Arm Assembly Internals & Reverse Engineering

Maria Markstedter is the founder and CEO of Azeria Labs, which provides training courses on Arm reverse engineering and exploitation. Previously, she worked in the fields of pentesting and threat intelligence and served as the chief product officer of the virtualization startup Corellium, Inc Cover Title Page Copyright Page Contents at a Glance Contents Introduction Part I Arm Assembly Internals Chapter 1 Introduction to Reverse Engineering Introduction to Assembly Bits and Bytes Character Encoding Machine Code and Assembly Assembling Cross-Assemblers High-Level Languages Disassembling Decompilation Chapter 2 ELF File Format Internals Program Structure High-Level vs. Low-Level Languages The Compilation Process Cross-Compiling for Other Architectures Assembling and Linking The ELF File Overview The ELF File Header The ELF File Header Information Fields The Target Platform Fields The Entry Point Field The Table Location Fields ELF Program Headers The PHDR Program Header The INTERP Program Header The LOAD Program Headers The DYNAMIC Program Header The NOTE Program Header The TLS Program Header The GNU_EH_FRAME Program Header The GNU_STACK Program Header The GNU_RELRO Program Header ELF Section Headers The ELF Meta-Sections The String Table Section The Symbol Table Section The Main ELF Sections The .text Section The .data Section The .bss Section The .rodata Section The .tdata and .tbss Sections Symbols Global vs. Local Symbols Weak Symbols Symbol Versions Mapping Symbols The Dynamic Section and Dynamic Loading Dependency Loading (NEEDED) Program Relocations Static Relocations Dynamic Relocations The Global Offset Table (GOT) The Procedure Linkage Table (PLT) The ELF Program Initialization and Termination Sections Initialization and Termination Order Thread-Local Storage The Local-Exec TLS Access Model The Initial-Exec TLS Access Model The General-Dynamic TLS Access Model The Local-Dynamic TLS Access Model Chapter 3 OS Fundamentals OS Architecture Overview User Mode vs. Kernel Mode Processes System Calls Objects and Handles Threads Process Memory Management Memory Pages Memory Protections Anonymous and Memory-Mapped Memory Memory-MappedFiles and Modules Address Space Layout Randomization Stack Implementations Shared Memory Chapter 4 The Arm Architecture Architectures and Profiles The Armv8-A Architecture Exception Levels Armv8-ATrustZone Extension Exception Level Changes Armv8-A Execution States The AArch64 Execution State The A64 Instruction Set AArch64 Registers The Program Counter The Stack Pointer The Zero Register The Link Register The Frame Pointer The Platform Register (x18) The Intraprocedural Call Registers SIMD and Floating-PointRegisters System Registers PSTATE The AArch32 Execution State A32 and T32 Instruction Sets The A32 Instruction Set The T32 Instruction Set Switching Between Instruction Sets AArch32 Registers The Program Counter The Stack Pointer The Frame Pointer The Link Register The Intraprocedural Call Register (IP, r12) The Current Program Status Register The Application Program Status Register The Execution State Registers The Instruction Set State Register The IT Block State Register (ITSTATE) Endianness state Mode and Exception Mask Bits Chapter 5 Data Processing Instructions Shift and Rotate Operations Logical Shift Left Logical Shift Right Arithmetic Shift Right Rotate Right Rotate Right with Extend Instruction Forms Shift by a Constant Immediate Form Shift by Register Form Bitfield Manipulation Operations Bitfield Move Sign-and Zero-Extend Operations Bitfield Extract and Insert Logical Operations Bitwise AND The TST Instruction Bitwise Bit Clear Bitwise OR Bitwise OR NOT Bitwise Exclusive OR The TEQ instruction Exclusive OR NOT Arithmetic Operations Addition and Subtraction Reverse Subtract Compare CMP Instruction Operation Behavior Multiplication Operations Multiplications on A64 Multiplications on A32/T32 Least Significant Word Multiplications Most Significant Word Multiplications Halfword Multiplications Vector (Dual) Multiplications Long (64-Bit) Multiplications Division Operations Move Operations Move Constant Immediate Move Immediate and MOVT on A32/T32 Move Immediate, MOVZ, and MOVK on A64 Move Register Move with NOT Chapter 6 Memory Access Instructions Instructions Overview Addressing Modes and Offset Forms Offset Addressing Constant Immediate Offset Register Offsets Pre-Indexed Mode Pre-Indexed Mode Example Post-Indexed Addressing Post-Indexed Addressing Example Literal (PC-Relative) Addressing Loading Constants Loading an Address into a Register Load and Store Instructions Load and Store Word or Doubleword Load and Store Halfword or Byte Example Using Load and Store Load and Store Multiple (A32) Example for STM and LDM A More Complicated Example Using STM and LDM Load and Store Pair (A64) Chapter 7 Conditional Execution Conditional Execution Overview Conditional Codes The NZCV Condition Flags Signed vs. Unsigned Integer Overflows Condition Codes Conditional Instructions The If-Then (IT) Instruction in Thumb Flag-Setting Instructions The Instruction “S” Suffix The S Suffix on Add and Subtract Instructions The S Suffix on Logical Shift Instructions The S Suffix on Multiply Instructions The S Suffix on Other Instructions Test and Comparison Instructions Compare Negative (CMN) Test Bits (TST) Test Equality (TEQ) Conditional Select Instructions Conditional Comparison Instructions Boolean AND Conditionals Using CCMP Boolean OR Conditionals Using CCMP Chapter 8 Control Flow Branch Instructions Conditional Branches and Loops Test and Compare Branches Table Branches (T32) Branch and Exchange Subroutine Branches Functions and Subroutines The Procedure Call Standard Volatile vs. Nonvolatile Registers Arguments and Return Values Passing Larger Values Leaf and Nonleaf Functions Leaf Functions Nonleaf Functions Prologue and Epilogue Part II Reverse Engineering Chapter 9 Arm Environments Arm Boards Emulation with QEMU QEMU User-Mode Emulation QEMU Full-System Emulation Firmware Emulation Chapter 10 Static Analysis Static Analysis Tools Command-Line Tools Disassemblers and Decompilers Binary Ninja Cloud Call-By-Reference Example Control Flow Analysis Main Function Subroutine Converting to char if Statement Quotient Division for Loop Analyzing an Algorithm Chapter 11 Dynamic Analysis Command-Line Debugging GDB Commands GDB Multiuser GDB Extension: GEF Installation Interface Useful GEF Commands Examine Memory Watch Memory Regions Vulnerability Analyzers checksec Radare2 Remote Debugging Radare2 IDA Pro Debugging a Memory Corruption Debugging a Process with GDB Chapter 12 Reversing arm64 macOS Malware Background macOS arm64 Binaries macOS Hello World (arm64) Hunting for Malicious arm64 Binaries Analyzing arm64 Malware Anti-Analysis Techniques Anti-Debugging Logic (via ptrace) Anti-Debugging Logic (via sysctl) Anti-VM Logic (via SIP Status and the Detection of VM Artifacts) Conclusion Index EULA