soffensive blog

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 8

soffensive published on 2017-12-05 included in Practical Reverse Engineering

Exercise 8 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery8:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
01:             mystery8
02: 2D E9 78 48   PUSH.W   {R3–R6,R11,LR}
03: 0D F2 10 0B   ADDW     R11, SP, #0x10
04: 0C 4E         LDR      R6, =byteArray
05: 09 E0         B        loc_100E34C

06:      loc_100E338
07: 05 78         LDRB     R5, [R0]
08: 01 3A         SUBS     R2, #1
09: 4D B1         CBZ      R5, loc_100E352
10: 0B 78         LDRB     R3, [R1]
11: 9C 5D         LDRB     R4, [R3,R6]
12: AB 5D         LDRB     R3, [R5,R6]
13: A3 42         CMP      R3, R4
14: 04 D1         BNE      loc_100E352 
15: 01 30         ADDS     R0, #1
16: 01 31         ADDS     R1, #1

17:      loc_100E34C
18: 00 2A         CMP      R2, #0
19: F3 DC         BGT      loc_100E338
20: 01 3A         SUBS     R2, #1

21:      loc_100E352
22: 00 2A         CMP      R2, #0
23: 01 DA         BGE      loc_100E35A
24: 00 20         MOVS     R0, #0
25: 04 E0         B        locret_100E364

26:      loc_100E35A
27: 0B 78         LDRB     R3, [R1]
28: 9A 5D         LDRB     R2, [R3,R6]
29: 03 78         LDRB     R3, [R0]
30: 9B 5D         LDRB     R3, [R3,R6]
31: 98 1A         SUBS     R0, R3, R2

32:      locret_100E364
33: BD E8 78 88   POP.W    {R3–R6,R11,PC}
34:             ; End of function mystery8

The function was compiled in Thumb mode, as we can see from the presence of 16 bit instructions, PUSH and POP instructions and Thumb-specific instructions, e.g. CBZ and instructions with the .W suffix.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 7

soffensive published on 2017-12-04 included in Practical Reverse Engineering

Exercise 7 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery7:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
01:             mystery7
02: 02 46         MOV      R2, R0
03: 08 B9         CBNZ     R0, loc_100E1D8
04: 00 20         MOVS     R0, #0
05: 70 47         BX       LR 

06:      loc_100E1D8
07: 90 F9 00 30   LDRSB.W  R3, [R0]
08: 02 E0         B        loc_100E1E4

09:      loc_100E1DE
10: 01 32         ADDS     R2, #1
11: 92 F9 00 30   LDRSB.W  R3, [R2]

12:      loc_100E1E4
13: 00 2B         CMP      R3, #0
14: FA D1         BNE      loc_100E1DE
15: 10 1A         SUBS     R0, R2, R0
16: 6F F3 9F 70   BFC.W    R0, #0x1E, #2
17: 70 47         BX       LR
18:             ; End of function mystery7

Again, the function provided is executed in Thumb mode, due to several 16 bit instructions and instructions specific to Thumb mode such as CBNZ and the .W suffix such as in line 7, 11 and 16.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 6

soffensive published on 2017-12-04 included in Practical Reverse Engineering

Exercise 6 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery6:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
01:             mystery6
02: 2D E9 18 48   PUSH.W   {R3,R4,R11,LR}
03: 0D F2 08 0B   ADDW     R11, SP, #8
04: 04 68         LDR      R4, [R0]
05: 00 22         MOVS     R2, #0
06: 00 2C         CMP      R4, #0
07: 06 DD         BLE      loc_103B3B6

08:      loc_103B3A8
09: 50 F8 04 3F   LDR.W    R3, [R0,#4]!
10: 8B 42         CMP      R3, R1
11: 06 D0         BEQ      loc_103B3BE
12: 01 32         ADDS     R2, #1
13: A2 42         CMP      R2, R4
14: F8 DB         BLT      loc_103B3A8

15:      loc_103B3B6
16: 00 20         MOVS     R0, #0
17: 00 21         MOVS     R1, #0

18:      locret_103B3BA
19: BD E8 18 88   POP.W    {R3,R4,R11,PC}

20:      loc_103B3BE
21: B2 F1 20 03   SUBS.W   R3, R2, #0X20
22: 01 21         MOVS     R1, #1
23: 99 40         LSLS     R1, R3
24: 01 23         MOVS     R3, #1
25: 13 FA 02 F0   LSLS.W   R0, R3, R2
26: F5 E7         B        locret_103B3BA
27:             ; End of function mystery6

Due to the presence of 16 bit instructions, instructions having the .W suffix and function prologue and epilogue with PUSH and POP respectively, we are dealing with code in Thumb state.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 5

soffensive published on 2017-12-03 included in Practical Reverse Engineering

Exercise 5 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery5:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
01:   mystery5
02: 03 46    MOV   R3, R0
03: 06 2B    CMP   R3, #6
04: 0D D0    BEQ   loc_1032596
05: 07 2B    CMP   R3, #7
06: 09 D0    BEQ   loc_1032592
07: 08 2B    CMP   R3, #8
08: 05 D0    BEQ   loc_103258E
09: 09 2B    CMP   R3, #9
10: 01 D0    BEQ   loc_103258A
11: 09 48    LDR   R0, =aA ; "A"
12: 70 47    BX    LR

13:   loc_103258A
14: 07 48    LDR   R0, =aB ; "B"
15: 70 47    BX    LR

16:   loc_103258E
17: 05 48    LDR   R0, =ac ; "C"
18: 70 47    BX    LR

19:   loc_1032592
20: 03 48    LDR   R0, =aD ; "D"
21: 70 47    BX    LR 

22:   loc_1032596
23: 01 48    LDR   R0, =aE ; "E"
24: 70 47    BX    LR
25:   ; End of function mystery5

All instructions have a width of 16 bits, so we are dealing with code in Thumb state.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 4

soffensive published on 2017-12-02 included in Practical Reverse Engineering

Exercise 4 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function mystery4:

1
2
3
4
5
6
7
8
01:             mystery4
02: 08 B9         CBNZ     R0, loc_100C3DA
03: 00 20         MOVS     R0, #0
04: 70 47         BX       LR
05:             loc_100C3DA
06: 50 F8 08 0C   LDR.W    R0, [R0,#–8] 
07: 70 47         BX       LR
08:             ; End of function mystery4

The disassembly is in Thumb mode, as there are instructions having a width of 16 bits and some instructions specific to this mode (e.g. CBNZ and the .W suffix).

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 3

soffensive published on 2017-12-02 included in Practical Reverse Engineering

Exercise 3 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function mystery3:

1
2
3
4
5
6
7
8
01:             mystery3
02: 83 68         LDR             R3, [R0,#8]
03: 0B 60         STR             R3, [R1]
04: C3 68         LDR             R3, [R0,#0xC]
05: 00 20         MOVS            R0, #0
06: 4B 60         STR             R3, [R1,#4]
07: 70 47         BX              LR
08:             ; End of function mystery3

It is provided in Thumb mode, as we can see from the instruction width, which is consistently 16 bits. Furthermore, the decompilation is greatly facilitated thanks to the lack of any conditional statements. Any kind of NULL-checks, for instance, are omitted.