Reverse Engineering for Beginners



OllyDbg + fields aligning on 1 byte boundary

Things are much clearer here: the 4 fields occupy 10 bytes and the values are stored side by side.

Figure 21.4: OllyDbg: before printf() execution

21.4.2 ARM

Optimizing Keil 6/2013 (Thumb mode)

Listing 21.21: Optimizing Keil 6/2013 (Thumb mode)

.text:0000003E exit ; CODE XREF: f+16
.text:0000003E 05 B0 ADD SP, SP, #0x14
.text:00000040 00 BD POP {PC}

.text:00000280 f
.text:00000280 var_18 = -0x18
.text:00000280 a = -0x14
.text:00000280 b = -0x10
.text:00000280 c = -0xC
.text:00000280 d = -8
.text:00000280 0F B5 PUSH {R0-R3,LR}
.text:00000282 81 B0 SUB SP, SP, #4
.text:00000284 04 98 LDR R0, [SP,#16] ; d
.text:00000286 02 9A LDR R2, [SP,#8] ; b
.text:00000288 00 90 STR R0, [SP]
.text:0000028A 68 46 MOV R0, SP
.text:0000028C 03 7B LDRB R3, [R0,#12] ; c
.text:0000028E 01 79 LDRB R1, [R0,#4] ; a
.text:00000290 59 A0 ADR R0, aADBDCDDD ; "a=%d; b=%d; c=%d; d=%d\n"
.text:00000292 05 F0 AD FF BL __2printf
.text:00000296 D2 E6 B exit

As we may recall, here a structure is passed instead of a pointer to one, and since the first 4 function arguments in ARM are
passed via registers, the structure's fields are passed via R0-R3.

LDRB loads one byte from memory and extends it to 32-bit, taking its sign into account. This is similar to MOVSX in x86.
Here it is used to load fields a and c from the structure.

One more thing we spot easily is that instead of a function epilogue, there is a jump to another function's epilogue! Indeed, that
is a quite different function, not related in any way to ours; however, it has exactly the same epilogue (probably because it
holds 5 local variables too (5 * 4 = 0x14)). It is also located nearby (take a look at the addresses). Indeed, it doesn't matter
which epilogue gets executed, as long as it works just as we need. Apparently, Keil decides to reuse a part of another function to
economize: the epilogue takes 4 bytes, while the jump takes only 2.
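To make the two layouts concrete, here is an added C example (written for this page, not the book's own code; the field values 1, 2, 3, 4 and the layout names are constructed) that declares the chapter's four-field structure once with default alignment and once packed on a 1-byte boundary, dumps the raw bytes of each, and decodes every field from an offset table the way the compiled code addresses fields by a constant displacement from the structure's base. The 4-byte field spacing of the default layout (offsets 0, 4, 8, 12) is the spacing the ARM listing above reads at SP+4, SP+8, SP+12 and SP+16. One caveat a reader checking this against ARM semantics will want: the byte loads here come out zero-extended, which is what LDRB does; a sign-extending byte load on ARM is LDRSB. The host is assumed little-endian, as x86 and ARM are in the book.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed example (not the book's own code): the chapter's four-field
 * structure in its two layouts. Field values 1,2,3,4 are made up. */
struct s_default { char a; int b; char c; int d; };   /* natural alignment: 16 bytes */

#pragma pack(push, 1)
struct s_packed  { char a; int b; char c; int d; };   /* 1-byte boundary: 10 bytes */
#pragma pack(pop)

/* Field offsets in each layout, indexed 0..3 = a, b, c, d, plus field widths. */
static const size_t OFF_PACKED[4]  = { offsetof(struct s_packed, a),  offsetof(struct s_packed, b),
                                       offsetof(struct s_packed, c),  offsetof(struct s_packed, d) };
static const size_t OFF_DEFAULT[4] = { offsetof(struct s_default, a), offsetof(struct s_default, b),
                                       offsetof(struct s_default, c), offsetof(struct s_default, d) };
static const size_t WIDTH[4] = { 1, 4, 1, 4 };

/* Load a `width`-byte integer from an arbitrary offset of a raw byte image.
 * memcpy is the portable equivalent of the byte-wise/unaligned loads the
 * disassembly uses; the host is assumed little-endian. One-byte fields come
 * out zero-extended, as LDRB does; sign extension of a byte would be LDRSB
 * (or a (signed char) cast here). */
static int load_field(const unsigned char *raw, size_t off, size_t width)
{
    unsigned int v = 0;
    memcpy(&v, raw + off, width);
    return (int)v;
}

/* Fill `raw` with the byte image of a packed instance; returns its size (10). */
static size_t packed_image(unsigned char *raw, size_t cap)
{
    struct s_packed s = { 1, 2, 3, 4 };
    if (cap < sizeof s) return 0;
    memcpy(raw, &s, sizeof s);
    return sizeof s;
}

/* Same for the default layout; padding is zeroed first so the dump is
 * deterministic (padding bytes are otherwise indeterminate). Returns 16. */
static size_t default_image(unsigned char *raw, size_t cap)
{
    struct s_default s;
    if (cap < sizeof s) return 0;
    memset(&s, 0, sizeof s);
    s.a = 1; s.b = 2; s.c = 3; s.d = 4;
    memcpy(raw, &s, sizeof s);
    return sizeof s;
}

/* Decode field `idx` from a freshly built image of either layout using only
 * the offset table; returns -1 for an out-of-range index. */
static int field_value(int packed, int idx)
{
    unsigned char raw[sizeof(struct s_default)];
    size_t n = packed ? packed_image(raw, sizeof raw) : default_image(raw, sizeof raw);
    const size_t *off = packed ? OFF_PACKED : OFF_DEFAULT;
    if (n == 0 || idx < 0 || idx > 3 || off[idx] + WIDTH[idx] > n) return -1;
    return load_field(raw, off[idx], WIDTH[idx]);
}

static void dump(const char *name, const unsigned char *raw, size_t n)
{
    printf("%-8s %2zu bytes:", name, n);
    for (size_t i = 0; i < n; i++) printf(" %02x", raw[i]);
    putchar('\n');
}

int main(void)
{
    unsigned char raw[sizeof(struct s_default)];
    dump("packed", raw, packed_image(raw, sizeof raw));     /* 01 02 00 00 00 03 04 00 00 00 */
    dump("default", raw, default_image(raw, sizeof raw));   /* 01 00 00 00 02 00 00 00 03 ... */
    for (int p = 1; p >= 0; p--)
        printf("%s: a=%d; b=%d; c=%d; d=%d\n", p ? "packed" : "default",
               field_value(p, 0), field_value(p, 1), field_value(p, 2), field_value(p, 3));
    return 0;
}
```

Build it with any C compiler that honours `#pragma pack` (GCC and Clang do). In the packed dump the value of b starts at byte 1, immediately after a, which is why a compiler cannot use an ordinary aligned 32-bit load for it; in the default dump each one-byte field is followed by three padding bytes, which is the layout the Keil code above walks with 4-byte displacements.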
