https://soffensive.github.io/tags/arm/Recent content in ARM on soffensive blogHugoenThu, 07 Dec 2017 10:29:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-07-practical-reverse-engineering-exercise-solutions-page-79-exercise-11/Thu, 07 Dec 2017 10:29:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-07-practical-reverse-engineering-exercise-solutions-page-79-exercise-11/<p>Exercise 11 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery11</code> - the last exercise of the ARM chapter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="err">010185</span><span class="nf">B0</span> <span class="nv">mystery11</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">010185</span><span class="nf">B0</span> <span class="mi">2</span><span class="nv">D</span> <span class="nv">E9</span> <span class="nv">F8</span> <span class="mi">4</span><span class="nv">F</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">010185</span><span class="nf">B4</span> <span class="mi">0</span><span class="nv">D</span> <span class="nv">F2</span> <span class="mi">20</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x20</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">010185</span><span class="nf">B8</span> <span class="nv">B0</span> <span class="nv">F9</span> <span class="mi">5</span><span class="nv">A</span> <span class="mi">30</span> <span class="nv">LDRSH.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">010185</span><span class="nf">BC</span> <span class="mi">07</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R7</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">010185</span><span class="nf">BE</span> <span class="mi">90</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R8</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">010185</span><span class="nf">C0</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">83</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span><span class="nv">LSL#2</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">010185</span><span class="nf">C4</span> <span class="nv">D3</span> <span class="nv">F8</span> <span class="mi">84</span> <span class="nv">A0</span> <span class="nv">LDR.W</span> <span class="nv">R10</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x84</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">010185</span><span class="nf">C8</span> <span class="mi">7</span><span class="nv">B</span> <span class="mi">8</span><span class="nv">F</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x3A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">010185</span><span class="nf">CA</span> <span class="mi">89</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R9</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">010185</span><span class="nf">CC</span> <span class="nv">CB</span> <span class="nv">B9</span> <span class="nv">CBNZ</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">loc_1018602</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">010185</span><span class="nf">CE</span> <span class="nv">B0</span> <span class="nv">F9</span> <span class="mi">5</span><span class="nv">A</span> <span class="mi">40</span> <span class="nv">LDRSH.W</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">010185</span><span class="nf">D2</span> <span class="mi">17</span> <span class="nv">F1</span> <span class="mi">20</span> <span class="mi">02</span> <span class="nv">ADDS.W</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R7</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x20</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">010185</span><span class="nf">D6</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">44</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#1</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">010185</span><span class="nf">DA</span> <span class="nv">B3</span> <span class="nv">F8</span> <span class="mi">5</span><span class="nv">C</span> <span class="mi">50</span> <span class="nv">LDRH.W</span> <span class="nv">R5</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">010185</span><span class="nf">DE</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">84</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#2</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">010185</span><span class="nf">E2</span> <span class="nv">D3</span> <span class="nv">F8</span> <span class="mi">84</span> <span class="mi">00</span> <span class="nv">LDR.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x84</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">010185</span><span class="nf">E6</span> <span class="mi">83</span> <span class="mi">89</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">010185</span><span class="nf">E8</span> <span class="mi">06</span> <span class="mi">6</span><span class="nv">C</span> <span class="nv">LDR</span> <span class="nv">R6</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x40</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">010185</span><span class="nf">EA</span> <span class="mi">03</span> <span class="nv">EB</span> <span class="mi">45</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span><span class="nv">LSL#1</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">010185</span><span class="nf">EE</span> <span class="mi">9</span><span class="nv">B</span> <span class="mi">19</span> <span class="nv">ADDS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R6</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">010185</span><span class="nf">F0</span> <span class="mi">1</span><span class="nv">C</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">010185</span><span class="nf">F2</span> <span class="mi">5</span><span class="nv">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">010185</span><span class="nf">F4</span> <span class="mi">43</span> <span class="nv">EA</span> <span class="mi">04</span> <span class="mi">24</span> <span class="nv">ORR.W</span> <span class="nv">R4</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#8</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">010185</span><span class="nf">F8</span> <span class="mi">43</span> <span class="mi">8</span><span class="nv">A</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x12</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="err">010185</span><span class="nf">FA</span> <span class="mi">23</span> <span class="mi">40</span> <span class="nv">ANDS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">010185</span><span class="nf">FC</span> <span class="mi">99</span> <span class="mi">19</span> <span class="nv">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R6</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">010185</span><span class="nf">FE</span> <span class="nv">FD</span> <span class="nv">F7</span> <span class="mi">8</span><span class="nv">D</span> <span class="nv">FF</span> <span class="nb">BL</span> <span class="nv">sub_101651C</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">01018602</span> <span class="nf">loc_1018602</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">01018602</span> <span class="nf">BA</span> <span class="mi">8</span><span class="nv">E</span> <span class="nv">LDRH</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x34</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">01018604</span> <span class="nf">BB</span> <span class="mi">6</span><span class="nv">A</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x28</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="err">01018606</span> <span