Blue Fox: Arm Assembly Internals and Reverse Engineering (Paperback)

Introduction xxi

Part I Arm Assembly Internals 1

Chapter 1 Introduction to Reverse Engineering 3

Introduction to Assembly 3

Bits and Bytes 3

Character Encoding 5

Machine Code and Assembly 6

Assembling 9

Cross- Assemblers 13

High- Level Languages 15

Disassembling 16

Decompilation 17

Chapter 2 ELF File Format Internals 21

Program Structure 21

High- Level vs. Low- Level Languages 22

The Compilation Process 24

Cross- Compiling for Other Architectures 25

Assembling and Linking 27

The ELF File Overview 30

The ELF File Header 31

The ELF File Header Information Fields 32

The Target Platform Fields 33

The Entry Point Field 34

The Table Location Fields 34

ELF Program Headers 34

The PHDR Program Header 36

The INTERP Program Header 36

The LOAD Program Headers 36

The DYNAMIC Program Header 37

The NOTE Program Header 37

The TLS Program Header 38

The GNU_EH_FRAME Program Header 38

The GNU_STACK Program Header 39

The GNU_RELRO Program Header 41

ELF Section Headers 43

The ELF Meta- Sections 45

The String Table Section 46

The Symbol Table Section 46

The Main ELF Sections 46

The .text Section 47

The .data Section 47

The .bss Section 47

The .rodata Section 47

The .tdata and .tbss Sections 48

Symbols 48

Global vs. Local Symbols 50

Weak Symbols 50

Symbol Versions 51

Mapping Symbols 51

The Dynamic Section and Dynamic Loading 52

Dependency Loading (NEEDED) 53

Program Relocations 54

Static Relocations 55

Dynamic Relocations 56

The Global Offset Table (GOT) 57

The Procedure Linkage Table (PLT) 57

The ELF Program Initialization and Termination Sections 58

Initialization and Termination Order 60

Thread- Local Storage 60

The Local- Exec TLS Access Model 65

The Initial- Exec TLS Access Model 65

The General- Dynamic TLS Access Model 66

The Local- Dynamic TLS Access Model 67

Chapter 3 OS Fundamentals 69

OS Architecture Overview 69

User Mode vs. Kernel Mode 70

Processes 70

System Calls 72

Objects and Handles 77

Threads 79

Process Memory Management 80

Memory Pages 82

Memory Protections 82

Anonymous and Memory- Mapped Memory 84

Memory- Mapped Files and Modules 84

Address Space Layout Randomization 87

Stack Implementations 90

Shared Memory 91

Chapter 4 The Arm Architecture 93

Architectures and Profiles 93

The Armv8- A Architecture 95

Exception Levels 96

Armv8- A TrustZone Extension 97

Exception Level Changes 99

Armv8- A Execution States 101

The AArch64 Execution State 102

The A64 Instruction Set 103

AArch64 Registers 104

The Program Counter 106

The Stack Pointer 107

The Zero Register 107

The Link Register 108

The Frame Pointer 109

The Platform Register (x18) 109

The Intraprocedural Call Registers 110

SIMD and Floating- Point Registers 110

System Registers 111

PSTATE 112

The AArch32 Execution State 114

A32 and T32 Instruction Sets 114

The A32 Instruction Set 114

The T32 Instruction Set 115

Switching Between Instruction Sets 115

AArch32 Registers 118

The Program Counter 119

The Stack Pointer 120

The Frame Pointer 120

The Link Register 121

The Intraprocedural Call Register (IP, r12) 121

The Current Program Status Register 121

The Application Program Status Register 122

The Execution State Registers 124

The Instruction Set State Register 124

The IT Block State Register (ITSTATE) 125

Endianness state 126

Mode and Exception Mask Bits 126

Chapter 5 Data Processing Instructions 129

Shift and Rotate Operations 131

Logical Shift Left 132

Logical Shift Right 133

Arithmetic Shift Right 133

Rotate Right 134

Rotate Right with Extend 134

Instruction Forms 135

Shift by a Constant Immediate Form 136

Shift by Register Form 138

Bitfield Manipulation Operations 140

Bitfield Move 141

Sign- and Zero- Extend Operations 145

Bitfield Extract and Insert 150

Logical Operations 153

Bitwise AND 153

The TST Instruction 154

Bitwise Bit Clear 155

Bitwise OR 155

Bitwise OR NOT 156

