radareorg / ideas


Fix TE binaries #305

Open XVilka opened 9 years ago

XVilka commented 9 years ago

From fractalg:

This seems to be the procedure for te binaries

NikolajSchlej commented 9 years ago

I haven't used r2 to work with TE images (yet), but I can add some info about them that was gathered during TE2PE development:

In fact, there are 2 different kinds of TE files, let's call them old and new ones. Old ones were made using EDK1 GenFw tool (or similar code borrowed from that tool), they are popular and the chances that a given TE file is the old one are pretty high. The entry point address for such image types is calculated using this formula:

ImageBase = teHeader->ImageBase - teHeader->StrippedSize + sizeof(EFI_IMAGE_TE_HEADER);

BaseOfCode and BaseAddress are the same as set in TE header.

The new TE images are generated using the latest version of EDK2's GenFw utility and have different methods. Their ImageBase is stored in TE header and doesn't require calculations, which is a spec-defined behaviour right now, but I've only found a pair of UEFI images with such type of TE files.

I don't know the way to distinguish between old and new ones based only on the TE binary (it can be done if the real image base is known, which can be calculated as the difference between the VTF file end address 0xFFFFFFFF and the backward offset from the end of the VTF file to the beginning of the TE image), so I don't have a solution to this problem right now.

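The header layout and the old-style image base formula described in the comment above, as an added worked example that is not part of the original thread or of radare2 itself. It assumes the 40-byte EFI_IMAGE_TE_HEADER layout from the PI specification, reads the VTF remark as "the last byte of the VTF sits at 0xFFFFFFFF", and uses a constructed header rather than a real firmware file; the helper names and the hypothetical `07.te` path are mine.

```python
import struct

# EFI_IMAGE_TE_HEADER, little-endian (PI spec / EDK2 PeImage.h):
#   Signature (2), Machine (2), NumberOfSections (1), Subsystem (1), StrippedSize (2),
#   AddressOfEntryPoint (4), BaseOfCode (4), ImageBase (8),
#   DataDirectory[2] of {VirtualAddress (4), Size (4)}
TE_HEADER_FMT = "<2sHBBHIIQIIII"
TE_HEADER_SIZE = struct.calcsize(TE_HEADER_FMT)   # 40 == sizeof(EFI_IMAGE_TE_HEADER)
TE_SIGNATURE = b"VZ"
TE_FIELDS = ("Signature", "Machine", "NumberOfSections", "Subsystem", "StrippedSize",
             "AddressOfEntryPoint", "BaseOfCode", "ImageBase",
             "DataDirectory0VA", "DataDirectory0Size", "DataDirectory1VA", "DataDirectory1Size")


def parse_te_header(data: bytes) -> dict:
    """Parse the TE header at the start of `data`; reject anything without the 'VZ' signature."""
    if len(data) < TE_HEADER_SIZE:
        raise ValueError("short TE header: %d bytes, need %d" % (len(data), TE_HEADER_SIZE))
    hdr = dict(zip(TE_FIELDS, struct.unpack_from(TE_HEADER_FMT, data, 0)))
    if hdr["Signature"] != TE_SIGNATURE:
        raise ValueError("not a TE image: signature %r" % hdr["Signature"])
    return hdr


def te_stripped_offset(hdr: dict) -> int:
    """Bytes removed from the front of the original PE: StrippedSize minus the TE header that replaced them."""
    return hdr["StrippedSize"] - TE_HEADER_SIZE


def rva_to_file_offset(hdr: dict, rva: int) -> int:
    """RVAs in a TE file still count the stripped PE headers, so subtract the stripped amount."""
    return rva - te_stripped_offset(hdr)


def entry_point_file_offset(hdr: dict) -> int:
    return rva_to_file_offset(hdr, hdr["AddressOfEntryPoint"])


def old_style_image_address(hdr: dict) -> int:
    """NikolajSchlej's formula for EDK1 GenFw ('old') TE files: where the TE header itself is loaded."""
    return hdr["ImageBase"] - hdr["StrippedSize"] + TE_HEADER_SIZE


def image_address_from_vtf(vtf_size: int, te_offset_in_vtf: int) -> int:
    """Real load address of a TE image inside a VTF whose last byte is at 0xFFFFFFFF (my reading of the thread)."""
    return 0x1_0000_0000 - (vtf_size - te_offset_in_vtf)


def classify_te(hdr: dict, real_image_address: int) -> str:
    """Old vs new TE: only decidable once the real load address is known, as the comment says."""
    if hdr["ImageBase"] == real_image_address:
        return "new"
    if old_style_image_address(hdr) == real_image_address:
        return "old"
    return "unknown"


def entry_point_address(hdr: dict, image_address: int) -> int:
    """Entry point VA once the TE header is mapped at image_address (file offset f -> image_address + f)."""
    return image_address + entry_point_file_offset(hdr)


def r2_load_commands(hdr: dict, image_address: int, path: str) -> list:
    """r2 invocation in the style of the script later in this thread: map at the image address, seek to entry."""
    entry = entry_point_address(hdr, image_address)
    return [
        "r2 -n -m 0x%x -s 0x%x %s" % (image_address, entry, path),
        "f entry0 = 0x%x" % entry,
    ]


# Constructed sample header (not from a real firmware): IA32 PEIM, 3 sections, 0x148 bytes of PE
# headers stripped, entry at RVA 0xe02, ImageBase as an EDK1 GenFw would write it (old style).
SAMPLE_TE = struct.pack(TE_HEADER_FMT, b"VZ", 0x014C, 3, 0x0B, 0x0148,
                        0x0E02, 0x0148, 0xFFF40120, 0, 0, 0, 0)

if __name__ == "__main__":
    h = parse_te_header(SAMPLE_TE)
    for k in TE_FIELDS:
        print("%-20s %s" % (k, h[k] if k == "Signature" else hex(h[k])))
    base = old_style_image_address(h)
    print("old-style image address: 0x%x -> %s" % (base, classify_te(h, base)))
    print("\n".join(r2_load_commands(h, base, "07.te")))
```

With the sample values the old-style formula yields 0xFFF40000 and the entry point lands at file offset 0xce2, so passing the computed image address to `r2 -m` and seeking to image address + 0xce2 reproduces the shape of the command used later in this thread; for a file whose TE ImageBase already equals the real load address, `classify_te` reports "new" and no adjustment is needed.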
XVilka commented 9 years ago

@NikolajSchlej Thank you! I'll check on all kinds of TE images.

NikolajSchlej commented 9 years ago

NP, let's make it work for both kinds of TE images. Here is an image with new ones.

radare commented 9 years ago

The image can be loaded with r2 -B0 file, to force the base address to 0.

Anyone have a backup of the scripts I pasted on irc to load this file properly with r2? I cannot find them now

radare commented 9 years ago
# ================================
# r2 -m 0x150 -i efi.r2 -n -s 0x150+0xce2 07.te
# ================================
# (map the file at 0x150, run this script, skip bin header loading, seek to the entry point)

# EFI_GUID: Data1 (32-bit), Data2 and Data3 (16-bit each), Data4[8]
pf.EFI_GUID xww[8]b
# PEI PPI descriptor: flags word, embedded EFI_GUID, pointer to the PPI
pf.pei x?p flags (EFI_GUID)guid ppi

f entry0 = 0x150+0xce2
pf.pei @ 0x1c04

radare commented 9 years ago

moving to 1.0?

XVilka commented 9 years ago

Nope, I'll fix it, I promise, before the 0.9.9

radare commented 9 years ago

http://cdn.niketalk.com/d/d5/d529a02f_g9pepl.jpeg

radare commented 9 years ago

hello?

XVilka commented 9 years ago

Added ability to see TE headers via pf.te_header @ te_header. Still thinking how to distinguish between those formats. Will be fixed anyway today or tomorrow.

radare commented 9 years ago

Awesome!

On 19 Apr 2015, at 22:42, Anton Kochkov notifications@github.com wrote:

Added ability to see TE headers via pf.te_header @ te_header. Still thinking how to distinguish between those formats. Will be fixed anyway today or tomorrow.

jvoisin commented 9 years ago

@XVilka ping?

radare commented 9 years ago

@XVilka hello?

XVilka commented 9 years ago

@radare it's working now, but you have to manually see the pf header. I have no other solution yet. I think it is safe to postpone it to the 1.0.0

radare commented 9 years ago

ok moved to 1.0

radare commented 7 years ago

moved to 1.2 because I don't think you are gonna fix it

radare commented 7 years ago

moving to 1.3 :D

radare commented 7 years ago

faith--

radare commented 7 years ago

moving for 9999

faith is under -9000