Reverse Engineering ARM binaries

Synopsis

Like any language, Assembly consists of a vast vocabulary, with a fairly simple grammar. And, as with our languages, a relatively small and manageable subset of "words" (instructions) can help achieve every day fluency in it. This course aims to do just that - offering its participants a chance to learn in a bootcamp style course with many hands on exercises. All ARM "dialects" (ARM32, Thumb and ARM64) are discussed, with a heavy leaning towards ARM64, the architecture of the future. The unique approach is demonstrating these assemblies all at the same time, side by side - gaining immediate understanding of the common commands, and juxtaposing similarities and differences. Commands are inspected in both binary encoding and mnemonic form, and the logic behind them is explained in emticulous detail.

Target Audience

Developers wishing to go below the C/C++ level and understand the low level assembly of their code. Reverse Engineers who face object dumps and want to learn how to make sense of them

Prerequisites

Solid knowledge of C-level code, as most examples are coded in C before subjected to assembler.
Working with a debugger (GDB or LLDB)
Familiarity with Intel (i386 or x86_64) assembly helpful, but not required.

Objectives

Describe the ARM family of processors, and their features
Gain moderate familiarity understanding of the ARMv7 ARM32 and Thumb instruction set
Gain a solid understanding and fluency in the commonly used instructions of the ARMv8 instruction set
Understand the new features introduced in ARMv8.1, ARMv8.2 and ARMv8.3

Exercises

Nearly every module in this course has exercises, involve a bit of assembly coding and a lot of reversing. Participants are welcome to use a disassembler of their choice (IDA, Binary Ninja, Hopper, etc), or use the free tools provided in the class.

Modules

1.	Some Assembly Required
	4 hours

What does a processor look like, at the assembly level? In particular, how is ARM assembly treating CPU registers, coprocessors, special registers, and more?

The logical view of a CPU
Core Registers - ARM32's r0-r15, ARM64's X0-X31
The Stack and Frame Pointers
The CPSR and PSTATE registers
ARM32 Processor modes and ARM64 Exception Levels
State transitions - SMC, HVC and SMC
ARM vs. x86
Instruction groups and encoding principles

2.	Register this
	1 hours

Basic vocabulary of ARMv7 32, Thumb, and ARMv8 architectures - Part I - using registers

MOV and variants
ADD and variants
LDR and variants

Exercises include:

Creating a small calculator in C and inline assembly

3.	Go with the Flow
	1 hours

Basic vocabulary of ARMv7 32, Thumb, and ARMv8 architectures - Part II - Flow control

CMP, TST
ARM32 conditional instructions
Conditional branches
Switch statements - sparse and dense
Function calls
VTable and register based calls

Exercises include:

Decompiling a sample program

4.	Float away
	1 hours

Float, Double, and Vector instructions

Floating point registers
Vector instructions
Use in memory optimizations

Day 2

5.	Systematic view
	2 hours

Explanation of the system call ABI and calling conventions on several architectures, including

Android 32/64-bit
iOS 32-bit (legacy) and 64-bit

Exercises include:

Disassembling libC and libSystem
Implementing a raw syscall wrapper

6.	All hands on deck
	4 hours

Reversing a few case study binaries back to C source

Exercises include:

Multiple binaries as case study samples

7.	ROP/JOP
	1 hours

The module examines two specific exploitation techniques which rely on careful manipulation of assembly commands.

Shellcodes
Return Oriented Programming
Jump Oriented Programming

Day 3

8.	PACa PACa
	2 hours

Architectural extensions of ARMv8.1-ARMv9

ARMv8.1 Atomics & PAN
ARMv8.2 UAO and Hypervisor extensions
ARMv8.3 PAC (Pointer Authentication)
ARMv8.5 MTE (Memory Tagging Extensins)
ARMv9 extensions

Exercises include:

Compilation into specific extension and analyzing resulting assembly

9.	Advanced Topics
	8 hours

Instructions only available in supervisor mode (SVC/EL1) or higher

Special registers (TTBR, ESR, VBAR, and more)
Exception handling in ARMv7 and ARMv8
Memory paging - an introduction
Trustzone - an introduction

Home

Training

Consulting

Products (NEW)

Contact Us

Frequently Asked Questions