Internal Structure and Reverse Engineering of Arm Assembly
Description
Book Introduction
This book is a must-read for reverse engineers and security engineers analyzing applications for ARM-based devices at the assembly level. For ARM security experts seeking to identify and mitigate vulnerabilities in ARM devices, this book introduces the ARMv8-A instruction set and the reverse engineering process for security and defense purposes.
It then introduces the ELF file format and operating system internals, and covers the basics of the ARM architecture and the A32 and A64 instruction sets in depth.
It also provides an in-depth analysis of the corresponding reverse engineering process.
Finally, it takes a brief look at macOS malware binaries compiled for the ARM-based M1 SoC.
By reverse engineering software compiled for the ARM architecture, this book gives you a broad understanding of ARM instructions and control flow patterns.
Table of Contents

Part 1. Arm Assembly Internals

Chapter 1. Introduction to Reverse Engineering

  Introduction to Assembly
    Bits and Bytes
    Character Encoding
    Machine Code and Assembly
    Assembly Programming
      Cross-Assemblers
  High-Level Languages
  Disassembly
  Decompilation

Chapter 2. ELF File Format Internals

  Program Structure
  High-Level vs. Low-Level Languages
  The Compilation Process
    Cross-Compiling for Other Architectures
    Assembling and Linking
  ELF File Overview
  The ELF File Header
    ELF File Header Information Fields
    Target Platform Fields
    Entry Point Field
    Table Location Fields
  ELF Program Headers
    The PHDR Program Header
    The INTERP Program Header
    The LOAD Program Headers
    The DYNAMIC Program Header
    The NOTE Program Header
    The TLS Program Header
    The GNU_EH_FRAME Program Header
    The GNU_STACK Program Header
    The GNU_RELRO Program Header
  ELF Section Headers
    ELF Meta-Sections
      The String Table Section
      The Symbol Table Section
    Main ELF Sections
      The .text Section
      The .data Section
      The .bss Section
      The .rodata Section
      The .tdata and
  Symbols
    Global vs. Local Symbols
    Weak Symbols
    Symbol Versions
    Mapping Symbols
  The Dynamic Section and Dynamic Loading
    Dependency Loading
    Program Relocations
      Static Relocations
      Dynamic Relocations
      The Global Offset Table (GOT)
      The Procedure Linkage Table (PLT)
    ELF Program Initialization and Termination Sections
      Initialization and Termination Order
  Thread-Local Storage
    The Local-Exec TLS Access Model
    The Initial-Exec TLS Access Model
    The General-Dynamic TLS Access Model
    The Local-Dynamic TLS Access Model

Chapter 3. OS Fundamentals

  OS Architecture Overview
    User Mode vs. Kernel Mode
    Processes
    System Calls
      Objects and Handles
    Threads
  Process Memory Management
    Memory Pages
    Memory Protections
    Anonymous and Memory-Mapped Memory
      Memory-Mapped Files and Modules
    Address Space Layout Randomization
    Stack Implementations
    Shared Memory

Chapter 4. The Arm Architecture

  Architectures and Profiles
  The Armv8-A Architecture
    Exception Levels
      Armv8-A TrustZone Extension
      Exception Level Changes
    Armv8-A Execution States
  The AArch64 Execution State
    The A64 Instruction Set
    AArch64 Registers
      The Program Counter
      The Stack Pointer
      The Zero Register
      The Link Register
      The Frame Pointer
      The Platform Register (x18)
      The Intra-Procedure Call Registers
      SIMD and Floating-Point Registers
      System Registers
    PSTATE
  The AArch32 Execution State
    A32 and T32 Instruction Sets
      The A32 Instruction Set
      The T32 Instruction Set
      Switching Between Instruction Sets
    AArch32 Registers
      The Program Counter
      The Stack Pointer
      The Frame Pointer
      The Link Register
      The Intra-Procedure Call Register (IP, r12)
    The Current Program Status Register
      The Application Program Status Register
    The Execution State Registers
      The Instruction Set State Register
      The IT Block State Register (ITSTATE)
      Endianness State
      Mode and Exception Mask Bits