class="nf">D0</span> <span class="mi">18</span> <span class="nv">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="err">01018608</span> <span class="err">9</span><span class="nf">A</span> <span class="nv">F8</span> <span class="mi">02</span> <span class="mi">30</span> <span class="nv">LDRB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R10</span><span class="p">,</span><span class="err">#</span><span class="mi">2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="err">0101860</span><span class="nf">C</span> <span class="mb">0B</span> <span class="nv">B1</span> <span class="nv">CBZ</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">loc_1018612</span> </span></span><span class="line"><span class="cl"><span class="err">35:</span> <span class="err">0101860</span><span class="nf">E</span> <span class="mi">00</span> <span class="mi">22</span> <span class="nv">MOVS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">36:</span> <span class="err">01018610</span> <span class="err">00</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_1018614</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">37:</span> <span class="err">01018612</span> <span class="nf">loc_1018612</span> </span></span><span class="line"><span class="cl"><span class="err">38:</span> <span class="err">01018612</span> <span class="err">3</span><span class="nf">A</span> <span class="mi">6</span><span class="nv">A</span> <span class="nv">LDR</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x20</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">39:</span> <span class="err">01018614</span> <span class="nf">loc_1018614</span> </span></span><span class="line"><span class="cl"><span class="err">40:</span> <span class="err">01018614</span> <span class="nf">FB</span> <span class="mi">8</span><span class="nv">E</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x36</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">41:</span> <span class="err">01018616</span> <span class="nf">B8</span> <span class="nv">F1</span> <span class="mi">00</span> <span class="mi">0</span><span class="nv">F</span> <span class="nv">CMP.W</span> <span class="nv">R8</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">42:</span> <span class="err">0101861</span><span class="nf">A</span> <span class="mi">01</span> <span class="nv">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1018620</span> </span></span><span class="line"><span class="cl"><span class="err">43:</span> <span class="err">0101861</span><span class="nf">C</span> <span class="mi">80</span> <span class="mi">18</span> <span class="nv">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">44:</span> <span class="err">0101861</span><span class="nf">E</span> <span class="mi">9</span><span class="nv">B</span> <span class="mi">1</span><span class="nv">A</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">45:</span> <span class="err">01018620</span> <span class="nf">loc_1018620</span> </span></span><span class="line"><span class="cl"><span class="err">46:</span> <span class="err">01018620</span> <span class="nf">C9</span> <span class="nv">F8</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">STR.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R9</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">47:</span> <span class="err">01018624</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="nv">F8</span> <span class="mi">8</span><span class="nv">F</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">48:</span> <span class="err">01018624</span> <span class="c1">; End of function mystery11</span> </span></span></code></pre></td></tr></table> </div> </div><p>According to the exercise description, the called subroutine <code>sub_101651C</code> in line 28 takes three arguments and does not return anything. Thus, we know the registers <code>R0</code>, <code>R1</code> and <code>R2</code> are prepared and passed to the function.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-06-practical-reverse-engineering-exercise-solutions-page-79-exercise-10/Wed, 06 Dec 2017 06:19:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-06-practical-reverse-engineering-exercise-solutions-page-79-exercise-10/<p>Exercise 10 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery10</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery10</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">70</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R4</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">0</span><span class="nv">C</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0xC</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">37</span> <span class="nf">F0</span> <span class="nv">CC</span> <span class="nv">F9</span> <span class="nb">BL</span> <span class="nv">__security_push_cookie</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">84</span> <span class="nf">B0</span> <span class="nv">SUB</span> <span class="nb">SP</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">0</span><span class="nf">D</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">00</span> <span class="err">24</span> <span class="nf">MOVS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">10</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">CMP</span> <span class="nv">R5</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">16</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R6</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">0</span><span class="nf">C</span> <span class="nv">D3</span> <span class="nv">BCC</span> <span class="nv">loc_1010786</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">1</span><span class="nf">A</span> <span class="mi">4</span><span class="nv">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetSystemTime</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">68</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nb">SP</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">00</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_1C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">10</span> <span class="err">24</span> <span class="nf">MOVS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">33</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">01</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_18</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">73</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">02</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_14</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">B3</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">03</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_10</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="nf">F3</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="nf">loc_1010786</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="err">04</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">04</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_1010796</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">11</span> <span class="err">4</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetCurrentProcessId</span> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">30</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="err">04</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="nf">loc_1010796</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">35:</span> <span