soffensive blog

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 6

soffensive published on 2017-12-04 included in Practical Reverse Engineering

Exercise 6 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery6:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
01:             mystery6
02: 2D E9 18 48   PUSH.W   {R3,R4,R11,LR}
03: 0D F2 08 0B   ADDW     R11, SP, #8
04: 04 68         LDR      R4, [R0]
05: 00 22         MOVS     R2, #0
06: 00 2C         CMP      R4, #0
07: 06 DD         BLE      loc_103B3B6

08:      loc_103B3A8
09: 50 F8 04 3F   LDR.W    R3, [R0,#4]!
10: 8B 42         CMP      R3, R1
11: 06 D0         BEQ      loc_103B3BE
12: 01 32         ADDS     R2, #1
13: A2 42         CMP      R2, R4
14: F8 DB         BLT      loc_103B3A8

15:      loc_103B3B6
16: 00 20         MOVS     R0, #0
17: 00 21         MOVS     R1, #0

18:      locret_103B3BA
19: BD E8 18 88   POP.W    {R3,R4,R11,PC}

20:      loc_103B3BE
21: B2 F1 20 03   SUBS.W   R3, R2, #0X20
22: 01 21         MOVS     R1, #1
23: 99 40         LSLS     R1, R3
24: 01 23         MOVS     R3, #1
25: 13 FA 02 F0   LSLS.W   R0, R3, R2
26: F5 E7         B        locret_103B3BA
27:             ; End of function mystery6

Due to the presence of 16 bit instructions, instructions having the .W suffix and function prologue and epilogue with PUSH and POP respectively, we are dealing with code in Thumb state.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 5

soffensive published on 2017-12-03 included in Practical Reverse Engineering

Exercise 5 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery5:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
01:   mystery5
02: 03 46    MOV   R3, R0
03: 06 2B    CMP   R3, #6
04: 0D D0    BEQ   loc_1032596
05: 07 2B    CMP   R3, #7
06: 09 D0    BEQ   loc_1032592
07: 08 2B    CMP   R3, #8
08: 05 D0    BEQ   loc_103258E
09: 09 2B    CMP   R3, #9
10: 01 D0    BEQ   loc_103258A
11: 09 48    LDR   R0, =aA ; "A"
12: 70 47    BX    LR

13:   loc_103258A
14: 07 48    LDR   R0, =aB ; "B"
15: 70 47    BX    LR

16:   loc_103258E
17: 05 48    LDR   R0, =ac ; "C"
18: 70 47    BX    LR

19:   loc_1032592
20: 03 48    LDR   R0, =aD ; "D"
21: 70 47    BX    LR 

22:   loc_1032596
23: 01 48    LDR   R0, =aE ; "E"
24: 70 47    BX    LR
25:   ; End of function mystery5

All instructions have a width of 16 bits, so we are dealing with code in Thumb state.

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 4

soffensive published on 2017-12-02 included in Practical Reverse Engineering

Exercise 4 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function mystery4:

1
2
3
4
5
6
7
8
01:             mystery4
02: 08 B9         CBNZ     R0, loc_100C3DA
03: 00 20         MOVS     R0, #0
04: 70 47         BX       LR
05:             loc_100C3DA
06: 50 F8 08 0C   LDR.W    R0, [R0,#–8] 
07: 70 47         BX       LR
08:             ; End of function mystery4

The disassembly is in Thumb mode, as there are instructions having a width of 16 bits and some instructions specific to this mode (e.g. CBNZ and the .W suffix).

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 3

soffensive published on 2017-12-02 included in Practical Reverse Engineering

Exercise 3 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function mystery3:

1
2
3
4
5
6
7
8
01:             mystery3
02: 83 68         LDR             R3, [R0,#8]
03: 0B 60         STR             R3, [R1]
04: C3 68         LDR             R3, [R0,#0xC]
05: 00 20         MOVS            R0, #0
06: 4B 60         STR             R3, [R1,#4]
07: 70 47         BX              LR
08:             ; End of function mystery3

It is provided in Thumb mode, as we can see from the instruction width, which is consistently 16 bits. Furthermore, the decompilation is greatly facilitated thanks to the lack of any conditional statements. Any kind of NULL-checks, for instance, are omitted.

Practical Reverse Engineering Exercise Solutions: Page 78 / Exercise 2

soffensive published on 2017-12-02 included in Practical Reverse Engineering

Exercise 2 of the ARM chapter has a rather short disassembly compared to the first exercise. Again, we are tasked with the decompilation of the provided function mystery2.

The disassembly is as follows:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
01:             mystery2
02: 28 B1         CBZ      R0, loc_C672

03: 90 F8 63 00   LDRB.W   R0, [R0,#0x63]
04: 00 38         SUBS     R0, #0
05: 18 BF         IT NE
06: 01 20         MOVNE    R0, #1
07: 70 47         BX              LR

08:             loc_C672
09: 01 20         MOVS     R0, #1
10: 70 47         BX              LR
11:             ; End of function mystery2

First of all, we notice that the function has been compiled in Thumb mode, as there are several instructions having a width of 16 bits, which is not possible in ARM mode. Furthermore, the instructions CBZ and IT are specific to Thumb mode and not available in ARM mode.

Practical Reverse Engineering Exercise Solutions: Page 78 / Exercise 1

soffensive published on 2017-12-01 included in Practical Reverse Engineering

This is the first blog post to a series of ARM challenges from the book Practical Reverse Engineering. In addition to the official ARM manual, the following web page turned out to be very helpful when solving the exercises, as it describes the different ARM instructions in great detail.

https://www.heyrick.co.uk/armwiki/Main_Page

Without further ado, let us explore the first function. The extract below shows the ARM disassembly of a function named mystery1, which we are supposed to decompile into C code.