Saturday, 2 December 2017

Practical Reverse Engineering Exercise Solutions: Page 79 / Exercise 3

Exercise 3 on page 79 of the book Practical Reverse Engineering gives the following ARM disassembly of a function mystery3:

                mystery3
83 68         LDR             R3, [R0,#8]
0B 60         STR             R3, [R1]
C3 68         LDR             R3, [R0,#0xC]
00 20         MOVS            R0, #0
4B 60         STR             R3, [R1,#4]
70 47         BX              LR
              ; End of function mystery3

It is provided in Thumb mode, as can be seen from the instruction width: every instruction occupies exactly 16 bits (two bytes), whereas ARM-state instructions are always 32 bits wide. Decompilation is further simplified by the absence of any branch: there is no conditional path, so no NULL checks or error handling, for instance, have to be recovered.

The function mystery3 takes two arguments, in r0 and r1, since both registers are read before anything is written to them. Both arguments are pointers: each serves as the base register of memory loads and stores at different offsets, so each points to some structure. The return value is always 0, because MOVS R0, #0 loads the return register before BX LR. Note that the compiler scheduled this move before the last STR; that is safe because the final store uses r1 as its base, not r0, so the first argument is no longer needed at that point. The return type itself is a guess from the constant alone: an always-zero return could just as well be a status code, and BOOL is used here only as a placeholder. Thus far, we arrive at the following function prototype:

BOOL mystery3 (struct1* arg1, struct2* arg2);

From the offsets used in the loads and stores we can say the following about the two types. Every access is a full-word LDR/STR (no B or H suffix), so each field is a 32-bit value. arg1 is only read at offsets 8 and 0xC, which means struct1 is at least 0x10 bytes long and has 8 bytes at offsets 0 through 7 whose contents this function does not reveal. arg2 is written at offsets 0 and 4, so struct2 is at least 8 bytes:

struct1:
field00 //not accessed here
field04 //not accessed here
field08_i //32 bit value
field0C_i //32 bit value

struct2:
field00_i //32 bit value
field04_i //32 bit value

The function copies two words of the first argument's structure into the second argument's structure, shifting them down by 8 bytes (offsets 8 and 0xC of struct1 land at offsets 0 and 4 of struct2). The STR R3, [R1,#4] after the MOVS R0, #0 still belongs to this copy; the compiler merely hoisted the return value:

#include <stdint.h>
typedef int BOOL;
typedef struct { uint32_t field00, field04, field08_i, field0C_i; } struct1;
typedef struct { uint32_t field00_i, field04_i; } struct2;

BOOL copyFirstToSecond(struct1* arg1, struct2* arg2) {
    arg2->field00_i = arg1->field08_i; // LDR R3, [R0,#8]   / STR R3, [R1]
    arg2->field04_i = arg1->field0C_i; // LDR R3, [R0,#0xC] / STR R3, [R1,#4]
    return 0;                          // MOVS R0, #0 / BX LR
}
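As an added example (not from the book and not part of the original post), the following Python script ties the two observations above together: it takes the six halfwords exactly as listed, decodes them with a minimal Thumb-16 decoder that handles only the three encodings that occur here (LDR/STR with a word-scaled 5-bit immediate, MOVS with an 8-bit immediate, and BX), and then runs the decoded instructions through a tiny emulator against a constructed struct1 to confirm the data flow claimed by the decompilation. The struct contents, the addresses 0x1000 and 0x2000, and the dummy LR value are made up for the demonstration.

```python
import struct

# The six halfwords of mystery3 exactly as listed in the disassembly,
# in memory (little-endian) byte order.
MYSTERY3_BYTES = bytes.fromhex("8368" "0b60" "c368" "0020" "4b60" "7047")

def rname(n):
    """Register name in the listing's style (R0..R12, SP, LR, PC)."""
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, f"R{n}")

def imm(v):
    """Immediate in the listing's style: decimal below 10, hex otherwise (8, 0xC)."""
    return str(v) if v < 10 else "0x" + format(v, "X")

def decode_thumb16(hw):
    """Decode one 16-bit Thumb halfword.

    Only the three encodings that occur in mystery3 are handled:
      LDR/STR Rt,[Rn,#imm5*4]  (T1): 0110 L imm5 Rn Rt
      MOVS Rd,#imm8            (T1): 00100 Rd imm8
      BX Rm                    (T1): 010001110 Rm 000
    Returns (mnemonic, operand text, semantic tuple for the emulator).
    """
    top5 = hw >> 11
    if top5 in (0b01100, 0b01101):           # STR = 01100, LDR = 01101
        is_load = top5 == 0b01101
        imm5 = (hw >> 6) & 0x1F
        rn = (hw >> 3) & 0x7
        rt = hw & 0x7
        disp = imm5 * 4                      # word-scaled offset
        mnem = "LDR" if is_load else "STR"
        base = f"[{rname(rn)}]" if disp == 0 else f"[{rname(rn)},#{imm(disp)}]"
        return mnem, f"{rname(rt)}, {base}", ("mem", is_load, rt, rn, disp)
    if top5 == 0b00100:
        rd = (hw >> 8) & 0x7
        imm8 = hw & 0xFF
        return "MOVS", f"{rname(rd)}, #{imm(imm8)}", ("mov", rd, imm8)
    if (hw >> 7) == 0b010001110 and (hw & 0x7) == 0:
        rm = (hw >> 3) & 0xF
        return "BX", rname(rm), ("bx", rm)
    raise ValueError(f"encoding {hw:#06x} not handled by this toy decoder")

def disassemble(code):
    """Return [(offset, halfword, mnemonic, operands)] for Thumb-16 code."""
    listing = []
    for off in range(0, len(code), 2):
        (hw,) = struct.unpack_from("<H", code, off)
        mnem, ops, _ = decode_thumb16(hw)
        listing.append((off, hw, mnem, ops))
    return listing

def emulate(code, regs, mem):
    """Run the code on a register dict and a sparse word-addressed memory
    dict until BX (the return); mutates and returns (regs, mem)."""
    for off in range(0, len(code), 2):
        (hw,) = struct.unpack_from("<H", code, off)
        _, _, sem = decode_thumb16(hw)
        if sem[0] == "mem":
            _, is_load, rt, rn, disp = sem
            addr = regs[rn] + disp
            if is_load:
                regs[rt] = mem.get(addr, 0)  # unmapped words read as 0
            else:
                mem[addr] = regs[rt]
        elif sem[0] == "mov":
            regs[sem[1]] = sem[2]
        elif sem[0] == "bx":
            break
    return regs, mem

def run_mystery3(struct1_words, arg1_addr=0x1000, arg2_addr=0x2000):
    """Call mystery3(arg1, arg2) with a constructed struct1 laid out at
    arg1_addr (dict offset -> 32-bit word) and an empty struct2 at arg2_addr.
    Both addresses are arbitrary choices for the demonstration.
    Returns (r0 on return, {offset: word} for struct2 offsets 0 and 4)."""
    mem = {arg1_addr + off: word for off, word in struct1_words.items()}
    regs = {0: arg1_addr, 1: arg2_addr, 14: 0xFFFFFFFF}  # r0, r1, dummy LR
    regs, mem = emulate(MYSTERY3_BYTES, regs, mem)
    return regs[0], {off: mem.get(arg2_addr + off) for off in (0, 4)}

if __name__ == "__main__":
    for off, hw, mnem, ops in disassemble(MYSTERY3_BYTES):
        print(f"{off:02x}: {hw & 0xFF:02X} {hw >> 8:02X}  {mnem:<6} {ops}")
    # Constructed struct1: four distinct words so the copied offsets are obvious.
    ret, s2 = run_mystery3({0x0: 0x11111111, 0x4: 0x22222222,
                            0x8: 0x33333333, 0xC: 0x44444444})
    fields = ", ".join(f"{k:#x}: {v:#x}" for k, v in s2.items())
    print(f"r0 = {ret}, struct2 = {{ {fields} }}")
```

Running it reproduces the listing halfword by halfword and shows struct2 receiving the words from offsets 8 and 0xC while the words at offsets 0 and 4 of struct1 are never touched; r0 is 0 on return regardless of the input. The decoder is deliberately limited to these three encodings, so feeding it any other Thumb code raises ValueError rather than silently misdecoding.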