class="err">04</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"><span class="err">36:</span> <span class="err">04</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_10107A6</span> </span></span><span class="line"><span class="cl"><span class="err">37:</span> <span class="err">0</span><span class="nf">C</span> <span class="mi">4</span><span class="nv">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetTickCount</span> </span></span><span class="line"><span class="cl"><span class="err">38:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">39:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">40:</span> <span class="err">30</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">41:</span> <span class="err">04</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">42:</span> <span class="nf">loc_10107A6</span> </span></span><span class="line"><span class="cl"><span class="err">43:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">44:</span> <span class="err">08</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">45:</span> <span class="err">09</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_10107C0</span> </span></span><span class="line"><span class="cl"><span class="err">46:</span> <span class="err">07</span> <span class="err">4</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_QueryPerformanceCounter</span> </span></span><span class="line"><span class="cl"><span class="err">47:</span> <span class="err">68</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nb">SP</span> </span></span><span class="line"><span class="cl"><span class="err">48:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">49:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">50:</span> <span class="err">00</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_1C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">51:</span> <span class="err">32</span> <span class="err">19</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R6</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">52:</span> <span class="err">33</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">53:</span> <span class="err">01</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_18</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">54:</span> <span class="err">08</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">55:</span> <span class="err">53</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R2</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">56:</span> <span class="nf">loc_10107C0</span> </span></span><span class="line"><span class="cl"><span class="err">57:</span> <span class="err">20</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">58:</span> <span class="err">04</span> <span class="nf">B0</span> <span class="nv">ADD</span> <span class="nb">SP</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">59:</span> <span class="err">37</span> <span class="nf">F0</span> <span class="nv">A4</span> <span class="nv">F9</span> <span class="nb">BL</span> <span class="nv">__security_pop_cookie</span> </span></span><span class="line"><span class="cl"><span class="err">60:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">70</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R4</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">61:</span> <span class="c1">; End of function mystery10</span> </span></span></code></pre></td></tr></table> </div> </div><p>Although the function looks complicated at first, we notice it does not contain any kind of loops and only executes sequentially with a couple of conditionals.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-9/Tue, 05 Dec 2017 06:47:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-9/<p>Exercise 9 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery9</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery9</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">30</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">08</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">09</span> <span class="err">4</span><span class="nf">D</span> <span class="nv">LDR</span> <span class="nv">R5</span><span class="p">,</span> <span class="err">=</span><span class="kt">byte</span><span class="nv">Array</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">06</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E312</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E304</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">5</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">63</span> <span class="err">5</span><span class="nf">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">93</span> <span class="err">42</span> <span class="nf">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">04</span> <span class="nf">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E318</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">01</span> <span class="err">30</span> <span class="nf">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">01</span> <span class="err">31</span> <span class="nf">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">loc_100E312</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">04</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">C</span> <span class="nv">CMP</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="nf">F5</span> <span class="nv">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E304</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="nf">loc_100E318</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">5</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">03</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">5</span><span class="nf">B</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">98</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">30</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="c1">; End of function mystery9</span> </span></span></code></pre></td></tr></table> </div> </div><p>First of all, <code>mystery9</code> has a striking similarity to the previously decompiled function <code>mystery8</code>. Its disassembly uses Thumb mode, as we can see for instance from the 16 bit instruction width.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-8/Tue, 05 Dec 2017 02:30:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-8/<p>Exercise 8 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery8</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery8</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">78</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">10</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">0</span><span class="nf">C</span> <span class="mi">4</span><span class="nv">E</span> <span class="nv">LDR</span> <span class="nv">R6</span><span class="p">,</span> <span class="err">=</span><span class="kt">byte</span><span class="nv">Array</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">09</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E34C</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E338</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">05</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R5</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">01</span> <span class="err">3</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">4</span><span class="nf">D</span> <span class="nv">B1</span> <span class="nv">CBZ</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">9</span><span