Jump to content
Un_Known

Help me With Instruction logic

Recommended Posts

Posted (edited)

Can anybody explain logic here 

It's ARM instruction set:

Here dword_36BD38 is uninitialized variable in .bss section

LDR       R3, =(dword_36BD38 - 0x19D86C) 

ADD      R3, PC, R3  ; dword_36BD38

CMP      R0, #0

STR       R0, [R3]

MOVLT   R2, #0x7FFFFFFF

STRLT     R2, [R3]

I have a little idea what's happening here but couldn't understand whole logic!

Edited by Un_Known

Share this post


Link to post
Share on other sites

0000	LDR		R3, =(dword_36BD38 - 0x19D86C) -- Load offset to R3
0004	ADD		R3, PC, R3  ; dword_36BD38 -- R3 = PC + Offset (R3)
0008	CMP		R0, #0 -- Check if R0 value equal to 0
000C	STR		R0, [R3] -- Store R0 value into R3 (R3 = dword_36BD38)
0010	MOVLT	R2, #0x7FFFFFFF -- If R0 value less than 0, then put (0x7FFFFFFF) 2147483647 into R2.
0014	STRLT	R2, [R3] -- If R0 value less than 0, then store R2 value which is 2147483647, into R3 (R3 = dword_36BD38)

Conclusion is, if R0 value less than 0.. then put 2147483647 into bss:dword_36BD38.

Anyway, if you not understand about the logic. F5 hotkey may come handy.

Share this post


Link to post
Share on other sites
Posted (edited)

It generally means that value of coins would be highest (because 2147483647 is largest dword) only when value in R0 is less than 0

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check 

is it correct

 

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

couldn't understand this That 

What would be value in R3 register

@saiaapiz

 

Edited by Un_Known

Share this post


Link to post
Share on other sites
Quote

 

Okk if  I change MOVLT to MOV

and STRLT to STR

then value will always be 2147483647 because it will bypass condition check 

is it correct

 

Yes, you're correct.

Quote

and plz elaborate this part =(dword_36BD38 - 0x19D86C)

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

Quote

What would be value in R3 register

R3 is address of dword_36BD38

Share this post


Link to post
Share on other sites
1 minute ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

ohh thnx buddy once again sorry for disturbing you

Share this post


Link to post
Share on other sites
Posted (edited)
1 hour ago, saiaapiz said:

Yes, you're correct.

This push offset into register, then add it with PC. So PC + Offset lead to dword_36BD38 which is targeted address.

R3 is address of dword_36BD38

What is happening here can u explain? I have highlighted offset pushed to R1 with cursor?

PicsArt_06-26-03_17_12.thumb.jpg.547e671c5d76686a7c7450a3f6e9023e.jpg

what type of sign is between ahighscore and offset is it just a dash ? What is purpose of ahighscore here? 

Any reference guide for arm instruction set ?

Edited by Un_Known

Share this post


Link to post
Share on other sites
Posted (edited)

Above question can be ignored Updated:

I think it is offset is loaded into R1 after subtraction between ahighscore and 0x19D8B4 and their addresses being subtracted!

so Here ahighscore has address =>00319CEC

so 00319CEC - 0x19D8B4 =17C438

So R1, = 17C438 would it be an offset?

Am.i correct or Wrong?

@saiaapiz @Enyby

Edited by Un_Known

Share this post


Link to post
Share on other sites

Offset from PC in LDR location. Useless in any other place.

 

Share this post


Link to post
Share on other sites
2 hours ago, Enyby said:

Offset from PC in LDR location. Useless in any other place.

 

Yep, Ida make we confuse by looking its value pointing directly to target address.

Actually, true opcode look like this LDR R0, [PC, #0x4]

Idk how to explain it, you can find arm opcode documentation on google. They describe how each instruction work.

