Part 18 – Debugging ADDS

For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/Reverse-Engineering-Tutorial

Let’s re-examine our code:

We again add 100 decimal into r1, 4,294,967,295 into r2. We then add r1 and r2 and place in r0.

Let's debug:

We again see adds which sets the flags in the CPSR. We have to remember when we debug in GDB, the value of the CPSR is in hex. In order to see what flags are set, we must convert the hex to binary. This will make sense as we start to debug and hack this example in the coming tutorials.

We need to remember that bits 31, 30, 29 and 28 in the CPSR indicate the following:

bit 31 - N = Negative Flag

bit 30 - Z = Zero Flag

bit 29 - C = Carry Flag

bit 28 - V = Overflow Flag

We see the CPSR at 10 hex. 10 hex in binary is 00010000.

Therefore, reading the binary value 00010000 against bits 31, 30, 29 and 28 (NZCV), that would mean:

Negative Flag NOT set

Zero Flag NOT set

Carry Flag NOT set

Overflow Flag set

There is nothing in the code above which sets the Overflow Flag; however, in its natural state upon executing this binary it is set.

Let's step through the program:

We see 64 hex or 100 decimal moved into r1 as expected. No change in the CPSR. Let's step some more.

We see the addition that transpires above and notice the value in r0 is 99 decimal after 100 decimal and 4294967295 decimal were added together. How is that possible? The answer is simple, we overflowed the 32-bit register of r0 from this addition.

If we examine the CPSR we now see 20000010 hex or 0010 0000 0000 0000 0000 0000 0001 0000 binary. We only have to focus on the most significant bits which are 0010:

Reading the binary value 0010 against bits 31, 30, 29 and 28 (NZCV), that means:

Negative Flag NOT set

Zero Flag NOT set

Carry Flag set

Overflow Flag NOT set

We see that the Carry Flag was set and the Overflow Flag was NOT set. Why is that?

The Carry Flag is set when two unsigned numbers are added and the result is too large for the register that holds it. We are dealing with a 32-bit register and with unsigned numbers, therefore the CF is set and the OF is not, as the OF deals with signed numbers.
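As an added illustration (not code from the tutorial or its repository), here is a small C model of how ADDS derives N, Z, C and V from a 32-bit sum, with a decoder for the NZCV nibble of a raw CPSR value as GDB prints it (the operands 100 and 4294967295 are the ones used above):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NZCV occupy bits 31..28 of the CPSR. */
#define CPSR_N (1u << 31)
#define CPSR_Z (1u << 30)
#define CPSR_C (1u << 29)
#define CPSR_V (1u << 28)

/* Emulate ADDS for 32-bit operands and return the NZCV bits positioned
 * as they appear in the CPSR; the truncated sum is written to *rd. */
uint32_t adds_emulate(uint32_t rn, uint32_t rm, uint32_t *rd)
{
    uint64_t wide = (uint64_t)rn + (uint64_t)rm;  /* 33-bit sum keeps the carry */
    uint32_t res  = (uint32_t)wide;               /* what actually fits in r0 */
    uint32_t nzcv = 0;

    if (res & 0x80000000u) nzcv |= CPSR_N;        /* sign bit of the result */
    if (res == 0)          nzcv |= CPSR_Z;
    if (wide >> 32)        nzcv |= CPSR_C;        /* carry out of bit 31: unsigned overflow */
    /* Signed overflow: operands share a sign that the result does not. */
    if ((~(rn ^ rm) & (rn ^ res)) & 0x80000000u) nzcv |= CPSR_V;

    *rd = res;
    return nzcv;
}

/* Decode the condition flags of a raw CPSR value such as 0x20000010.
 * Only bits 31..28 are flags; the low bits hold the mode field. */
const char *cpsr_flags(uint32_t cpsr)
{
    static char buf[5];
    buf[0] = (cpsr & CPSR_N) ? 'N' : '-';
    buf[1] = (cpsr & CPSR_Z) ? 'Z' : '-';
    buf[2] = (cpsr & CPSR_C) ? 'C' : '-';
    buf[3] = (cpsr & CPSR_V) ? 'V' : '-';
    buf[4] = '\0';
    return buf;
}

int main(void)
{
    uint32_t r0;
    uint32_t nzcv = adds_emulate(100u, 0xFFFFFFFFu, &r0);  /* r1 + r2 from the lesson */
    printf("r0 = %u, flags = %s\n", r0, cpsr_flags(nzcv | 0x10u));
    /* r0 = 99, flags = --C- */
    return 0;
}
```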

Next week we will dive into Hacking ADDS.
