IOS underlying principles + reverse article summary
In reverse development, a very important link is static analysis, as we all know, the App installed on the phone is essentially a binary file, and static analysis is based on the analysis of binary. Therefore, before learning the reverse, you need to understand the relevant assembly knowledge in advance
The development of assembly language
Machine language
Is a machine instruction consisting of zeros and ones that represents a specific function, as shown below
Add: 0100 0000 minus: 0100 1000 times: 1111 0111 1110 0000 divided by: 1111 0111 1111 0000Copy the codeAssembly Language
Since it is not easy to remember when using machine language, mnemonics are used instead of machine language, such as addition, subtraction, multiplication and division using mnemonics
Plus: INC EAX via compiler 0100 0000 minus: DEC EAX via compiler 0100 1000 times: MUL EAX via compiler 1111 0111 1110 0000 divided by: DIV EAX via compiler 1111 0111 1111 0000Copy the codeHigh level Programming Language
In the later stage, in order to more efficient programming, on the basis of assembly language, there are more high-level languages, such as C/C++/Java/OC/Swift, etc., which are more close to human natural languages. For example, the C language represents the addition, subtraction, multiplication and division
Plus: A+B via the compiler 0100 0000 minus: a-b via the compiler 0100 1000 times: A*B via the compiler 1111 0111 1110 0000 divided by: A/B via the compiler 1111 0111 1111 0000Copy the codeThis is how the final code is displayed on the terminal device
- 1.
Assembly languagewithMachine languageIs a one-to-one correspondence, each machine instruction has a corresponding assembly instruction - 2,
Assembly languageCan be achieved bycompilegetMachine language.Machine languageCan be achieved byThe disassemblygetAssembly language - 3,
A high-level languageCan be achieved bycompilegetAssembly language/machine language, but assembly/machine language is almost impossible to restore to a high-level language (because different devices correspond to different CPU architectures, which correspond to different instruction sets).
Features of assembly language
Assembly language has the following features:
-
1, can directly access, control a variety of hardware devices, such as memory, CPU, etc., can maximize the function of the hardware
-
2. Complete control over the generated binary code is not restricted by the compiler
-
3, the object code is concise, takes up less memory, fast execution
-
4, assembly instructions are machine instructions mnemonic, with a pair of machine instructions. Each CPU has its own machine instruction set/assembly instruction set, so assembly language is not portable
-
5. The knowledge is too much and the requirements are too high. Developers need to have an understanding of the hardware structure such as CPU, which is not easy to write, debug, and maintain
-
6. Case insensitive, for example, mov and MOV are the same
Assembly language uses
By rights, compilation is so difficult, why still learn, and learn what can do?
The purpose of assembly learning
Any high-level language will eventually be compiled into assembly. Learning the relevant knowledge of assembly can help us better investigate problems and understand the underlying operation mechanism in daily development, learning and exploration. Roughly divided into the following points:
- 1, is the best starting point and the most effective way to understand the entire computer system
- Lay the foundation for writing efficient code
- 3. Understand the nature of the code.
- What is the nature of the function?
- How is the ++ A layer implemented?
- What exactly does the compiler do for us at the bottom?
- What are the differences between DEBUG mode and RELEASE mode that we ignore?
Assembles the scenarios used
- 1, can
Write drivers, operating systemsFor example, some keywords of the Linux kernel - 2, high performance requirements of the program or code snippets, can
Mixed with high-level languages(Called inline assembly) - 3, is used to
Software Security- Virus analysis and prevention
- Reverse, shell, shell, crack, plug-in, do not kill, encryption and decryption, hackers, etc
So to sum up, assembly is a very important language for all programming monkeys to understand, which is why the required courses for students majoring in computer science in universities are like building a house. It takes a firm foundation to build a tall building.
Types of assembly languages
At present, the most discussed marriage languages are as follows
- 1, 8086 assembly (8086 processor is 16bit CPU)
- 2. Win32 assembly
- 3, Win64 assembly
- 4. ARM Assembler (Embedded, Mac, iOS)
- .
