UEFI PE Unicode Strings don't XREF (Possible Memory Addressing issue)

Hardware Motherboards
1

Hi all,

I’m attempting to reverse engineer Lenovo’s UEFI Menu so that I can access the “Hidden” menu so that I can actually install the Operating System I use.

I can see all of the juicy strings however IDA dosen’t seem to link the Unicode strings to logic, I believe this is due to a PE Relocation issue, does anyone have any pointers?

Screenshot_2022-08-06_21-04-30
Screenshot_2022-08-06_21-04-301389×622 168 KB

objdump:

> $ objdump -x Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi                                                                             ⬡ 16.8.0 
objdump: Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi: warning: ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .text
objdump: Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi: warning: ignoring section flag IMAGE_SCN_MEM_NOT_PAGED in section .data
objdump: Warning: Corrupt debuglink section: 
objdump: Warning: Corrupt debuglink section: 
objdump: Warning: unable to open file '' referenced from .debug_sup section

Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi:     file format pei-x86-64
Section_PE32_image_DriverSampleDxe_SetupUtility_body.efi
architecture: i386:x86-64, flags 0x0000012f:
HAS_RELOC, EXEC_P, HAS_LINENO, HAS_DEBUG, HAS_LOCALS, D_PAGED
start address 0x000000000000049c

Characteristics 0x2022
	executable
	large address aware
	DLL

Time/Date		Thu Jan  1 10:00:00 1970
Magic			020b	(PE32+)
MajorLinkerVersion	14
MinorLinkerVersion	0
SizeOfCode		0000000000027c20
SizeOfInitializedData	000000000004d400
SizeOfUninitializedData	0000000000000000
AddressOfEntryPoint	000000000000049c
BaseOfCode		0000000000000280
ImageBase		0000000000000000
SectionAlignment	00000020
FileAlignment		00000020
MajorOSystemVersion	0
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	0
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		000752a0
SizeOfHeaders		00000280
CheckSum		00000000
Subsystem		0000000b	(EFI boot service driver)
DllCharacteristics	00000000
SizeOfStackReserve	0000000000000000
SizeOfStackCommit	0000000000000000
SizeOfHeapReserve	0000000000000000
SizeOfHeapCommit	0000000000000000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000075240 00000050 Base Relocation Directory [.reloc]
Entry 6 0000000000072150 0000001c Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved


PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00040000 Chunk size 12 (0xc) Number of fixups 2
	reloc    0 offset  ca0 [40ca0] DIR64
	reloc    1 offset  ca8 [40ca8] DIR64

Virtual Address: 00070000 Chunk size 68 (0x44) Number of fixups 30
	reloc    0 offset   e8 [700e8] DIR64
	reloc    1 offset   f0 [700f0] DIR64
	reloc    2 offset  110 [70110] DIR64
	reloc    3 offset  118 [70118] DIR64
	reloc    4 offset  138 [70138] DIR64
	reloc    5 offset  140 [70140] DIR64
	reloc    6 offset  5b0 [705b0] DIR64
	reloc    7 offset  5b8 [705b8] DIR64
	reloc    8 offset  5c0 [705c0] DIR64
	reloc    9 offset  5c8 [705c8] DIR64
	reloc   10 offset  5d0 [705d0] DIR64
	reloc   11 offset  5d8 [705d8] DIR64
	reloc   12 offset  5e0 [705e0] DIR64
	reloc   13 offset  5e8 [705e8] DIR64
	reloc   14 offset  5f0 [705f0] DIR64
	reloc   15 offset  910 [70910] DIR64
	reloc   16 offset  918 [70918] DIR64
	reloc   17 offset  920 [70920] DIR64
	reloc   18 offset  928 [70928] DIR64
	reloc   19 offset  930 [70930] DIR64
	reloc   20 offset  938 [70938] DIR64
	reloc   21 offset  940 [70940] DIR64
	reloc   22 offset  948 [70948] DIR64
	reloc   23 offset  950 [70950] DIR64
	reloc   24 offset  958 [70958] DIR64
	reloc   25 offset  960 [70960] DIR64
	reloc   26 offset  968 [70968] DIR64
	reloc   27 offset  970 [70970] DIR64
	reloc   28 offset  978 [70978] DIR64
	reloc   29 offset  980 [70980] DIR64

There is a debug directory in .data at 0x72150

Type                Size     Rva      Offset
  0         Unknown 00000000 00000000 00000000

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00027c06  0000000000000280  0000000000000280  00000280  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         0004ad90  0000000000027ea0  0000000000027ea0  00027ea0  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  2               00001398  0000000000072c40  0000000000072c40  00072c40  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .xdata        0000124c  0000000000073fe0  0000000000073fe0  00073fe0  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .reloc        00000050  0000000000075240  0000000000075240  00075240  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols

Cheers

2

This topic was automatically closed 273 days after the last reply. New replies are no longer allowed.