flat assembler
Message board for the users of flat assembler.

Index > Non-x86 architectures > [ARM] Encoding T2 for the B instruction

Author
Thread Post new topic Reply to topic
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 08 Jan 2013, 08:06
semi branchless snippet to calculate the +/- address label of the
T2_B instruction, obviously untested Smile
bit 11,12 always 0 ?

Code:
;--- IN EBX current T2_B instruction_address ;--- exmple 0x408
;--- IN EDX opcodes_T2_B ;--- example 0xE797
;--- RET EAX 0x33A

T2_B:
 mov eax,edx
 neg eax
 mov ecx,edx
 and eax,7FFh
 and ecx,7FFh
 neg eax
 test dh,4
 cmovnz ecx,eax
 lea eax,[ecx+ecx+ebx+4]
 nop
 ret
    


Cheers,

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 08 Jan 2013, 08:06
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20425
Location: In your JS exploiting you and your system
revolution 08 Jan 2013, 12:44
Where is this useful/used? What is this for? Some context? Question
Post 08 Jan 2013, 12:44
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 08 Jan 2013, 14:13
dont know, should be ok; because i am doing it from empirical
calculations by debugging, because not yet much time to dig accurately into the ARMv7 manual Smile follows ARM code during debugging
Code:
0x00000560  0xBF00  NOP
0x00000562  0xBF00  NOP
0x00000564  0xE7FF  B  0x00000566 ;<--- 
0x00000566  0xBF00  NOP
0x00000568  ...
    

useful because snippet doesnt touch EBX/EDX, and return in EAX the address. in this case giving in EBX 0x00000564 and in EDX 0xE7FF, it returns
in EAX 0x00000566. it works relative addressing.
my question is about bit 11,12

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 08 Jan 2013, 14:13
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 08 Jan 2013, 16:08
Also untested Very Happy
Code:
T2_B:
 mov eax,edx
 mov ecx,edx
 or  eax, not 7FFh
 and ecx,7FFh
 test dh,4
 cmovnz ecx,eax
 lea eax,[ecx+ecx+ebx+4]
 nop
 ret    
Post 08 Jan 2013, 16:08
View user's profile Send private message Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 08 Jan 2013, 16:42
LocoDelAssembly wrote:
Also untested Very Happy
Code:
T2_B:
 mov eax,edx
 mov ecx,edx
 or  eax, not 7FFh
 and ecx,7FFh
 test dh,4
 cmovnz ecx,eax
 lea eax,[ecx+ecx+ebx+4]
 nop
 ret    

it works! cool Smile this should be named T2_B_dest
because it calculates the target address of a B instruction. now the reverse,
given a target address i want to opcode and the current address of a B instruction (no condition)
Code:
T2_B_enc:
 ;--- in EBX cur_addr of the B instruction
 ;--- in EAX destination target address i want to opcode
 ;--- ret in EAX the opcoded instruction
 sub eax,ebx
 sub eax,4
 cdq
 and edx,400h
 and eax,7FFh
 shr eax,1
 or eax,edx
 or eax,0E000h
 nop
 ret
    
it may be imbroved with a LEA instead of sub,sub. ok, for example
giving in EBX 0x00000564, and in EAX 0x00000566, return EAX 0xE7FF

ARM code as reference to make some tests,
Code:
0x00000560  0xbf00 NOP
0x00000562  0xbf00 NOP
0x00000564  0xe7ff B 0x00000566 ;<----
0x00000566  0xbf00 NOP
0x00000568  0xe7ff B 0x0000056a
0x0000056a  0xbf00 NOP
0x0000056c  0xbf00 NOP
0x0000056e  0xe7fe B 0x0000056e
0x00000570  0xbf00 NOP
0x00000572  0xbf00 NOP
0x00000574  0xe7fd B 0x00000572
0x00000576  0xbf00 NOP
...
0x00000000  0xE00E ;<--- this will cause code to jump to address 20h
0x00000020
...
    
well, i forgot to say my goal. once compiled with fasm, i load them in memory as a library, and execute them from my ide, so that by debugging ARM i can encode instructions in a simple way avoiding every time to do calculations again.

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 08 Jan 2013, 16:42
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20425
Location: In your JS exploiting you and your system
revolution 08 Jan 2013, 18:53
The encoding for the unconditional 16bit thumb B is just a simple 2s complement value of 11 bits with an offset of 4. You can simply truncate the value to 11 bits.
Post 08 Jan 2013, 18:53
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 09 Jan 2013, 18:05
fine Very Happy encoding may be rewritten as following
Code:
T2_B_enc:
 mov ebx,cur_instr_addr
 mov eax,target_addr
 sub eax,ebx
 sub eax,4
 shr eax,1
 and eax,07FFh
 or ah,0E0h
 ret
    

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 09 Jan 2013, 18:05
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20425
Location: In your JS exploiting you and your system
revolution 09 Jan 2013, 18:38
There are three other encodings for Thumb mode B. You can look at the fasmarm source to see how the others are encoded there, but the best place to go is the ARM manual. It seems to be a very slow way to work by reverse engineering something when the full manual is available.
Post 09 Jan 2013, 18:38
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 09 Jan 2013, 19:57
revolution wrote:
...You can look at the fasmarm source to see how the others are encoded there, but the best place to go is the ARM manual
yeap, sure, both in my plan, (also, fasmarm code too) accurately in my next "opcoding" stage. for example, how could be resolved jumps over +/- 16Mb on T4 encooding of B, and whether possible.
i am expressly delaying the manual to the end of this month, while enjoining the direct access to the hardware, very new for me, such a powerful flashing impact Very Happy

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 09 Jan 2013, 19:57
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.