In the iPhone, ARM assembler is used, but it can vary from device to device depending on the CPU architecture. Here are the corresponding devices for each architecture in the iPhone
| architecture | equipment |
|---|---|
| armv6 | IPhone, iPhone2, iPhone3G, first generation, second generation iPod Touch |
| armv7 | iPhone3GS, iPhone4, iPhone4S,iPad, iPad2, iPad3(The New iPad), iPad mini, iPod Touch 3G, iPod Touch4 |
| armv7s | iPhone5, iPhone5C, iPad4(iPad with Retina Display) |
| arm64 | IPhone5S after iPhoneX, iPad Air, iPad mini2 |
For common sense
To learn assembly well, you need to have the following cognition
-
1. First, you need to understand the hardware architecture such as CPU
-
2. Execution process of App/ program
- 3, the most important hardware related is CPU/ memory
- 4. In assembly, most instructions are CPU/ memory related
The bus
The bus is the bridge between the CPU and memory, as shown in the image below is the A11 (CPU chip) on the iPhone X.
Bus: a collection of wires
Bus classificationBuses are divided into three categories, as shown in the figure below:
-
1, address bus: THE CPU is through the address bus to specify the storage unit
-
2. Data bus: data transfer channel between CPU and memory/other components
-
3. Control bus: THE CPU controls external devices through the control bus
For example, the CPU reads data from unit 3 of the memory
-
1, the CPU wants to manipulate the data in memory, first needs to find the memory address: the CPU through the address bus, the address 3 to memory, that is, addressed to the memory unit 3
-
2, need to operate the data of 3 units, also need to determine whether to read or write: THE CPU through the control bus to tell memory the operation needs to be performed, suppose it is read
-
3. The memory knows what the CPU wants to do: the memory passes the data in unit 3 to the CPU through the data line
The address bus
-
Its width determines the addressing capability of the CPU, that is, the address bus determines the maximum memory space that the CPU can access. For example, the maximum memory that 10 address lines can access is 2^10 = 1024 bits of binary data (i.e. 1B).
-
The address bus is the sum of the number of address lines
-
The 8086 address bus is 20 wide, so the addressing capability is 1M (i.e. 2^20).
-
The memory address unit is byte (abbreviated as B), each byte can hold 8 bits (bit), the following is a memory bar diagram
Make a distinction between units of quantity and units of capacity
- Quantity unit: 1M= 1024K, 1K =1024
- Capacity unit: Byte (B) 1024B=1KB, 1024KB=1MB. The unit of the independent system of IBM bank is 2 bytes, and that of the commonly used computer is 1 Byte
- Network bandwidth 100M=100Mbpt (bits, 12.5MB/s)
The data bus
-
Its width determines the number of data transfers per CPU (throughput), which is also the data transfer speed between the CPU and the outside world
-
Each data line can only transmit one bit of binary data at a time. For example, 8 data lines can transmit one 8-bit binary data (that is, 1 byte of data) at a time.
