AArch 64 Bytes: Part 1 (Reversing Exit)

Kevin Thomas
2 min read, Oct 24, 2021


For a complete table of contents of all the lessons, please see the link below; it gives a brief summary of each lesson and the topics it covers. https://github.com/mytechnotalent/AArch64-Bytes

Welcome to the AArch64 Bytes series of articles designed to reinforce AArch64 or ARM 64 Linux Assembly concepts written in small bites (bytes).

Today we are going to start off by breaking down what exactly is an AArch64 machine code instruction.

AArch64 utilizes 32-bit wide machine code instructions. To further understand what actually happens when the Assembly is translated down to the processor, we will examine the ARM64 exit syscall.

ARM 64 Linux System Call Table

Let’s write an exit call in Assembly.

d2800000    mov   x0, #0x0     // #0
d2800ba8    mov   x8, #0x5d    // #93
d4000001    svc   #0x0

We first need to understand how parameters are passed in utilizing AArch64 in addition to where the syscall is placed.

x0-x7 = function params
x8 = syscall number
svc = call syscall

STEP 1: Reverse — mov x0, #0x0

d2800000
d 2 8 0 0 0 0 0
1101 0010 1000 0000 0000 0000 0000 0000
31 = 1 -> 64-bit version
29 = 0 -> do NOT set flags (branching)
30 & 28-23 = 1100101 -> opcode for MOV
22-21 = 00 -> no shift operation involved
20-5 = 0000000000000000 -> immediate value (0)
4-0 = 00000 -> register to load (x0)

STEP 2: Reverse — mov x8, #0x5d

d2800ba8
d 2 8 0 0 b a 8
1101 0010 1000 0000 0000 1011 1010 1000
31 = 1 -> 64-bit version
29 = 0 -> do NOT set flags (branching)
30 & 28-23 = 1100101 -> opcode for MOV
22-21 = 00 -> no shift operation involved
20-5 = 0000000001011101 -> immediate value (93)
4-0 = 01000 -> register to load (x8)

STEP 3: Reverse — svc #0x0

d4000001
d 4 0 0 0 0 0 1
1101 0100 0000 0000 0000 0000 0000 0001
31 = 1 -> 64-bit version
29 = 0 -> do NOT set flags (branching)
30 & 28-23 = 1101000 -> opcode for SVC
22-21 = 00 -> no shift operation involved
20-5 = 0000000000000000 -> immediate value (0)
4-0 = 00001 -> register to load (x1)
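A small decoder for the three words above, added here as an example for this article (it is not the author's code): it extracts the MOVZ and SVC fields at the same bit positions used in the breakdowns, applies the calling convention (x8 = syscall number, x0 = first parameter), and reports what the svc would request. The sample word array and the names bits and find_syscall are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the three instruction words of the exit call above. */
static const uint32_t exit_words[] = { 0xd2800000, 0xd2800ba8, 0xd4000001 };

/* Extract bit field [hi:lo] of a 32-bit instruction word. */
static unsigned bits(uint32_t w, unsigned hi, unsigned lo) {
    return (w >> lo) & ((1u << (hi - lo + 1)) - 1u);
}

/* Walk a straight-line sequence of 64-bit MOVZ and SVC words, tracking the
 * general registers. At the first SVC, store x0 (first argument) in *arg0 and
 * return the syscall number held in x8. Returns -1 if an unsupported word is
 * met or no SVC is present. */
long find_syscall(const uint32_t *words, size_t n, uint64_t *arg0) {
    uint64_t x[32] = {0};   /* x0..x30; index 31 is XZR, writes are discarded */
    for (size_t i = 0; i < n; i++) {
        uint32_t w = words[i];
        /* MOVZ (64-bit): sf=1 opc=10 100101 | hw(22:21) | imm16(20:5) | Rd(4:0) */
        if (bits(w, 31, 23) == 0x1A5) {
            unsigned rd = bits(w, 4, 0);
            unsigned hw = bits(w, 22, 21);          /* shift = hw * 16 */
            if (rd != 31)
                x[rd] = (uint64_t)bits(w, 20, 5) << (hw * 16);
        }
        /* SVC: 11010100 000 | imm16(20:5) | 000 01: bits 4:0 are the fixed
         * pattern 0b00001 that completes the opcode, not a register field */
        else if (bits(w, 31, 21) == 0x6A0 && bits(w, 4, 0) == 0x1) {
            *arg0 = x[0];
            return (long)x[8];
        }
        else
            return -1;
    }
    return -1;
}

int main(void) {
    uint64_t a0 = 0;
    long nr = find_syscall(exit_words, 3, &a0);
    /* prints: svc: x8 = 93, x0 = 0 */
    printf("svc: x8 = %ld, x0 = %llu\n", nr, (unsigned long long)a0);
    return 0;
}
```

One caveat worth keeping in mind when reading the SVC breakdown: in the SVC encoding bits 20:5 hold the imm16 and the low five bits are a fixed 0b00001 opcode pattern, so only the MOV words carry a register number in bits 4:0.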

This simple syscall tells us a great deal about what is actually happening under the hood when we reverse AArch64 (ARM 64-bit) Assembly: we now have the tools to reverse any single instruction, which helps in shellcode or ROP exploit development.