class="nf">C</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="nf">AB</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">A3</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">04</span> <span class="nf">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">01</span> <span class="err">30</span> <span class="nf">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">01</span> <span class="err">31</span> <span class="nf">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="nf">loc_100E34C</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">A</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">F3</span> <span class="nv">DC</span> <span class="nv">BGT</span> <span class="nv">loc_100E338</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">01</span> <span class="err">3</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">A</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">01</span> <span class="nf">DA</span> <span class="nv">BGE</span> <span class="nv">loc_100E35A</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">04</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">locret_100E364</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="nf">loc_100E35A</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">9</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">03</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">9</span><span class="nf">B</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">98</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="nf">locret_100E364</span> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">78</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="c1">; End of function mystery8</span> </span></span></code></pre></td></tr></table> </div> </div><p>The function was compiled in Thumb mode, as we can see from the presence of 16 bit instructions, <code>PUSH</code> and <code>POP</code> instructions and Thumb-specific instructions, e.g. <code>CBZ</code> and instructions with the <code>.W</code> suffix.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-7/Mon, 04 Dec 2017 06:14:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-7/<p>Exercise 7 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery7</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery7</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">02</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">08</span> <span class="nf">B9</span> <span class="nv">CBNZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_100E1D8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E1D8</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">90</span> <span class="nf">F9</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">LDRSB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">02</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E1E4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="nf">loc_100E1DE</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">01</span> <span class="err">32</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">92</span> <span class="nf">F9</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">LDRSB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="nf">loc_100E1E4</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">FA</span> <span class="nv">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E1DE</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">10</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">6</span><span class="nf">F</span> <span class="nv">F3</span> <span class="mi">9</span><span class="nv">F</span> <span class="mi">70</span> <span class="nv">BFC.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x1E</span><span class="p">,</span> <span class="err">#</span><span class="mi">2</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="c1">; End of function mystery7</span> </span></span></code></pre></td></tr></table> </div> </div><p>Again, the function provided is executed in Thumb mode, due to several 16 bit instructions and instructions specific to Thumb mode such as <code>CBNZ</code> and the <code>.W</code> suffix such as in line 7, 11 and 16.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-6/Mon, 04 Dec 2017 03:17:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-6/<p>Exercise 6 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery6</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery6</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">18</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">08</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">04</span> <span class="err">68</span> <span class="nf">LDR</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">00</span> <span class="err">22</span> <span class="nf">MOVS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">C</span> <span class="nv">CMP</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">06</span> <span class="kd">DD</span> <span class="nb">BL</span><span class="nv">E</span> <span class="nv">loc_103B3B6</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="nf">loc_103B3A8</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">50</span> <span class="nf">F8</span> <span class="mi">04</span> <span class="mi">3</span><span class="nv">F</span> <span class="nv">LDR.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span><span class="err">!</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">8</span><span class="nf">B</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">06</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103B3BE</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">01</span> <span class="err">32</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">A2</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">F8</span> <span class="nv">DB</span> <span class="nb">BL</span><span class="nv">T</span> <span class="nv">loc_103B3A8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="nf">loc_103B3B6</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">00</span> <span class="err">21</span> <span class="nf">MOVS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="nf">locret_103B3BA</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">18</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="nf">loc_103B3BE</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">B2</span> <span class="nv">F1</span> <span class="mi">20</span> <span class="mi">03</span> <span class="nv">SUBS.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mh">0X20</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">01</span> <span class="err">21</span> <span class="nf">MOVS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">99</span> <span class="err">40</span> <span class="nf">LSLS</span> <span class="nv">R1</span><span class="p">,</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">01</span> <span class="err">23</span> <span class="nf">MOVS</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">13</span> <span class="nf">FA</span> <span class="mi">02</span> <span class="nv">F0</span> <span class="nv">LSLS.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="nf">F5</span> <span class="nv">E7</span> <span class="nv">B</span> <span class="nv">locret_103B3BA</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="c1">; End of function mystery6</span> </span></span></code></pre></td></tr></table> </div> </div><p>Due to the presence of 16 bit instructions, instructions having the <code>.W</code> suffix and function prologue and epilogue with <code>PUSH</code> and <code>POP</code> respectively, we are dealing with code in Thumb state.