ARM Reverse Engineering (Part 31 – Hacking Float Variables)

For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/Reverse-Engineering-Tutorial

Let’s re-examine our code.

#include <iostream>

int main(void) {
    // float, not int: the rest of the lesson examines a single-precision value
    // loaded into s0, so the 1337.1 literal is narrowed to single precision here
    float myNumber = 1337.1;

    std::cout << myNumber << std::endl;

    return 0;
}

Let’s review last week’s tutorial.

Let’s break on main+20 and continue to that point.

Let’s examine what value is inside r11-8. We clearly see it is 1337.09998, which approximates the value in our original C++ code. Keep in mind that a float has roughly 7 decimal digits of precision, which is why we do not see exactly 1337.1; please remember that as we go forward.

We can also see this value in high memory.

Let’s break on main+28 and continue.

We see a strange new instruction: vldr, which moves the value at [r11, #-8] (the slot we examined above) into s0. So what is s0? We have a math co-processor (the VFP floating-point unit) with a series of additional registers that work with decimal, or floating-point, numbers. Here we see an example of that: the value 1337.09998 is being moved into s0. The vldr instruction loads a single-precision value from memory into a register such as s0 (or a double-precision value into a d register).

We can only see these special registers if we issue an info registers all command, as we do below.

Below we see the value now being moved into s0.

Let’s hack!

Let’s now look at the registers and see what has transpired.

As you can see, we have hacked the value (apart from the precision issue: a float variable is accurate to about 6 decimal places)!

Finally, as we continue, we see our hacked value echoed back to the terminal when the C++ cout statement executes.
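As an added example (not part of the original tutorial), the following C++ program reproduces on the host what the debugger showed on the ARM board: how the 1337.1 literal is narrowed to the single-precision value 1337.09998 that appears in s0, the raw bytes that sit in the r11-8 stack slot, and the smallest step a hacked value can take at that magnitude. The hacked value 1234.5678 is a constructed sample, not the value used in the lesson.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret the 32 bits of a float exactly as they sit in the stack slot
// that vldr reads (IEEE 754 binary32 has the same layout on ARM and x86).
uint32_t float_bits(float f) {
    uint32_t u;
    std::memcpy(&u, &f, sizeof u);
    return u;
}

// Inverse: rebuild the float from a bit pattern, e.g. one patched in a debugger.
float bits_to_float(uint32_t u) {
    float f;
    std::memcpy(&f, &u, sizeof f);
    return f;
}

// Round a literal the way `float myNumber = 1337.1;` does when the double
// literal is narrowed to single precision; this is why gdb prints 1337.09998.
double stored_as_float(double literal) {
    return static_cast<double>(static_cast<float>(literal));
}

// Spacing between adjacent floats at x: the smallest step a hack of s0 can
// take at that magnitude, and the reason 1337.1 itself is not representable.
double float_ulp(float x) {
    return static_cast<double>(std::nextafter(x, INFINITY)) - static_cast<double>(x);
}

// Print the value as gdb's %g would, plus the 32-bit word and its little-endian
// bytes (the order seen in an x/4xb dump of r11-8 on ARM Linux).
void dump_slot(const char *label, float f) {
    uint32_t u = float_bits(f);
    unsigned b0 = u & 0xff, b1 = (u >> 8) & 0xff, b2 = (u >> 16) & 0xff, b3 = u >> 24;
    std::printf("%-9s %.9g  bits=0x%08X  bytes=%02x %02x %02x %02x\n", label,
                static_cast<double>(f), u, b0, b1, b2, b3);
}

int main() {
    dump_slot("original", 1337.1f);
    dump_slot("hacked", 1234.5678f);          // constructed sample hack value
    std::printf("ulp at 1337 = %g\n", float_ulp(1337.1f));
    return 0;
}
```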

Next week we will dive into Double Variables.