Chapter 5. Data Processing Instructions

  Shift and Rotate Operations
    Logical Shift Left
    Logical Shift Right
    Arithmetic Shift Right
    Rotate Right
    Rotate Right with Extend
    Instruction Forms
      Shift by Constant Immediate Form
      Shift by Register Form
    Bitfield Manipulation Operations
      Bitfield Move
      Sign- and Zero-Extend Operations
      Bitfield Extract and Insert
  Logical Operations
    Bitwise AND
      The TST Instruction
      Bitwise Bit Clear
    Bitwise OR
      Bitwise OR NOT
    Bitwise Exclusive OR
      The TEQ Instruction
      Exclusive OR NOT
  Arithmetic Operations
    Addition and Subtraction
      Reverse Subtraction
    Comparison
      CMP Instruction Operation Behavior
  Multiplication Operations
    Multiplications in A64
    Multiplications in A32/T32
      Least Significant Word Multiplications
      Most Significant Word Multiplications
      Halfword Multiplications
      Vector (Dual) Multiplications
      Long (64-Bit) Multiplications
  Division Operations
  Move Operations
    Moving Constant Immediates
      Immediate Move and MOVT in A32/T32
      Immediate Moves via MOVZ and MOVK in A64
    Move Register
    Move with NOT

Chapter 6. Memory Access Instructions

  Instruction Overview
  Addressing Modes and Offset Forms
    Offset Addressing
      Constant Immediate Offset
      Register Offsets
    Pre-Indexed Mode
      Pre-Indexed Mode Example
    Post-Indexed Addressing
      Post-Indexed Addressing Example
    Literal (PC-Relative) Addressing
      Loading Constants
      Loading an Address into a Register
  Load and Store Instructions
    Storing and Loading Words or Doublewords
    Loading and Storing Halfwords or Bytes
      Example Using Load and Store
    Load and Store Multiple (A32)
      STM and LDM Examples
      A More Complicated Example Using STM and LDM
    Load and Store Pair (A64)

Chapter 7. Conditional Execution

  Conditional Execution Overview
  Condition Codes
    The NZCV Condition Flags
      Signed vs. Unsigned Integer Overflows
    Condition Codes
  Conditional Instructions
    The If-Then (IT) Instruction in Thumb
  Flag-Setting Instructions
    The Instruction "S" Suffix
      The S Suffix on Add and Subtract Instructions
      The S Suffix on Logical Shift Instructions
      The S Suffix on Multiply Instructions
      The S Suffix on Other Instructions
    Test and Compare Instructions
      Compare (CMP)
      Compare Negative (CMN)
      Test Bits (TST)
      Test Equality (TEQ)
  Conditional Select Instructions
  Conditional Comparison Instructions
    Boolean AND Conditionals Using CCMP
    Boolean OR Conditionals Using CCMP

Part 2. Reverse Engineering

Chapter 9. Arm Environments

  Arm Boards
  Emulation with QEMU
    QEMU User-Mode Emulation
    QEMU Full-System Emulation
    Firmware Emulation

Chapter 10. Static Analysis

  Static Analysis Tools
    Command-Line Tools
    Disassemblers and Decompilers
    Binary Ninja Cloud
  Call-by-Reference Example
  Control Flow Analysis
    Main Function
    Subroutines
    Converting to char
    if Statement
    Quotient Division
    for Loop
  Algorithm Analysis

Chapter 11. Dynamic Analysis

  Command-Line Debugging
    GDB Commands
    GDB Multiarch
    GDB Extension: GEF
      Installation
      Interface
      Useful GEF Commands
      Examining Memory
      Watching Memory Regions
      Vulnerability Analyzers
      checksec
    Radare2
      Debugging
  Remote Debugging
    Radare2
    IDA Pro
  Debugging a Memory Corruption
  Debugging a Process with GDB

Chapter 12. Reversing arm64 macOS Malware

  Background
    macOS arm64 Binaries
    macOS Hello World (arm64)
  Hunting for Malicious arm64 Binaries
  Analyzing arm64 Malware
    Anti-Analysis Techniques
    Anti-Debugging Logic (via ptrace)
    Anti-Debugging Logic (via sysctl)
    Anti-VM Logic (via SIP Status and VM Artifact Detection)
  Conclusion

Publisher's Review
◈ Target audience of this book ◈

A comprehensive guide for both beginners and seasoned professionals, this book provides an intuitive introduction to a processor language that is rapidly gaining popularity and demand.
It helps readers dramatically improve their vulnerability discovery and analysis, exploit development, and malware analysis skills by easily presenting the necessary information.

◈ Structure of this book ◈

Chapter 1 explains what instructions are and where they come from.
Chapter 2 briefly introduces the ELF file format, its sections, and the compilation process.
Binary analysis cannot be complete without understanding the execution environment, so Chapter 3 covers the fundamentals of the operating system.

In Chapter 4, we will prepare to delve deeper into the Arm architecture based on the basic knowledge above.
Chapter 5 examines the most commonly used data processing instructions, and Chapter 6 provides an overview of memory access instructions.
Arm is a load/store architecture, so memory access instructions are among the most common instructions you will encounter.
Chapters 7 and 8 discuss conditional execution and control flow.
These are the most important components for reverse engineering.

