# Reverse Engineering ARM ARM works a bit differently to intel x86 architecture in the way it uses registers and how instructions are formed. ## Registers * `SP` - Stack Pointer (same as ESP - points to top of the stack) * `x29` - the Frame Pointer, `FP`, points to the base of the current functions stack frame (similar to EBP) * `x30` - the Link Register, `LR`, which stores the return address of a function (the return pointer) * `PC` - the Program Counter (aka Instruction Pointer) pointing to the next The calling convention in ARM works similarly to x86: ``` // drop down SP sub sp, sp, 0x20 // Save FP and LR to the stack stp x29, x30, [var_10h] // Set up a new stack frame by updating x29 to SP+0x10 add x29, sp, 0x10 // ... function execution ... // Restore FP and LR ldp X29, X30, [SP], [var_10h] // Return ret ``` Even though it does roughly the same stuff, there are a few differences between x86 and ARM64. Firstly, a lot of instructions take 3 parameters now: ``` sub sp, sp, 0x20 ``` The first parameter here (as well as for other functions such as `add`) is the register to store the result in. In x86, we assume that the first register that we are adding also stores the result, but ARM makes it explicit. The `stp` instruction has no direct x86 equivalent (as far as I am aware!). Essentially, the first two parameters provide registers and the third parameter tells it where in. memory to save the values. For example, the following instruction stores `x29` and `x30` to memory location `var_10h`: ``` stp x29, x30, [var_10h] ``` {% hint style="warning" %} I'm not really sure what `var_10h` refers to - Cutter says\ `var_10h @ stack - 0x10`\ but I don't know exactly what it uses as a reference point - todo moment... {% endhint %} Finally, the `ret` instruction is executed. `ret` transfers the value in `x30` (`LR`) to `PC` to return execution to the next instruction after the call to the function. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/rev/reverse-engineering-arm.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.