188+0 records in
2325188+0 records out
2325188 bytes (2.3 MB, 2.2 MiB) copied, 4.17515 s, 557 kB/s
$ file body
body: gzip compressed data, max compression, from Unix
$ zcat body > body_ext
gzip: body: decompression OK, trailing garbage ignored
$ file body_ext
body_ext: data
$ strings body_ext | grep Linux
Linux version 4.14.0-miyoo (steward@debian) (gcc version 7.3.0 (Buildroot 2018.02.9)) #1 Sun May 3 11:45:22 CST 2020
No working init found.  Try passing init= option to kernel. See Linux Documentation/admin-guide/init.rst for guidance.
6Booting Linux on physical CPU 0x%x
0-0 Linux [kernel]
Warning! Received an indication that the LUN assignments on this target have changed. The Linux SCSI layer does not automatically remap LUN assignments.
Warning! Received an indication that the operating parameters on this target have changed. The Linux SCSI layer does not automatically adjust these parameters.
6Advanced Linux Sound Architecture Driver Initialized.
Advanced Linux Sound Architecture Driver Version k%s.
Linux
P.S. The offset od prints is the start of the 16-byte row, so the position of '1f 8b 08' within that row has to be added: 28512 + 4 = 28516. Grepping od output is only a heuristic: a magic that straddles two rows is missed, and those three bytes can also occur inside code, so the `file body` result (gzip compressed data) and the kernel version string in `strings` are what confirm the cut is right. The "trailing garbage ignored" from zcat means bytes follow the gzip stream inside the zImage; they end up in body but not in body_ext.
Merging it back into the original zImage:
$ gzip -9 -n body_ext
$ cat head body_ext.gz > zImage
gzip -9 -n reproduces the header seen in the od output (no name, mtime 0, XFL 02 = max compression) but not necessarily the same byte count, so compare the size of body_ext.gz with the original body before flashing: the decompressor in head was linked for the original payload length, and the bytes that followed the stream are not re-appended by this command.
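The same split-inflate-recompress-rebuild procedure, as an added example that is not part of the original post: instead of reading a row offset off od, every '1f 8b 08' hit is inflated with zlib and only accepted if the stream ends cleanly (CRC and length verified) and contains the "Linux version" banner, which is an assumed heuristic. The image it works on is a constructed stand-in (a fake head that even contains a decoy magic, a gzip payload, and trailing bytes), not a real kernel; unlike the `cat head body_ext.gz` above it keeps the trailer and reports whether the recompressed body kept its size, which is the check to do before flashing.

```python
# Added example (not from the original post): locate, validate, split and
# rebuild the gzip payload of a zImage in Python instead of od/dd/zcat.
import gzip
import io
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1 ID2 CM=deflate, the bytes grepped for above


def find_gzip_streams(blob: bytes, must_contain: bytes = b"Linux version"):
    """Return [(offset, stream_length, payload)] for every offset in `blob`
    where a complete gzip stream starts. A magic-number hit alone is not
    trusted: the candidate is inflated and must reach end-of-stream (zlib
    checks CRC32 and ISIZE) and contain `must_contain` (assumed heuristic)."""
    hits = []
    pos = 0
    while (off := blob.find(GZIP_MAGIC, pos)) != -1:
        pos = off + 1
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            payload = d.decompress(blob[off:]) + d.flush()
        except zlib.error:
            continue  # magic bytes inside code/data, not a real stream
        if not d.eof:
            continue  # header looked right but the stream is truncated
        stream_len = len(blob) - off - len(d.unused_data)  # unused_data = trailer
        if must_contain and must_contain not in payload:
            continue
        hits.append((off, stream_len, payload))
    return hits


def od_coordinates(off: int):
    """Translate a byte offset into the (row, column) one reads off
    `od -A d -t x1`, which prints 16 bytes per row: 28516 -> (28512, 4)."""
    return off - off % 16, off % 16


def split_zimage(blob: bytes):
    """Split into decompressor head, gzip body, trailing bytes and the
    inflated kernel. The trailer is what zcat reports as 'trailing garbage'."""
    hits = find_gzip_streams(blob)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one kernel gzip stream, found {len(hits)}")
    off, stream_len, payload = hits[0]
    return {
        "head": blob[:off],
        "body": blob[off:off + stream_len],
        "trailer": blob[off + stream_len:],
        "kernel": payload,
    }


def rebuild_zimage(parts: dict, kernel: bytes, level: int = 9):
    """Recompress like `gzip -9 -n` (no filename, mtime 0) and glue the image
    back together, keeping the trailer. Returns (image, size_unchanged); a
    changed body length shifts everything the decompressor expects after it."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=level, mtime=0) as g:
        g.write(kernel)
    body = buf.getvalue()
    return parts["head"] + body + parts["trailer"], len(body) == len(parts["body"])


def make_sample_zimage():
    """Constructed stand-in for a real zImage (not a real kernel): a fake
    head that contains a decoy 1f 8b 08 (its flag byte 0xff sets reserved
    bits, so zlib rejects it), then the gzip payload, then trailing bytes."""
    decoy = GZIP_MAGIC + b"\xff" * 8
    head = b"\x00\x00\xa0\xe1" * 6 + decoy + b"reg\x00"
    kernel = b"Linux version 4.14.0-miyoo (constructed sample)\n" + b"\x00" * 4096
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9, mtime=0) as g:
        g.write(kernel)
    trailer = b"\x00\x00\x00\x00" + b"trailing data after the stream"
    return head + buf.getvalue() + trailer, head, kernel


if __name__ == "__main__":
    image, head, kernel = make_sample_zimage()
    parts = split_zimage(image)
    print("gzip stream at offset", len(parts["head"]), "od row/col", od_coordinates(len(parts["head"])))
    print("trailer bytes after the stream:", len(parts["trailer"]))
    rebuilt, same_size = rebuild_zimage(parts, parts["kernel"])
    print("rebuilt identical:", rebuilt == image, "body size unchanged:", same_size)
```

On a real image the recompressed bytes may differ from the original even at the same level, since GNU gzip and zlib do not produce identical deflate output; the size comparison returned by rebuild_zimage is the minimum check, and a differing length is the signal to look at how head references the payload before trusting the result.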