rVolume Offer - which want share litlle arm reversing project ? - enter then :-)

[gsmVolume]

Hi,

we see that is here nothing interest topics about reversing engineering, then we start a litlle project to show other beginners how is possible analize any arm fragment code and get usefull information from compiled binary code for ARM 7 - 8 family CPUs.

As the example we inlude as the atachment "DWL87.bin" file. This is the old bootloader for Samsung from any old program.

Then just no crazy craps, and go to first lesson.

So get ida pro with a ARM CPU support and open this binary file in ida.

Ida will ask for the processor type then select ARM processors: ARMB (Big endian) and all other setings keep as is default and press OK button.

Three folowing message windows you can skip with the OK button also.

Now you see the code in the collumn representated as the bytes table.

For better orientation you go now to the setings (option/general) and to field "Number of opcode bytes put value 0x04" Is this for showing opcode bytes from which are constructed every command. With this 4bytes is easy check if actualy fragment code is in mode 16bit (thumb) or 32but (arm).
For beginners is too recommendet check the checkbox "autocomments". Now accept and show IDA View-A !

[gsmVolume]

We will continue if will focus for this thread.

[XARiUS]

Very good idea! I'm waiting for this thread to continue...

Best Regards
XARiUS

[Piratos]

Hi

Good idea . . we want continus in this tutorials

WBR

[gsmVolume]

2.

Go to the first adress with a cursor and press key "C" for disassemble the code.

You will see folowing arm assembler code:

ROM:00000000 ; Segment type: Pure code
ROM:00000000 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:00000000 CODE32
ROM:00000000 EA 00 06 34 B loc_18D8
ROM:00000004 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
ROM:00000004 EA 00 06 2A B loc_18B4
ROM:00000008 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
ROM:00000008 EA 00 06 29 B loc_18B4
ROM:0000000C ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
ROM:0000000C EA 00 06 28 B loc_18B4
ROM:00000010 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
ROM:00000010 EA 00 06 27 B loc_18B4
ROM:00000010 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
ROM:00000014 E1 DCB 0xE1 ; ß
ROM:00000015 A0 DCB 0xA0 ; á
ROM:00000016 00 DCB 0
ROM:00000017 00 DCB 0
ROM:00000018 EA DCB 0xEA ; ŕ
ROM:00000019 00 DCB 0


IMPORTANT: ida can't alone recognize if is actualy mode 16 or 32 bit then yu mus switch mode manualy. If you want switch mode to 16bit then press ALT+G and put value 0x01. If you want switch mode to 32bit tnen press the same hotkey but insert value 0x00.

16bit mode = thumb and have TWO opcode bytes, only any exception have four bytes as opcode bytes.

32bit mode = arm and have FOUR opcode bytes every.

structure
[actual adress in memory] [opcode bytes] [arm asm command]
ROM:00000010 EA 00 06 27 B loc_18B4

Your work will now easy, right disassemble full code in this project. You have not check what which command make at this time, only disassemble the code and later we can continue.


Fragment Example :

; ────────────────────────────────────────────────── ─────────────────────────
; File Name : C:\DWL87.bin
; Format : Binary File
; Base Address: 0000h Range: 0000h - 1BF8h Loaded length: 1BF8h

; Processor : ARMB
; Target assembler: Generic assembler for ARM
; Byte sex : Big endian

; ══════════════════════════════════════════════════ ═════════════════════════

; Segment type: Pure code
AREA ROM, CODE, READWRITE, ALIGN=0
CODE32
B loc_18D8
; ────────────────────────────────────────────────── ─────────────────────────
B loc_18B4
; ────────────────────────────────────────────────── ─────────────────────────
B loc_18B4
; ────────────────────────────────────────────────── ─────────────────────────
B loc_18B4
; ────────────────────────────────────────────────── ─────────────────────────
B loc_18B4
; ────────────────────────────────────────────────── ─────────────────────────
NOP
B loc_18B4
; ────────────────────────────────────────────────── ─────────────────────────
B loc_20

