cooperate with other instructions; most THUMB instructions can only make use of registers R0
to R7, etc. Compared with ARM instructions, the features of THUMB instructions are:
• There are fewer THUMB instructions than ARM instructions
Since THUMB is just a subset, the number of THUMB instructions is necessarily smaller. For
example, among all the multiply instructions, only MUL is kept in THUMB.
• No conditional execution
Except for branch instructions, THUMB instructions cannot be executed conditionally.
• All THUMB instructions set flags by default
• Barrel shift cannot cooperate with other instructions
Shift instructions can only be executed alone, say:
LSL R0, R0, #2
But the ARM form, where the shift is folded into another instruction's second operand, is not available:
ADD R0, R1, R2, LSL #2
• Limitation of registers
Unless declared explicitly, THUMB instructions can only make use of R0 to R7. However,
there are exceptions: ADD, MOV, and CMP can use R8 to R15 as operands; LDR and STR can
use PC or SP; PUSH can use LR, POP can use PC; BX can use all registers.
• Limitation of immediate values and the second operand
Most THUMB instructions have the format “op Rd, Rm”; the exceptions are the shift instructions,
ADD, SUB, MOV and CMP.
• Doesn’t support data write back
THUMB instructions do not support data write back (i.e. “!”), except LDMIA and STMIA.
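To see where these limitations come from, here is an added example that is not from the book: a small Python decoder for a few 16-bit THUMB encodings (field layouts as given in the ARM Architecture Reference Manual), plus an encoder for the shift instructions, whose 3-bit register fields and 5-bit immediate are exactly the limits listed above. The high-register forms of ADD/CMP/MOV/BX, the single extra LR/PC bit of PUSH/POP, and the implicit write-back of LDMIA/STMIA all fall out of the bit layouts. The sample halfwords are constructed for illustration.

```python
# Added example (not from the book): decode a handful of 16-bit THUMB
# encodings to show where the limitations listed above come from.
# Field layouts follow the ARM Architecture Reference Manual; the sample
# halfwords in the usage section are constructed for illustration.

def reg(n):
    """Name a 4-bit register number; only the high-register forms reach SP/LR/PC."""
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, f"R{n}")


def reglist(mask, extra=None):
    """Render an 8-bit register-list mask (R0-R7) plus an optional LR/PC entry."""
    names = [f"R{i}" for i in range(8) if mask & (1 << i)]
    if extra:
        names.append(extra)
    return "{" + ", ".join(names) + "}"


def decode_thumb16(hw):
    """Disassemble one 16-bit THUMB halfword for the formats discussed in the text.

    Anything else (including the first halfword of a 32-bit Thumb-2 instruction,
    0xE800-0xFFFF) is reported as unhandled rather than guessed.
    """
    if not 0 <= hw <= 0xFFFF:
        raise ValueError("expected a 16-bit halfword")
    op5 = hw >> 11

    # Shift by immediate: 000 op imm5 Rm Rd. Rd and Rm are 3 bits wide (R0-R7)
    # and the shift amount is 5 bits; the shift cannot be attached to another
    # instruction because no other 16-bit format has room for it.
    if op5 in (0b00000, 0b00001, 0b00010):
        mnem = ("LSLS", "LSRS", "ASRS")[op5]
        imm5 = (hw >> 6) & 0x1F
        rm = (hw >> 3) & 7
        rd = hw & 7
        if op5 == 0 and imm5 == 0:
            return f"MOVS R{rd}, R{rm}"  # LSL #0 is the register-to-register MOV
        return f"{mnem} R{rd}, R{rm}, #{imm5}"

    # Three-register add/subtract: 000110 S Rm Rn Rd (flags are always set).
    if (hw >> 10) == 0b000110:
        mnem = "SUBS" if (hw >> 9) & 1 else "ADDS"
        rm = (hw >> 6) & 7
        rn = (hw >> 3) & 7
        rd = hw & 7
        return f"{mnem} R{rd}, R{rn}, R{rm}"

    # Move immediate: 00100 Rd imm8 (one of the few formats carrying an immediate).
    if op5 == 0b00100:
        return f"MOVS R{(hw >> 8) & 7}, #{hw & 0xFF}"

    # High-register group: 010001 op DN Rm(4) Rdn(3). The fourth register bit
    # is what lets ADD/CMP/MOV/BX reach R8-R15.
    if (hw >> 10) == 0b010001:
        op2 = (hw >> 8) & 3
        rm = (hw >> 3) & 0xF
        if op2 == 3:
            return f"{'BLX' if hw & 0x80 else 'BX'} {reg(rm)}"
        rdn = ((hw >> 7) & 1) << 3 | (hw & 7)
        return f"{('ADD', 'CMP', 'MOV')[op2]} {reg(rdn)}, {reg(rm)}"

    # PUSH/POP: 1011 L 10 M list. The single extra bit M is LR for PUSH, PC for POP.
    if (hw >> 9) == 0b1011010:
        return "PUSH " + reglist(hw & 0xFF, "LR" if hw & 0x100 else None)
    if (hw >> 9) == 0b1011110:
        return "POP " + reglist(hw & 0xFF, "PC" if hw & 0x100 else None)

    # STMIA/LDMIA: 1100 L Rn list. Write-back is implicit for STMIA, and for
    # LDMIA unless Rn itself appears in the list.
    if op5 == 0b11000:
        return f"STMIA R{(hw >> 8) & 7}!, " + reglist(hw & 0xFF)
    if op5 == 0b11001:
        rn = (hw >> 8) & 7
        wb = "" if hw & (1 << rn) else "!"
        return f"LDMIA R{rn}{wb}, " + reglist(hw & 0xFF)

    return f"<unhandled 0x{hw:04X}>"


def encode_shift_imm(mnem, rd, rm, imm5):
    """Assemble LSLS/LSRS/ASRS Rd, Rm, #imm5; the field widths enforce the limits."""
    op = {"LSLS": 0, "LSRS": 1, "ASRS": 2}[mnem]
    if not (0 <= rd <= 7 and 0 <= rm <= 7):
        raise ValueError("16-bit shift encodings have 3-bit register fields (R0-R7 only)")
    if not 0 <= imm5 <= 31:
        raise ValueError("shift amount must fit in 5 bits")
    return (op << 11) | (imm5 << 6) | (rm << 3) | rd


if __name__ == "__main__":
    # Constructed sample halfwords (stored little-endian in memory: 80 00, 88 18, ...).
    for hw in (0x0080, 0x1888, 0x4488, 0x4770, 0xB510, 0xBD10, 0x2001, 0xC806):
        print(f"{hw:04X}  {decode_thumb16(hw)}")
    try:
        encode_shift_imm("LSLS", 8, 0, 2)
    except ValueError as e:
        print("LSLS R8, R0, #2 ->", e)
```

Running the block decodes 0x0080 as LSLS R0, R0, #2 and 0x4488 as ADD R8, R1, and shows that LSLS R8, R0, #2 cannot be encoded at all, which is the register limitation from the list stated in terms of field widths rather than as a rule to memorize.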
We will see the instructions mentioned above a lot during the junior stage of iOS reverse
engineering. If you only have a smattering of this knowledge so far, take it easy. Get your hands
dirty and analyze several binaries from now on; you will gradually become familiar with ARM
assembly. This section is just an introduction; if you have any questions about instructions in
practice, the ARM Architecture Reference Manual on http://infocenter.arm.com will always be the
best reference for you. Of course, the discussions on http://bbs.iosre.com are also worth a look.