Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 7
Exercise 7 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery7
:
|
|
Again, the function provided is executed in Thumb mode, due to several 16 bit instructions and instructions specific to Thumb mode such as CBNZ
and the .W
suffix such as in line 7, 11 and 16.
mystery7()
takes one argument, which is a pointer to a structure in memory. Load operations from this address solely read a single byte and the address read from is always increased by 1. Thus, the function argument is probably a pointer to a character array, i.e. a string. The return value is yet to be determined, but it is generated by manipulating the address of the input argument, so it will be a 32 bit value. Our preliminary function prototype:
|
|
There is also an interesting instruction in line 16 - BFC
. BFC
stands for Bit Field Clear and clears a certain number of bits in the destination register. The instruction at hand is BFC.W R0, #0x1E, #2
and clears two bits starting at the least significant bit #0x1E
(=30), i.e. the two most significant bits 30 and 31.
In line 3, the input argument is inspected for nullness, in which case the function returns 0.
If it is not null, the character stored at the address pointed to by the input argument is loaded (line 11) and compared to 0 (line 13). When it is not 0, the next character is loaded and compared again to 0 and this process is repeated in a loop. Presumably we are searching the end of a string, which is delimited by the null-character 0.
When the loaded character value matches 0, the address of the start of the array is subtracted from the address where the first 0-character was found. Thereby, we calculate the length of the string and store it in register R0
. The last instruction before leaving mystery7()
involves clearing the two most significant bits. It does not make immediately sense why the two most significant bits are cleared - maybe there is a maximum string length imposed by the compiler.
We are now ready to fully decompile mystery7
to:
|
|