-
A data bus is the sum of the number of data lines
-
The data bus width of the 8086 is 16, so a maximum of 2 bytes of data can be passed at a time
We often talk about 32-bit (4 bytes) and 64-bit (8 bytes) CPUS, where 32 and 64 refer to data throughput
Control bus
-
Its width determines the ability of the CPU to control other devices, how many kinds of control, that is, the ability of the CPU to control external devices
-
The control bus is the sum of the number of control lines
memory
-
The CPU is connected to the hardware through a bus
-
Memory has RAM main memory, RAM main memory (memory bar)
- The following figure shows the memory divided by physical address. There are main memory, video memory address, video card address, and network card address
Where in memoryLower addressIs to giveThe user to useThe,High addressIs to giveThe system use, as shown below
-
The size of the memory address space is limited by the width of the CPU address bus. The 8086 address bus has a width of 20 and can locate 2^20 different memory cells (memory address range 0x00000 to 0xFFFFF), so the memory space size of the 8086 is 1MB
-
0x00000 to 0x9FFFF: Primary memory, readable and writable
-
0xA0000 to 0xBFFFF: Write data to the video memory. The data will be output by the video card to the monitor and can be read and written
-
0xC0000~0xFFFFF: Stores various hardware/system information and is read-only
Into the system
Each base is perfect, and we usually think about other bases based on the decimal system, always converting to the decimal system first, and then converting to the other bases, which is wrong. So to learn the base system well, you need to first forget the decimal system, and then forget the conversion between bases
The definition of the base
- Octal consists of eight symbols: 0 1 2 3 4 5 6 7
Every eight into one - The decimal system consists of 10 symbols: 0 1 2 3 4 5 6 7 8 9
Dot into one - Base N is composed of N symbols: every N carries one
<! -- Exercise --> -1 +1 = 3 <! The decimal system consists of 10 symbols: 0 1 3 2 8 A B E S 7 decimal 1 If the decimal system is defined so that 1+1 equals 3 <! Traditional decimal is not the same as custom decimal. If you don't tell someone about the symbol table, they can't get the specific data. This application scenario is mainly used for encryptionCopy the codeBase operations
Octal addition table
0 12 3 4 5 6 7 10 11 12 13 14 15 16 17 20 21 22 23 24 25 26 27... 1+1 = 2 1+2 = 3 2+2 = 4 1+3 = 4 2+3 = 5 3+3 = 6 1+4 = 5 2+4 = 7 4+4 = 10 1+5 = 6 2+5 = 7 3+4 = 10 4+5 = 11 5+5 = 5 12 1+6 = 7 2+6 = 10 3+6 = 11 4+6 = 12 5+6 = 13 6+6 =14 1+7 = 10 2+7 = 11 4+7 = 13 5+7 =14 6+7 =15 7+7 = 16Copy the codeOctal multiplication table
0 12 3 4 5 6 7 10 11 12 13 14 15 16 17 20 21 22 23 24 25 26 27... 1*1 = 11 *2 = 2 2*2 = 4 1*3 = 3 2*3 = 6 3*3 = 11 1*4 = 4 2*4 = 10 3*4 = 14 4*4 = 20 1*5 = 5 2*5 = 12 3*5 = 17 4*5 = 24 5*5 = 31 1*6 = 6 2*6 = 14 3*6 = 22 4*6 = 30 5*6 = 36 6*6 = 44 1*7 = 7 2*7 = 16 3*7 = 25 4*7 = 34 5*7 = 43 6*7 = 52 7*7 = 7 61Copy the codeDo a practice
- 2 + 3 = __, 2 * 3 = __,4 + 5 = __,4 * 5 = __.
- 277 + 333 = __, 276 * 54 = __, 237-54 = __, 234/4 = __.
