amrefa.blogg.se

Igor pro tutorial

Igor Pro is a powerful program for taking and analyzing data, and even developing simulations, that runs natively on Macintosh and Windows (and on Linux using VirtualBox or other emulation software). Follow the links in the submenu above for detailed help in using Igor Pro.

# Igor pro tutorial code

If you ever looked at IDA ARM module's processor-specific settings, you may have been puzzled by the option "Disable BL jumps detection". What is it and when to use it?

# Background

The ARM instruction set initially used fixed-width 32-bit instructions. The relative branch instruction, B, allocated 24 bits for the offset, giving it a range of ±32MB. Some time later, ARM introduced a compact 16-bit encoding for a subset of instructions, called Thumb. Because most relative branches occur in the same function, the ±2KB range available for 16-bit B instructions was usually enough. In case a longer distance was needed, a longer instruction sequence would have to be generated. Some compiler writers realized that the BL instruction, normally used for function calls, can be used for simple branches as well. On ARM, function calls do not use the stack, so the only side effect of BL as opposed to a simple branch is that it sets the LR register to the address following the BL instruction. If the LR is saved at the start of the current function, it does not matter if LR is clobbered by the intermediate BL instructions, since it can be restored from the saved area to return to the caller. The BL is encoded as a pair of 16-bit instructions, which gives it a range of ±4MB.

A later extension of Thumb, called Thumb-2, introduced a 32-bit version of B, giving it a range of ±16MB, so there is less need for such tricks in code compiled for modern processors which support Thumb-2. However, old code still needs to be analyzed sometimes, so it may be necessary to support such usage of BL.

Here's an example of a Thumb mode program which looks a little strange… IDA has created a function because of the BL instruction, which normally implies a function call. But we see that func is not complete, so most likely sub_C is actually its continuation and BL is used only as a branch. Also, func saves LR on the stack, so BL clobbering it does not matter.

If the BL-as-branch approach is used only in a few cases, you can handle them manually. For this, place the cursor on the line with BL and use the Edit > Other > Force BL jump menu item. IDA will take this into account and indicate that this BL does not continue to the next instruction by adding a dashed comment line after it. You can then delete the wrongly created function and extend or recreate the original one which had been truncated.

If the binary has multiple functions which use this technique, it may be worth letting the analyzer check each BL destination before creating functions. For this, turn off Disable BL jumps detection in the processor-specific options and reanalyze the program. Note that you will likely have to delete the wrongly created functions, so it may be better to reload the file, changing the options in the initial Load File dialog. To set this by default, change the ARM_DISABLE_BL_JUMPS value in ida.cfg. In cases where the BL jumps detection fails (it marks a BL as a jump where it should be a call, or vice versa), you can always override its decision using the Force BL jump and Force BL call menu options. In case you discover a specific code pattern and need to script it, you can also use the IDC functions force_bl_jump(ea) and force_bl_call(ea).
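The ranges quoted above (±32MB for ARM B, ±2KB for 16-bit Thumb B, ±4MB for the two-halfword Thumb BL) follow directly from the width of each offset field. The following is an added example, not code from the Hex-Rays post or from IDA: it decodes and encodes those three branch forms using the original ARMv4T bit layouts, walks a constructed Thumb halfword sequence, and reports every B and BL with its target, so you can see a BL that lands inside its own function (the pattern the analyzer's BL jumps detection looks for). The sample instruction words are constructed for this illustration.

```python
# Added example: the ARM B (24-bit offset), Thumb B (11-bit offset) and
# Thumb BL (11+11-bit pair) encodings, with the range limits they imply.
# Bit layouts are the ARMv4T ones; sample halfwords below are constructed.

def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement number."""
    sign_bit = 1 << (bits - 1)
    return (value & (sign_bit - 1)) - (value & sign_bit)

# Reach of each form in bytes, derived from the offset field widths.
ARM_B_RANGE = 1 << 25     # 24-bit word offset          -> ±32MB
THUMB_B_RANGE = 1 << 11   # 11-bit halfword offset      -> ±2KB
THUMB_BL_RANGE = 1 << 22  # 11-bit high part << 12      -> ±4MB

def decode_arm_b(addr, word):
    """ARM B/BL: cond 101 L imm24. PC reads addr+8. Returns (target, is_link) or None."""
    if (word >> 25) & 0b111 != 0b101:
        return None
    is_link = bool((word >> 24) & 1)
    return addr + 8 + (sign_extend(word & 0xFFFFFF, 24) << 2), is_link

def decode_thumb_b(addr, hw):
    """Thumb unconditional B: 11100 imm11. PC reads addr+4. Returns target or None."""
    if hw >> 11 != 0b11100:
        return None
    return addr + 4 + (sign_extend(hw & 0x7FF, 11) << 1)

def decode_thumb_bl(addr, hw1, hw2):
    """Thumb BL pair: 11110 imm11(high) then 11111 imm11(low). PC reads addr+4."""
    if hw1 >> 11 != 0b11110 or hw2 >> 11 != 0b11111:
        return None
    high = sign_extend(hw1 & 0x7FF, 11) << 12
    low = (hw2 & 0x7FF) << 1
    return addr + 4 + high + low

def encode_thumb_b(addr, target):
    """Inverse of decode_thumb_b; raises ValueError outside the ±2KB reach."""
    offset = target - (addr + 4)
    if offset & 1 or not -THUMB_B_RANGE <= offset < THUMB_B_RANGE:
        raise ValueError(f"B from {addr:#x} to {target:#x} exceeds the ±2KB range")
    return 0xE000 | ((offset >> 1) & 0x7FF)

def encode_thumb_bl(addr, target):
    """Inverse of decode_thumb_bl; raises ValueError outside the ±4MB reach."""
    offset = target - (addr + 4)
    if offset & 1 or not -THUMB_BL_RANGE <= offset < THUMB_BL_RANGE:
        raise ValueError(f"BL from {addr:#x} to {target:#x} exceeds the ±4MB range")
    return 0xF000 | ((offset >> 12) & 0x7FF), 0xF800 | ((offset >> 1) & 0x7FF)

def scan_thumb(base, halfwords):
    """Walk a list of Thumb halfwords and return (addr, 'B'|'BL', target) for each branch."""
    found = []
    i = 0
    while i < len(halfwords):
        addr = base + 2 * i
        hw = halfwords[i]
        if hw >> 11 == 0b11110 and i + 1 < len(halfwords):
            target = decode_thumb_bl(addr, hw, halfwords[i + 1])
            if target is not None:
                found.append((addr, "BL", target))
                i += 2
                continue
        target = decode_thumb_b(addr, hw)
        if target is not None:
            found.append((addr, "B", target))
        i += 1
    return found

# Constructed sample modelled on the situation described above: a function
# that saves LR and then uses BL purely as a forward branch to its own tail.
SAMPLE_BASE = 0x0
SAMPLE = [
    0xB500,          # 0x0: PUSH {LR}
    0x2001,          # 0x2: MOVS R0, #1
    0xF000, 0xF802,  # 0x4: BL 0xC   (PC = 0x8, offset +4)
    0x4770,          # 0x8: BX LR    (filler, skipped by the BL)
    0xBF00,          # 0xA: NOP
    0xBD00,          # 0xC: POP {PC} (tail of the same function)
]

if __name__ == "__main__":
    for addr, kind, target in scan_thumb(SAMPLE_BASE, SAMPLE):
        print(f"{addr:#06x}: {kind} -> {target:#x}")
```

Running the block lists the single BL at 0x4 targeting 0xC; because that target sits a few bytes ahead inside the same push/pop pair, it is the shape that makes IDA's default analysis split `func` and create a spurious `sub_C`. The encoders make the range limits concrete: asking for a BL whose target is 4MB or more away raises instead of silently wrapping.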