As the title shows, I want to disassemble the ELF file, but I suffered a problem that I could not know which instruction is arm instruction and which is thumb instruction. Because the arm instruction is 32-bit, and the thumb instruction is 16-bit, the disassembling way is different. So how could I detect the thumb instruction from the hex instructions?
Asked
Active
Viewed 1,675 times
3
-
1possible duplicate of [Script/Tool predicate for ARM ELF compiled for Thumb OR Arm](http://stackoverflow.com/questions/15913964/script-tool-predicate-for-arm-elf-compiled-for-thumb-or-arm). As in that question, someone can always come up with some pathological code that runs in both modes. Anything that follows the EABI and uses standard compilers can be easy to determine. I just disassemble both ways and in a few minutes, it is easy to see which is correct. Also, the intent of the author and the [ROP exploitablity](https://en.wikipedia.org/wiki/Return-oriented_programming) are different. – artless noise Jul 22 '15 at 16:30
-
Is it hosted by an OS? Is it some boot loader code? Are you reverse engineering, making a tool, etc. The way the question is asked is far too generic for anyone to give a meaningful answer. However, the **possible** duplicate applies to Linux ELF files (and probably BSD/Apple as well). If you want an exploit, the intent of the original code doesn't matter. If you want to know what the code is doing, then it is different question. – artless noise Jul 22 '15 at 16:34
1 Answers
3
In an ELF file, there is actually a straightforward method - just look at the function addresses in the symbol table. Much like target addresses for interworking branches, the bottom bit of the symbol address indicates the relevant instruction set - clear for ARM functions, and set for Thumb functions (see section 4.5.3 of the ARM ELF ABI).
Notlikethat
- 20,095
- 3
- 40
- 77