Hi all,
I’m attempting to reverse engineer Lenovo’s UEFI Menu so that I can access the “Hidden” menu so that I can actually install the Operating System I use.
I can see all of the juicy strings however IDA dosen’t seem to link the Unicode strings to logic, I believe this is due to a PE Relocation issue, does anyone have any pointers?
objdump:
> $ objdump -x Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi ⬡ 16.8.0
objdump: Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi: warning: ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .text
objdump: Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi: warning: ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .data
objdump: Warning: Corrupt debuglink section:
objdump: Warning: Corrupt debuglink section:
objdump: Warning: unable to open file '' referenced from .debug_sup section
Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi: file format pei-x86-64
Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi
architecture: i386:x86-64, flags 0x0000012f:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_LOCALS, D_PAGED
start address 0x000000000000049c
Characteristics 0x2022
executable
large address aware
DLL
Time/Date Thu Jan 1 10:00:00 1970
Magic 020b (PE32+)
MajorLinkerVersion 14
MinorLinkerVersion 0
SizeOfCode 0000000000027c20
SizeOfInitializedData 000000000004d400
SizeOfUninitializedData 0000000000000000
AddressOfEntryPoint 000000000000049c
BaseOfCode 0000000000000280
ImageBase 0000000000000000
SectionAlignment 00000020
FileAlignment 00000020
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 000752a0
SizeOfHeaders 00000280
CheckSum 00000000
Subsystem 0000000b (EFI boot service driver)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000075240 00000050 Base Relocation Directory [.reloc]
Entry 6 0000000000072150 0000001c Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
PE File Base Relocations (interpreted .reloc section contents)
Virtual Address: 00040000 Chunk size 12 (0xc) Number of fixups 2
reloc 0 offset ca0 [40ca0] DIR64
reloc 1 offset ca8 [40ca8] DIR64
Virtual Address: 00070000 Chunk size 68 (0x44) Number of fixups 30
reloc 0 offset e8 [700e8] DIR64
reloc 1 offset f0 [700f0] DIR64
reloc 2 offset 110 [70110] DIR64
reloc 3 offset 118 [70118] DIR64
reloc 4 offset 138 [70138] DIR64
reloc 5 offset 140 [70140] DIR64
reloc 6 offset 5b0 [705b0] DIR64
reloc 7 offset 5b8 [705b8] DIR64
reloc 8 offset 5c0 [705c0] DIR64
reloc 9 offset 5c8 [705c8] DIR64
reloc 10 offset 5d0 [705d0] DIR64
reloc 11 offset 5d8 [705d8] DIR64
reloc 12 offset 5e0 [705e0] DIR64
reloc 13 offset 5e8 [705e8] DIR64
reloc 14 offset 5f0 [705f0] DIR64
reloc 15 offset 910 [70910] DIR64
reloc 16 offset 918 [70918] DIR64
reloc 17 offset 920 [70920] DIR64
reloc 18 offset 928 [70928] DIR64
reloc 19 offset 930 [70930] DIR64
reloc 20 offset 938 [70938] DIR64
reloc 21 offset 940 [70940] DIR64
reloc 22 offset 948 [70948] DIR64
reloc 23 offset 950 [70950] DIR64
reloc 24 offset 958 [70958] DIR64
reloc 25 offset 960 [70960] DIR64
reloc 26 offset 968 [70968] DIR64
reloc 27 offset 970 [70970] DIR64
reloc 28 offset 978 [70978] DIR64
reloc 29 offset 980 [70980] DIR64
There is a debug directory in .data at 0x72150
Type Size Rva Offset
0 Unknown 00000000 00000000 00000000
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00027c06 0000000000000280 0000000000000280 00000280 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 0004ad90 0000000000027ea0 0000000000027ea0 00027ea0 2**4
CONTENTS, ALLOC, LOAD, DATA
2 00001398 0000000000072c40 0000000000072c40 00072c40 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .xdata 0000124c 0000000000073fe0 0000000000073fe0 00073fe0 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .reloc 00000050 0000000000075240 0000000000075240 00075240 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols
Cheers