loc_20
SUB LR, LR, #4
STMFD SP!, {R0-R3,LR}
LDR R8, =0xFFFF8100
LDRB R9, [R8,#0x1F]
MRS R10, SPSR
STMFD SP!, {R10}
MOV R0, R9
MOV R2, #0xDF ; '▀'
MSR CPSR_cf, R2
STMFD SP!, {R12,LR}
MOV R2, #0x9F ; 'č'
MSR CPSR_cf, R2
BL sub_18C0
MOV R2, #0xDF ; '▀'
MSR CPSR_cf, R2
LDMFD SP!, {R12,LR}
MOV R2, #0xD1 ; 'Đ'
MSR CPSR_cf, R2
LDMFD SP!, {R10}
LDMFD SP!, {R0-R3}
MSR SPSR_cf, R10
LDMFD SP!, {PC}^
; ────────────────────────────────────────────────── ─────────────────────────
dword_78 DCD 0xFFFF8100 ; DATA XREF: ROM:00000028r
CODE16

; ███████████████ S U B R O U T I N E ███████████████████████████████████████


sub_7C ; CODE XREF: ROM:000000BEp
LDR R1, =aVar_5178_tdon_
LDR R0, =0x100000
LDR R2, =loc_1E4
ADD R2, R1, R2
B loc_8E
; ────────────────────────────────────────────────── ─────────────────────────

loc_86 ; CODE XREF: sub_7C+14j
LDR R3, [R1]
STR R3, [R0]
ADD R1, #4
ADD R0, #4

loc_8E ; CODE XREF: sub_7C+8j
CMP R1, R2
BLS loc_86
LDR R0, =0x1001E4
LDR R1, =0x17F38
ADD R2, R0, R1
MOV R1, #0
B loc_A0
; ────────────────────────────────────────────────── ─────────────────────────

loc_9C ; CODE XREF: sub_7C+26j
STR R1, [R0]
ADD R0, #4

loc_A0 ; CODE XREF: sub_7C+1Ej
CMP R0, R2
BNE loc_9C
BX LR
; End of function sub_7C

; ────────────────────────────────────────────────── ─────────────────────────
DCB 0
DCB 0
off_A8 DCD aVar_5178_tdon_ ; DATA XREF: sub_7Cr
; "@(#) | | | | var_5178_tdon_nano_gprs"...
dword_AC DCD 0x100000 ; DATA XREF: sub_7C+2r
off_B0 DCD loc_1E4 ; DATA XREF: sub_7C+4r
dword_B4 DCD 0x1001E4 ; DATA XREF: sub_7C+16r
dword_B8 DCD 0x17F38 ; DATA XREF: sub_7C+18r
; ────────────────────────────────────────────────── ─────────────────────────
CODE16

loc_BC ; CODE XREF: ROM:000018D0j
; DATA XREF: ROMff_18D4o
PUSH {LR}
BL sub_7C
LDR R0, =0x28D0
LDR R1, =0xFFFF9500
STRH R0, [R1,#0x12]
LDR R1, =0xFFFF8000
MOV R0, #0x78 ; 'x'
STRB R0, [R1,#3]
LDR R0, =0xFFFF9000
MOV R1, #0
STRB R1, [R0,#3]
STRB R1, [R0,#2]
STRB R1, [R0,#7]
STRB R1, [R0,#6]
STRB R1, [R0,#0xB]
MOV R1, #0xFF
STRB R1, [R0,#0xE]
MOV R1, #0xEB ; 'Ű'
STRB R1, [R0,#0xF]
MOV R1, #0xD0 ; 'đ'
STRB R1, [R0,#3]
MOV R1, #0x1B
STRB R1, [R0,#2]
MOV R1, #2
STRB R1, [R0,#0xB]
MOV R0, #0xA0 ; 'á'
BL sub_510
MOV R0, #3
BL sub_510
MOV R0, #0
BL sub_510
BL sub_11C
POP {R3}
BX R3
; ────────────────────────────────────────────────── ─────────────────────────
DCB 0
DCB 0
dword_10C DCD 0x28D0 ; DATA XREF: ROM:000000C2r
dword_110 DCD 0xFFFF9500 ; DATA XREF: ROM:000000C4r
dword_114 DCD 0xFFFF8000 ; DATA XREF: ROM:000000C8r
dword_118 DCD 0xFFFF9000 ; DATA XREF: ROM:000000CEr



Any offset segments mus't be every asm code. If is any file compiled, mus be included in this filke all as code, bytes tables, word tables, dword tables, then if any code have not a sense (chaotic code or like) you can this code select as the

byte - 1 byte = 1x key "D"
word - 2 bytes = 2x key "D"
dword - 4 bytes = 1x key "Q"

but before try also switch the code to another MODE with ALT+G combination. If you are sure that the code is not real core select it as byte, word, or dword.