We can draw a good conclusion from the calculation of the first row, but how to calculate the second row when the data involved is large? Take 277+333 as an example, and the calculation process is as follows
Four operational operations
277 236 276 234 + 333-54 * 54/4 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 47 + 1666 632 162 1370Copy the codeShort for binary
Binary: 1011 1011 100 Three binary groups: 101 110 111 100 Octal: 5 6 7 4 Four binary groups: 1011 1011 1100 Hexadecimal: B b CCopy the codeUsing binary to write from 0 to 1111: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 So let’s change it to A simpler notation 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 A, B, C, D, E, F so that’s hexadecimal
Width of data
In mathematics, there is no limit to the size of a number. It can be infinitely large. However, in computers, due to hardware constraints, data has a length limit (called the data width), and data beyond the maximum width is discarded
#import <UIKit/UIKit.h> #import "AppDelegate.h" int test(){ int cTemp = 0x1FFFFFFFF; return cTemp; } int main(int argc, char * argv[]) { printf("%x\n",test()); @autoreleasepool { return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); }}Copy the codeBreakpoint debugging results are as follows, you can find 1 overflow
Debug-Debug Workflow-ViewMemoryEnter the address to view
A data width common in computers
(Bit): one bit is one binary bit, that is, 0 or 1Byte: A Byte consists of eight bits. It is the smallest Byte unit in memoryWord (Word): A word consists of two bytes (16 bits), the second byte is called the high byte and the low byte respectivelyDoubleWordA double word consisting of two words (32 bits)
So the computer stores the data and it divides it intoA signed numberandUnsigned number, as shown in the figure below
- Unsigned numbers, direct conversion
- A signed number. The sign is placed in the first digit. The first digit is 0, which is a positive number, or 1, which is a negative number:
- Positive numbers: 0 1 2 3 4 5 6 7
- Negative: F E D B C A 9 8 indicates: – 1-2-3-4-5-6-7-8
Custom base notation
Exercise 1: now there are 10 numbers in base 10. The 10 symbols are: 2,9,1,7,6,5,4, 8,3, A on 10. Then: 123 + 234 = ____ (AA6)
Decimal: 0 1 2 3 4 5 6 7 8 9 Custom: 2 91 76 5 4 8 3 A (decimal 10)92 99 91 97 96 95 94 98 93 9A 12 19 11 17 16 15 14 18 13 1A 72 79 71 77 76 75 74 78 73 7A 62 69 61 67 66 65 64 68 63 6A 52 59 51 57 56 55 54 58 53 5A 42 49 41 47 46 45 44 48 43 4A 82 89 81 87 86 85 84 88 83 8A 32 39 31 37 36 35 34 38 33 3A 922 (00)2 (01)9 (02)1 (03)7 (04)6 (05)5 (06)4 (07)8 (08)3 (09)A (10)92 (11)99 (12)91 (13)97 (14)96 (15)95 (16)94 (17)98 (18)93 (19)9A (20)12 (21)19 (22)11 (23)17 (24)16 (25)15 (26)14 (27)18 (28)13 (29)1A (30)72 (31)79 (32)71 (33)77 (34)76 (35)75 (36)74 (37)78 (38)73 (39)7A (40)62 (41)69 (42)61 (43)67 (44)66 (45)65 (46)64 (47)68 (48)63 (49)6A (50)52 59 51 57 56 55 54 58 53 5A (60)42 49 41 47 46 45 44 48 43 4A (70)82 89 81 87 86 85 84 88 83 8A (80)32 39 31 37 36 35 34 38 33 3A (90)922Copy the codeJust through the 10 base operation can be converted, and then look up the table, but if it is other bases, you can not convert, learn to directly look up the table
Exercise 2: now there are 9 bases: 2, 9, 1, 7, 6, 5, 4, 8,3 in 9, so: 123 + 234 = ____(9926)
Decimal: 0 1 2 3 4 5 6 7 8 Custom: 2 91 76 5 4 8 3 92 99 91 97 96 95 94 98 93 12 19 11 17 16 15 14 18 13 72 79 71 77 76 75 74 78 73 62 69 61 67 66 65 64 68 63 52 59 51 57 56 55 54 58 53 42 49 41 47 46 45 44 48 43 82 89 81 87 86 85 84 88 83 32 39 31 37 36 35 34 38 33 922 (00) 2 (01) 9 (02) 1 (03) 7 (4) 6 (05) 5 (6) 4 (07) 8 (08) 3 (10), 92 (11), 99 (12), 91 (13), 97 (14) (15) (16) 94 95 96 98 (18) 93 (17) (20)12 19 11 17 16 15 14 18 13 (30)72 79 71 77 76 75 74 78 73 (40)62 69 61 67 66 65 64 68 63 (50)52 59 51 57 56 55 54 58 53 (60)42 49 41 47 46 45 44 48 43 (70)82 89 81 87 86 85 84 88 83 (80)32 39 31 37 36 35 34 38 33 (90)922Copy the codeCPU & Register
