Figure 10-32 UXTB
According to the ARM official document in figure 10-32, UXTB zero-extends the 8-bit value in R8 to a 32-bit value and then puts it into R0, which is a 32-bit register. In other words, R0 comes from R8, so R8 is the 12th data source A; and from the facts that arg_0 = 0x8, R8 = *(R7 + arg_0) = *(R7 + 0x8), and R7 = SP + 0xC, we know that R8 = *(SP + 0x14), which means (SP + 0x14) is the 13th data source A. Well, where does *(SP + 0x14) come from? It certainly doesn't come from nowhere, so before "LDR.W R8, [R7,#8]" there must be an instruction that writes something into *(SP + 0x14), right? That instruction is where the 14th data source A resides. As a result, we have to trace back to the instruction that writes to *(SP + 0x14).
Although the idea sounds straightforward, things are much harder than you might think. The reason is that SP, unlike those rarely used registers, is affected by lots of instructions. For example, push and pop both change the value of SP, so (SP + 0x14) may appear in the form of (SP' + offset) in other instructions because SP has changed in between. What's even worse is that the value of offset is not yet determined. Sounds like we're getting into trouble! From now on, we have to find every single operation that writes into *(SP' + offset) before "LDR.W R8, [R7,#8]", and then check whether (SP + 0x14) equals (SP' + offset). Thanks to the frequent and irregular changes of SP, the following section is the hardest part of this book. So please follow very closely! Let's start from "LDR.W R8, [R7,#8]" and trace back every single operation that writes into *(SP' + offset).
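The procedure above (rewrite every SP'-relative store as an offset from one fixed reference SP, then compare it with the slot the load reads) can be automated for a straight-line listing. The script below is an added example, not code from the book; the listing it parses is constructed here and is not the book's sub_26984444, although its last two instructions mirror the "LDR.W R8, [R7,#8]" / UXTB pattern and R7 = SP + 0xC. It tracks SP and every register derived from SP as an offset from SP0 (the value of SP on function entry), adjusts that offset on PUSH/POP and ADD/SUB SP, canonicalises every STR and the target LDR to an SP0-relative slot, and reports which stores hit the same slot and which one is the last writer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Thumb-style listing (not the book's sub_26984444). The last two lines
# mirror the book's "LDR.W R8, [R7,#8]" / UXTB pattern; everything else is made up.
SAMPLE_LISTING = """\
PUSH    {R4-R7,LR}
SUB     SP, SP, #0x14
ADD     R7, SP, #0xC
STR     R1, [SP,#0x10]
STR     R3, [R7,#8]
ADD     SP, SP, #4
STR     R2, [SP,#0x10]
SUB     SP, SP, #4
LDR.W   R8, [R7,#8]
UXTB    R0, R8
"""

INSN_RE = re.compile(r"^([A-Z][A-Z0-9.]*)\s+(.*)$")
MEM_RE = re.compile(r"\[(\w+)\s*,\s*#(-?(?:0x[0-9A-Fa-f]+|\d+))\]")


def imm(token: str) -> int:
    """'#0x14' -> 20, '#8' -> 8."""
    return int(token.strip().lstrip("#"), 0)


def reg_list_size(spec: str) -> int:
    """Number of registers in a PUSH/POP list such as {R4-R7,LR} (= 5)."""
    count = 0
    for item in spec.strip("{} ").split(","):
        item = item.strip()
        if "-" in item:                      # range like R4-R7
            lo, hi = item.split("-")
            count += int(hi[1:]) - int(lo[1:]) + 1
        else:
            count += 1
    return count


def parse(listing: str) -> List[Tuple[str, str]]:
    """Split a listing into (mnemonic, operand string) pairs, skipping blank lines."""
    insns = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INSN_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        insns.append((m.group(1), m.group(2).strip()))
    return insns


def trace_stack_slot(listing: str, load_index: Optional[int] = None) -> Dict:
    """Resolve the memory operand of the load at load_index to a canonical stack slot
    (offset from SP0, the entry value of SP) and find the last STR that wrote it.
    Only SP-derived registers are tracked; a store through any other base register
    is treated as unknown, so an aliased write via an untracked pointer is missed."""
    insns = parse(listing)
    if load_index is None:                    # default: first LDR in the listing
        load_index = next(i for i, (mn, _) in enumerate(insns) if mn.startswith("LDR"))
    regs: Dict[str, int] = {"SP": 0}          # register -> offset from SP0
    stores: List[Tuple[int, int]] = []        # (instruction index, canonical slot)
    for i, (mn, ops) in enumerate(insns[: load_index + 1]):
        parts = [p.strip() for p in ops.split(",")]
        if mn == "PUSH":
            regs["SP"] -= 4 * reg_list_size(ops)
        elif mn == "POP":
            regs["SP"] += 4 * reg_list_size(ops)
        elif mn in ("ADD", "SUB") and parts[-1].startswith("#"):
            rd, rn = parts[0], (parts[1] if len(parts) == 3 else parts[0])
            if rn in regs:
                regs[rd] = regs[rn] + (imm(parts[-1]) if mn == "ADD" else -imm(parts[-1]))
            else:
                regs.pop(rd, None)            # rd is no longer SP-derived
        elif mn.startswith("STR") or mn.startswith("LDR"):
            m = MEM_RE.search(ops)
            if m is None or m.group(1) not in regs:
                if mn.startswith("LDR"):
                    regs.pop(parts[0], None)  # unknown value lands in the dest register
                continue
            slot = regs[m.group(1)] + imm(m.group(2))
            if mn.startswith("STR"):
                stores.append((i, slot))
            elif i == load_index:
                writers = [s for s in stores if s[1] == slot]
                return {
                    "slot": slot,                               # SP0-relative
                    "sp_relative": slot - regs["SP"],           # relative to SP at the load
                    "candidates": [(j, s, s == slot) for j, s in stores],
                    "writer_index": writers[-1][0] if writers else None,
                    "writer_text": " ".join(insns[writers[-1][0]]) if writers else None,
                }
            else:
                regs.pop(parts[0], None)      # some other load clobbers its dest
        else:
            regs.pop(parts[0], None)          # any other instruction clobbers its dest
    raise ValueError("no resolvable load at index %d" % load_index)


if __name__ == "__main__":
    result = trace_stack_slot(SAMPLE_LISTING)
    print("load reads *(SP + 0x%X), i.e. SP0 - 0x%X" % (result["sp_relative"], -result["slot"]))
    for j, s, hit in result["candidates"]:
        print("  store #%d -> SP0 - 0x%X %s" % (j, -s, "<== same slot" if hit else ""))
    print("last writer:", result["writer_text"])
```

On the constructed listing the load resolves to SP + 0x14, exactly as in the book's case, and two stores hit that slot: "STR R3, [R7,#8]" (same textual operand) and "STR R2, [SP,#0x10]" (different textual offset, because SP had moved by 4 in between). The later one is the writer the trace must continue from; the earlier one is dead. This is the aliasing the paragraph warns about: textual equality of operands proves nothing once SP has changed, only the canonical slot does.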
In sub_26984444, the first 4 instructions before "LDR.W R8, [R7,#8]" are all SP-related. We
use SP1~SP4 to mark the values of SP before the execution of the current instruction, as shown