Hackint0sh.org, General forum
#1 n000b (Senior Professional, joined Mar 2007)

Disassemble SpringBoard, help needed!

    Hey, I'm disassembling SpringBoard. There are some instructions which IDA doesn't disassemble; the following is an example:

    __text:0001F69C loc_1F69C ; DATA XREF: __inst_meth:00095DF0
    __text:0001F69C LDR R1, =ofs_IsDeviceLocked ; Load from Memory
    __text:0001F6A0 STMFD SP!, {R4-R7,LR} ; Store Block to Memory
    __text:0001F6A4 ADD R7, SP, #0xC ; Rd = Op1 + Op2
    __text:0001F6A8 LDR R1, [R1] ; Load from Memory
    __text:0001F6AC MOV R4, R0 ; Rd = Op2
    __text:0001F6B0 MOV R6, R3 ; Rd = Op2
    __text:0001F6B0 ; ----------------------------------------------------------------------
    __text:0001F6B4 DCD 0xE6EF5072
    __text:0001F6B8 ; ----------------------------------------------------------------------
    __text:0001F6B8 BL _objc_msgSend ; Branch with Link
    __text:0001F6BC LDRB R3, [R4,#0x49] ; Load from Memory
    __text:0001F6C0 TST R3, #2 ; Set cond. codes on Op1 & Op2
    __text:0001F6C0 ; ----------------------------------------------------------------------
    __text:0001F6C4 DCD 0xE6EF0070
    __text:0001F6C8 ; ----------------------------------------------------------------------
    __text:0001F6C8 BEQ loc_1F6E8 ; Branch
    __text:0001F6CC LDR R0, =off_90DC0 ; Load from Memory
    __text:0001F6D0 LDR R1, off_1F830+4 ; Load from Memory
    I think the DCD definitions are actually instructions, and I've checked the ARM Instruction Set but didn't find any instruction associated with 0xE6. Can anyone help me out?
    Last edited by n000b; 09-15-2007 at 01:42 PM.



#2 Darkmen (Professional, joined Aug 2007)


    These are ARM11 instruction codes:

    DCD 0xE6EF5072 = uunpk8to32 r5, r2
    DCD 0xE6EF0070 = uunpk8to32 r0, r0

#3 cuzco (Professional, joined Jul 2007)


    I know nothing about assembler but Googling "ARM DCD" I found a couple of code examples and one mentioned that it was an assembler directive. Googling "ARM DCD Directive" turned up this word document which defines it as:

    DCD

    This declares one or more words. In this case each DCD stores a single word - the address of a routine to handle a particular clause of the jumptable. This can then be used to implement the jump using:

    LDR pc, [r3,r0,LSL#2]

    This instruction causes the address of the required clause of the jump table be loaded into the PC. This is done by multiplying the clause number by 4 (to give a word offset), adding this to the address of the jump table, and then loading the contents of the combined address into the PC (from the appropriate DCD).

#4 n000b (Senior Professional)


    Quote Originally Posted by Darkmen:
    This is ARM11 instruction codes

    DCD 0xE6EF5072 = uunpk8to32 r5, r2
    DCD 0xE6EF0070 = uunpk8to32 r0, r0
    Thanks. Any clue where I can get a copy of the full ARM11 instruction set document?

#5 n000b (Senior Professional)


    Quote Originally Posted by cuzco:
    I know nothing about assembler but Googling "ARM DCD" I found a couple of code examples and one mentioned that it was an assembler directive. Googling "ARM DCD Directive" turned up this word document which defines it as:
    Thanks. But I doubt it's the case here, 'cuz if it is, then the codes following it will never get a chance to execute.


#6 iPhone DevTeam member (Always sunny Los Angeles, California; joined Aug 2007)


    This is an Apple-defined extended instruction. It throws an exception that's handled by the "Undefined instruction" vector at 0x00000004, which then interprets the encoding.

    Bits 27:25=011 and Bit 4=1. That is precisely the format of the "undefined instruction". See section 3.13 of the ARM Architecture Reference Manual for more details. http://www.arm.com/community/university/eulaarmarm.html

    You'll need to dig down into the exception handler to see how Apple has defined that instruction.

#7 Darkmen (Professional)


    Not in this case man

    DCD 0xE6EF5072 = uunpk8to32 r5, r2 = mov r5, byte(r2)
    DCD 0xE6EF0070 = uunpk8to32 r0, r0 = mov r0, byte(r0)
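As an added check for this thread (written for this page; it is not code from any post, from IDA or from Apple), the Python below decodes the two DCD words against the ARMv6 encodings in the ARM Architecture Reference Manual. Bits 27:25 = 011 with bit 4 = 1 is the space that was undefined through ARMv5 and that ARMv6, the ARM11's architecture, reallocated to its media instructions, so a disassembler that only knows older ARM leaves those words as data. Within that space, bits 27:23 = 01101 and bits 7:4 = 0111 are the byte/halfword extend instructions (SXTB, UXTB, SXTH, UXTH, their B16 forms and the accumulating SXTA*/UXTA* forms). 0xE6EF5072 decodes as UXTB R5, R2 (R5 = zero-extended low byte of R2) and 0xE6EF0070 as UXTB R0, R0, which is the mov r5, byte(r2) reading given in post #7. The function names, the register-file dict and the sample register values are constructed for the example; the bit layout is the manual's.

```python
# Added example for this thread (not code from any post, IDA, or Apple):
# decode the ARMv6 byte/halfword extend instructions that IDA showed as DCD.
# Encoding (ARM Architecture Reference Manual, ARMv6 edition):
#   cond | 0 1 1 0 1 | U | op | Rn | Rd | rot | 0 0 | 0 1 1 1 | Rm
#   U = 1 unsigned / 0 signed; op: 00 = B16, 10 = B, 11 = H (01 unallocated);
#   Rn = 1111 means no accumulate (SXTB/UXTB ...), otherwise SXTAB/UXTAB ...
# Assumption: ARM state, 32-bit words as printed in the IDA listing.

MASK32 = 0xFFFFFFFF
COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]
OP_NAMES = {0b00: "B16", 0b10: "B", 0b11: "H"}


def bits(word, hi, lo):
    """Bits hi..lo (inclusive) of a 32-bit word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def is_media_space(word):
    """Bits 27:25 == 011 and bit 4 == 1: undefined before ARMv6, the media
    instruction space (which holds the extend family) from ARMv6 on."""
    return bits(word, 27, 25) == 0b011 and bits(word, 4, 4) == 1


def decode_extend(word):
    """Mnemonic for an extend instruction, or None if the word is not one."""
    cond = bits(word, 31, 28)
    if cond == 0b1111:                                  # NV: unconditional space
        return None
    if bits(word, 27, 23) != 0b01101 or bits(word, 7, 4) != 0b0111:
        return None
    if bits(word, 9, 8) != 0:                           # should-be-zero bits
        return None
    op = bits(word, 21, 20)
    if op not in OP_NAMES:
        return None
    unsigned = bits(word, 22, 22) == 1
    rn, rd = bits(word, 19, 16), bits(word, 15, 12)
    rot, rm = bits(word, 11, 10), bits(word, 3, 0)
    name = ("U" if unsigned else "S") + "XT" + ("" if rn == 0b1111 else "A") + OP_NAMES[op]
    regs = [f"R{rd}"] + ([] if rn == 0b1111 else [f"R{rn}"]) + [f"R{rm}"]
    text = f"{name}{COND[cond]} " + ", ".join(regs)
    return text + (f", ROR #{rot * 8}" if rot else "")


def _sext(value, width):
    """Sign-extend the low `width` bits of value to a Python int."""
    value &= (1 << width) - 1
    return value - (1 << width) if value >> (width - 1) else value


def execute_extend(word, regs):
    """Evaluate an extend instruction on a register file (dict index -> int)
    and return the new Rd value; the condition is assumed to pass."""
    if decode_extend(word) is None:
        raise ValueError(f"{word:#010x} is not an extend instruction")
    op, unsigned = bits(word, 21, 20), bits(word, 22, 22) == 1
    rn, rot, rm = bits(word, 19, 16), bits(word, 11, 10), bits(word, 3, 0)
    operand = regs[rm] & MASK32
    if rot:                                             # Rm rotated right by 8, 16 or 24
        operand = ((operand >> (rot * 8)) | (operand << (32 - rot * 8))) & MASK32

    def ext(value, width):
        return value & ((1 << width) - 1) if unsigned else _sext(value, width)

    if op == 0b00:                                      # xTB16: bytes 0 and 2 -> halfwords
        lo, hi = ext(operand, 8) & 0xFFFF, ext(operand >> 16, 8) & 0xFFFF
        if rn != 0b1111:                                # xTAB16 adds per halfword
            lo = (lo + (regs[rn] & 0xFFFF)) & 0xFFFF
            hi = (hi + ((regs[rn] >> 16) & 0xFFFF)) & 0xFFFF
        return lo | (hi << 16)
    result = ext(operand, 16 if op == 0b11 else 8)
    if rn != 0b1111:                                    # xTAB / xTAH add the whole word
        result += regs[rn]
    return result & MASK32


def decode_listing_words():
    """The two words IDA left as DCD in the SpringBoard listing above."""
    return {w: decode_extend(w) for w in (0xE6EF5072, 0xE6EF0070)}


if __name__ == "__main__":
    for word, text in decode_listing_words().items():
        print(f"DCD {word:#010x}  media space: {is_media_space(word)}  -> {text}")
    sample = {i: 0 for i in range(16)}                  # constructed register file
    sample[2] = 0x12345678
    print(f"UXTB R5, R2 with R2=0x12345678 -> R5={execute_extend(0xE6EF5072, sample):#x}")
```

Feed decode_extend any 32-bit word from the listing: it returns None for words outside the extend family and for words with the should-be-zero bits set, and is_media_space tells you whether a word at least falls in the space ARMv6 added, which is the first thing to check when an ARM disassembler that predates the core emits DCD in the middle of a function.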

(c) 2006-2012 Hackint0sh.org