Jump to content
  • 0

Help me With Instruction logic


Un_Known
 Share

Question

Can anybody explain logic here 

It's ARM instruction set:

Here dword_36BD38 is uninitialized variable in .bss section

LDR       R3, =(dword_36BD38 - 0x19D86C) 

ADD      R3, PC, R3  ; dword_36BD38

CMP      R0, #0

STR       R0, [R3]

MOVLT   R2, #0x7FFFFFFF

STRLT     R2, [R3]

I have a little idea what's happening here but couldn't understand whole logic!

Edited by Un_Known
Link to comment
Share on other sites

Recommended Posts

  • 0
0000	LDR		R3, =(dword_36BD38 - 0x19D86C) -- Load offset to R3
0004	ADD		R3, PC, R3  ; dword_36BD38 -- R3 = PC + Offset (R3)
0008	CMP		R0, #0 -- Check if R0 value equal to 0
000C	STR		R0, [R3] -- Store R0 value into R3 (R3 = dword_36BD38)
0010	MOVLT	R2, #0x7FFFFFFF -- If R0 value less than 0, then put (0x7FFFFFFF) 2147483647 into R2.
0014	STRLT	R2, [R3] -- If R0 value less than 0, then store R2 value which is 2147483647, into R3 (R3 = dword_36BD38)

Conclusion is, if R0 value less than 0.. then put 2147483647 into bss:dword_36BD38.

Anyway, if you not understand about the logic. F5 hotkey may come handy.

Link to comment
Share on other sites

  • 0

It generally means that value of coins would be highest (because 2147483647 is largest dword) only when value in R0 is less than 0

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check 

is it correct

 

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

couldn't understand this That 

What would be value in R3 register

@saiaapiz

 

Edited by Un_Known
Link to comment
Share on other sites

  • 0
Quote

 

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check 

is it correct

 

Yes, you're correct.

Quote

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

Quote

What would be value in R3 register

R3 is address of dword_36BD38

Link to comment
Share on other sites

  • 0
1 minute ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

ohh thnx buddy once again sorry for disturbing you

Link to comment
Share on other sites

  • 0
1 hour ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

What is happening here can u explain? I have highlighted offset pushed to R1 with cursor?

PicsArt_06-26-03_17_12.thumb.jpg.547e671c5d76686a7c7450a3f6e9023e.jpg

what type of sign is between ahighscore and offset is it just a dash ? What is purpose of ahighscore here? 

Any reference guide for arm instruction set ?

Edited by Un_Known
Link to comment
Share on other sites

  • 0

Above question can be ignored Updated:

I think it is offset is loaded into R1 after subtraction between ahighscore and 0x19D8B4 and their addresses being subtracted!

so Here ahighscore has address =>00319CEC

so 00319CEC - 0x19D8B4 =17C438

So R1, = 17C438 would it be an offset?

Am.i correct or Wrong?

@saiaapiz @Enyby

Edited by Un_Known
Link to comment
Share on other sites

  • 0
2 hours ago, Enyby said:

Offset from PC in LDR location. Useless in any other place.

 

Yep, Ida make we confuse by looking its value pointing directly to target address.

Actually, true opcode look like this LDR R0, [PC, #0x4]

Idk how to explain it, you can find arm opcode documentation on google. They describe how each instruction work.

@Un_Known

Link to comment
Share on other sites

  • 0
  • Administrators

This is how the ARM architecture works. Most addresses are not absolute, but relative, relative to the PC. This is done to save space in instructions. The instruction size is 4 bytes. The size of the 32-bit pointer is also 4 bytes. An absolute address almost always requires 4 bytes, since the code can be located in different places. A relative address can be encoded with 2 or 3 bytes. This will give the opportunity to refer to the memory near the code, where this code would not be located.
And since .bss is not far from .code (.text), this is enough.

Link to comment
Share on other sites

  • 0

Let me explain this real quick.

How they load offset, and calculate address ?

Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Edited by saiaapiz
Link to comment
Share on other sites

  • 0
50 minutes ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?


Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Thnx buddy for putting a lot of effort just to helpme!

Link to comment
Share on other sites

  • 0
3 hours ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?


Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Edited by Un_Known
Link to comment
Share on other sites

  • 0
19 hours ago, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Idk, it just works.

I didn't read hundred pages of arm documentation.

Link to comment
Share on other sites

  • 0
On 6/27/2019 at 2:30 AM, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

So finally I Got answer to this thnx to @saiaapiz .

Posting Answer here because it can help many!

The Program Counter is automatically incremented by the size of the instruction executed. This size is always 4 bytes in ARM state and 2 bytes in THUMB mode. When a branch instruction is being executed, the PC holds the destination address. During execution, PC stores the address of the current instruction plus 8 (two ARM instructions) in ARM state, and the current instruction plus 4 (two Thumb instructions) in Thumb(v1) state. This is different from x86 where PC always points to the next instruction to be executed. 

Edited by Un_Known
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.