iOS Program Cracking——ARM Assembly Basics

Publisher: Meiren520  Latest update: 2019-12-23  Source: eefocus  Keywords: iOS

1. Thumb instructions and ARM instructions

Thumb instructions are 16 bits wide (Thumb-2, which iOS ARMv7 code uses, adds 32-bit encodings), so code density is high and storage space is saved. The Thumb set is not complete on its own: it is a supplement to, and a subset of, the 32-bit ARM instruction set. At the beginner stage you do not need to understand this in depth; it is enough to know that the two instruction states exist and that a processor can switch between them (see BX below).


2. Preliminary understanding of ARM registers

  R0-R3: used to pass the first four function arguments and to return values. Any further arguments are passed on the stack (on ARM the stack grows downward, toward lower addresses). R0 holds the return value (R0 and R1 together for a 64-bit result).


  R4-R6, R8, R10-R11: no special role, general-purpose registers. They are callee-saved: a function that modifies them must restore them before returning.
  R7: frame pointer, pointing into the stack at the boundary between the caller's frame and the called function's frame. Apple's iOS ABI uses R7 as the frame pointer in both ARM and Thumb code (the generic ARM convention uses R11 in ARM state).
  R9: reserved by the operating system before iOS 3.0; from iOS 3.0 onward it is an ordinary caller-saved register.
  R12: IP, the intra-procedure-call scratch register, used by dynamic-linking stubs; no need to delve into it here.
  R13: SP (stack pointer), points to the top of the stack, i.e. the lowest address currently in use.
  R14: LR (link register), holds the return address of the current function.
  R15: PC (program counter), points to the current instruction. Reading it yields the current instruction's address plus 4 in Thumb state (plus 8 in ARM state), which matters when code computes addresses relative to PC.
  CPSR: current program status register, holds the condition flags (N, Z, C, V), the interrupt-disable bits and the Thumb state bit; in user mode only the flags are normally of interest.


  There are also the VFP (vector floating-point) registers, which are not listed here.


3. Commonly used instructions

  Mnemonic  Description
  ADC       Add with carry
  ADD       Add
  AND       Logical AND
  B         Unconditional branch; no return address is saved
  BL        Branch with link: the return address is stored in R14 (LR) before the jump
  BX        Branch to the address held in a register, switching between Thumb and ARM state according to the low bit of that address
  CMP       Compare two values; the result only sets the condition flags in CPSR and is normally followed by a conditional branch
  BEQ       Branch if equal (Z flag set, i.e. the compared values were equal or the result was 0)
  BNE       Branch if not equal (Z flag clear)
  LDR       Load register: load a 32-bit word from memory into a register
  LDRB      Load a byte from memory into a register (zero-extended)
  LDRH      Load a halfword (16 bits; a word is 32 bits) into a register
  LSL       Logical shift left; in classic ARM syntax this is a modifier on the second operand (e.g. ADD R0, R1, R2, LSL #2) rather than a stand-alone instruction (unified Thumb syntax also offers it as a separate mnemonic)
  LSR       Logical shift right; likewise an operand modifier
  MOV       Move an immediate value or a register into a register
  STR       Store register: write a register's 32-bit value to memory
  STRB      Store the low byte of a register to memory
  STRH      Store the low halfword of a register to memory
  SUB       Subtract
  PUSH/POP  Push registers onto / pop registers from the stack; SP is adjusted automatically


4. Function call

  A function's arguments, local variables and return address are stored on the stack; that part of the stack is the function's stack frame. Together with the registers R0-R15 (not necessarily all of them) and CPSR, it forms the function's execution context. A stack frame is set up for each function on entry and released when the function returns. Every function treats R0-R15, CPSR and the other CPU registers as its own, so the registers it shares with its caller must be saved and restored around the call.


  For example, suppose A calls B. On entry B must save A's context (save the scene), and before returning it must restore A's context (restore the scene). A passes up to four arguments in R0-R3; any further arguments are passed on the stack. When B returns, the return value is passed back in R0. The work involved is mostly stack operations and register moves. The following figure shows the stack layout before and after the function call: the left side is before the call, the right side after it. When B returns, the stack should be back in the state on the left (the state before A called B, as if B had never been called).

  Besides the argument area, linkage area (saved return address) and local storage area mentioned above, a stack frame also contains a saved-frame-pointer area and a saved-registers area. The frame pointer (R7) was introduced above; the saved-registers area holds the non-volatile (callee-saved) registers R4, R5, R6, R8, R10 and R11, as the assembly examples below show.


  Start of the call (save the context):

  1) LR is pushed onto the stack;

  2) R7 (the caller's frame pointer) is pushed onto the stack; in practice a single PUSH saves LR, R7 and the callee-saved registers together;

  3) R7 = the address of the saved old R7, so the new frame is linked to the caller's frame;

  4) Any further callee-saved registers that the function will modify, and must therefore restore before returning to the caller, are pushed;

  5) Stack space is allocated for the function's own local variables.


  The following figure is the assembly code (disassembled with Hopper Disassembler); the analysis is as follows:

  Line 1: push LR, R7 and R4-R6 onto the stack in a single PUSH;

  Line 2: r7 = sp + 0xc, pointing at the saved old R7. The offset is 0xc because after the PUSH r4, r5 and r6 occupy the 12 bytes between SP and the saved R7 (PUSH places the lowest-numbered register at the lowest address, so with the stack growing downward the saved R7 sits 12 bytes above SP); the saved LR is at r7 + 4;

  Line 3: save any further registers that must be restored;

  Line 4: allocate stack space for the current function.

  Function return (restore the context):

  1) Release the stack space;

  2) Restore the saved registers;

  3) Restore R7;

  4) Pop the previously saved LR into PC, which returns to the caller.

  The following figure is the assembly code (disassembled with Hopper Disassembler); the analysis is as follows:

  Line 1: release the stack space (add the allocated size back to SP);

  Line 2: restore the registers saved in step 4 of the prologue;

  Line 3: a single POP restores R4-R6 and R7 and pops the saved LR into PC, so the function returns in the same instruction.
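  The listing below puts the instruction table from section 3 and the prologue/epilogue sequence analysed above together in one complete two-function example, written in unified Thumb-2 syntax as accepted by the Apple and GNU assemblers. It is an added illustration for this page, not code from the original article or from its Hopper screenshots; the function names _sum5 and _check, the argument values and the 8-byte local area are assumptions chosen so that every step appears once. It assumes the iOS ARMv7 ABI described above: R7 is the frame pointer, the first four arguments travel in R0-R3, and the fifth argument is the word at [sp] on entry.

```asm
        .syntax unified
        .text
        .thumb
        .align  2

@ int sum5(int a, int b, int c, int d, int e)   (hypothetical function for this example)
@ a..d arrive in r0-r3; e is the first word on the caller's stack, at [sp] on entry.
        .globl  _sum5
        .thumb_func
_sum5:
        push    {r4, r5, r6, r7, lr}    @ one PUSH saves LR, old R7 and callee-saved r4-r6;
                                        @ the lowest-numbered register lands at the lowest address
        add     r7, sp, #12             @ R7 -> saved old R7: r4, r5, r6 occupy the 12 bytes below it
        sub     sp, sp, #8              @ local storage (8 bytes keeps SP 8-byte aligned)
        ldr     r4, [r7, #8]            @ e: [r7] = old R7, [r7+4] = saved LR, [r7+8] = 5th argument
        adds    r0, r0, r1
        adds    r0, r0, r2
        adds    r0, r0, r3
        adds    r0, r0, r4              @ r0 = a+b+c+d+e, the return value
        str     r0, [sp]                @ spill the result into the local slot (STR: register -> memory)
        ldr     r0, [sp]                @ and reload it (LDR: memory -> register)
        add     sp, sp, #8              @ release the local storage
        pop     {r4, r5, r6, r7, pc}    @ restore r4-r6 and old R7, then pop the saved LR into PC

@ int check(void): calls sum5(1, 2, 3, 4, 5) and returns 1 if the result is 15, else 0
        .globl  _check
        .thumb_func
_check:
        push    {r7, lr}                @ two-register prologue: nothing sits between SP and old R7,
        mov     r7, sp                  @ so R7 = SP with no offset
        sub     sp, sp, #8              @ outgoing-argument area (4 bytes used; 8 for alignment)
        movs    r0, #5
        str     r0, [sp]                @ the 5th argument goes on the stack at [sp]
        movs    r0, #1                  @ arguments 1-4 go in r0-r3
        movs    r1, #2
        movs    r2, #3
        movs    r3, #4
        bl      _sum5                   @ LR = return address; on return r0 holds the result
        cmp     r0, #15                 @ sets N, Z, C, V in CPSR, modifies no register
        beq     Lmatch                  @ branch if equal (Z set)
        movs    r0, #0                  @ not equal: return 0
        b       Ldone                   @ unconditional branch, no return address saved
Lmatch:
        movs    r0, #1                  @ equal: return 1
Ldone:
        add     sp, sp, #8              @ release the argument area
        pop     {r7, pc}                @ restore R7 and return through the saved LR
```

  Assemble it with clang -target armv7-apple-ios -c and look at the result in Hopper or otool -tv: the prologue of _sum5 appears as push {r4, r5, r6, r7, lr} / add r7, sp, #12 / sub sp, #8, the same pattern analysed above. Whatever the function, [r7] holds the caller's R7 and [r7+4] holds the saved return address, which is the chain a debugger follows to build a backtrace and the first thing to read when tracing who called a routine you are examining.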
