Hacking C++ ARM 64 (Part 16 - Debugging Float Primitive Datatype)
Kevin Thomas
Director of Test Automation and Author of the world’s most popular Reverse Engineering Tutorial
For a complete table of contents of all the lessons please click below, as it gives a brief overview of each lesson and the topics it covers. https://github.com/mytechnotalent/hacking_c-_arm64
Today we are going to debug our very simple float primitive datatype.
To begin let's open up our binary in Radare2.
radare2 ./0x05_asm64_float_primitive_datatype
Let's take advantage of Radare2's auto analysis feature.
aaa
The next thing we want to do logically is fire up the program in debug mode so it maps the raw machine code from disk to a running process.
ood
Now that we have a running instance we can seek to the main entry point of the binary.
s main
Let us take an initial examination by doing the following.
v
When dealing with floating point numbers in ARM64 we have to understand that we want to locate the fmov instruction, which takes the value in our general-purpose w0 register and moves it into the floating point s0 register. Here is where all the magic happens!
Let us define a breakpoint right below the fmov instruction. REMEMBER with ASLR your addresses will be different from this example.
[0x557931c9b4]> db 0x557931c9c8
[0x557931c9b4]> dc
[0x557931c9b4]> hit breakpoint at: 0x557931c9c8
[0x557931c9c8]> ds
[0x557931c9c8]> dr w0
0x4121999a
[0x557931c9c8]>
OK so we see this strange value. If you look at the code below, movz moves 0x999a into w0, and then movk with lsl 16 (logical shift left by 16 bits) moves 0x4121 into the upper 16 bits of w0, therefore putting 0x4121 at the higher order byte locations and 0x999a at the lower order byte locations, which gives us the 0x4121999a we just read out of w0.
movz w0, 0x999a
movk w0, 0x4121, lsl 16
fmov s0, w0
We move our w0 register into s0, so we HAVE to change these values here before letting them get into s0; otherwise it will be significantly harder to hack in the next lesson.
Let's continue to show our value.
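To make it clear why 10.1 shows up as 0x4121999a, here is an added Python example (not code from the lesson or its repository) that builds the same w0 value the way the movz/movk pair does, reinterprets those bits as a single-precision float the way fmov s0, w0 does, and breaks the pattern into its IEEE 754 sign, exponent and mantissa fields. It goes a little beyond the lesson in that emit_asm works for any float, not just 10.1; the function names are my own and the 10.1 / 0x4121999a pair is taken from the debugger output above.

```python
from __future__ import annotations
import struct

# Values taken from the lesson: the program's float is 10.1, and the
# debugger showed w0 holding 0x4121999a just before the fmov.
LESSON_VALUE = 10.1
LESSON_W0 = 0x4121999A


def float_to_w0(value: float) -> int:
    """Return the 32-bit IEEE 754 single-precision bit pattern of `value`,
    i.e. what the compiler has to materialise in w0 before `fmov s0, w0`."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def w0_to_float(bits: int) -> float:
    """Reinterpret a 32-bit pattern as a single-precision float. This is all
    `fmov s0, w0` does: no numeric conversion, just a bit-for-bit move."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def split_movz_movk(bits: int) -> tuple[int, int]:
    """Split a 32-bit pattern into the two 16-bit immediates the compiler
    uses: movz carries the low halfword, movk ..., lsl 16 the high halfword."""
    return bits & 0xFFFF, (bits >> 16) & 0xFFFF


def emit_asm(value: float) -> list[str]:
    """Produce the three-instruction sequence the lesson shows, for `value`."""
    low, high = split_movz_movk(float_to_w0(value))
    return [
        f"movz w0, {low:#x}",
        f"movk w0, {high:#x}, lsl 16",
        "fmov s0, w0",
    ]


def simulate(low: int, high: int) -> int:
    """Simulate w0 through the sequence: movz zeroes the register and writes
    the low halfword; movk keeps the other bits and overwrites bits 16..31."""
    w0 = low & 0xFFFF                            # movz w0, low
    w0 = (w0 & ~(0xFFFF << 16)) | (high << 16)   # movk w0, high, lsl 16
    return w0 & 0xFFFFFFFF


def decode_fields(bits: int) -> tuple[int, int, int]:
    """Return (sign, biased exponent, mantissa) so the 0x4121999a pattern
    can be read: sign 0, exponent 0x82 (2**3), mantissa 0x21999a."""
    return (bits >> 31) & 1, (bits >> 23) & 0xFF, bits & 0x7FFFFF


if __name__ == "__main__":
    print("\n".join(emit_asm(LESSON_VALUE)))
    low, high = split_movz_movk(LESSON_W0)
    print(f"w0 after movz/movk: {simulate(low, high):#x}")
    print(f"s0 as float:        {w0_to_float(LESSON_W0)}")
    print("sign/exp/mantissa:  ", [hex(x) for x in decode_fields(LESSON_W0)])
```

Running it prints the same three instructions you see in the disassembly and shows that the float read back from 0x4121999a is 10.100000381469727, the nearest single-precision value to 10.1, which is why the program prints 10.1. That round-trip is also a quick sanity check when you are staring at an unfamiliar hex constant in w0 and want to know what float it will become.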
[0x557931c9c8]> dc
10.1
(237691) Process exited with status=0x0
[0x7fb948407c]>
In our next lesson we will hack this value!