How to extract the value from the ARM ASM bits?
In IDA Pro I see the ARM ASM listed below. What bits is IDA using to get 7200?
A3 F5 E1 53 SUB.W R3, R3 #7200
For convenience, the values in binary are as follows:
7200 = 0x1c20 = 0001 1100 0010 0000
0xA3F5E153 = 1010 0011 1111 0101 1110 0001 0101 0011
Edit: Load the file in IDA selecting Mach-O file (DYLIB) ARMv7 [macho.lhc].
The ARM ARM (ARM Architecture Reference Manual) is a good resource, especially for ARM and thumb instruction encoding. For thumb2, though, look for the ARMv7-M TRM (Technical Reference Manual); both are free downloads.
(I know I start this with 0x7200 hex, not 7200 decimal; that's okay, it all works out in the end.)
A sub r3,r3,#0x7200 is encoded as follows (for ARM).
e2433c72 sub r3, r3, #29184 ; 0x7200
The E means always execute.
The upper three bits of the 2 indicate data processing immediate, with no other fixed bits.
The lower bit of the 2 and the upper 3 bits of the 4 are 0010, which means sub.
The lower bit of the 4 is the s bit, meaning update the flags (it would be a subs instruction if that bit were set). The next two nibbles, 3 and 3, are the two instances of r3; the next 4 bits, c, are the rotate field, and the lower 8 bits are the immediate.
The shifter operand is immed_8 rotate_right(rotate_immed * 2), so that would be
0x72 rotated right 24 bits, which is the same as rotating left 32-24 bits, so that would make the immediate 0x7200.
For thumb2 (which is where the sub.w comes from) it is encoded as follows:
f5a3 43e4 sub.w r3, r3, #29184 ; 0x7200
T3 encoding
0xF1A00000, with or without some bits, is the baseline encoding for a SUB.W rd,rd,#const (with a 12-bit immediate; T4 has a 12-bit immed as well).
The 0x4 bit in the 0x5 is the i bit and is set, so we need to know that; the s bit is not set, so it is a sub, not subs. The lower three bits in the 0x....4... nibble are the imm3 field, and the lower 8 bits are the imm8 field. Using arm notation, our immediate is 1:100:11100100
Taking the top five of those bits (i, imm3 and the upper imm8 bit): 11001
That means take the bit pattern 11100100 and shift it right 1001 bits
00000000011100100......
0000 0000 0111 0010 0......
and the constant is
0x00720000, which is off by 256; have to figure that out.
Hmm, I was doing 0x7200; you are doing decimal 7200, which as you mentioned is 0x1C20.
So looking at what your tool is telling you:
A3 F5 E1 53
We know we need a 0xF5A3 so maybe the other part is swapped too.
0xF5A353E1
Which is what I get:
f5a3 53e1 sub.w r3, r3, #7200 ; 0x1c20
same t3 encoding
0xF5A3 means sub.w something,r3,something with the i bit set
0x53E1 means sub.w r3,r3,something and the const is
1:101:11100001
the upper 5 bits 11011
which means shift 11100001 right 0b1011 bits, which is an 11
0000000000011100001000
0000 0000 0001 1100 0010 0000 0000 0000
0x001C2000
If you are old enough to know Seinfeld this falls into the yada, yada category.
A5.3.2 of the armv7-m TRM (Modified immediate constants in thumb instructions).
01010 they show as having two bits padded (of those five bits mnopq, throw out the second one, n, leaving mopq as the shift amount, or 0b0010 in this case).
and they have a ... other stuff, yada yada, then
11111 becomes a shift/pad 23 bits
11110 is pad 22
11101 is pad 21, but the area in between is not linear, there is some magic there
if we keep working backward
11100 is pad 20,
11011 is pad 19,
And that is what we were looking for: a pad of 19 before the 1 and the lower 7 immed8 bits.
0x00001C20
So the thumb2 12-bit constant encoding is a bit painful to follow; there are lots of interesting constants you can optimize for. This particular one, where the upper bit of imm3 is set, leaves you with 4 bits, or 16 patterns/values. But we have up to 24 bits we might want to pad, and we can't get there. Apparently if the i bit is zero you pad down from the top, and if the i bit is set you pad from the midway point, it looks like.
So look at the SUB instruction in the armv7 TRM. Encoding T3 lines up with what you are trying to do. The description says the thumb shift value is i:imm3:imm8; take those bits
to section A.5 of the same manual and look at table A5-1. The T3 encoding calls it a const, not an imm12; the imm12 encoding looks to be in the pseudo code after that A5-1 table.
Also note you are not using ARM instructions; you are looking at thumb2 instructions. Yes, part of the ARM family, but different instruction sets or modes.
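The decode walked through in the answer, as an added example (not from the original post and not ARM's or IDA's own code): it takes the four bytes exactly as IDA lists them, reassembles the little-endian halfwords, extracts i:imm3:imm8 and applies the A5.3.2 ThumbExpandImm rule, and also does the ARM rotate-right immediate for the e2433c72 form. The function names are my own.

```python
def ror32(value, amount):
    """Rotate a 32-bit value right by amount bits."""
    amount %= 32
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def thumb_expand_imm(imm12):
    """ARMv7-M A5.3.2 ThumbExpandImm for a 12-bit i:imm3:imm8 modified constant."""
    imm8 = imm12 & 0xFF
    if ((imm12 >> 10) & 0b11) == 0b00:        # the four replicated-byte forms
        form = (imm12 >> 8) & 0b11
        if form == 0b00:
            return imm8
        if form == 0b01:
            return (imm8 << 16) | imm8
        if form == 0b10:
            return (imm8 << 24) | (imm8 << 8)
        return (imm8 << 24) | (imm8 << 16) | (imm8 << 8) | imm8
    # Otherwise: implicit leading 1 on the low 7 bits, rotated right by the top 5 bits.
    unrotated = 0x80 | (imm12 & 0x7F)
    return ror32(unrotated, imm12 >> 7)

def decode_sub_w_t3(listing_bytes):
    """Decode T3 SUB.W Rd, Rn, #const from the 4 bytes as IDA prints them, e.g.
    bytes.fromhex("A3F5E153"): little-endian halfwords, here 0xF5A3 and 0x53E1."""
    hw1 = int.from_bytes(listing_bytes[0:2], "little")
    hw2 = int.from_bytes(listing_bytes[2:4], "little")
    # T3 SUB (immediate): hw1 = 11110 i 0 1101 S Rn, hw2 = 0 imm3 Rd imm8
    if (hw1 & 0xFBE0) != 0xF1A0 or (hw2 & 0x8000):
        raise ValueError("not a T3 SUB.W Rd, Rn, #const encoding")
    i = (hw1 >> 10) & 1
    s = (hw1 >> 4) & 1
    rn = hw1 & 0xF
    imm3 = (hw2 >> 12) & 0b111
    rd = (hw2 >> 8) & 0xF
    imm8 = hw2 & 0xFF
    imm12 = (i << 11) | (imm3 << 8) | imm8
    return {"rd": rd, "rn": rn, "s": s, "imm12": imm12,
            "const": thumb_expand_imm(imm12)}

def decode_arm_dp_imm(word):
    """ARM (A32) data-processing immediate: imm8 rotated right by 2 * rotate_imm."""
    rotate_imm = (word >> 8) & 0xF
    imm8 = word & 0xFF
    return ror32(imm8, rotate_imm * 2)

if __name__ == "__main__":
    # Sample input: the bytes from the question's IDA listing.
    print(decode_sub_w_t3(bytes.fromhex("A3F5E153")))   # const 7200 == 0x1C20
    print(hex(decode_arm_dp_imm(0xE2433C72)))           # 0x7200
```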