Help/Support ARM jump without code? What?

infernusdoleo · January 7, 2016

As I progress in figuring this code out, I just ran into something REALLY weird.

The software I'm hacking uses some number mangling function to hide the values in memory. It's hard to tell for sure since it's a sub_x program, but from of what I've seen, it appears that all integers are fed through this function before storing to memory or pulling them back out for use. For example:

storing a variable:

char_level = mangle_it(mangle_it(old_level)+1);

whats_my_level = mangle_it(char_level);

Not sure what I wrote above makes 100% sense, I've been staring at code for hours today.

Anyway - this function is called 100x a second. Trying to hook and log it almost killed the syslog on my iphone.

So I found a memory address I wanted to watch. I set a watchpoint on it. I had the # increase. The program halted inside the mangle function.

The weird part - the backtrace never once called the function. The next previous frame was at this line in the assembly: ldr r0, [sp, #0x28]

Lines above and below it didn't call the function either. Nothing anywhere near it called the code.

Is there some way in C or assembly to hook a variable access so that any time it's read or written it calls a function? It would make sense, given so much is hidden by this function.

I'm basically trying to intercept the values before they are set, but without having any clear place WHERE it's set, and it suddenly just popping into this mangler function, seemingly out of nowhere.

Any clue?

infernusdoleo · January 7, 2016

Nevermind, I found where the code links. The really weird part is there's a function call a few lines back, and about 4 functions deep into that one, the mangler is called.

Not sure why the program keeps breaking way after it though. Either way, mystery solved. Sorta.