All help about hotkeys seting you can find in ida help. We too presumption that you litlle know programming in C++ and equivalents programing languages. Not vb, maybe delphi, but for completing understanding is best c++.

In next lesson we set memory segmentation for easy use in analizing and comment core, and we make last changes before alone analizing core functions.

Question to this lesson are welcome.

[sebi_surse]

Thank you. At last someone who likes what it does.
Question : after dissasambing i get this code only ... where did you get the long code ? I ask this becouse from at beggining i have
ROM:00000000 ;
ROM:00000000 ; +-------------------------------------------------------------------------+
ROM:00000000 ; ¦ This file is generated by The Interactive Disassembler (IDA) ¦
ROM:00000000 ; ¦ Copyright (c) 2002 by DataRescue sa/nv, <ida@datarescue.com> ¦
ROM:00000000 ; ¦ Licensed to: Thomas Wright, DVDMods, 1 user, special ¦
ROM:00000000 ; +-------------------------------------------------------------------------+
ROM:00000000 ;
ROM:00000000 ; ---------------------------------------------------------------------------
ROM:00000000 ; File Name : C:\Documents and Settings\eRogue\Desktop\DWL87\DWL87.bin
ROM:00000000 ; Format : Binary File
ROM:00000000 ; Base Address: 0000h Range: 0000h - 1BF8h Loaded length: 1BF8h
ROM:00000000
ROM:00000000 ; Processor : ARMB
ROM:00000000 ; Target assembler: Generic assembler for ARM
ROM:00000000 ; Byte sex : Big endian
ROM:00000000
ROM:00000000 ; ---------------------------------------------------------------------------
ROM:00000000
ROM:00000000 ; Segment type: Pure code
ROM:00000000 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:00000000 CODE32
ROM:00000000 EA 00 06 34 B loc_18D8 ; Branch
ROM:00000000 ; -------------------------------
and after from 00000004 to ROM:000018D8 i have only some DBC .... and after the code below also only DCB................. please help. Thank you in advance...

