Figure 2-16 is a function from Windows RT. Read MSDN if needed. Ignore the security PUSH/POP cookie routines.
Here is the disassembly of the function:
![]() |
| Figure 2-16. Practical Reverse Engineering. © 2014 by Bruce Dang |
The ARM processor is in Thumb state, but transfers out during some of the syscalls. The function queries different clock APIs depending on the size of the supplied struct.
/*
 * QueryChrono -- hand-written C reconstruction of the Thumb disassembly in
 * Figure 2-16 (the figure itself is not reproduced on this page).
 *
 * Appends up to four values to the caller's buffer, each only if the space
 * still available is large enough:
 *   1. SYSTEMTIME from GetSystemTime           (16 bytes)
 *   2. the result of GetCurrentProcessId       (4 bytes)
 *   3. the result of GetTickCount              (4 bytes)
 *   4. LARGE_INTEGER from QueryPerformanceCounter (8 bytes)
 * Returns the number of bytes written (0 to 32).
 *
 * Register roles, as read from the inline instruction comments:
 *   R4 = running byte count (zeroed first, returned through R0)
 *   R5 = max_size
 *   R6 = base of the destination buffer
 *
 * Bytes in the buffer past the returned count are never written here, so a
 * caller must treat only the first <return value> bytes as initialised.
 * No NULL check on clock_info is visible in this reconstruction.
 *
 * NOTE(review): this is pseudo-C and does not compile as written:
 *   - bytes_copied is declared as a pointer (size_t *) but is only ever used
 *     as an integer counter and is never dereferenced. The comments show it
 *     living in R4 and being returned in R0, so it presumably should be a
 *     local variable rather than a parameter -- confirm against the figure.
 *   - "struct *clock_info" has no struct tag, so the layout of the
 *     destination is not declared anywhere on this page.
 */
size_t QueryChrono(size_t *bytes_copied,
size_t max_size,
struct *clock_info)
{
/* MOVS R4, #0 */
bytes_copied = 0;
/* CMP R5, #0x10 */
/* Step 1: the system time needs the whole 16-byte SYSTEMTIME to fit. */
if (max_size >= 16)
{
SYSTEMTIME sysTime; /* SUB SP, SP, #0x10 */
GetSystemTime(&sysTime); /* LDR R3, =__imp_GetSystemTime */
/* The four loads below read the 16-byte stack temporary one word at a
 * time; presumably each is paired with a store into the buffer and only
 * the last store (offset 0xC) is listed -- confirm against the figure. */
/* LDR R3, [SP,#0x1C+var_1C] */
/* LDR R3, [SP,#0x1C+var_18] */
/* LDR R3, [SP,#0x1C+var_14] */
/* LDR R3, [SP,#0x1C+var_10] */
/* STR R3, [R6,#0xC] */
/* NOTE(review): sysTime0x0 looks like a name for "the field at offset 0";
 * whether it needs an address-of operator depends on the undeclared struct. */
memcpy(clock_info->sysTime0x0, &sysTime, sizeof(SYSTEMTIME));
bytes_copied = 16; /* MOVS R4, #0x10 */
}
/* Steps 2-4 test the space left. The subtraction is unsigned but cannot wrap:
 * the counter only grows inside a branch that has already checked that the
 * increment fits within max_size. */
/* SUBS R3, R5, R4 */
/* CMP R3, #4 */
if ((max_size - bytes_copied) >= 4)
{
/* LDR R3, =__imp_GetCurrentProcessId */
/* STR R0, [R6,R4] */
/* NOTE(review): the STR uses R4 as a byte offset from R6. In C, adding an
 * integer to a struct pointer scales by the struct size, so a byte-sized
 * pointer type is what the disassembly implies here. */
*(clock_info + bytes_copied) = GetCurrentProcessId();
bytes_copied += 4; /* ADDS R4, #4 */
}
/* SUBS R3, R5, R4 */
/* CMP R3, #4 */
if ((max_size - bytes_copied) >= 4)
{
/* LDR R3, =__imp_GetTickCount */
/* STR R0, [R6,R4] */
/* Same byte-offset caveat as the process-id store above. */
*(clock_info + bytes_copied) = GetTickCount();
bytes_copied += 4; /* ADDS R4, #4 */
}
/* SUBS R3, R5, R4 */
/* NOTE(review): the instruction comment compares against 9 while the C below
 * tests >= 8. Which one is right depends on the branch condition that follows
 * the CMP, which is not shown here -- confirm against the figure. */
/* CMP R3, #9 */
if ((max_size - bytes_copied) >= 8)
{
/* MOV R0, SP */
LARGE_INTEGER perfCount;
/* LDR R3, =__imp_QueryPerformanceCounter */
QueryPerformanceCounter(&perfCount);
/* Two word stores copy the 8-byte counter; R2 is presumably R6 + R4. */
/* STR R3, [R6,R4] */
/* STR R3, [R2,#4] */
/* Same byte-offset caveat as the process-id store above. */
memcpy((clock_info + bytes_copied), &perfCount,
sizeof(LARGE_INTEGER));
bytes_copied += 8; /* ADDS R4, #8 */
}
/* The running byte count is the function's result. */
return bytes_copied; /* MOV R0, R4 */
}
