Blue Fox – Arm Assembly Internals and Reverse Engineering

MARIA MARKSTEDTER is the CEO and founder of Azeria Labs, offering high-quality training courses on Arm reverse engineering and exploitation. She has an extensive educational background, holding a Bachelor's degree in Corporate Security and a Master's degree in Enterprise Security, and has collaborated with Arm on exploit mitigation research. Maria's outstanding contributions to the cybersecurity industry have earned her a place on Forbes' "30 under 30" list for technology in Europe (2018) and the title of Forbes Person of the Year in Cybersecurity in 2020.

Introduction xxi Part I Arm Assembly Internals 1 Chapter 1 Introduction to Reverse Engineering 3 Introduction to Assembly 3 Bits and Bytes 3 Character Encoding 5 Machine Code and Assembly 6 Assembling 9 Cross- Assemblers 13 High- Level Languages 15 Disassembling 16 Decompilation 17 Chapter 2 ELF File Format Internals 21 Program Structure 21 High- Level vs. Low- Level Languages 22 The Compilation Process 24 Cross- Compiling for Other Architectures 25 Assembling and Linking 27 The ELF File Overview 30 The ELF File Header 31 The ELF File Header Information Fields 32 The Target Platform Fields 33 The Entry Point Field 34 The Table Location Fields 34 ELF Program Headers 34 The PHDR Program Header 36 The INTERP Program Header 36 The LOAD Program Headers 36 The DYNAMIC Program Header 37 The NOTE Program Header 37 The TLS Program Header 38 The GNU_EH_FRAME Program Header 38 The GNU_STACK Program Header 39 The GNU_RELRO Program Header 41 ELF Section Headers 43 The ELF Meta- Sections 45 The String Table Section 46 The Symbol Table Section 46 The Main ELF Sections 46 The .text Section 47 The .data Section 47 The .bss Section 47 The .rodata Section 47 The .tdata and .tbss Sections 48 Symbols 48 Global vs. Local Symbols 50 Weak Symbols 50 Symbol Versions 51 Mapping Symbols 51 The Dynamic Section and Dynamic Loading 52 Dependency Loading (NEEDED) 53 Program Relocations 54 Static Relocations 55 Dynamic Relocations 56 The Global Offset Table (GOT) 57 The Procedure Linkage Table (PLT) 57 The ELF Program Initialization and Termination Sections 58 Initialization and Termination Order 60 Thread- Local Storage 60 The Local- Exec TLS Access Model 65 The Initial- Exec TLS Access Model 65 The General- Dynamic TLS Access Model 66 The Local- Dynamic TLS Access Model 67 Chapter 3 OS Fundamentals 69 OS Architecture Overview 69 User Mode vs. Kernel Mode 70 Processes 70 System Calls 72 Objects and Handles 77 Threads 79 Process Memory Management 80 Memory Pages 82 Memory Protections 82 Anonymous and Memory- Mapped Memory 84 Memory- Mapped Files and Modules 84 Address Space Layout Randomization 87 Stack Implementations 90 Shared Memory 91 Chapter 4 The Arm Architecture 93 Architectures and Profiles 93 The Armv8- A Architecture 95 Exception Levels 96 Armv8- A TrustZone Extension 97 Exception Level Changes 99 Armv8- A Execution States 101 The AArch64 Execution State 102 The A64 Instruction Set 103 AArch64 Registers 104 The Program Counter 106 The Stack Pointer 107 The Zero Register 107 The Link Register 108 The Frame Pointer 109 The Platform Register (x18) 109 The Intraprocedural Call Registers 110 SIMD and Floating- Point Registers 110 System Registers 111 PSTATE 112 The AArch32 Execution State 114 A32 and T32 Instruction Sets 114 The A32 Instruction Set 114 The T32 Instruction Set 115 Switching Between Instruction Sets 115 AArch32 Registers 118 The Program Counter 119 The Stack Pointer 120 The Frame Pointer 120 The Link Register 121 The Intraprocedural Call Register (IP, r12) 121 The Current Program Status Register 121 The Application Program Status Register 122 The Execution State Registers 124 The Instruction Set State Register 124 The IT Block State Register (ITSTATE) 125 Endianness state 126 Mode and Exception Mask Bits 126 Chapter 5 Data Processing Instructions 129 Shift and Rotate Operations 131 Logical Shift Left 132 Logical Shift Right 133 Arithmetic Shift Right 133 Rotate Right 134 Rotate Right with Extend 134 Instruction Forms 135 Shift by a Constant Immediate Form 