Getting Started with ARM64 Assembly Instructions

1: Registers:
1. How to view the registers: connect Xcode to a real device, stop at a breakpoint, and enter "register read" in the lldb console to list all of the arm64 registers.
They are:
x0~x7: pass the parameters and the return value of a subroutine. They are caller-saved, so a subroutine may use them without preserving them. Parameters beyond the first eight are passed on the stack, and a 64-bit return value is placed in x0.

x8: indirect result location register. When a function returns a struct too large to fit in registers, the caller puts the address of the result buffer in x8. It is caller-saved. The return address is not kept here (see x30).

x9~x15: temporary (scratch) registers; a subroutine may use them without saving them.

x16~x17: intra-procedure-call scratch registers (IP0/IP1). Linker-generated code such as PLT stubs and veneers may clobber them between a call and the callee, so they are caller-saved and should not be relied on across a call.

x18: platform register; its use is reserved by the platform (OS or runtime), avoid using it.

x19~x28: callee-saved registers; a subroutine that uses them must save and restore them.

x29: frame pointer (FP), links the stack frames together; callee-saved.

x30: link register (LR), holds the return address of the subroutine.

SP: stack pointer, points to the top of the current function's stack. There is no general-purpose x31: register number 31 in an instruction encoding means SP in some instructions and the zero register (XZR/WZR) in others.

PC: program counter, holds the address of the instruction currently being executed (similar to IP on x86). On arm64 it is not a general-purpose register and cannot be written directly by MOV.

CPSR: status register. In AArch64 the flags are part of PSTATE, which lldb displays as "cpsr". The bits of interest are the condition flags N (negative), Z (zero), C (carry) and V (overflow) in bits 31..28; CMP and other flag-setting instructions write them and B.cond reads them. (The original post illustrates this register with two pictures that are not reproduced here.)

2. x0 names the full 64-bit register and w0 names its low 32 bits; writing to w0 zero-extends into the upper 32 bits of x0. The X and W prefixes therefore select the operand width.

2: Instructions: commonly used instructions. For a more complete list, search online (the original post suggests Baidu); there is a lot of material.
MOV instruction:
MOV X1, X0        ; copy the value of register X0 into register X1
MOV X1, #0x3      ; load the immediate value 0x3 into register X1
Note: MOV takes exactly two operands. A form such as "MOV X1, X2, #0x3" is not a valid arm64 instruction; adding an immediate to a register and storing the sum is ADD X1, X2, #0x3 (see ADD below).

ADD instruction:
ADD X0, X1, X2    ; X0 = X1 + X2

SUB instruction:
SUB X0, X1, X2         ; X0 = X1 - X2
SUB X0, X1, #256       ; X0 = X1 - 256
SUB X0, X2, X3, LSL #1 ; X0 = X2 - (X3 << 1)

CMP instruction: CMP X0, X1
Computes X0 - X1, discards the result and sets the condition flags N, Z, C and V in the status register. If X0 equals X1 the Z flag becomes 1; if the signed result is negative the N flag becomes 1; C is set when no unsigned borrow occurred (X0 >= X1 as unsigned values); V is set on signed overflow. A following conditional branch such as B.LT or B.EQ reads these flags.

LDR instruction: load, i.e. read from memory
LDR X0, [X1]       ; read the 8 bytes at the address held in X1 and put them into X0
LDR X0, [X1, #8]   ; read the 8 bytes at address X1 + 8 and put them into X0

LDUR instruction: same function as LDR, with an unscaled offset. LDR's immediate offset must be a non-negative multiple of the access size, whereas LDUR accepts a signed 9-bit offset (-256..255) of any alignment, so the assembler and disassembler use LDUR when the offset is negative (or not a multiple of the access size).
LDUR X0, [X1, #-0x8] ; read the 8 bytes at address X1 - 8 into X0

LDP instruction: P means pair, i.e. load a pair of registers
LDP X29, X30, [SP, #0x10] ; starting at address SP + 0x10, read 16 bytes: the first 8 bytes go into X29 and the next 8 bytes into X30. For 64-bit registers the offset must be a multiple of 8 in the range -512..504.

STR instruction: store to memory
STR X8, [X9]      ; store the value of X8 into memory at the address held in X9

STUR instruction: corresponds to LDUR; likewise used when the offset is negative or not a multiple of the access size
STUR X8, [X9, #-0x8] ; store the value of X8 at address X9 - 8

STP instruction: corresponds to LDP; stores a pair of registers to memory
STP X29, X30, [SP, #0x08] ; store X29 at SP + 8 and X30 at SP + 16
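The choice between LDR/STR, LDUR/STUR and LDP/STP above is fixed by what the immediate-offset encodings can express. The following is an added example (not code from the original post) that applies those encoding limits to an access size and byte offset: an unsigned 12-bit immediate scaled by the access size for LDR/STR, a signed unscaled 9-bit immediate for LDUR/STUR, and a signed 7-bit immediate scaled by the access size for LDP/STP. It covers both the load and the store families, since they share the addressing modes.

```python
# Added example, not from the original post: which immediate-offset form the
# AArch64 encoding allows for a given access size and byte offset. This is why
# a disassembler shows LDR/STR for small non-negative offsets that are multiples
# of the access size, LDUR/STUR for negative or unaligned ones, and why the
# offset of LDP/STP must be a multiple of the register size.

def load_store_form(size, offset, pair=False):
    """size is the access width in bytes: 4 for a W register, 8 for an X register.
    Returns the family that can encode [base, #offset] in a single instruction:
    'LDR/STR', 'LDUR/STUR' or 'LDP/STP', or None if no single instruction can."""
    if size not in (4, 8):
        raise ValueError("size must be 4 (W register) or 8 (X register)")
    if pair:
        # LDP/STP: signed 7-bit immediate (-64..63) scaled by the access size
        lo, hi = -64 * size, 63 * size
        return "LDP/STP" if lo <= offset <= hi and offset % size == 0 else None
    # LDR/STR (unsigned offset): 12-bit immediate (0..4095) scaled by the access size
    if 0 <= offset <= 4095 * size and offset % size == 0:
        return "LDR/STR"
    # LDUR/STUR: signed 9-bit immediate (-256..255), unscaled, any alignment
    if -256 <= offset <= 255:
        return "LDUR/STUR"
    return None


if __name__ == "__main__":
    # Offsets taken from the instructions discussed on this page, plus the limits.
    for size, offset, pair in [(8, 8, False), (8, -8, False), (4, -4, False),
                               (8, 3, False), (8, 32760, False), (8, 32768, False),
                               (8, 0x20, True), (8, 6, True), (4, 252, True)]:
        reg = "w" if size == 4 else "x"
        print(f"{reg}-register, [base, #{offset:#x}], pair={pair}: "
              f"{load_store_form(size, offset, pair)}")
```

Note that `stur w0, [x29, #-0x4]` in the listing further down is the 4-byte, negative-offset case, and that a 64-bit `ldp` with offset `#0x6` cannot be encoded at all: `load_store_form(8, 6, pair=True)` returns `None`, so such an operand must be a transcription error rather than something a disassembler produced.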

B instruction: branch (jump). With a condition attached it acts like an if/else and is normally used right after CMP. The condition code is appended to B: in arm64 syntax the conditional form is written B.EQ, B.NE and so on (BEQ is the ARM32 spelling); B.EQ jumps to the target address if the flags indicate "equal".

EQ: equal   NE: not equal   GT: greater than   GE: greater than or equal   LT: less than   LE: less than or equal
GT, GE, LT and LE are signed comparisons; for unsigned values the codes are HI, HS, LO and LS. Using a signed condition to check an unsigned length or size is a classic source of bugs, because a large unsigned value compares as negative.
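To make the CMP and B.cond descriptions concrete, here is an added example (not code from the original post) that computes the N, Z, C and V flags exactly as `CMP Xn, Xm` (which is `SUBS XZR, Xn, Xm`) sets them for 64-bit operands, and evaluates the condition codes from the flags. It goes slightly beyond the page by including the unsigned codes HI/HS/LO/LS next to the signed GT/GE/LT/LE, because the difference between the two families is where comparison bugs usually come from.

```python
# Added example, not from the original post: flag computation for a 64-bit CMP
# and the condition-code tests that B.cond applies to the flags.

MASK64 = (1 << 64) - 1


def cmp_flags(xn, xm):
    """Return the (N, Z, C, V) flags that 'CMP Xn, Xm' sets.
    Inputs are taken modulo 2**64, so negative Python ints behave like two's complement."""
    xn &= MASK64
    xm &= MASK64
    result = (xn - xm) & MASK64
    n = result >> 63                 # N: bit 63 of the result
    z = int(result == 0)             # Z: result is zero
    c = int(xn >= xm)                # C: no unsigned borrow occurred
    sn, sm, sr = xn >> 63, xm >> 63, result >> 63
    v = int(sn != sm and sr != sn)   # V: signed overflow of the subtraction
    return n, z, c, v


# How each condition code reads the flags (ARM Architecture Reference Manual, ConditionHolds).
CONDITIONS = {
    "EQ": lambda n, z, c, v: z == 1,
    "NE": lambda n, z, c, v: z == 0,
    "GT": lambda n, z, c, v: z == 0 and n == v,   # signed >
    "GE": lambda n, z, c, v: n == v,              # signed >=
    "LT": lambda n, z, c, v: n != v,              # signed <
    "LE": lambda n, z, c, v: z == 1 or n != v,    # signed <=
    "HI": lambda n, z, c, v: c == 1 and z == 0,   # unsigned >
    "HS": lambda n, z, c, v: c == 1,              # unsigned >=  (alias CS)
    "LO": lambda n, z, c, v: c == 0,              # unsigned <   (alias CC)
    "LS": lambda n, z, c, v: c == 0 or z == 1,    # unsigned <=
}


def branch_taken(cond, xn, xm):
    """Would the sequence 'CMP Xn, Xm ; B.cond target' take the branch?"""
    return CONDITIONS[cond](*cmp_flags(xn, xm))


if __name__ == "__main__":
    # Constructed inputs: the interesting case is a length of 0xFFFF_FFFF_FFFF_FFFF,
    # which is -1 as a signed value but the largest possible unsigned value.
    big = 0xFFFFFFFFFFFFFFFF
    print("CMP 5, 5      -> NZCV =", cmp_flags(5, 5))
    print("CMP big, 1    -> NZCV =", cmp_flags(big, 1))
    print("B.LT taken (signed big < 1)?  ", branch_taken("LT", big, 1))
    print("B.LO taken (unsigned big < 1)?", branch_taken("LO", big, 1))
    print("CMP INT64_MIN, 1 overflows: V =", cmp_flags(1 << 63, 1)[3],
          "and B.LT still correct:", branch_taken("LT", 1 << 63, 1))
```

The last line of the demo shows why the signed codes test N against V rather than N alone: `INT64_MIN - 1` wraps to a positive result (N = 0), and only the overflow flag makes B.LT give the right answer.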

BL instruction: branch with link, the function call instruction. It jumps to the function and stores the address of the instruction following the BL into LR (X30).
WZR/XZR: the zero register; it always reads as 0 and writes to it are discarded. The W prefix means 32 bits and the X prefix 64 bits.

ORR instruction: bitwise OR of two operands into a destination register

EOR instruction: bitwise exclusive OR of two operands into a destination register

RET instruction: subroutine return; by default it branches to the address held in LR (X30).

3: Stack balancing:
During a function call, stack space is reserved for local variables. When the function finishes, that space must be released and the saved FP and return address restored, so that SP and FP are back to what the caller expects. The stack-balancing sequence differs slightly between two kinds of function:
1. Leaf function: a function that calls no other function. Nothing overwrites LR inside it, so it need not save LR.
2. Non-leaf function: a function that calls other functions. Each BL overwrites LR, so LR (and FP) must be saved on the stack in the prologue and restored in the epilogue.

// Non-leaf function: test() calls printf()
#include <stdio.h>

void test(int a, int b)
{
    int x = 5;
    printf("a+b+x=%d", a + b + x);
}

int main(void)
{
    test(1, 2);
    return 0;
}

The following is the disassembly of test() as shown by lldb when stopped at the breakpoint (the arrow marks the current instruction):

    0x100dd1f08 <+0>:  sub    sp, sp, #0x30            ; reserve 0x30 bytes of stack space
    0x100dd1f0c <+4>:  stp    x29, x30, [sp, #0x20]    ; push the caller's FP and the return address (LR)
    0x100dd1f10 <+8>:  add    x29, sp, #0x20           ; point FP at sp + 0x20, where the FP/LR pair was saved
    0x100dd1f14 <+12>: stur   w0, [x29, #-0x4]         ; spill argument a (w0 = 1) to the stack
    0x100dd1f18 <+16>: stur   w1, [x29, #-0x8]         ; spill argument b (w1 = 2) to the stack
    0x100dd1f1c <+20>: mov    w8, #0x5                 ; w8 = 5
    0x100dd1f20 <+24>: stur   w8, [x29, #-0xc]         ; store x = 5 to the stack
->  0x100dd1f24 <+28>: ldur   w8, [x29, #-0x4]         ; load a from fp - 0x4 into w8
    0x100dd1f28 <+32>: ldur   w9, [x29, #-0x8]         ; load b from fp - 0x8 into w9
    0x100dd1f2c <+36>: add    w8, w8, w9               ; w8 = a + b
    0x100dd1f30 <+40>: ldur   w9, [x29, #-0xc]         ; load x (5) from the stack
    0x100dd1f34 <+44>: add    w10, w8, w9              ; w10 = a + b + x
    0x100dd1f38 <+48>: adrp   x0, 1                    ; x0 = page address of the format string
    0x100dd1f3c <+52>: add    x0, x0, #0x608           ; x0 = address of "a+b+x=%d", the first printf argument
    0x100dd1f40 <+56>: mov    x9, sp                   ; x9 = sp
    0x100dd1f44 <+60>: mov    x8, x10                  ; x8 = a + b + x
    0x100dd1f48 <+64>: str    x8, [x9]                 ; store the result at [sp]: on Apple arm64, variadic arguments are passed on the stack, not in x1
    0x100dd1f4c <+68>: bl     0x100dd2554              ; call printf
    0x100dd1f50 <+72>: ldp    x29, x30, [sp, #0x20]    ; restore the caller's FP and the return address
    0x100dd1f54 <+76>: add    sp, sp, #0x30            ; release the stack space
    0x100dd1f58 <+80>: ret                             ; return to the instruction after the call

After the prologue the frame looks like this: [x29] holds the caller's x29, [x29 + 8] holds the return address, the spilled arguments and the local x sit just below x29 at fp - 0x4, fp - 0x8 and fp - 0xc, and the outgoing stack argument for printf sits at sp. The epilogue is the exact mirror of the prologue: the ldp undoes the stp and the add undoes the sub, so at ret the stack pointer is back at its entry value and x30 again holds the caller's return address.
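To check the frame layout and the balancing claim without a device, here is an added example (not code from the original post) that executes the instructions of the listing on a small model of the stack. The initial SP, the caller's x29 value and the return address are constructed values; the adrp/add/bl for printf are skipped because they do not touch the frame.

```python
# Added example, not from the original post: run the prologue, body and epilogue
# of test() from the listing on a byte-array model of the stack, and report where
# the caller's FP and the return address end up and whether SP is balanced at RET.

# Constructed initial state (assumed values, not taken from the post):
STACK_TOP   = 0x16FDFF000   # SP on entry to test(), 16-byte aligned
CALLER_FP   = 0x16FDFF0A0   # caller's x29
RETURN_ADDR = 0x100DD1F88   # address of the instruction following "bl test"


class Machine:
    def __init__(self):
        self.mem = bytearray(0x100)             # 256-byte model of the stack
        self.base = STACK_TOP - len(self.mem)   # lowest modelled address
        self.x = {"sp": STACK_TOP, "x29": CALLER_FP, "x30": RETURN_ADDR,
                  "x0": 1, "x1": 2}             # w0 = 1, w1 = 2 are the arguments
        self.pc = None

    # Register access: a "w" name is the low 32 bits of the matching "x" register,
    # and writing a W register zero-extends into the upper half.
    def get(self, reg):
        if reg[0] == "w":
            return self.x.get("x" + reg[1:], 0) & 0xFFFFFFFF
        return self.x.get(reg, 0)

    def set(self, reg, val):
        if reg[0] == "w":
            self.x["x" + reg[1:]] = val & 0xFFFFFFFF
        else:
            self.x[reg] = val & 0xFFFFFFFFFFFFFFFF

    def store(self, addr, val, size):
        off = addr - self.base
        self.mem[off:off + size] = val.to_bytes(size, "little")

    def load(self, addr, size):
        off = addr - self.base
        return int.from_bytes(self.mem[off:off + size], "little")

    # The instructions used by the listing (immediate forms only).
    def sub(self, rd, rn, imm): self.set(rd, self.get(rn) - imm)
    def add(self, rd, rn, imm): self.set(rd, self.get(rn) + imm)
    def mov(self, rd, src):     self.set(rd, src if isinstance(src, int) else self.get(src))
    def stp(self, ra, rb, base, off):
        addr = self.get(base) + off
        self.store(addr, self.get(ra), 8)
        self.store(addr + 8, self.get(rb), 8)
    def ldp(self, ra, rb, base, off):
        addr = self.get(base) + off
        self.set(ra, self.load(addr, 8))
        self.set(rb, self.load(addr + 8, 8))
    def stur(self, rs, base, off):
        self.store(self.get(base) + off, self.get(rs), 4 if rs[0] == "w" else 8)
    def ldur(self, rd, base, off):
        self.set(rd, self.load(self.get(base) + off, 4 if rd[0] == "w" else 8))
    def str_(self, rs, base):   self.stur(rs, base, 0)
    def ret(self):              self.pc = self.get("x30")


def run_test_frame():
    """Execute test() from the listing and return the resulting frame facts."""
    m = Machine()
    m.sub("sp", "sp", 0x30)                  # sub  sp, sp, #0x30
    m.stp("x29", "x30", "sp", 0x20)          # stp  x29, x30, [sp, #0x20]
    m.add("x29", "sp", 0x20)                 # add  x29, sp, #0x20
    fp = m.get("x29")
    m.stur("w0", "x29", -0x4)                # stur w0, [x29, #-0x4]
    m.stur("w1", "x29", -0x8)                # stur w1, [x29, #-0x8]
    m.mov("w8", 5)                           # mov  w8, #0x5
    m.stur("w8", "x29", -0xc)                # stur w8, [x29, #-0xc]
    m.ldur("w8", "x29", -0x4)                # ldur w8, [x29, #-0x4]
    m.ldur("w9", "x29", -0x8)                # ldur w9, [x29, #-0x8]
    m.set("w8", m.get("w8") + m.get("w9"))   # add  w8, w8, w9
    m.ldur("w9", "x29", -0xc)                # ldur w9, [x29, #-0xc]
    m.set("w10", m.get("w8") + m.get("w9"))  # add  w10, w8, w9
    m.mov("x9", "sp")                        # mov  x9, sp
    m.mov("x8", "x10")                       # mov  x8, x10
    m.str_("x8", "x9")                       # str  x8, [x9]  (stack argument for printf)
    m.ldp("x29", "x30", "sp", 0x20)          # ldp  x29, x30, [sp, #0x20]
    m.add("sp", "sp", 0x30)                  # add  sp, sp, #0x30
    m.ret()                                  # ret
    return {
        "fp": fp,
        "saved_fp": m.load(fp, 8), "saved_lr": m.load(fp + 8, 8),
        "a": m.load(fp - 0x4, 4), "b": m.load(fp - 0x8, 4), "x": m.load(fp - 0xc, 4),
        "printf_arg": m.load(fp - 0x20, 8),
        "sp_after": m.get("sp"), "x29_after": m.get("x29"), "pc_after": m.pc,
    }


if __name__ == "__main__":
    for k, v in run_test_frame().items():
        print(f"{k:>11}: {v:#x}")
```

The result shows the layout a practitioner relies on when reading a crash or an overflow: the return address lives at fp + 8, directly above the saved frame pointer, and the locals sit below it, so a local buffer that is overrun upwards reaches the saved x29 first and x30 next. It also confirms the balancing: `sp_after` equals the entry SP and `pc_after` equals the caller's return address.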


Author: ZZ_Junge
Link: https://www.jianshu.com/p/b6de34ed6942
Source: Jianshu
The copyright belongs to the author. For commercial reprinting, please contact the author for authorization. For non-commercial reprinting, please indicate the source.

Origin blog.csdn.net/ctbinzi/article/details/127110838