Hypn.za.net
Hacking, Coding and Gaming | @[email protected]
January 3, 2017
MIPSEL reverse engineering in Docker

While I'm not much a reverse engineer myself, there have been times when I've needed to poke at a MIPSEL binary - be it for a hacking challenge or just some firmware I'm looking at - and while there are tools to identify and reverse engineer these binaries on a different host architecture, sometimes it really helps to be able to run and watch the files more natively.

Luckily qemu can emulate MIPSEL, and "aurel32" has put together a MIPSEL Debian image we can boot. I've packaged those together in to a docker container to make things a bit easier: https://hub.docker.com/r/hypnza/qemu_debian_mipsel/

And have also pre-installed some common reverse engineering tools in a separate container image: https://hub.docker.com/r/hypnza/qemu_debian_mipsel_reverse_engineering_tools/

Tools:

  • binutils
  • build-essential
  • gcc
  • gdb
  • git
  • ngrep
  • strace
  • tcpdump
  • perl 5
  • python 2.7.3
  • glibc6

To make use of it, put the files you want to use inside the qemu MIPSEL in a directory and navigate in to it, then (with Docker installed) run:

docker run -ti -v `pwd`:/hostshare hypnza/qemu_debian_mipsel_reverse_engineering_tools

To start the container (you should be in a bash terminal, inside the the "/root" directory with your directory mapped under "/hostshare"), then run:

./start_qemu.sh

This will start the MIPSEL Debian in qemu, and also expose the "/hostshare" directory to it for sharing. It will likely take a while before you're shown the login prompt, showing "turn off boot console early0" for a while.

At the login prompt, login with "root" with a password of "root", and then to map the shared directory run:

./enable_share.sh

You should then have access to your files and be able to run them or the tools you need, eg:

root@debian-mipsel:~# ./enable_share.sh


root@debian-mipsel:~# file /hostshare/decrypt
/hostshare/decrypt: ELF 32-bit LSB executable, MIPS, MIPS-II version 1, dynamically
linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0x3344f8a723ed...


root@debian-mipsel:~# strings /hostshare/decrypt
/lib/ld.so.1
D3@T
__libc_csu_init
__libc_csu_fini
__libc_start_main
...
Pass the 16 character key
e.g. ./decrypt example123456789
messages.enc


root@debian-mipsel:~# strace /hostshare/decrypt
execve("/hostshare/decrypt", ["/hostshare/decrypt"], [/* 12 vars */]) = 0
brk(0) = 0xa32000
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x77b16000
uname({sys="Linux", node="debian-mipsel", ...}) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
...
write(1, "Pass the 16 character key \n", 27Pass the 16 character key
) = 27
write(1, "e.g. ./decrypt example123456789\n", 32e.g. ./decrypt example123456789
) = 32
exit_group(0)


root@debian-mipsel:~# /hostshare/decrypt
Pass the 16 character key
e.g. ./decrypt example123456789