Help/Support Encoding Branch and Link BL sub_x

FateEX · February 16, 2015

The issue I have is encoding the branch and link ARM instruction, since the opcode is pc-relative.

All I am trying to do is call a different function that returns a modified item instead of the original.

And I am stuck on figuring out the hex for these particular functions. To make it easier, I have here, the old assembly, and what I want to modify the new assembly to be.

Old Assembly:

Offset = 0x36C2A6
BL              sub_3C1FC4 // hex=0x55F08DFE
B               loc_36C308 // hex=0x2DE0

Modified Assembly:

Offset = 0x36EE8A
BL              sub_3C5944 // hex=??
B               loc_36EEEC // hex=??

I want it to reference these different functions.

If there is any way you can help me figure this out, it would be much appreciated!

If I am missing any other piece of information, let me know so I can include it on this post

Updated February 16, 2015 by Javi Tech

castix · February 16, 2015

Change to HEX view in IDA to see the changes

FateEX · February 16, 2015

On 2/16/2015 at 10:29 AM, castix said:
Change to HEX view in IDA to see the changes

Well it's not that, what I am trying to do is change the functions it is referencing, so instead of BL sub_3C1FC4, I am trying to make it to be BL sub_3C5944, but how would I do that? How would I know how to change the hex to make it reference that function?

castix · February 16, 2015

How do you know the new offset without changing the HEX. Meh, try using an ARM > HEX converter

http://iosgods.com/topic/686-tool-windows-arm-hex-converter-v401/

FateEX · February 16, 2015

On 2/16/2015 at 10:44 AM, castix said:

How do you know the new offset without changing the HEX. Meh, try using an ARM > HEX converter

http://iosgods.com/topic/686-tool-windows-arm-hex-converter-v401/

I tried testing it on "BL sub_3C1FC4" and it gave me "FEFFFFEB" instead of "55F08DFE", so I don't think it will work

castix · February 16, 2015

I guess the function you mean is

BX       LR

which determines the end of the function.

2Byte BX LR : 7047
4Byte BX LR : 1EFF2FE1

FateEX · February 16, 2015

On 2/16/2015 at 11:03 AM, castix said:
I guess the function you mean is
BX       LR
which determines the end of the function.

2Byte BX LR : 7047

4Byte BX LR : 1EFF2FE1

Huh? No, it's not BX LR. I'm trying to link it to another function

jayvee · February 16, 2015

someone posted this in EE and i think this is very helpful http://elementevil.com/forum/brave-frontier-31/guide-ios-1-2-4-1-offset-modifications-9754/

castix · February 16, 2015

Change

MOV R0,#0

to

MOV R0,#1

at the location

sub_3C1FC4

BL links to the function which holds the value of the boolean. Remember #0 = false; #1= true

FateEX · February 26, 2015

On 2/16/2015 at 11:14 AM, akosijv said:
someone posted this in EE and i think this is very helpful http://elementevil.com/forum/brave-frontier-31/guide-ios-1-2-4-1-offset-modifications-9754/

Yeah, he pretty much explains what I already know. I just want to know how to encode BL.W sub_X to hex or if there's a program that can do it for me.

BL.W sub_44F08 -> CA F0 43 F5

Where the heck does CA F0 43 F5 come from?