IOS program cracking-ARM Assembly basics and iosarm Assembly Basics
Here: http://www.cnblogs.com/mddblog/p/4951650.html
I. Thumb and ARM commands
The Thumb command is 16 bits, so the storage code density is high, saving storage space. However, the function is incomplete. It is only a supplement to the ARM Instruction Set (32-bit) and is a subset of the ARM instruction set. In the initial stage, we do not need to understand this knowledge, as long as there is a concept to know that there is such a thing.
II. Introduction to ARM registers
R0-R3: used for function parameters and return value transfer, more than four parameters, other parameters exist in the stack, in ARM stack is down, R0 can also be used as the return value.
R4-R6, R8, R10-R11: General registers
R7: stack frame pointer, pointing to the junction between the primary function and the called subfunction in the stack.
R9: reserved by the operating system in iOS3.0
R12: internal process call register, which is used for dynamic links.
R13: SP (stack pointer), which is the top pointer of the stack.
R14: LR (link register), which stores the return address of the function.
R15: PC (program counter), pointing to the current instruction address.
CPSR: the current program Status Register, which stores signs such as the condition flag interrupt and disable in the user State.
In addition, registers related to VFP (vector floating point operation) are not listed.
Iii. Common Assembly
Note
Addition of ADC incoming bits
ADD Addition
AND logic AND
B branch jump, rarely used separately
BL branch jump. After the jump, the return address is saved to r14.
BX Branch jump, and switch the command mode (Thumb/ARM)
CMP comparison value. The result has a program Status Register, which is generally used for Branch judgment.
Jump if the BEQ result is 0
The BNE result is not 0 jump
LDR load registers, from memory to registers
LDRB loads bytes to registers
LDRH loads half-Word to the Register (one word is 32-bit)
LSL logic shifts left. This is an option, not an instruction.
LSR logic shifts right. This is an option, not a command.
MOV transfer value/register to a register
STR stores a register, and the register value is stored in the memory.
STRB stores one byte
STRH stores a half word
SUB Subtraction
Push pop stack operation
For more instructions, refer to here
Iv. function call
Function parameters, local variables, and return addresses are all stored on the stack. The memory on this part of the stack is called Stack frames. And R0 ~ R15 (not all) and CPSR constitute the runtime environment of the function. Each function system allocates a stack frame, which is automatically withdrawn after execution. Every function assumes R0 ~ R15, CPSR, and other CPU-related registers are enjoyed by one user, so do some necessary operations.
For example, assume that when A calls B, A needs to save its own running environment (Save the site), and B needs to restore A's running environment (restore the site) after execution ); in addition, A can pass parameters through the R0-R4, more than four parameters can be passed through the stack, B can return through R0 to pass the return value. Stack operations and register operations are mainly involved. It is the layout of the stack before and after the function call, the left is before the call, and the right is after the call. When B returns, it should return to the Left State (A is before B is called, just like calling B ).
In a stack frame, apart from the previously mentioned parameter area, link area, and local storage area) besides, the stack frame pointer storage area (saved frame pointer) and the register storage area (saved registers area) have been introduced above (R7); the register storage area: save non-loss-prone registers (R4, R5, R6, R8, R10, R11). The following assembly code example will be introduced.
Start calling (on-site protection ):
1) LR inbound stack;
2) R7 is added to the stack, and the registers to be restored are stored in the stack;
3) R7 = SP address;
4) Add the registers that callee will modify and need to be restored when the caller is returned to the stack;
5) Allocate stack space for subprograms.
For the Assembly Code (the decompiled code using hopper disassemble), the analysis is as follows:
The first line: Put LR, R7, R4-R6 into the stack;
The second line: r7 = sp-0xc (pointing to old R7), the reason why 0xc is subtracted because after PUSH, r4, r5, r6 occupies 12 bytes;
Row 3: Save the registers to be restored;
Row 4: Open up stack space for the current function.
Function return (recovery site ):
1) Release stack space;
2) recover the saved registers;
3) Restore R7;
4) pop up the previously stored LR from the stack to the PC, so that the function will return.
For the Assembly Code (the decompiled code using hopper disassemble), the analysis is as follows:
Row 1: Release stack space;
Row 2: restores the saved register;
Row 3: Restore the saved register, R7, and pop up the previously stored LR from the stack to the PC.
For more details about function calls, refer to here
For iOS memory partition, refer to here