Jump to content

ARM Patching (ADVANCED)


XEKEX
 Share

Recommended Posts

Quick notes:
• R0 -> R7 Are Low Registers :  accessible by all instructions that specify a general-purpose register.
• R8 -> R12 are High Registers : accessible by all 32-bit instructions that specify a general-purpose register and not accessible by all 16-bit instructions.
• Register r13 Stack pointer : used as the Stack Pointer (SP). Because the SP ignores writes to bits [1:0], it is autoaligned to a word, four-byte boundary.
• Register r14 Link register : is the subroutine Link Register (LR) : The LR receives the return address from PC when a Branch and Link (BL) or Branch and Link with Exchange (BLX) instruction is executed. The LR is also used for exception return at all other times, you can treat r14 as a general-purpose register.
• Register r15 : Program Counter (PC)
• FPU : The FPU fully supports single-precision add, subtract, multiply, divide, multiply and accumulate, and square root operations. It also provides conversions between fixed-point and floating-point data formats, and floating-point constant instructions
• FPU registers : 
◘ Sixteen 64-bit doubleword registers, D0-D15.
◘Thirty-two 32-bit single-word registers, S0-S31.


63a087f0-60a5-4512-9d3b-f92196424e68.thumb.png.f10a70bb1b82bbb2ecbc25e240b12b80.png
->Source <-
---------------------------------------------------------------------------------------------------------------------------------
In Arm Patching we are using only Low Registers and the FPU.

True and false Editing.
~A MOV R0, #1
MOV means Move , by this instruction we are telling the proccessor to move the value 1 to register R0 similar when you assign a variable name :
R0 = 1 
in most programing languages the true statment always = 1  and the false statment = 0 so #1 = true and #0 = false
~A BX LR
BX Means branch exit LR or in another way return the value we stored to the caller.

Int Editing :
we can use MOV R0, # aswell for the int value but you need to know the integral data types.
byte : Signed: From −128 to 127

­ ­ ­ ­ ­ ­   ­  ­ ­: Unsigned: From 0 to 255

we can use MOV here if the int value we want is between -128 and 255 so the instruction will be : ~A MOV R0, #-128 or #255 at max

short : Signed: From −32,768 to 32,767
               : Unsigned: From 0 to 65,535

in this case we use MOVW the W stands for Word so same as above the instruction will be : ~A MOVW R0, #−32,768 or #65,535 at max

NOTE :
• Don't forget to return (~A BX LR) 
• We can Use MVN which mean Move Negative so the Max Negative Value will be #255 for Byte and MVNW for Short #65,535 (Don't add "-" since we already telling the proccessor we are dealing with negative number)
• #value will be converted automatically to hex value in the Register means #8 will be 0x00000008 and so on

Int 32 : Signed: From −2,147,483,648 to 2,147,483,647
                : Unsigned: From 0 to 4,294,967,295

the typical DWORD in GG : here we move to the advanced Part of this guide:
as I said in the Note above the values are converted in the register automatically to hex so the max value in short in hex will be 0x0000FFFF

so we have 4 zero's we can't change in the int 32, in this case we use one more instructon MOVT  T stands for Top 
example : MOVW R0, #
22136 -> R0 will be : 0X00005678
                     MOVT R0 , #4660 -> R0 will be : 0x12345678
So in case of INT32 we need 2 things
• Convert the value we want to change to hex value 
• 3 instruction in total
the Same concept here work for QWORD aswell (64 bit) 0x0000000000000001
Note : MVN R0, #2 will change to 0xFFFFFFF2 in hex

MOV R0, #2 or MOV R0, #0x2 are the same


Float and Double:
• Float and Double are IEEE 754 Floating-Point: We need the FPU here and things will get a little bit complicated,
• we need 2 or 3 registers in this case R0 , R1 and S0(for float) or D0(for double)

Suppose the hex value of this float 12.6 is : 0x4149999A
same as the int 32 : 
~A MOVW R0, #0x999A (R0 = 0x0000999A)
~A MOVT R0, #0x4149 (R0 now = 0x4149999A)
now R0 is set but if we return the value (~A BX LR) the result will be : 1095342490 and we don't want that value we want 12.6 as float (This Doesn't Work Because we didn't tell the proccessor that is a float number)
the right way is to use FPU
VMOV S15, R0 ( VMOV is the instruction MOV in the FPU : by that instruction we mean move the register value of R0 to the FPU register R15 )
VMOV.F32 S0, S15 (here we are telling the FPU we are dealing with Float number (F32) and move the value from S15 to S0 )
for double we use the same concept except we use F64 instead and register D16 and D0

Float
so the final code will be : 
~A MOVW R0, #0x999A (R0 = 0x0000999A)
~A MOVT R0, #0x4149 (R0 = 0x4149999A)
~A VMOV S15, R0
~A VMOV.F32 S0, S15
~A BX LR
-----------------

Double
For double the hex value of 12.6 is : 0x4029333333333333 (Same Concept for Big Float Number)
• Here we use R0, R1 , D0 and D16
• divide the hex value 0x4029333333333333 into 2 part 0x40293333 and 0x33333333 one goes for R0 and the other one goes for R1
Be carful of the placement of the hex value we start from the last 4 to the 1st 4 means we start with 0x3333 -> 0x4029
Use same concept of MOVW and  MOVT to get the result.
Result:
~A MOVW R0, #0x3333 (R0 = 0x00003333)
~A MOVT R0, #0x3333 (R0 = 0x33333333)
~A MOVW R1, # 0x3333 (R1 = 0x00003333)
~A MOVT R1,  #0x4029 (R1 = 0x40293333)
~A VMOV D16, R0, R1 (Move value Of R0 and R1 to register D16 Be Careful here R0 last 8 hex 1st then R1 the top 8 hex)
~A VMOV.F64 D0, D16 (here we use F64 and D0 , and D16 instead of F32 , S0 and S15 because the hex value is 64 bit)
~A BX LR

------

This is How you arm patch bool / int / float / double
NOTE : When it comes to function args and returns the only register that give return or args are R0,R1,R2,R3 (and SP)
this is why we use R0 and VMOV S15/D16 to S0/D0


----------------------------------------------> Converting Float and Double to Hex <---------------------------------

This is mainly 
IEEE Standard for Floating-Point Arithmetic. (you can skip this part by using online converter)
> You need : 
• Advanced Lua scripting Knowladge.
• Math Knowladge.
• Binary 32 and 64 Knowladge.
--------------Please read--------------

 

Edited by XEKEX
Correcting a mistake
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.