Part 31 – Hacking Float Variables

For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/Reverse-Engineering-Tutorial

Let’s re-examine our code.

  1. #include <iostream>
  2. int main(void) {
  3. int myNumber = 1337.1;
  4. std::cout << myNumber << std::endl;
  5. return 0;
  6. }

Part 31 – Hacking Float Variables - 图1

Let’s review last week’s tutorial.

Part 31 – Hacking Float Variables - 图2

Let’s break on main+20 and continue to that point.

Part 31 – Hacking Float Variables - 图3

Let’s examine what value is inside r11-8. We clearly see it is 1337.09998 which approximates our value in our original c++ code. Keep in mind a float has roughly 7 decimal digits of precision and that is why we do not see 1337.1 so please remember that as we go forward.

Part 31 – Hacking Float Variables - 图4

We can also see this value in high memory.

Part 31 – Hacking Float Variables - 图5

Let’s break on main+28 and continue.

Part 31 – Hacking Float Variables - 图6

We see a strange new instruction. We see vldr and the value within r11, #8 being moved into s0. So what is s0? We have a math co-processor which has a series of additional registers that work with decimal or floating-point numbers. Here we see an example of such to which the value of 1337.09998 is being moved into s0. The vldr instruction loads a constant value into every element of a single-precision or double-precision register such as s0.

Part 31 – Hacking Float Variables - 图7

We can only see these special registers if we do a info registers all command as we do below.

Part 31 – Hacking Float Variables - 图8

Below we see the value now being moved into s0.

Part 31 – Hacking Float Variables - 图9

Let’s hack!

Part 31 – Hacking Float Variables - 图10

Let’s now look at the registers and see what has transpired.

Part 31 – Hacking Float Variables - 图11

Part 31 – Hacking Float Variables - 图12

As you can see we have hacked the value (less the precision issue of the float variable accurate up to 6 decimal places)!

Part 31 – Hacking Float Variables - 图13

Finally as we continue we see our hacked value echoed back out to the terminal when the c++ cout function executes.

Next week we will dive into Double Variables.