【Android 逆向】ARM switch 逆向

#include <stdio.h>

int switch1(int a, int b, int i){

	switch (i){

	case 1:

		return a + b;

		break;

	case 2:

		return a - b;

		break;

	case 3:

		return a * b;

		break;

	case 4:

		return a / b;

		break;

	default:

		return a + b;

		break;

	}

}

int main(int argc, char* argv[]){

	printf("switch1:%d\n", switch1(3, 5, 3));

	return 0;

}

.text:000085A0 ; =============== S U B R O U T I N E =======================================

.text:000085A0

.text:000085A0

.text:000085A0

.text:000085A0 switch1                                 ; CODE XREF: main+10↓p

.text:000085A0 ; __unwind {

.text:000085A0                 SUB     R2, R2, #1      ; arg2 = arg2 - 1

.text:000085A4                 PUSH    {R4,LR}         ; 栈上保存R4 和 LR 的值，当前LR是外层调用函数调用处下一行的地址

.text:000085A8                 MOV     R3, R0          ; a = arg0

.text:000085AC                 CMP     R2, #3          ; switch 4 cases

.text:000085B0                 ADDLS   PC, PC, R2,LSL#2 ; switch jump (if R2 <=3 则 PC = PC + R2*4)

.text:000085B4 ; ---------------------------------------------------------------------------

.text:000085B4

.text:000085B4 loc_85B4                                ; CODE XREF: switch1+10↑j

.text:000085B4                 B       def_85B0        ; jumptable 000085B0 default case

.text:000085B8 ; ---------------------------------------------------------------------------

.text:000085B8

.text:000085B8 loc_85B8                                ; CODE XREF: switch1+10↑j

.text:000085B8                 B       loc_85E0        ; jumptable 000085B0 case 0

.text:000085BC ; ---------------------------------------------------------------------------

.text:000085BC

.text:000085BC loc_85BC                                ; CODE XREF: switch1+10↑j

.text:000085BC                 B       loc_85D8        ; jumptable 000085B0 case 1

.text:000085C0 ; ---------------------------------------------------------------------------

.text:000085C0

.text:000085C0 loc_85C0                                ; CODE XREF: switch1+10↑j

.text:000085C0                 B       loc_85D0        ; jumptable 000085B0 case 2

.text:000085C4 ; ---------------------------------------------------------------------------

.text:000085C4

.text:000085C4 loc_85C4                                ; CODE XREF: switch1+10↑j

.text:000085C4                 B       loc_85C8        ; jumptable 000085B0 case 3

.text:000085C8 ; ---------------------------------------------------------------------------

.text:000085C8

.text:000085C8 loc_85C8                                ; CODE XREF: switch1+10↑j

.text:000085C8                                         ; switch1:loc_85C4↑j

.text:000085C8                 BL      sub_8620        ; jumptable 000085B0 case 3

.text:000085CC                 POP     {R4,PC}         ; 弹出栈上的值，其中LR的值直接赋给了PC，实现出函数

.text:000085D0 ; ---------------------------------------------------------------------------

.text:000085D0

.text:000085D0 loc_85D0                                ; CODE XREF: switch1+10↑j

.text:000085D0                                         ; switch1:loc_85C0↑j

.text:000085D0                 MUL     R0, R3, R1      ; jumptable 000085B0 case 2

.text:000085D4                 POP     {R4,PC}

.text:000085D8 ; ---------------------------------------------------------------------------

.text:000085D8

.text:000085D8 loc_85D8                                ; CODE XREF: switch1+10↑j

.text:000085D8                                         ; switch1:loc_85BC↑j

.text:000085D8                 RSB     R0, R1, R0      ; jumptable 000085B0 case 1

.text:000085DC                 POP     {R4,PC}

.text:000085E0 ; ---------------------------------------------------------------------------

.text:000085E0

.text:000085E0 loc_85E0                                ; CODE XREF: switch1+10↑j

.text:000085E0                                         ; switch1:loc_85B8↑j

.text:000085E0                 ADD     R0, R1, R0      ; jumptable 000085B0 case 0

.text:000085E4                 POP     {R4,PC}

.text:000085E8 ; ---------------------------------------------------------------------------

.text:000085E8

.text:000085E8 def_85B0                                ; CODE XREF: switch1+10↑j

.text:000085E8                                         ; switch1:loc_85B4↑j

.text:000085E8                 ADD     R0, R1, R0      ; jumptable 000085B0 default case

.text:000085EC                 POP     {R4,PC}

.text:000085EC ; } // starts at 85A0

.text:000085EC ; End of function switch1

.text:000085EC

.text:000085F0

.text:000085F0 ; =============== S U B R O U T I N E =======================================

.text:000085F0

.text:000085F0 ; arg0

.text:000085F0 ;

.text:000085F0

.text:000085F0 ; int __cdecl main(int argc, const char **argv, const char **envp)

.text:000085F0 main                                    ; CODE XREF: j_main↑j

.text:000085F0 ; __unwind {

.text:000085F0                 MOV     R0, #3

.text:000085F4                 PUSH    {R4,LR}

.text:000085F8                 MOV     R2, R0          ; arg2

.text:000085FC                 MOV     R1, #5          ; arg1

.text:00008600                 BL      switch1         ; arg2 = arg2 - 1

.text:00008604                 MOV     R1, R0

.text:00008608                 LDR     R0, =(aSwitch1D - 0x8614) ; "switch1:%d\n"

.text:0000860C                 ADD     R0, PC, R0      ; "switch1:%d\n"

.text:00008610                 BL      printf

.text:00008614                 MOV     R0, #0

.text:00008618                 POP     {R4,PC}

.text:00008618 ; End of function main

.text:00008618

.text:00008618 ; ---------------------------------------------------------------------------

【Android 逆向】ARM switch 逆向的相关教程结束。