Part 18 – Debugging ADDS
For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/Reverse-Engineering-Tutorial
Let’s re-examine our code:
We again move 100 decimal into r1 and 4,294,967,295 into r2. We then add r1 and r2 and place the result in r0.
Let's debug:
We again see adds, which sets the flags in the CPSR. We have to remember that when we debug in GDB, the value of the CPSR is shown in hex. In order to see which flags are set, we must convert the hex to binary. This will make sense as we start to debug and hack this example in the coming tutorials.
We need to remember that bits 31, 30, 29 and 28 in the CPSR indicate the following:
bit 31 - N = Negative Flag
bit 30 - Z = Zero Flag
bit 29 - C = Carry Flag
bit 28 - V = Overflow Flag
We see the CPSR at 10 hex. 10 hex in binary is 0001.
Therefore, if the value of bits 31, 30, 29 and 28 (NZCV) in binary was 0001, that would mean:
Negative Flag NOT Set
Zero Flag NOT Set
Carry Flag NOT Set
Overflow Flag Set
There is nothing in the code above which sets the Overflow Flag; however, in its natural state upon executing this binary it is set.
Let's step through the program:
We see 64 hex or 100 decimal moved into r1 as expected. No change in the CPSR. Let's step some more.
We see the addition that transpires above and notice the value in r0 is 99 decimal after 100 decimal and 4294967295 decimal were added together. How is that possible? The answer is simple: the addition overflowed the 32-bit register r0.
If we examine the CPSR we now see 20000010 hex or 0010 0000 0000 0000 0000 0000 0001 0000 binary. We only have to focus on the most significant bits, which are 0010:
The value of bits 31, 30, 29 and 28 (NZCV) in binary is 0010, which means:
Negative Flag NOT Set
Zero Flag NOT Set
Carry Flag SET
Overflow Flag NOT Set
We see that the Carry Flag was set and the Overflow Flag was NOT set. Why is that?
The Carry Flag is set when two unsigned numbers are added and the result is larger than the 32-bit register that holds it: 100 + 4294967295 = 4294967395, which does not fit in 32 bits, so only the low 32 bits (99) remain in r0 and the carry out is recorded in the CF. We are dealing with unsigned numbers, therefore the CF is set and the OF is not, as the OF deals with signed numbers. Interpreted as signed, 4294967295 is -1, and 100 + (-1) = 99 fits comfortably, so no signed overflow occurs.
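The flag update described above, worked through in Python as an added example (this is not code from the tutorial): it models how ADDS computes N, Z, C and V on 32-bit operands, decodes a CPSR value as GDB prints it into its NZCV bits, and also covers the signed-overflow case the text contrasts with the carry case.

```python
# Added example: model ARM ADDS flag setting and decode CPSR values from GDB.
MASK32 = 0xFFFFFFFF


def adds(a, b):
    """Simulate ADDS: return (32-bit result, {N, Z, C, V}) for a + b."""
    a &= MASK32
    b &= MASK32
    full = a + b                       # arbitrary-precision sum
    result = full & MASK32             # what actually lands in r0
    n = (result >> 31) & 1             # bit 31 of the result
    z = int(result == 0)
    c = int(full > MASK32)             # unsigned carry out of bit 31
    # Signed overflow: both operands have the same sign, result sign differs.
    sa, sb, sr = a >> 31, b >> 31, result >> 31
    v = int(sa == sb and sr != sa)
    return result, {"N": n, "Z": z, "C": c, "V": v}


def decode_cpsr(cpsr):
    """Extract the NZCV bits (31..28) and the mode field (bits 4..0) of a CPSR."""
    return {
        "N": (cpsr >> 31) & 1,
        "Z": (cpsr >> 30) & 1,
        "C": (cpsr >> 29) & 1,
        "V": (cpsr >> 28) & 1,
        "mode": cpsr & 0x1F,           # 0b10000 is User mode
    }


def to_signed(x):
    """Reinterpret a 32-bit unsigned value as two's-complement signed."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


if __name__ == "__main__":
    r1, r2 = 100, 4294967295           # the operands from the tutorial
    r0, flags = adds(r1, r2)
    print(f"adds r0, r1, r2 -> r0 = {r0} (0x{r0:08x}), flags = {flags}")
    print(f"signed view: {to_signed(r1)} + {to_signed(r2)} = {to_signed(r0)}")
    # The two CPSR values observed in the GDB session.
    for cpsr in (0x10, 0x20000010):
        print(f"CPSR 0x{cpsr:08x} -> {decode_cpsr(cpsr)}")
    # Contrast: a signed overflow with no unsigned carry.
    print("0x7FFFFFFF + 1 ->", adds(0x7FFFFFFF, 1))
```

Running it reproduces r0 = 99 with C set and V clear, and shows that 0x7FFFFFFF + 1 flips V instead.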
Next week we will dive into Hacking ADDS.