Is it possible to, instead of calling one sub_ function, to call another? The ARM_ASM converter I am using converts:

BL sub_67F7DC

to:

FE FF FF EB

However, IDA converts that instruction into the following hex:

B9 57 E8 EB

Is it possible for me to change the sub_67F7DC to reference another function, such as sub_77F7DC?

Aspire
  • Depends where it is - `BL` is a PC-relative branch, so it's a question of whether the offset is going to be small enough to fit into the instruction encoding (it probably is, unless your binary is _huge_). – Notlikethat Feb 01 '16 at 21:08
  • How would I go about fitting it in the instruction encoding? As you can see, I don't think the ARM_ASM converter I am using correctly converts the `BL sub_whatever` to what I want it to be. – Aspire Feb 01 '16 at 21:34
  • For an assembler to calculate the appropriate offset for `bl `, it needs to know where `` is relative to the current instruction - if it doesn't then it's just going to fill in some placeholder value and emit a relocation for the linker to sort out later (which is probably what happened in your first example, because that instruction as-is is branching to itself). A fully-assembled branch, though, already contains the correct offset for its target address, so through the power of maths one can work out the difference between that and the new address, and adjust accordingly ;) – Notlikethat Feb 01 '16 at 23:10
  • [Related](http://stackoverflow.com/q/29737035/3156750); [related](http://stackoverflow.com/q/6744661/3156750). – Notlikethat Feb 01 '16 at 23:13
  • Thanks. If I knew the relative location from this to the other branch, how would I do something like: bl [relative location]? (If I knew the offset where it was located) – Aspire Feb 01 '16 at 23:29
  • I suppose you could run `bl . + 0x1234` (with 0x1234 representing the appropriate difference between branch and target) through an assembler, but (assuming those symbol names are autogenerated from the addresses they're at), calculating `0xe857b9 + ((0x77f7dc - 0x67f7dc) >> 2)` and just patching the result back in directly seems perhaps even simpler. – Notlikethat Feb 01 '16 at 23:49
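The arithmetic in the comments above, worked through in code. This is an added example and not part of the question or the comments; it assumes A32 (not Thumb) encoding, that `sub_` names are autogenerated from the addresses they sit at, and that the instruction's own address is not known, so it is recovered from the IDA bytes plus the known target rather than given. Beyond the page's one case, the script also decodes the converter's `FE FF FF EB` output (which branches to itself, as noted above) and rejects targets whose offset does not fit the 24-bit field.

```python
import struct

# Constructed inputs taken from the question: IDA's bytes for `BL sub_67F7DC`,
# the converter's placeholder output, and the two sub_ addresses discussed.
IDA_BYTES = bytes.fromhex("B957E8EB")        # little-endian word 0xEBE857B9
CONVERTER_BYTES = bytes.fromhex("FEFFFFEB")  # little-endian word 0xEBFFFFFE
SUB_OLD = 0x67F7DC
SUB_NEW = 0x77F7DC

BL_OPCODE = 0x0B  # bits 27..24 of an A32 BL: 1 0 1 1 (1 = link)


def _signed24(imm24: int) -> int:
    """Interpret a 24-bit field as a two's-complement word offset."""
    return imm24 - (1 << 24) if imm24 & (1 << 23) else imm24


def _unpack(word_bytes: bytes) -> int:
    word = struct.unpack("<I", word_bytes)[0]
    if (word >> 24) & 0x0F != BL_OPCODE:
        raise ValueError("not an A32 BL encoding")
    return word


def decode_bl(instr_addr: int, word_bytes: bytes) -> int:
    """Target of a BL located at instr_addr. A32 reads PC as instr_addr + 8."""
    imm24 = _unpack(word_bytes) & 0xFFFFFF
    return (instr_addr + 8 + _signed24(imm24) * 4) & 0xFFFFFFFF


def infer_instr_addr(word_bytes: bytes, known_target: int) -> int:
    """Recover where a fully-assembled BL must live, given its known target."""
    imm24 = _unpack(word_bytes) & 0xFFFFFF
    return (known_target - 8 - _signed24(imm24) * 4) & 0xFFFFFFFF


def encode_bl(instr_addr: int, target: int, cond: int = 0xE) -> bytes:
    """Encode BL <target> for an instruction at instr_addr (cond 0xE = AL).

    Raises if the offset is misaligned or outside the +/-32 MiB reach of the
    24-bit word-offset field, which is the 'huge binary' caveat above.
    """
    offset = target - (instr_addr + 8)
    if offset & 3:
        raise ValueError("target is not word-aligned relative to PC")
    imm = offset >> 2
    if not -(1 << 23) <= imm < (1 << 23):
        raise ValueError(f"offset {offset:#x} does not fit in 24 bits")
    word = (cond << 28) | (BL_OPCODE << 24) | (imm & 0xFFFFFF)
    return struct.pack("<I", word)


def retarget_bl(word_bytes: bytes, old_target: int, new_target: int) -> bytes:
    """Re-point an existing BL without knowing its address up front.

    The address is inferred from the old bytes and old target, then the new
    instruction is encoded with full range checking.
    """
    instr_addr = infer_instr_addr(word_bytes, old_target)
    return encode_bl(instr_addr, new_target)


def comment_formula(word_bytes: bytes, old_target: int, new_target: int) -> int:
    """The direct patch from the last comment: adjust imm24 by the word delta."""
    imm24 = _unpack(word_bytes) & 0xFFFFFF
    return (imm24 + ((new_target - old_target) >> 2)) & 0xFFFFFF


if __name__ == "__main__":
    addr = infer_instr_addr(IDA_BYTES, SUB_OLD)
    print(f"IDA's BL must sit at {addr:#x}; decodes to {decode_bl(addr, IDA_BYTES):#x}")
    new_bytes = retarget_bl(IDA_BYTES, SUB_OLD, SUB_NEW)
    print(f"BL sub_{SUB_NEW:X} from there: {new_bytes.hex(' ').upper()}")
    print(f"comment formula gives imm24 {comment_formula(IDA_BYTES, SUB_OLD, SUB_NEW):#x}")
    print(f"converter output branches to itself: "
          f"{decode_bl(addr, CONVERTER_BYTES) == addr}")
```

The two routes agree: adding `(0x77f7dc - 0x67f7dc) >> 2` to the original imm24 gives the same word as re-encoding from the inferred address. `infer_instr_addr` is what lets you do the check without opening the binary in IDA again, and `encode_bl` refuses silently-wrapping offsets instead of emitting a branch that lands somewhere else.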

0 Answers