Bitwise Exclusive OR 158

The TEQ instruction 158

Exclusive OR NOT 159

Arithmetic Operations 159

Addition and Subtraction 159

Reverse Subtract 161

Compare 162

CMP Instruction Operation Behavior 163

Multiplication Operations 165

Multiplications on A64 166

Multiplications on A32/T32 167

Least Significant Word Multiplications 169

Most Significant Word Multiplications 171

Halfword Multiplications 173

Vector (Dual) Multiplications 176

Long (64- Bit) Multiplications 179

Division Operations 186

Move Operations 187

Move Constant Immediate 188

Move Immediate and MOVT on A32/T32 188

Move Immediate, MOVZ, and MOVK on A64 189

Move Register 190

Move with NOT 192

Chapter 6 Memory Access Instructions 195

Instructions Overview 195

Addressing Modes and Offset Forms 197

Offset Addressing 200

Constant Immediate Offset 201

Register Offsets 207

Pre- Indexed Mode 209

Pre- Indexed Mode Example 210

Post- Indexed Addressing 212

Post- Indexed Addressing Example 213

Literal (PC- Relative) Addressing 214

Loading Constants 215

Loading an Address into a Register 218

Load and Store Instructions 222

Load and Store Word or Doubleword 222

Load and Store Halfword or Byte 224

Example Using Load and Store 226

Load and Store Multiple (A32) 228

Example for STM and LDM 235

A More Complicated Example Using STM and LDM 237

Load and Store Pair (A64) 238

Chapter 7 Conditional Execution 243

Conditional Execution Overview 243

Conditional Codes 244

The NZCV Condition Flags 245

Signed vs. Unsigned Integer Overflows 246

Condition Codes 248

Conditional Instructions 249

The If- Then (IT) Instruction in Thumb 250

Flag- Setting Instructions 252

The Instruction “S” Suffix 253

The S Suffix on Add and Subtract Instructions 253

The S Suffix on Logical Shift Instructions 256

The S Suffix on Multiply Instructions 257

The S Suffix on Other Instructions 257

Test and Comparison Instructions 257

Compare (CMP) 258

Compare Negative (CMN) 260

Test Bits (TST) 261

Test Equality (TEQ) 264

Conditional Select Instructions 265

Conditional Comparison Instructions 268

Boolean AND Conditionals Using CCMP 269

Boolean OR Conditionals Using CCMP 272

Chapter 8 Control Flow 275

Branch Instructions 275

Conditional Branches and Loops 277

Test and Compare Branches 281

Table Branches (T32) 282

Branch and Exchange 284

Subroutine Branches 288

Functions and Subroutines 290

The Procedure Call Standard 291

Volatile vs. Nonvolatile Registers 293

Arguments and Return Values 293

Passing Larger Values 295

Leaf and Nonleaf Functions 298

Leaf Functions 298

Nonleaf Functions 299

Prologue and Epilogue 299

Part II Reverse Engineering 305

Chapter 9 Arm Environments 307

Arm Boards 308

Emulation with QEMU 310

QEMU User- Mode Emulation 310

QEMU Full- System Emulation 314

Firmware Emulation 315

Chapter 10 Static Analysis 321

Static Analysis Tools 322

Command- Line Tools 322

Disassemblers and Decompilers 322

Binary Ninja Cloud 323

Call- By- Reference Example 328

Control Flow Analysis 334

Main Function 336

Subroutine 336

Converting to char 341

if Statement 343

Quotient Division 345

for Loop 347

Analyzing an Algorithm 349

Chapter 11 Dynamic Analysis 363

Command- Line Debugging 364

GDB Commands 365

GDB Multiuser 366

GDB Extension: GEF 368

Installation 369

Interface 370

Useful GEF Commands 370

Examine Memory 374

Watch Memory Regions 376

Vulnerability Analyzers 377

checksec 379

Radare2 381

Debugging 382

Remote Debugging 385

Radare2 386

IDA Pro 388

Debugging a Memory Corruption 390

Debugging a Process with GDB 398

Chapter 12 Reversing arm64 macOS Malware 405

Background 406

macOS arm64 Binaries 407

macOS Hello World (arm64) 410

Hunting for Malicious arm64 Binaries 413

Analyzing arm64 Malware 419

Anti- Analysis Techniques 420

Anti- Debugging Logic (via ptrace) 421

Anti- Debugging Logic (via sysctl) 425

Anti- VM Logic (via SIP Status and the Detection of VM Artifacts) 429

Conclusion 435

Index 437