Hacking C++ ARM 64 (Part 16 - Debugging Float Primitive Datatype)

Hacking C++ ARM 64 (Part 16 - Debugging Float Primitive Datatype)

For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/hacking_c-_arm64

Today we are going to debug our very simple float primitive datatype.

To begin let's open up our binary in Radare2.

radare2 ./0x05_asm64_float_primitive_datatype

Let's take advantage of Radare2's auto analysis feature.

aaa

The next thing we want to do logically is fire up the program in debug mode so it maps the raw machine code from disk to a running process.

ood

Now that we have a running instance we can seek to the main entry point of the binary.

s main

Let us take an initial examination by doing the following.

v

When dealing with floating point numbers in ARM64 we have to understand that we want to locate where the fmov instruction occurs where we take a value from our w0 register and move it into the floating point s0 register. Here is where all the magic happens!

Let us define a break point right below the fmov instruction. REMEMBER with ASLR your addresses will be different than this example.

[0x557931c9b4]> db 0x557931c9c8
[0x557931c9b4]> dc
[0x557931c9b4]> hit breakpoint at: 0x557931c9c8
[0x557931c9c8]> ds
[0x557931c9c8]> dr w0
0x4121999a
[0x557931c9c8]>

OK so we see this strange value which if you look at the code below, the lsl which is logical shift left, is moving the byte order of which we are using the movz and movk instructions which movz will move 0x999a into w0 and then the movk will move 0x4121, lsl 16 into w0 therefore putting 4121 at the higher order byte locations and the 999a at the lower order byte locations.

movz w0, 0x999a
movk w0, 0x4121, lsl 16
fmov s0, w0

We move our w0 register into s0 so we HAVE to change these values here before letting it get into s0 otherwise it will be significantly harder to hack in the next lesson.

Lets continue to show our value.

[0x557931c9c8]> dc
10.1
(237691) Process exited with status=0x0
[0x7fb948407c]>

In our next lesson we will hack this value!

要查看或添加评论,请登录

社区洞察

其他会员也浏览了