Arm command bne. w is changed to B, that is, unconditional jump, armbne. w
Recently, we need to reverse a program and change bne. w to B to jump unconditionally. This article is of great help to me because ios is not like a pc and can directly change Assembly commands in od. After modification through memory write, verify the feasibility and then use ultraedit to modify the binary file to save the executable program. Copy it to the ios device.
Article Source: http://blog.chinaunix.net/uid-22915173-id-225005.html
Meanings of Common commands in ARM
ADD and ADD commands
SUB minus command
STR stores the register content on the stack.
LDR loads the stack content into a register
. W is an optional instruction width specifier. It does not affect the behavior of this command. It only ensures that 32-bit commands are generated. Infocenter.arm.com
BL executes the function call and directs lr to the next instruction of the caller (caller), that is, the return address of the function lr link register.
BLX is the same as above, but switches between ARM and thumb instruction sets.
The CMP command compares the sizes of two operands.
ADD R3, R2, R1, LSR #2; R3R2 + R1 limit 4
ADD R3, R2, R1, LSR R4; R3R2 + R1 20172r4
LDR R0, [R1]; R0 1_[ R1] transfers the data in the memory with the R1 value as the address to R0.
STR R0, [R1]; [R1] 1_r0 transfers the R0 value to the memory where the R1 value is the address.
Base Address addressing
LDR R0, [R1, #4]; R0 1_[ R1 + 4]
LDR R0, [R1, #4]!; R0 1_[ R1 + 4], R1 1_r1 + 4
LDR R0, [R1], #4; R0 1_[ R1], R1 1_r1 + 4
LDR R0, [R1, R2]; R0 1_[ R1 + R2]
LDR R0, [R1, R2, LSL #2]; R0 1_[ R1 + R2 * 4]
Stack addressing
ARM 32-bit command
Stmfd sp! {R0, r1, r3-r5}; r0-r1, r3-r5 into Stack
Ldmfd sp! {R0, r1, r3-r5}; r0-r1, r3-r5 out Stack
Thumb 16-bit command
PUSH {r0, r1, r3-r5}; r0-r1, r3-r5 into Stack
POP {r0, r1, r3-r5}; r0-r1, r3-r5
Full decline stack-into Stack
Stmfd sp !, {R0, r1, r3-r5}
Full decline stack-out Stack
Ldmfd sp !, {R0, r1, r3-r5}
Jump command
B jump command
BL jump command with Link
BLX jump command with Link and status Switch
BX jump command with status Switch
Software interrupt command SWI
SWI 0x2
Breakpoint command (BKPT)
BKPT 0xF02C breakpoint for debugging
Thumb is a 16-bit instruction set.
High code density (the total code size is about 65% of the ARM command)
Performance can be greatly improved when narrow bus memory is used.
Is a subset of the ARM instruction set, not a complete Instruction Set (except Thumb-2)
The core has an execution status-Thumb status.
Switch between ARM and Thumb using the BX command
Http://wenku.baidu.com/link? Url = Response
Others: IDA deeply parses and modifies the so file and ARM assembly
1. What do we want to achieve?
When we reverse the APK, so is always to be modified. However, IDA can modify the assembly code, unlike OD, which can directly modify the Assembly command, and must modify the hexadecimal system through WINHEX and so on. We only know that 00 indicates the code is cleared, and 90 indicates the NOP command, that is, the empty command. However, only deleting a line of code cannot meet the requirements. We need to modify it in depth.
2. Basic knowledge of Intel8086 and ARM
Intel8086 is Intel's 16-bit processor and ARM's 32-bit processor. Each processor corresponds to its own assembly language, so the two processors correspond to 8086 assembly and ARM Assembly respectively. Because of the number of processor digits, the machine code of the 8086 Assembly command is 16 bits, and the machine code of the ARM assembly command is 32 bits. The machine code can be seen as a binary command. In fact, the so-called HEX is called a HEX operating code or a HEX operating code. It is also a BINARY command. It only displays the binary value in hexadecimal format.
3. ARM Assembly is very important
ARM Assembly can do much more in my opinion than 8086 assembly. If you have ARM, you will have mainstream embedded development, then hardware programming, and then robot or mechanical manufacturing. Therefore, ARM is really very important. I hope to study it carefully, not only the ARM instruction set, but also the principle of ARM machine code and the decompilation of the ELF File in linux. The following is a simple explanation.
4. ARM machine code
The ARM machine code is 32-bit. Let's take the jump command BL and BEQ as an example. In fact, we only need to pay attention to the top 8 bits, that is, 24-31 bits. First, let's take a look at the differences between the four digits 28-31 and the four digits under different conditions. Then, in the 27-24 bits, BL and BEQ are both 1010. Therefore, the binary value of the BL command is 11101010, that is, the hexadecimal EA. The hexadecimal value of the same BEQ is 0A.
5. SO
When we put the Assembly Language in SO in the tool to convert it to HEX, we will find that HEX in IDA is sometimes totally different, this is because IDA sometimes decompile SO to use 16-bit ARM, that is, the Thumb command, but sometimes it is a 32-bit command of ARM.
6. Modify the Assembly jump command
This is generally the Thumb command. Generally, a line of code corresponds to two HEX codes.
Example: Change the bne command to the beq command
Through tools, we found that the HEX machine code corresponding to the bne jump command is D1, And the HEX machine code corresponding to beq is D0. Then we modified it with WINHEX and then detected it with IDA.
7. modify data
This is generally an ARM command. Generally, a line of code corresponds to four HEX codes.
Example
So the original ARM code: mov R1, #0x49C8
The maximum value can be changed to 0 XFFFF, that is, 65535. The modified code should be mov R1, #0 xFFFF.
Why is the HEX: C8 19 04 E3 corresponding to the original code similar to 8086 Assembly, that is, the hexadecimal and assembly code are roughly reversed. The final E3 is the MOV Assembly command. Let's make a correct reversal: E3 01 49 C8. Now I understand it! Therefore, we changed to FF 1F 0F E3.
Of course, tools can be used directly for convenience, but such analysis can greatly enhance the ARM analysis capability. But don't worry too much about tools, because in many cases, tools may encounter errors or are inconsistent with the HEX-VIEW in IDA, which is not conducive to learning. Therefore, the tool is only an aid, and it is mainly a brain engine.
8. Modify the string
This situation is relatively simple. The string is a string. You can modify the HEX code of the string by using the ASCII-to-HEX tool. We can compare the two so codes. Of course, the simplest way to modify the string is to use WINHEX to directly modify the string on the right. In fact, this is the same as modifying the text. notepad and notepad can both be used. You can also modify the SO string in the MT, HEXEDITOR, and hex editor on the mobile phone end. We recommend that you use the ADK editor of the Mo xiaokeng brother.