ROM:000018CC ; ---------------------------------------------------------------------------
ROM:000018CC
ROM:000018CC loc_18CC ; CODE XREF: ROM:00001950j
ROM:000018CC E5 9F C0 00 LDR R12, =unk_BD ; Load from Memory
ROM:000018D0 E1 2F FF 1C BX R12 ; Branch to/from Thumb mode
ROM:000018D0 ; ---------------------------------------------------------------------------
ROM:000018D4 00 00 00 BD off_18D4 DCD unk_BD ; DATA XREF: ROM:000018CCr
ROM:000018D8 ; ---------------------------------------------------------------------------
ROM:000018D8
ROM:000018D8 loc_18D8 ; CODE XREF: ROM:00000000j
ROM:000018D8 E1 A0 60 00 MOV R6, R0 ; Rd = Op2
ROM:000018DC 72
ROM:000018DC CODE32
ROM:000018DC E5 9F 00 70 LDR R0, =0x11711C ; Load from Memory
ROM:000018E0 E2 80 0A 01 ADD R0, R0, #0x1000 ; Rd = Op1 + Op2
ROM:000018E4 E3 A0 30 D3 MOV R3, #0xD3 ; '+' ; Rd = Op2
ROM:000018E8 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:000018EC E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:000018F0 E2 40 0C 01 SUB R0, R0, #0x100 ; Rd = Op1 - Op2
ROM:000018F4 E3 A0 30 D2 MOV R3, #0xD2 ; '-' ; Rd = Op2
ROM:000018F8 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:000018FC E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:00001900 E2 40 0C 01 SUB R0, R0, #0x100 ; Rd = Op1 - Op2
ROM:00001904 E3 A0 30 D7 MOV R3, #0xD7 ; '+' ; Rd = Op2
ROM:00001908 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:0000190C E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:00001910 E2 40 0C 01 SUB R0, R0, #0x100 ; Rd = Op1 - Op2
ROM:00001914 E3 A0 30 DB MOV R3, #0xDB ; '¦' ; Rd = Op2
ROM:00001918 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:0000191C E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:00001920 E2 40 0C 01 SUB R0, R0, #0x100 ; Rd = Op1 - Op2
ROM:00001924 E3 A0 30 D1 MOV R3, #0xD1 ; '-' ; Rd = Op2
ROM:00001928 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:0000192C E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:00001930 E2 40 0C 01 SUB R0, R0, #0x100 ; Rd = Op1 - Op2
ROM:00001934 E3 A0 30 1F MOV R3, #0x1F ; Rd = Op2
ROM:00001938 E1 21 F0 03 MSR CPSR_c, R3 ; Transfer Register to PSR
ROM:0000193C E1 A0 D0 00 MOV SP, R0 ; Rd = Op2
ROM:00001940 E5 9F 00 10 LDR R0, =0xFFFF8003 ; Load from Memory
ROM:00001944 E5 D0 10 00 LDRB R1, [R0] ; Load from Memory
ROM:00001948 E3 81 10 70 ORR R1, R1, #0x70 ; Rd = Op2 | Op1
ROM:0000194C E5 C0 10 00 STRB R1, [R0] ; Store to Memory
ROM:00001950 EA FF FF DD B loc_18CC ; Branch
ROM:00001950 ; ---------------------------------------------------------------------------
ROM:00001954 00 11 71 1C dword_1954 DCD 0x11711C ; DATA XREF: ROM:000018DCr
ROM:00001958 FF FF 80 03 dword_1958 DCD 0xFFFF8003 ; DATA XREF: ROM:00001940r
ROM:0000195C 47 DCB 0x47 ; G
ROM:0000195D 78 DCB 0x78 ; x
ROM:0000195E 46 DCB 0x46 ; F

[gsmVolume]

You mus press hotkey "C" everytime if program stop dissasemble.Not only once. Then you go to first byte press "C". Program construc command B (Blanch). Again "C" on next undissasembled bytes till end.

[balu_dark]

i think firstly need to understand some basic math algo
as multiply ,addition etc
example :
mov r0,12 put into r0 value 12(decimal)
mov r1,r0,lsl 4 multiply 12 at 16(192 dec) and put result to r1
add r0,r0,r1 add 192 and 12 and put in r0
this is example of multiply by 17

http://www.finesse.demon.co.uk/steven/sqrt.html arm square root routines
second info:
http://www.peter-teichmann.de/ahinte.html

[gsmVolume]

all about syntaxe and arm cpu family you find on www.arm.com

[balu_dark]

easy for understand basic for arm asm here:
http://k2pts.home.comcast.net/gbaguy/gbaasm.htm
i think best and very simply arm7 assembler you find here:
http://www.goldroad.co.uk/
many info about arm7 and programming here:
http://gbadev.org/index.php

[sebi_surse]

balu, i worked with 80c86 asm and i do have some knowledge of asm. Also some background experience like programmer. Anyway thank's for the info.

by the way a newer version of idapro where can i get ? i have 4.07 i think ... (not on my current computer right now). I've visitet the idapro section of this forum but there is no link working.

thank you againd friends

[say2k]

@rVolume
continue please...
thanks

[gsmVolume]

Quote:

Originally Posted by sebi_surse

balu, i worked with 80c86 asm and i do have some knowledge of asm. Also some background experience like programmer. Anyway thank's for the info.

by the way a newer version of idapro where can i get ? i have 4.07 i think ... (not on my current computer right now). I've visitet the idapro section of this forum but there is no link working.

thank you againd friends

try this link -
http://soft.0zones.com/SoftView/SoftView_15573.html

[sebi_surse]

@rVolume would you like to continue ??? please ... don't play like the cat and mouse please

[sebi_surse]

rvolume thank you for the link ... pleaseeeeeeee continue ....