ARMv7 Word补丁(CBNZ)
[英]ARMv7 Word Patch (CBNZ)
问题描述
I have an iPhone app that I am disassembling. 
我有一个我正在拆卸的iPhone应用程序。
It is my understanding that a CBNZ instruction is "Compare and Branch on Non-Zero." 据我所知,CBNZ指令是“比较并在非零上分支”。 and a CBZ is "Compare and Branch on Zero" 和CBZ是“比较和分支零”
I can not find anywhere online to confirm this but to me it seems that CBNZ is represented by B9 in an address like so "0x B9 DC" and CBZ is "0x B3 DC". 我无法在网上找到任何地方来确认这一点,但对我而言,似乎CBNZ由B9代表地址如此“0x B9 DC”而CBZ是“0x B3 DC”。
The full address is: DC B9 53 48 03 99 78 44 00 68 BF F1 74 EE 51 49 完整地址为:DC B9 53 48 03 99 78 44 00 68 BF F1 74 EE 51 49
I am modifying it to: DC B3 53 48 03 99 78 44 00 68 BF F1 74 EE 51 49 我将其修改为:DC B3 53 48 03 99 78 44 00 68 BF F1 74 EE 51 49
Previously I had patched this same check in ARMv6 though it was represented by a BNE "0x D1 30" that I patched to a B "0x E0 32" 以前我在ARMv6中修补了相同的检查,虽然它由BNE“0x D1 30”表示,我修补了B“0x E0 32”
This: 32 D1 5B 48 5C 49 78 44 79 44 00 68 09 68 AC F1 这:32 D1 5B 48 5C 49 78 44 79 44 00 68 09 68 AC F1
To: 32 E0 5B 48 5C 49 78 44 79 44 00 68 09 68 AC F1 至:32 E0 5B 48 5C 49 78 44 79 44 00 68 09 68 AC F1
This behaved exactly how I expected to, taking the branch and continuing on as I wanted it to. 这完全符合我的预期,采取分支并继续我想要的。 Normally it only takes such branch if it passes a check. 通常情况下,如果通过检查,它只需要这样的分支。
I figured patching a CBNZ to a CBZ would have similar results though it seems not. 我认为将CBNZ修补到CBZ会有类似的结果,虽然看起来不是。
Hope someone can help me understand. 希望有人能帮助我理解。 Sorry if this is not a forum where I should post questions like this though it seems like a good place to ask. 对不起,如果这不是一个论坛,我应该发布这样的问题虽然它似乎是一个好地方问。 If you need more info I will be happy to provide. 如果您需要更多信息,我将很乐意提供。
1 个解决方案
解决方案1
11 已采纳 2012-02-14 18:59:21
To understand the assembly, you need to go to bit level. 要了解程序集,您需要转到位级别。 If you don't want to spend time to understand the ARM encoding, get a disassembler (eg otool -tV ) and an assembler (eg as ) and they will figure out the instruction encoding/decoding for you. 如果您不想花时间了解ARM编码,请获取反汇编程序(例如otool -tV )和汇编程序(例如as ),他们将为您找出指令编码/解码。
The encoding of the CBZ/CBNZ instructions are CBZ / CBNZ指令的编码是
15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 <-- bit
1 0 1 1 op 0 i 1 [ imm5][ Rn] <-- meaning
where op = 1 means CBNZ, op = 0 means CBZ, ' i : imm5 :0' is the relative address to jump, and Rn is the register to check (see ARMv7-ARM §A8.6.27). 其中op = 1表示CBNZ, op = 0表示CBZ,' i : imm5 :0'是跳转的相对地址, Rn是要检查的寄存器(参见ARMv7-ARM§A8.6.27)。
Therefore, the word B9DC, in binary, 因此,单词B9DC,二进制,
(1 0 1 1 op 0 i 1 [ imm5][ Rn])
1 0 1 1 1 0 0 1 [1 1 0 1 1][1 0 0]
means 手段
- op = 1 op = 1
- i = 0 i = 0
- imm5 = 11011 imm5 = 11011
- Rn = 100 Rn = 100
means 手段
CBNZ R4, (PC+54) ; 54 = 0b0110110
while B3DC, in binary, 而B3DC,二进制,
(1 0 1 1 op 0 i 1 [ imm5][ Rn])
1 0 1 1 0 0 1 1 [1 1 0 1 1][1 0 0]
means 手段
- op = 0 op = 0
- i = 1 i = 1
- imm5 = 11011 imm5 = 11011
- Rn = 100 Rn = 100
means 手段
CBZ R4, (PC+118) ; 118 = 0b1110110
Note that your patch B9 → B3 changed the i bit as well, which changed the address it should jump to. 请注意,您的补丁B9 → B3也改变了i位,这改变了它应跳转到的地址。 You should only change the op bit, meaning you should patch the byte as B1 . 您应该只更改操作位,这意味着您应该将字节修补为B1 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.