8

I am disassembling and reverse engineering the logic of an assembly routine written in ARMv7 (hope I'm using the right terminology, as I'm a newbie for this particular processor).

In doing so, I came across this site: Introduction to ARM. In order to determine how much code I need to disassemble, first, I need to determine the length of the code. It is my understanding that I only need to look for Bxx (branch) instructions and instructions that alter the PC (program counter), for example,

  • MOV PC, r14
  • POP {r4, r5, pc}

Can someone please advise if I have missed out any instructions that I need to look out for? Thank you.

perror
chuacw

2 Answers

7

Here's what IDA considers a return in ARM:

  • RET (=MOV PC, LR)
  • POP {reglist} if reglist includes LR or PC
  • LDMFD SP, {reglist}, LDMED SP, {reglist} or LDMDB R11, {reglist} if reglist includes LR or PC
  • LDR PC, [SP], #4
  • BX LR
  • BX reg if preceded by POP {reglist} and reglist includes reg.
Igor Skochinsky
2

In fact, there may be something like:

.text:00192CB6                 POP             {R4}
.text:00192CB8                 B.W             sub_268508
.text:00192CB8 ; End of function XXX::YYY::zZz(void)

IIRC I have also seen conditional branches leading outside of what I would expect to be function boundaries, but I cannot find any example now.
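As an added example (not code from the question or from either answer), the Python below decodes A32 instruction words (ARM state, 32-bit encodings only; Thumb/Thumb-2 encodings such as the B.W in the listing above are deliberately not handled) and flags the instructions the two answers list as function terminators: MOV PC, LR, BX LR, POP/LDM with PC in the register list, LDR PC, [SP], #4, and an unconditional B used as a tail call. It also shows the caveat from the second answer in working form: a forward conditional branch can skip past an unconditional exit, so the linear sweep only accepts an exit that lies at or beyond the furthest forward branch target seen so far. The sample function and the name `find_function_end` are constructed for this example; the encodings are taken from the ARM architecture reference (the BEQ immediate is interpreted with the usual PC+8 pipeline offset).

```python
# Added example (not from the original question or answers): decode A32
# (ARM-state, 32-bit) instruction words and flag the ones that can end a
# function.  Thumb/Thumb-2 encodings are NOT handled.  Media/SIMD encodings
# (bit 25 and bit 4 set in the load/store space) are not distinguished either.
from enum import Enum

SP, LR, PC = 13, 14, 15
COND_AL, COND_NV = 0xE, 0xF   # 0xF is the "unconditional" encoding space (BLX imm, ...)


class Kind(Enum):
    CALL = "call"          # BL / BLX: execution comes back, function continues
    RETURN = "return"      # MOV PC,LR; BX LR; POP {..,pc}; LDM with PC; LDR PC,[SP],...
    BRANCH = "branch"      # B, or BX with a register other than LR: ends function only if unconditional
    PC_WRITE = "pc-write"  # any other write to PC (jump table, computed jump)
    OTHER = "other"


def bits(word, hi, lo):
    """Extract bits hi..lo (inclusive) of a 32-bit word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def classify(word):
    """Return (Kind, conditional) for one A32 instruction word."""
    cond = bits(word, 31, 28)
    conditional = cond not in (COND_AL, COND_NV)
    if bits(word, 27, 4) == 0x12FFF1:                           # BX Rm
        return (Kind.RETURN if bits(word, 3, 0) == LR else Kind.BRANCH), conditional
    if bits(word, 27, 4) == 0x12FFF3:                           # BLX Rm
        return Kind.CALL, conditional
    if bits(word, 27, 25) == 0b101:                             # B / BL / BLX imm
        if cond == COND_NV or bits(word, 24, 24):
            return Kind.CALL, conditional
        return Kind.BRANCH, conditional
    if cond == COND_NV:                                         # other unconditional-space ops
        return Kind.OTHER, False
    if bits(word, 27, 26) == 0b00:                              # data processing
        opcode, rd = bits(word, 24, 21), bits(word, 15, 12)
        if 0b1000 <= opcode <= 0b1011:                          # TST/TEQ/CMP/CMN or misc space: no Rd
            return Kind.OTHER, conditional
        if rd == PC:
            is_mov_reg = opcode == 0b1101 and bits(word, 25, 25) == 0 and bits(word, 11, 4) == 0
            if is_mov_reg and bits(word, 3, 0) == LR:           # MOV PC, LR
                return Kind.RETURN, conditional
            return Kind.PC_WRITE, conditional                   # e.g. ADD PC, PC, R0, LSL #2
        return Kind.OTHER, conditional
    if bits(word, 27, 26) == 0b01 and bits(word, 20, 20) == 1:  # LDR / LDRB
        if bits(word, 15, 12) == PC:
            rn = bits(word, 19, 16)
            return (Kind.RETURN if rn == SP else Kind.PC_WRITE), conditional
        return Kind.OTHER, conditional
    if bits(word, 27, 25) == 0b100 and bits(word, 20, 20) == 1:  # LDM (POP is LDMIA SP!)
        if bits(word, 15, 15):                                  # PC is in the register list
            return Kind.RETURN, conditional
        return Kind.OTHER, conditional
    return Kind.OTHER, conditional


def branch_target_index(index, word):
    """Target of the B/BL at word `index`: imm24*4 plus the PC+8 pipeline offset, in words."""
    imm24 = bits(word, 23, 0)
    if imm24 & 0x800000:
        imm24 -= 1 << 24
    return index + imm24 + 2


EXITS = {Kind.RETURN, Kind.BRANCH, Kind.PC_WRITE}


def find_function_end(words):
    """Linear sweep from a function entry; returns the index of the terminating
    instruction or None.  A forward conditional branch extends the function at
    least to its target, so an unconditional exit before that target is just
    one path out, not the end."""
    furthest_target = 0
    for i, word in enumerate(words):
        kind, conditional = classify(word)
        is_b = bits(word, 27, 25) == 0b101 and not bits(word, 24, 24)
        if conditional and is_b:                                # B<cond>
            furthest_target = max(furthest_target, branch_target_index(i, word))
        if kind in EXITS and not conditional and i >= furthest_target:
            return i
    return None


# Constructed sample function (A32 words, as read from a little-endian image),
# mirroring the POP-then-B tail-call shape from the answer above:
SAMPLE = [
    0xE92D4010,  # PUSH {R4, LR}
    0xE1A04000,  # MOV  R4, R0
    0xEB000010,  # BL   helper              (call: function continues)
    0xE3500000,  # CMP  R0, #0
    0x0A000002,  # BEQ  +16 -> index 8      (skips the tail call on one path)
    0xE1A00004,  # MOV  R0, R4
    0xE8BD4010,  # POP  {R4, LR}
    0xEAFFFFF0,  # B    other_func          (unconditional exit, but BEQ target lies beyond)
    0xE8BD8010,  # POP  {R4, PC}            (return: the real end)
]

if __name__ == "__main__":
    for i, w in enumerate(SAMPLE):
        print(f"{i}: {w:08X} {classify(w)}")
    print("function ends at word index", find_function_end(SAMPLE))
```

Run it as a script to see each word's classification and the computed end (index 8, i.e. 9 words / 36 bytes). If the BEQ were removed, the sweep would stop at the B at index 7, which is exactly the shape in the listing above; in real binaries, jump tables (the PC_WRITE case) and branches whose targets are only known from relocation or data still need a recursive-descent pass rather than this linear sweep.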