The internal components are connected by a bus, as shown in the figure below
-
CPU in addition to the controller, arithmetic, and registers, registers are used for temporary storage of data
-
The CPU’s computing speed is very fast. For the sake of performance, the CPU creates a small temporary storage area inside the CPU and copies the data from memory to this small temporary storage area before the operation. The operations take place in this small area of temporary storage called a register
For arm64 cpus,
-
If the register starts with x, it is a 64-bit register
-
If the register starts with W, it is a 32-bit register
There are no 16-bit and 32-bit registers available for access and use in the system, where the 32-bit register is the lower 32-bit part of the 64-bit register and does not exist independently
-
To the programmer, the most important component in the CPU is the registers, and you can control the CPU by changing the contents of the registers
-
The number and structure of registers are different for different cpus
Floating point and vector registers
Because the floating-point number storage and its operation is special, the CPU specifically provides the floating-point register to deal with the floating-point number
- Floating point register
64-bit: D0-D3132-bit: S0-S31
Now CPU support vector operations (vector operations in graphics processing related areas are used a lot), for support vector computation, the system also provides a number of vector registers
- Vector register 128 bits:
V0 - V31
General purpose register
- The general purpose register is also called
Data address register. Is usually used toDo data calculation of temporary storage, accumulation, counting, address preservation and other functions. These registers are defined to hold operands in CPU instructions and are used as regular variables in the CPU - Arm64 have
32 64-bit general purpose registers X0-X30, and XZR (zero register). These general purpose registers sometimes serve a specific purpose- Then the 32-bit w0-W28, since 64-bit cpus are compatible with 32-bit, can only use the lower 32 bits of the 64-bit register
- For example, w0 is the lower 32 bits of x0
Note: As any 8086 assembler must know, there is also a special register segment register: CS, DS, SS, ES. These four registers are used to store the base addresses of these segments, which belong to Intel cpus and are not found in ARM cpus
- In general,
The CPU stores the data in memory into a general purpose register and then operates on the data in the register
Let’s say I have a block in memory that has a value of 3 in the red memory space, and I want to increase its value by 1 and store the result in the blue memory space
Mov X0, red memory space
- Then add the X0 register to 1: 'add X0,1' - and finally assign the value to the memory space: 'mov blue memory space,X0'Copy the codePC Register (Program Counter)
- for
Instruction pointer register, itIndicates the address of the instruction to be read by the CPU - On memory/disk, there is no difference between instructions and data, both are binary information
- When the CPU works, it treats some information as instructions and some as data, giving different meanings to the same information
- For example, 1110 0000 0000 0011 0000 1000 1010 1010
- It can be regarded as data 0xE003008AA
- It could also be an instruction mov, x0, x8
- By what does the CPU treat information in memory as an instruction?
