View Full Version : ARM Opcodes - To Higher Level


Tsongkie
June 17th, 2013, 00:42
Hey guys,

Glad I found this forum. Seems like there are a lot of people here who can help me.

Anyway, I'm trying to get this piece of code translated to a higher language. I have some background in ASM but this piece of code is just flying through my head and I can't seem to understand it.

I would appreciate it if someone can give me an insight on what is happening here. Pseudo code will be much appreciated, but if that's too much, you can just point me in the right direction where I can find some kind of explanation as to what is going on here.

Basically, this function requires a string and then returns a modified version of that string. I got this from IDA:

Code:
.text:00015874 ; Scrambler::getInstagramString(char const*)
.text:00015874 EXPORT _ZN9Scrambler18getInstagramStringEPKc
.text:00015874 _ZN9Scrambler18getInstagramStringEPKc ; CODE XREF: Bridge::getInstagramString(_JNIEnv *,_jobject *,_jstring *)+16p
.text:00015874 PUSH {R4-R6,LR}
.text:00015876 LDR R1, =(aA4d1b77bbb1a4a - 0x15880)
.text:00015878 MOVS R4, R0
.text:0001587A MOVS R5, #0
.text:0001587C ADD R1, PC ; "a4d1b77bbb1a4a5ca695ad72c84b77e5"
.text:0001587E BLX strcasecmp
.text:00015882 CMP R0, #0
.text:00015884 BNE loc_1588A
.text:00015886 LDR R5, =(unk_6C19C - 0x1588C)
.text:00015888 ADD R5, PC
.text:0001588A
.text:0001588A loc_1588A ; CODE XREF: Scrambler::getInstagramString(char const*)+10j
.text:0001588A LDR R1, =(aFf19a68d1f4a4c - 0x15892)
.text:0001588C MOVS R0, R4 ; s1
.text:0001588E ADD R1, PC ; "ff19a68d1f4a4c29bf4be67ad2c77f12"
.text:00015890 BLX strcasecmp
.text:00015894 CMP R0, #0
.text:00015896 BNE loc_1589E
.text:00015898 LDR R5, =(unk_6C19C - 0x1589E)
.text:0001589A ADD R5, PC
.text:0001589C ADDS R5, #0x2C
.text:0001589E
.text:0001589E loc_1589E ; CODE XREF: Scrambler::getInstagramString(char const*)+22j
.text:0001589E LDR R1, =(aEd85650e098847 - 0x158A6)
.text:000158A0 MOVS R0, R4 ; s1
.text:000158A2 ADD R1, PC ; "ed85650e09884756a26558259c471af5"
.text:000158A4 BLX strcasecmp
.text:000158A8 CMP R0, #0
.text:000158AA BNE loc_158B2
.text:000158AC LDR R5, =(unk_6C19C - 0x158B2)
.text:000158AE ADD R5, PC
.text:000158B0 ADDS R5, #0x60
.text:000158B2
.text:000158B2 loc_158B2 ; CODE XREF: Scrambler::getInstagramString(char const*)+36j
.text:000158B2 LDR R1, =(aF9c69e10bbb140 - 0x158BA)
.text:000158B4 MOVS R0, R4 ; s1
.text:000158B6 ADD R1, PC ; "f9c69e10bbb140e096e26e3d3f3960ec"
.text:000158B8 BLX strcasecmp
.text:000158BC CMP R0, #0
.text:000158BE BNE loc_158C6
.text:000158C0 LDR R5, =(unk_6C21C - 0x158C6)
.text:000158C2 ADD R5, PC
.text:000158C4 ADDS R5, #0xC
.text:000158C6
.text:000158C6 loc_158C6 ; CODE XREF: Scrambler::getInstagramString(char const*)+4Aj
.text:000158C6 LDR R1, =(aA9fd1ea499854a - 0x158CE)
.text:000158C8 MOVS R0, R4 ; s1
.text:000158CA ADD R1, PC ; "a9fd1ea499854a93bdb89e12d00e56a0"
.text:000158CC BLX strcasecmp
.text:000158D0 CMP R0, #0
.text:000158D2 BNE loc_158DA
.text:000158D4 LDR R5, =(unk_6C21C - 0x158DA)
.text:000158D6 ADD R5, PC
.text:000158D8 ADDS R5, #0x24
.text:000158DA
.text:000158DA loc_158DA ; CODE XREF: Scrambler::getInstagramString(char const*)+5Ej
.text:000158DA LDR R1, =(aDb9f890529814c - 0x158E2)
.text:000158DC MOVS R0, R4 ; s1
.text:000158DE ADD R1, PC ; "db9f890529814cc682dae202eb074521"
.text:000158E0 BLX strcasecmp
.text:000158E4 CMP R0, #0
.text:000158E6 BNE loc_158EE
.text:000158E8 LDR R5, =(unk_6C21C - 0x158EE)
.text:000158EA ADD R5, PC
.text:000158EC ADDS R5, #0x38
.text:000158EE
.text:000158EE loc_158EE ; CODE XREF: Scrambler::getInstagramString(char const*)+72j
.text:000158EE LDR R1, =(aEc06322a460e44 - 0x158F6)
.text:000158F0 MOVS R0, R4 ; s1
.text:000158F2 ADD R1, PC ; "ec06322a460e44a7b8dcadcd49f39374"
.text:000158F4 BLX strcasecmp
.text:000158F8 CMP R0, #0
.text:000158FA BNE loc_15902
.text:000158FC LDR R5, =(unk_6C21C - 0x15902)
.text:000158FE ADD R5, PC
.text:00015900 ADDS R5, #0x5C
.text:00015902
.text:00015902 loc_15902 ; CODE XREF: Scrambler::getInstagramString(char const*)+86j
.text:00015902 LDR R1, =(aB8382364355a42 - 0x1590A)
.text:00015904 MOVS R0, R4 ; s1
.text:00015906 ADD R1, PC ; "b8382364355a42af9b130a7a68feb22a"
.text:00015908 BLX strcasecmp
.text:0001590C CMP R0, #0
.text:0001590E BNE loc_15916
.text:00015910 LDR R5, =(unk_6C29C - 0x15916)
.text:00015912 ADD R5, PC
.text:00015914 ADDS R5, #0x10
.text:00015916
.text:00015916 loc_15916 ; CODE XREF: Scrambler::getInstagramString(char const*)+9Aj
.text:00015916 LDR R1, =(aBdcf8247e5d54d - 0x1591E)
.text:00015918 MOVS R0, R4 ; s1
.text:0001591A ADD R1, PC ; "bdcf8247e5d54dd8a440e77f7c41b208"
.text:0001591C BLX strcasecmp
.text:00015920 CMP R0, #0
.text:00015922 BNE loc_1592A
.text:00015924 LDR R5, =(unk_6C29C - 0x1592A)
.text:00015926 ADD R5, PC
.text:00015928 ADDS R5, #0x44
.text:0001592A
.text:0001592A loc_1592A ; CODE XREF: Scrambler::getInstagramString(char const*)+AEj
.text:0001592A LDR R1, =(aEf9e3381f0a045 - 0x15932)
.text:0001592C MOVS R0, R4 ; s1
.text:0001592E ADD R1, PC ; "ef9e3381f0a045d396ee38292ca5481d"
.text:00015930 BLX strcasecmp
.text:00015934 CMP R0, #0
.text:00015936 BNE loc_1593E
.text:00015938 LDR R5, =(unk_6C29C - 0x1593E)
.text:0001593A ADD R5, PC
.text:0001593C ADDS R5, #0x78
.text:0001593E
.text:0001593E loc_1593E ; CODE XREF: Scrambler::getInstagramString(char const*)+C2j
.text:0001593E LDR R1, =(aDf1c2873b2cf40 - 0x15946)
.text:00015940 MOVS R0, R4 ; s1
.text:00015942 ADD R1, PC ; "df1c2873b2cf408489df344453f9f10e"
.text:00015944 BLX strcasecmp
.text:00015948 CMP R0, #0
.text:0001594A BNE loc_1595A
.text:0001594C LDR R5, =(unk_6C31C - 0x15952)
.text:0001594E ADD R5, PC
.text:00015950 ADDS R5, #0x20
.text:00015952
.text:00015952 loc_15952 ; CODE XREF: Scrambler::getInstagramString(char const*)+EAj
.text:00015952 MOVS R0, R5
.text:00015954 BL _ZN9Scrambler7decryptEPKc ; Scrambler::decrypt(char const*)
.text:00015958
.text:00015958 locret_15958 ; CODE XREF: Scrambler::getInstagramString(char const*)+ECj
.text:00015958 POP {R4-R6,PC}
.text:0001595A ; ---------------------------------------------------------------------------
.text:0001595A
.text:0001595A loc_1595A ; CODE XREF: Scrambler::getInstagramString(char const*)+D6j
.text:0001595A MOVS R0, #0
.text:0001595C CMP R5, #0
.text:0001595E BNE loc_15952
.text:00015960 B locret_15958
.text:00015960 ; End of function Scrambler::getInstagramString(char const*)
.text:00015960

Woodmann
June 17th, 2013, 21:25
Is this Apple stuff?

Woodmann

Tsongkie
June 17th, 2013, 22:47
Quote:
[Originally Posted by Woodmann;94905]Is this Apple stuff?

Woodmann


Actually it's from an Android app but the file I'm trying to reverse is a .so inside an apk file.

I tried to study the opcodes one by one but I'm getting lost at the variables they are using and I am not sure if:

=(unk_6C19C - 0x1589E)

is the value at address unk_6C19C to 0x1589E or should I subtract it. There is very little reference to this online.
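
The PC-relative pattern asked about above, worked through in C as an added example that is not part of the original thread or of the app's code. It assumes the listing is Thumb code (the instructions are 2 bytes apart) and that IDA's `unk_6C19C` style names encode the symbol's address; the struct and function names are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One "LDR R5,=(...)" / "ADD R5, PC" / "ADDS R5, #imm" sequence from the listing. */
struct pcrel {
    uint32_t add_addr;   /* address of the "ADD R5, PC" instruction           */
    uint32_t ida_const;  /* constant IDA subtracts in "=(unk_X - 0x...)"       */
    uint32_t sym;        /* address encoded in the name unk_X (IDA convention) */
    uint32_t imm;        /* immediate of the following "ADDS R5, #imm", or 0   */
};

static const struct pcrel listing[] = {   /* values copied from the thread */
    { 0x15888, 0x1588C, 0x6C19C, 0x00 },  /* first compare has no ADDS     */
    { 0x1589A, 0x1589E, 0x6C19C, 0x2C },
    { 0x158AE, 0x158B2, 0x6C19C, 0x60 },
    { 0x158C2, 0x158C6, 0x6C21C, 0x0C },
    { 0x1594E, 0x15952, 0x6C31C, 0x20 },
};

/* In Thumb state, PC read as an ADD operand is the instruction's address + 4. */
uint32_t thumb_pc(uint32_t insn_addr) { return insn_addr + 4; }

/* The word stored in the literal pool: the result of the subtraction IDA shows. */
uint32_t literal_word(const struct pcrel *e) { return e->sym - e->ida_const; }

/* Emulate the three instructions and return the final value of R5. */
uint32_t resolve(const struct pcrel *e)
{
    uint32_t r5 = literal_word(e);   /* LDR  R5, =(unk_X - const) */
    r5 += thumb_pc(e->add_addr);     /* ADD  R5, PC               */
    r5 += e->imm;                    /* ADDS R5, #imm             */
    return r5;
}

int main(void)
{
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++) {
        const struct pcrel *e = &listing[i];
        printf("ADD@%05X pc=%05X const_matches_pc=%d literal=%08X R5=%05X\n",
               (unsigned)e->add_addr, (unsigned)thumb_pc(e->add_addr),
               e->ida_const == thumb_pc(e->add_addr),
               (unsigned)literal_word(e), (unsigned)resolve(e));
    }
    return 0;
}
```

The constant IDA prints is always the PC value at the `ADD`, so the subtraction and the addition cancel and R5 ends up pointing at the named symbol plus the `ADDS` immediate; this is how position-independent code in a `.so` forms data addresses.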