@Un_Known

Share this post


Link to post
Share on other sites

This is how the ARM architecture works. Most addresses are not absolute, but relative, relative to the PC. This is done to save space in instructions. The instruction size is 4 bytes. The size of the 32-bit pointer is also 4 bytes. An absolute address almost always requires 4 bytes, since the code can be located in different places. A relative address can be encoded with 2 or 3 bytes. This will give the opportunity to refer to the memory near the code, where this code would not be located.
And since .bss is not far from .code (.text), this is enough.

Share this post


Link to post
Share on other sites
Posted (edited)

Let me explain this real quick.

How they load offset, and calculate address ?

Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Edited by saiaapiz

Share this post


Link to post
Share on other sites
50 minutes ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?


Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Thnx buddy for putting a lot of effort just to helpme!

Share this post


Link to post
Share on other sites
Posted (edited)
3 hours ago, saiaapiz said:

Let me explain this real quick.

How they load offset, and calculate address ?


Explanation: 
* PC = (Current Instruction Address + 0x8)

00000000         LDR     R0, [PC, 0x1C]; Its calculated like this, R0 = (PC:00000008 + 0x1C = 00000024). Read val at 00000024 which is 0x14, then put into R0.
00000004         ADD     R0, PC, R0 ; Again, R0 = (PC:0000000C + 0x14 (Offset) = 00000020)
00000008         MOV     R1, #0x1234; Move 0x1234 into R1
0000000C         STR     R1, [R0]; Store R1:0x1234 value into R0:00000020 address.
00000010         BX      LR; Jump into LR (LR is register that store address of this function caller.)
00000014         ALIGN 0x10
00000020 MyValue DCD 0x0
00000024 Offset  DCD 0x14


You can find lot of information here, The ARM instruction set

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Edited by Un_Known

Share this post


Link to post
Share on other sites
19 hours ago, Un_Known said:

Why pc is pointing to 0x8 shouldn't it be pointing to  0x4 from current address! 

As next  instruction would always be at 0x4 from current address

as instructions are of 32 bits (exclude thumb instruction set here )@saiaapiz

Idk, it just works.

I didn't read hundred pages of arm documentation.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By Un_Known
      I found a value in Game located at  libgame.so + 0x8AE13.
      But when I would open lib in IDA what should be base address to which I have to add this offset to find that value?
      would it be 0000000 OR something else
    • By Un_Known
      While lib files on android can be analysed statically very easily but dynamic lib debugging is also another option to get to know what is happening during runtime.
      When static analysis may take up alot of time dynamic analysis is always a better option!
      So how to debug libs?
      lib files are not independent they need a running process to be debugged.
      Let's Start:
      Perquisites:
      IDA PRO
      ADB 
      Rooted Device
      USB cable
      Note: Enable usb debugging
      And don't select Filetransfer mode select PTP mode otherwise device won't be listed by ADB
      Google if you don't Know how to Connect  to PC using ADB
      Now
      Load lib in IDA PRO first which is to be analysed.
      Now connect your device to PC over ADB 
      Go to IDA PRO installation directory and from folder dbgsrv copy file android_server to adb folder
      And execute following commands:
      adb devices  [To make sure device is connected ]
      adb push android_server /local/data/tmp
      adb shell
      su
      cd /data/local/tmp
      ll [To Get list of files incurrent  directory]
      chmod 755 android_server 
      ./android_server
      Minimizethe windows where android_server is running and open a new command prompt window and run following command:
      adb forward tcp:23946 tcp:23946
       
      select the "Remote ARM Linux/Android debugger", go into "ProcessOptions" in the debugger menu, and set the hostname to localhost.And port : 23946
      Now Run the apk on your device from which this lib was extracted!
      And In IDA go to:
      Debugger menu Choose attach to process and from list of processes select the process of your apk.
      Thnx 
      Any correction and suggetion would be welcomed!
       
    • By Un_Known
      Can somebody explain following post indexing example from ARM 
      instruction set
      LDR  r0, [r1] ,r2,  lsl#3
×
×
  • Create New...