Android Reverse: Revisit the details of Thumb assembly instructions

Main content
1. Detailed explanation of the Thumb instruction set
2. Registers directly accessed by Thumb
3. Detailed explanation of the components of the Thumb instruction set
4. Thumb and ARM state switching
5. Common application scenarios of Thumb

1. Detailed explanation of the Thumb instruction set

• The ARM processor supports two instruction sets: the ARM instruction set and the Thumb instruction set.

• ARM instructions are 32 bits long and Thumb instructions are 16 bits long. With a 16-bit external data bus, an ARM processor performs better running Thumb instructions than running ARM instructions.

• The purpose of the Thumb instruction set is compatibility with application systems whose data bus is 16 bits wide.

2. Registers directly accessed by Thumb

3. Components of the Thumb instruction set

• 3.1. Thumb data processing instructions

• 3.2. Branch and jump instructions

• 3.3. Register load and store instructions (single register and multiple registers)

• 3.4. Miscellaneous instructions

• SWI: software interrupt instruction. The instruction format is as follows:

  SWI  immed_8

where immed_8 is an 8-bit immediate, an integer in the range 0 to 255. Examples of the SWI instruction:

  SWI 1     ; software interrupt, interrupt immediate is 1
  SWI 0x55  ; software interrupt, interrupt immediate is 0x55

When using the SWI instruction, parameters are usually passed by one of the following two methods, and the SWI exception handler provides the corresponding service; both methods are user software conventions. The SWI exception handler obtains the 8-bit immediate by reading the SWI instruction that raised the software interrupt.

(A) The 8-bit immediate in the instruction specifies the type of service the user requests, and parameters are passed in registers.

  MOV R0,#34  ; set the sub-function number to 34
  SWI 18      ; invoke software interrupt number 18

(B) The 8-bit immediate in the instruction is ignored; the type of service the user requests is determined by the value in register R0, and parameters are passed in the other general-purpose registers.

  MOV R0,#18  ; invoke software interrupt number 18
  MOV R1,#34  ; set the sub-function number to 34
  SWI 0


4. Thumb and ARM state switching

• Switching state between ARM and Thumb is done with a dedicated branch-and-exchange instruction, BX.
Assembly format: BX{cond} Rm
Function: BX branches to the target address held in register Rm and switches processor state. When the lowest bit Rm[0] is 1, execution switches from ARM state to Thumb state; when Rm[0] is 0, execution switches from Thumb state to ARM state. Bit 0 only selects the state and is not part of the address itself, which is why the Thumb target is written as thumb1+1 in the example below.

BX instruction example

  CODE32                  ; ARM code segment, 32-bit encoding
  arm1    ADR R0,thumb1+1 ; load the address of thumb1 into R0 with bit R0[0] set to 1, selecting the Thumb instruction set
          MOV LR,PC       ; set the return address
          BX R0           ; branch
          ADD R1,R2,#2    ; return address, the 4th instruction
  CODE16                  ; Thumb code segment, 16-bit encoding
  thumb1  ADD R1,R3,#1    ; Thumb program
          BX LR           ; branch to the return address and execute the 4th instruction

Analysis of the example: it shows a subroutine call and return with a state switch. In the ARM code segment, MOV LR,PC saves the return address in LR; at that point PC (R15) already holds the address of the statement to be executed after BX, i.e. the ADD instruction, so that is the address saved. When BX R0 executes, the switch from ARM state to Thumb state is made according to bit[0] of R0, and the Thumb subroutine is called. When the subroutine finishes, BX LR returns from the call and switches back to ARM state.
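A worked model of what sections 3.4 and 4 describe, added here as an example (it is not code from the original post): an SWI handler that steps back from its return address to the SWI instruction, decodes the 8-bit Thumb immediate or the 24-bit ARM immediate, and applies convention (A) or (B), with the instruction state chosen by the BX bit-0 rule. The code fragments, register values and addresses are constructed for the example.

```python
import struct

THUMB_SWI_PREFIX = 0xDF  # Thumb SWI halfword: 1101 1111 imm8

def is_thumb_target(addr):
    """BX rule from section 4: bit 0 of the target address set selects Thumb."""
    return bool(addr & 1)

def swi_address(lr, thumb):
    """Address of the SWI that raised the exception: the handler's LR holds the
    following instruction, so step back one width (2 for Thumb, 4 for ARM)."""
    return lr - 2 if thumb else lr - 4

def decode_swi(code, addr, thumb):
    """Return the SWI immediate encoded at addr in little-endian code bytes,
    or None if the instruction there is not an SWI in the given state."""
    if thumb:
        (hw,) = struct.unpack_from("<H", code, addr)
        return hw & 0xFF if (hw >> 8) == THUMB_SWI_PREFIX else None
    (w,) = struct.unpack_from("<I", code, addr)
    # ARM SWI: bits 27:24 are 1111, 24-bit immediate in bits 23:0
    return w & 0x00FFFFFF if ((w >> 24) & 0x0F) == 0x0F else None

def service_request(code, lr, thumb, regs, convention):
    """Apply convention (A) or (B) from section 3.4 and return
    (service_number, sub_function).
    A: service number is the immediate, sub-function passed in R0.
    B: immediate ignored, service number in R0, sub-function in R1."""
    imm = decode_swi(code, swi_address(lr, thumb), thumb)
    if imm is None:
        raise ValueError("return address does not follow an SWI instruction")
    if convention == "A":
        return imm, regs[0]
    if convention == "B":
        return regs[0], regs[1]
    raise ValueError("unknown convention")

# Constructed Thumb fragment for (A): MOV R0,#34 (0x2022) ; SWI 18 (0xDF12)
THUMB_A = bytes.fromhex("2220" "12df")
# Constructed ARM fragment for (B): MOV R0,#18 ; MOV R1,#34 ; SWI 0
ARM_B = bytes.fromhex("1200a0e3" "2210a0e3" "000000ef")

if __name__ == "__main__":
    # Thumb: SWI at offset 2, so the handler sees LR = 4; entered via BX to an odd address
    print(service_request(THUMB_A, 4, is_thumb_target(0x1001), [34, 0], "A"))  # (18, 34)
    # ARM: SWI at offset 8, so LR = 12; entered via BX to an even address
    print(service_request(ARM_B, 12, is_thumb_target(0x1000), [18, 34], "B"))  # (18, 34)
```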


5. Some applications of Thumb instructions

• How to distinguish Thumb instructions from ARM instructions in IDA

• CODE32 means ARM assembly instructions are used; CODE16 means Thumb assembly instructions are used.

• The main application scenarios of Thumb assembly: reverse debugging of .so files, and writing ARM shellcode.

• The following is an application of ARM shellcode



Origin blog.csdn.net/c_kongfei/article/details/111246823