![]() ![]() ![]() We can also try to extract the PE files and LZMA compressed block using the -e flag with binwalk. Via binvis.io (pink is high entropy, black is low entropy): There is a large region of high entropy within the binary, indicating that compression or encryption is present, so it seems likely that the LZMA signature binwalk detected is a true positive. ![]() Here is the signature scan output for your file: $ binwalk EFI64.ROMĠ 0x0 UEFI PI Firmware Volume, volume size: 2097152, header size: 0, revision: 0, EFI Firmware File System v2, GUID: 8C8CE578-8A3D-4F1C-3599-896185C32DD3ģ32 0x14C Microsoft executable, portable (PE)ģ6864 0x9000 Microsoft executable, portable (PE)ĩ0112 0x16000 Microsoft executable, portable (PE)ġ22880 0x1E000 Microsoft executable, portable (PE)ġ55648 0x26000 Microsoft executable, portable (PE)Ģ21184 0x36000 Microsoft executable, portable (PE)Ģ49924 0x3D044 Microsoft executable, portable (PE)Ĥ01408 0圆2000 Microsoft executable, portable (PE)Ĥ34176 0圆A000 Microsoft executable, portable (PE)Ĥ62936 0x71058 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 4636688 bytesĪccording to binwalk, this is a UEFI Platform Inititalization volume containing several PE files and a large LZMA-compressed block. Probably the fastest and easiest way to get started with analyzing binaries such this is to begin with using binwalk to scan the file. ![]()
0 Comments
Leave a Reply. |