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-03-practical-reverse-engineering-exercise-solutions-page-79-exercise-5/Sun, 03 Dec 2017 00:01:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-03-practical-reverse-engineering-exercise-solutions-page-79-exercise-5/<p>Exercise 5 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery5</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery5</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">03</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">06</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">6</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1032596</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">07</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">09</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1032592</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">08</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">05</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103258E</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">09</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">9</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">01</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103258A</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">09</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aA</span> <span class="c1">; &#34;A&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">loc_103258A</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">07</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aB</span> <span class="c1">; &#34;B&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="nf">loc_103258E</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">05</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">ac</span> <span class="c1">; &#34;C&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">loc_1032592</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">03</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aD</span> <span class="c1">; &#34;D&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="nf">loc_1032596</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">01</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aE</span> <span class="c1">; &#34;E&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="c1">; End of function mystery5</span> </span></span></code></pre></td></tr></table> </div> </div><p>All instructions have a width of 16 bits, so we are dealing with code in Thumb state.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-4/Sat, 02 Dec 2017 05:21:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-4/<p>Exercise 4 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function <code>mystery4</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery4</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">08</span> <span class="nf">B9</span> <span class="nv">CBNZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_100C3DA</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="nf">loc_100C3DA</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">50</span> <span class="nf">F8</span> <span class="mi">08</span> <span class="mi">0</span><span class="nv">C</span> <span class="nv">LDR.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#–</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="c1">; End of function mystery4</span> </span></span></code></pre></td></tr></table> </div> </div><p>The disassembly is in Thumb mode, as there are instructions having a width of 16 bits and some instructions specific to this mode (e.g. <code>CBNZ</code> and the <code>.W</code> suffix).</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-3/Sat, 02 Dec 2017 05:20:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-3/<p>Exercise 3 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function <code>mystery3</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery3</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">83</span> <span class="err">68</span> <span class="nf">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="nf">C3</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">4</span><span class="nf">B</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="c1">; End of function mystery3</span> </span></span></code></pre></td></tr></table> </div> </div><p>It is provided in Thumb mode, as we can see from the instruction width, which is consistently 16 bits. Furthermore, the decompilation is greatly facilitated thanks to the lack of any conditional statements. Any kind of NULL-checks, for instance, are omitted.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-78-exercise-2/Sat, 02 Dec 2017 04:40:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-78-exercise-2/<p>Exercise 2 of the ARM chapter has a rather short disassembly compared to the first exercise. Again, we are tasked with the decompilation of the provided function <code>mystery2</code>.</p> <p>The disassembly is as follows:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery2</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">28</span> <span class="nf">B1</span> <span class="nv">CBZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_C672</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">90</span> <span class="nf">F8</span> <span class="mi">63</span> <span class="mi">00</span> <span class="nv">LDRB.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x63</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">00</span> <span class="err">38</span> <span class="nf">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">18</span> <span class="nf">BF</span> <span class="nv">IT</span> <span class="nv">NE</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">01</span> <span class="err">20</span> <span class="nf">MOVNE</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="nf">loc_C672</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">01</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="c1">; End of function mystery2</span> </span></span></code></pre></td></tr></table> </div> </div><p>First of all, we notice that the function has been compiled in Thumb mode, as there are several instructions having a width of 16 bits, which is not possible in ARM mode. Furthermore, the instructions <code>CBZ</code> and <code>IT</code> are specific to Thumb mode and not available in ARM mode.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-01-practical-reverse-engineering-exercise-solutions-page-78-exercise-1/Fri, 01 Dec 2017 04:59:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-01-practical-reverse-engineering-exercise-solutions-page-78-exercise-1/<p>This is the first blog post to a series of ARM challenges from the book Practical Reverse Engineering. In addition to the official ARM manual, the following web page turned out to be very helpful when solving the exercises, as it describes the different ARM instructions in great detail.</p> <p><a href="https://www.heyrick.co.uk/armwiki/Main_Page" target="_blank" rel="noopener noreffer ">https://www.heyrick.co.uk/armwiki/Main_Page</a></p> <p>Without further ado, let us explore the first function. The extract below shows the ARM disassembly of a function named mystery1, which we are supposed to decompile into C code.</p>