- The CPU treats the contents of memory cells pointed to by the PC as instructions
- If a piece of memory has ever been executed by the CPU, it must have been pointed at by the PC
Register Case Analysis
Let’s look at this with the following code example
#import <UIKit/UIKit.h> #import "AppDelegate.h" int test(){ int cTemp = 0x1FFFFFFFF; return cTemp; } int main(int argc, char * argv[]) { printf("%x\n",test()); @autoreleasepool { return UIApplicationMain(argc, argv, nil, NSStringFromClass([AppDelegate class])); }}Copy the code- The register types in demo are as follows
- Where the general purpose register is shown below
- Below is a compilation diagram of the demo
PC register debugging
- Print PC register, now FDEC4
- Press Control +Step into to continue printing
You can write as well as read
- register write pc 0x104c31ecc
- Register read the PC is not going to be able to read it because the break point is broken, so if step into, where is the break point broken? Finally, through verification, it is found that it will break on the next line of CC
The cache
The A11, the arm processor on the iPhoneX, has a level 1 cache of 64kb and a level 2 cache of 8M
Before the CPU executes an instruction, it reads quality from memory to the CPU memory and executes it. Registers run much faster than memory reads and writes. For performance, the CPU also integrates a cache area. When the program is running, the instruction code and data to be executed are copied to the cache (done by the operating system), and the CPU reads the instructions directly from the cache in turn for execution
Bl instruction
- Where the CPU executes instructions, depending on what’s in the PC, can
Control the CPU to execute target instructions by changing the contents of the PC - The ARM64 provides one
Mov instruction (transfer instruction)Can be used to change the value of most registers, such as mov x0,#10, MOV x1,#20 - However,
The mov instruction cannot be used to set the value of the PC, the ARM64 does not provide such functionality - Arm64 provides additional instructions to
Change the value of the PC, these instructions are calledTransfer instruction, the simplest of which is the BL instruction
The BL instruction exercise now has two pieces of code! Suppose the program executes A first, write the order in which the instructions are executed. What is the final value of register X0?
_A: mov x0,#0xa0 mov x1,#0x00 add x1, x0, #0x14 mov x0,x1 bl _B mov x0,#0x0 ret _B: add x0, x0, #0x10 ret <! Mov x0,#0xa0 -- x0:0xA0 mov x1,#0x00 -- x1:0x00 add x1, x0,# 0x14 -- x1:0xA0 +0x14= 0xB4 0xb4 add x0, x0,# 0x10 -- x0:0xb4+0x10= 0xC4 RET -- return to the next line of bl jump mov x0,#0x0 -- x0:0x00 x0 value: 0x00Copy the codeAssembly code validation
Com +n — empty — asm.s (assembly code file, which will compile into source code)
How does it work?
- Define a function declaration in VC
- Add A breakpoint at A() execution, and execute the program to start assembly debugging
- Hold down Control + Step into to enter the specific assembly of A
Then start LLDB debugging, and follow the steps up to 0x00
- Enter assembly code A
- Enter assembly code B
- Execute ret to A
conclusion
-
1. Compile overview
-
A programming language that uses mnemonics in place of machine instructions
-
Assembly and machine instructions are one – to – one correspondence, get binary can be disassembled
-
Assembly is not portable because it corresponds to the INSTRUCTION set of the CPU
-
-
2. Bus: a collection of wires
-
Address bus: Its width determines addressing capability
-
Data bus: Its width determines the CPU data throughput
-
Control bus: Its width determines the CPU’s ability to control other components
-
-
3, into the system
-
Any base is composed of the corresponding number of symbols, symbols can be customized
-
2/8/16 is a relatively perfect base, the relationship between them
-
Three binaries use a base 8 identifier
-
Four binaries use a hexadecimal identifier
-
Two hexadecimal values can identify a byte, or 8 bits
-
-
Number of units- 1024 = 1K, 1024 = 1M, and 1024 = 1G
-
Capacity of the unit- 1024 = 1KB, 1024KB = 1MB, 1024MB = 1GB
-
Width of data
- Data in a computer has a width, and if you exceed it, it will overflow
-
-
4, register: CPU for performance, from the internal open up a small temporary storage area
-
Floating point vector register: used for floating point/vector storage and operation
-
Abnormal status register -
General purpose registers: in addition to storing data, they sometimes serve a special purpose
-
ARM64 has 32 64-bit general purpose registers X0-X30 and XZR (zero register)
-
To be compatible with 32 bits, arm 64-bit has 30 32 bit registers from W0 to W28 and WZR
-
32-bit registers are not independent; for example, W0 is the lower 32 bits of X0
-
-
PC register: instruction pointer register
-
The values in the PC register hold the addresses of the instructions that the CPU will execute next
-
Changing the value of PC can change the execution flow of the program
-
The MOV instruction cannot change the value of the PC register. It is necessary to change the value of the PC register through the BL jump instruction
-
-