Tutorial Some Info About ARM64

NitroxicDemon · September 22, 2017

In this tutorial, I will just give a brief overview of some ARM64

You need to know ARMv7 first so this will be easier to understand.

Let's Get Started

So basically, instructions are the same, ARM64 has LDR, MOV, STR, etc., same from ARMv7.

You will notice ARM64 has different registers, instead of R0, for example, ARM64 uses X0, OR W0. You can hack it the same way as you would ARMv7.

Example:

This is ammo in the game Forward Assault. The highlighted instruction is what I hacked, SUB W8, W8, #1

Subtract 1 from W8 and put the value back into W8, simply NOP it.

OR

You can hack the STR underneath it and instead of storing W8, change it to W20 or W29. It will result in making your ammo a very high number. why?

Because you silly goose, W20/W29 is the equivalent of R7. OR you can use X20/X29 if the function has X

But wait, are the W20/W29 both the same Father Nitro?

Well, I'm glad you asked, I was just about to get to that you eager mcbeaver. You see here, the 20 has a high value, but 29 has a even more higher value. Sometimes 29 can make it go too high it can go negative, so use 20 instead.

BOOLS

Now let's talk about Booleans in ARM64. In ARMv7, to make something return TRUE or FALSE, we simply change it to MOV R0, #1 OR MOV R0, #0

ARM64 is no different, it's just X instead. MOV X0, #0 or MOV X0, #1

Example:

Here is an example function. In case you didn't know, it's a BOOL since this function loads a byte, which have 0 or 1 value. So as you can see, this function gets my sexiness. Obviously, to hack it you will change it to MOV X0, #1 making it true, which it is.. This can NEVER be false :kappa:

FLOATS

So floats in ARM64 are similar in ARMv7, using FMOV instead of VMOV. So just hack the instruction the same way as you would in ARMv7.

Example:

You can change that FMOv S2, #0.5 to FMOV S2, #31.0.

Now it's time to discuss something else. As you make know in ARM7, sometimes we want to hack the beginning of a function and make it return a float value.

so we would do:

VMOV S0, #31.0

VMOV R0, S0

BX LR

So father Nitro, is it the same in ARM64?

I know what you're thinking, you're thinking in ARM64 the equivalent would be:

FMOV S0, #31.0

FMOV X0, S0

RET

WRONG! Do that and watch the game crash. In arm64 the second instruction isn't needed.

FMOV S0, #31.0

~~FMOV X0, S0~~

RET

SO just replace the first 2 lines of the function with FMOV S0, #31.0 then RET that bad boy.

Now let me get into another example why ARM64 is bae.

Example:

This function is from Critical Ops, which gets the bounciness from the grenade. As you will see, it's a LDR, you can hack it and change it from LDR to FMOV. Yes, in ARM64 you can hack LDR functions to FMOV's. So to hack the function, you can replace the LDR S0, [X0,#0xA0]

with a FMOV S0, #31.0

This function made my grenades super bouncy, it was funny to troll in public matches. The grenades bounced like crazy!

In ARMv7 I found the same function, it was a LDR followed by a BX LR (RET). So to hack it, I tried many things, MOV R0, R7 and such but every time I threw a grenade it crashed. A VMOV S0, #31.0 VMOV R0, S0 BX LR wouldn't work since there isn't enough space. Unless you wanted to write your own code to the unused part of the binary and make the function branch there, which I'm not entirely sure would have worked since I never tried. So I just hacked it in ARM64 instead