Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 4

Exercise 4 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function mystery4:

1
2
3
4
5
6
7
8

01:             mystery4
02: 08 B9         CBNZ     R0, loc_100C3DA
03: 00 20         MOVS     R0, #0
04: 70 47         BX       LR
05:             loc_100C3DA
06: 50 F8 08 0C   LDR.W    R0, [R0,#–8] 
07: 70 47         BX       LR
08:             ; End of function mystery4

The disassembly is in Thumb mode, as there are instructions having a width of 16 bits and some instructions specific to this mode (e.g. CBNZ and the .W suffix).

Mystery4 takes one argument in r0 and the argument is a pointer to an unknown data structure. The function either returns 0 or a 32 bit value stored in memory at address (r0-8). We know it reads a 32 bit value due to the .W suffix of the LDR instruction in line 6.

This is all we can say about the function and therefore its overall meaning remains a mystery to us:

1
2
3
4
5
6
7
8

long mystery4 (unknownDataStructure* arg) {
 if (arg==null) {
  return 0;
 }
 else {
  return *(arg-8);
 }
}