136 Shift by Register Form 138 Bitfield Manipulation Operations 140 Bitfield Move 141 Sign- and Zero- Extend Operations 145 Bitfield Extract and Insert 150 Logical Operations 153 Bitwise AND 153 The TST Instruction 154 Bitwise Bit Clear 155 Bitwise OR 155 Bitwise OR NOT 156 Bitwise Exclusive OR 158 The TEQ instruction 158 Exclusive OR NOT 159 Arithmetic Operations 159 Addition and Subtraction 159 Reverse Subtract 161 Compare 162 CMP Instruction Operation Behavior 163 Multiplication Operations 165 Multiplications on A64 166 Multiplications on A32/T32 167 Least Significant Word Multiplications 169 Most Significant Word Multiplications 171 Halfword Multiplications 173 Vector (Dual) Multiplications 176 Long (64- Bit) Multiplications 179 Division Operations 186 Move Operations 187 Move Constant Immediate 188 Move Immediate and MOVT on A32/T32 188 Move Immediate, MOVZ, and MOVK on A64 189 Move Register 190 Move with NOT 192 Chapter 6 Memory Access Instructions 195 Instructions Overview 195 Addressing Modes and Offset Forms 197 Offset Addressing 200 Constant Immediate Offset 201 Register Offsets 207 Pre- Indexed Mode 209 Pre- Indexed Mode Example 210 Post- Indexed Addressing 212 Post- Indexed Addressing Example 213 Literal (PC- Relative) Addressing 214 Loading Constants 215 Loading an Address into a Register 218 Load and Store Instructions 222 Load and Store Word or Doubleword 222 Load and Store Halfword or Byte 224 Example Using Load and Store 226 Load and Store Multiple (A32) 228 Example for STM and LDM 235 A More Complicated Example Using STM and LDM 237 Load and Store Pair (A64) 238 Chapter 7 Conditional Execution 243 Conditional Execution Overview 243 Conditional Codes 244 The NZCV Condition Flags 245 Signed vs. Unsigned Integer Overflows 246 Condition Codes 248 Conditional Instructions 249 The If- Then (IT) Instruction in Thumb 250 Flag- Setting Instructions 252 The Instruction "S" Suffix 253 The S Suffix on Add and Subtract Instructions 253 The S Suffix on Logical Shift Instructions 256 The S Suffix on Multiply Instructions 257 The S Suffix on Other Instructions 257 Test and Comparison Instructions 257 Compare (CMP) 258 Compare Negative (CMN) 260 Test Bits (TST) 261 Test Equality (TEQ) 264 Conditional Select Instructions 265 Conditional Comparison Instructions 268 Boolean AND Conditionals Using CCMP 269 Boolean OR Conditionals Using CCMP 272 Chapter 8 Control Flow 275 Branch Instructions 275 Conditional Branches and Loops 277 Test and Compare Branches 281 Table Branches (T32) 282 Branch and Exchange 284 Subroutine Branches 288 Functions and Subroutines 290 The Procedure Call Standard 291 Volatile vs. Nonvolatile Registers 293 Arguments and Return Values 293 Passing Larger Values 295 Leaf and Nonleaf Functions 298 Leaf Functions 298 Nonleaf Functions 299 Prologue and Epilogue 299 Part II Reverse Engineering 305 Chapter 9 Arm Environments 307 Arm Boards 308 Emulation with QEMU 310 QEMU User- Mode Emulation 310 QEMU Full- System Emulation 314 Firmware Emulation 315 Chapter 10 Static Analysis 321 Static Analysis Tools 322 Command- Line Tools 322 Disassemblers and Decompilers 322 Binary Ninja Cloud 323 Call- By- Reference Example 328 Control Flow Analysis 334 Main Function 336 Subroutine 336 Converting to char 341 if Statement 343 Quotient Division 345 for Loop 347 Analyzing an Algorithm 349 Chapter 11 Dynamic Analysis 363 Command- Line Debugging 364 GDB Commands 365 GDB Multiuser 366 GDB Extension: GEF 368 Installation 369 Interface 370 Useful GEF Commands 370 Examine Memory 374 Watch Memory Regions 376 Vulnerability Analyzers 377 checksec 379 Radare2 381 Debugging 382 Remote Debugging 385 Radare2 386 IDA Pro 388 Debugging a Memory Corruption 390 Debugging a Process with GDB 398 Chapter 12 Reversing arm64 macOS Malware 405 Background 406 macOS arm64 Binaries 407 macOS Hello World (arm64) 410 Hunting for Malicious arm64 Binaries 413 Analyzing arm64 Malware 419 Anti- Analysis Techniques 420 Anti- Debugging Logic (via ptrace) 421 Anti- Debugging Logic (via sysctl) 425 Anti- VM Logic (via SIP Status and the Detection of VM Artifacts) 429 Conclusion 435 Index 437