Chapter 9 is of particular interest to reverse engineers.
Arm environments come in many different forms, so it is important to be familiar with them, especially when you need to perform dynamic analysis or analyze binaries at runtime.

With the information mentioned so far, you're well-equipped to embark on your next reverse engineering adventure.
To that end, Chapter 10 introduces common static analysis tools.
It also provides practical and simple static analysis examples that you can follow step by step.

Reverse engineering becomes tedious without dynamic analysis that allows you to observe the program's behavior while it runs.
In Chapter 11, we will learn about frequently used dynamic analysis tools and useful commands that can be used during analysis, and we will look at examples.
The chapter concludes with two practical debugging examples using GDB: one debugs a memory corruption vulnerability, and the other debugs a running process.

Reverse engineering is useful in a variety of situations.
Knowledge of the Arm instruction sets and of reverse engineering techniques can be extended to other areas, such as vulnerability analysis or malware analysis.

While reverse engineering is a crucial skill for malware analysts, it's also important to become familiar with the environment in which a given malware sample was compiled.
For this purpose, a chapter on analyzing arm64 macOS malware is also included (Chapter 12).
This chapter was written by Patrick Wardle, author of The Art of Mac Malware (No Starch Press, 2022).
Unlike the previous chapters, this chapter does not focus on Arm assembly.
Instead, it introduces common anti-analysis techniques that macOS malware uses to evade analysis.
The purpose of this chapter is to examine macOS malware that runs on Apple Silicon M1/M2.
It is therefore a good starting point for engineers who want to hunt for and analyze Arm-based macOS malware.

◈ Author's Note ◈

The purpose of this book is to make you more familiar with the Arm instruction set and give you enough knowledge to apply it to your work.
I spent a lot of time dissecting the Arm reference manual and cataloging the most frequently used instructions and their grammatical forms.
However, this book is not simply a list of the most frequently used Arm instructions.
It contains explanations that you won't find anywhere else, even in the Arm manual.
The basic descriptions of instructions in the Arm manual are overly simplistic. While this might be sufficient for very simple instructions like MOV or ADD, instructions that perform complex operations and are frequently used can be difficult to understand with just a simple description.
Therefore, many of the instructions mentioned in this book are covered with diagrams that illustrate the underlying operation.

If you are new to reverse engineering, you need to understand binary file formats, sections, how source code is compiled into machine code, dependency environments, etc.
Due to space and time constraints, this book cannot cover all file formats and operating systems.
Therefore, we will focus here on the Linux environment and the ELF file format.
Arm instructions are platform or file format independent.
Even if you reverse engineer an Arm binary compiled for macOS or Windows, the instructions mean the same thing.

It took over two years to write this book.
I first picked up a pen in March 2020, when the pandemic hit the world and everyone was in quarantine.
I am so happy that after two years of blood, sweat, and tears, this book has finally come to life.
I am grateful to all of our readers for their continued trust, and I hope this book will serve as a helpful guide, paving the way for your reverse engineering journey rather than burdening it.

◈ Translator's Note ◈

ARM assembly language has become a core component in many modern embedded systems and mobile devices.
Therefore, it can be said that this is the golden age of ARM processors.
This book provides an in-depth analysis of the internal structure and operating principles of ARM processors, helping you acquire reverse engineering skills.
Thanks to this, the translators were able to gain a deeper understanding of the ARM instruction set while translating this book.

Part 1 introduces the fundamental concepts and structure of ARM assembly. Beginning with the fundamentals of ARM assembly language, it delves into the ELF file format, the fundamental structure of the operating system, and the ARM architecture, providing readers with a solid foundation.
It also covers topics such as data processing and memory access instructions, conditional execution, and control flow, providing practical knowledge needed to utilize ARM assembly language.
Part 2 covers how to analyze and debug code in ARM environments using reverse engineering techniques. This book details emulation using ARM boards and QEMU, the use of static and dynamic analysis tools, and analysis of ARM64 binaries in a macOS environment, providing valuable practical skills for real-world use.
This book balances theory and practice, enabling readers to effectively master ARM assembly language and reverse engineering.
The examples and exercises provided in each chapter will enable readers to develop the ability to solve a variety of problems that may arise in real-world situations.
I hope this book will be of great help to anyone who wants to learn ARM assembly language and reverse engineering.
Product Details
- Date of issue: July 24, 2024
- Page count, weight, size: 596 pages | 188 × 235 × 27 mm
- ISBN13: 9791161758602
- ISBN10: 1161758607
