Using arm assembler to crack IOS program basic knowledge sharing _ios

First, thumb instructions and arm instructions

The thumb instruction is 16 bits, so the storage code is highly dense and saves storage space. But the function is not complete, it is only the arm instruction (32 bit) set supplement, is a subset under the arm instruction set. In the early stages we don't need to know this knowledge, as long as there is a concept to know that there is such a thing.

Second, ARM's register preliminary understanding

R0-R3: For function parameters and return value of the transfer, more than 4 parameters, other parameters exist in the stack, in the arm stack is down, R0 can also be used as a return value.
R4-R6, R8,r10-r11: There is no special provision, is the general General register
R7: Stack frame pointer, pointing to the interface between the parent function and the called child function in the stack.
R9: Reserved by operating system in iOS3.0
R12: Internal procedure Call registers, dynamic link will be used, do not need to delve into
R13:SP (stack pointer), is the top of the stack pointer
R14:LR (link register), which holds the return address of the function.
R15:PC (program counter), pointing to the current instruction address.
CPSR: The current program status register, in the user status, such as the condition flag interrupt disabled.
In addition, VFP (vector floating-point operations) related registers, not listed.

Iii. Common Compilations

Mnemonics description
ADC-carrying addition
Add addition
and Logic and
B Branch jump, rarely used alone
BL Branch Jump, return address deposit after jump R14
BX Branch jump, and switch instruction mode (THUMB/ARM)
CMP comparison value, resulting in a program state register, generally used for branch judgment
BEQ result is 0 jump
BNE result is not 0 jump
LDR register, load from memory to register
LDRB load byte to register
LDRH load half Word to register (one word is 32 bits)
LSL logic left this is an option, not an instruction
LSR logical Move Right this is an option, not an instruction
MOV Transfer value/register to a register
STR stores a register with register values stored in memory
STRB Store One byte
STRH Store a half word
SUB Subtraction
PUSH POP Stack operation

Four, function call

function parameters, local variables, return addresses are stored on the stack, this part of the stack memory is called the stack frame. and r0~r15 (not necessarily all), CPSR and so on together constitute the function of the operating environment. Each function system allocates a stack frame, and the system is automatically retracted after the execution is completed. Each function thinks r0~r15, CPSR and so on CPU related registers for oneself one person to enjoy, therefore must do some necessary operation.

For example: Suppose a calls B, then a to save its own operating environment (save the site), b after the execution, to restore A's operating environment (restore site); In addition, a can also pass the parameters by R0-R4, more than 4 parameters can be passed through the stack, B return can pass the return value by R0. One of the main concerns is the operation of the stack and register operation. The following figure is the layout of the stack before and after the function call, the left is before the call, and the right is called, and when B returns it should go back to the left state (a state before B, like no b is called).

In the above illustration, a stack frame has a stack frame pointer storage area (saved frame pointer) in addition to the already mentioned parameter region (parameter area), Link region (linkage area), and local variable storage (area storage). Register store (saved registers area), the stack frame register is no longer explained, register Store: Save nonvolatile Register (R4,R5,R6,R8,R10,R11), the following assembly code examples will be introduced.

Start Call (Field protection):

1) LR into the stack;

2) R7 into the stack, save to restore the register into the stack;

3) R7 = SP address;

4) will callee will be modified and in return caller need to restore the register into the stack;

5 Allocate stack space for subroutine use.

The following figure is an assembly code (code that uses hopper disassemble to decompile) and is analyzed as follows:

The first line: Will LR, R7, r4-r6 into the stack;

The second line: r7=sp-0xc (pointing to Old R7), the reason is minus 0xc because of push, r4,r5,r6 accounted for 12 bytes;

The third line: Save the Register to restore;

Line four: Open stack space for current function.

function return (Restore site):

1) free stack space;

2) to restore the saved registers;

3) restoration of R7;

4 the previously stored LR is ejected from the stack onto the PC, so the function is returned.

The following figure is an assembly code (code that uses hopper disassemble to decompile) and is analyzed as follows:

The first line: free stack space;

Second line: Restore the saved registers;

The third line: Restore the saved registers, restore the R7, and pop the LR from the stack onto the PC.