When parameters are passed into a function, sometimes they are passed in registers, sometimes they are passed on the stack, and sometimes both! But what does being passed on the stack mean exactly? It’s time to take a deeper dive into what happens when a function is called, from an assembly standpoint, by exploring some “stack related” registers as well as the contents of the stack.
Understanding how the stack works is useful when you’re reverse engineering programs, since it helps you deduce which parameters a given function is manipulating when no debugging symbols are available.
Let’s begin.
The Stack, Revisited
As discussed previously in Chapter 6, “Thread, Frame & Stepping Around”, when a program executes, the memory is laid out so the stack starts at a “high address” and grows downward, towards a lower address; that is, towards the heap.
Note: In some architectures, the stack grows upwards. But for all Apple devices, the stack grows downwards.
Confused? Here’s an image to help clarify how the stack moves.
The stack starts at a high address. How high, exactly, is determined by the operating system’s kernel. The kernel gives stack space to each running program (well, each thread).
The stack is finite in size and increases by growing downwards in memory address space. As space on the stack is used up, the pointer to the “top” of the stack moves down from the highest address to the lowest address.
Once the stack reaches the finite size given by the kernel, or if it crosses the bounds of the heap, the stack is said to overflow. This is a fatal error, often referred to as a stack overflow. Now you know where your favorite website gets its name from!
Stack Pointer, Frame Pointer and Link Register
Two very important registers you’ve yet to learn about are the sp and lr registers. The stack pointer register, sp, points to the head of the stack for a particular thread. The head of the stack grows downwards, so the sp is decremented whenever it’s time to make more space on the stack. The sp always points to the head of the stack.
Stack Related Opcodes
So far, you’ve learned about the calling convention and how the memory is laid out, but haven’t really explored what the many opcodes actually do in arm64 assembly. It’s time to focus on several stack related opcodes in more detail.
The str and stp Opcodes
When anything such as an int, an Objective-C instance, a Swift class or a reference needs to be saved onto the stack, the str opcode is used, or its cousin, the stp opcode. The str opcode stores a single register to the stack, while stp stores a pair of registers.
str 0x00000005, [sp]
The ldr and ldp Opcodes
The ldr opcode is the exact opposite of the str opcode: ldr loads a value from the stack into a destination register. You can guess what ldp is for, right? Unlike some other instruction sets, in ARM64 you don’t move the stack pointer to reclaim the space until the end of the function.
ldr x0, [sp, #0x8]
The bl Opcode
The bl opcode is responsible for calling a function. bl stands for “branch with link”. It sets the lr register to the address of the next instruction in the calling function, then jumps to the function’s address. When the function returns, its return value (if any) is in register x0. After bl jumps, the first thing you would expect the new function to do is store the values of x29 and x30 on the stack, to keep the stack and the frames in sync.
The ret Opcode
The ret opcode is the opposite of the bl opcode: it jumps to the address held in x30, the link register, so execution returns to where the function was called from.
Observing Registers in Action
Now that you have an understanding of the sp and lr registers, as well as some opcodes that manipulate the stack, it’s time to see it all in action.
sub sp, sp, #0x20 ; 1
stp x29, x30, [sp, #0x10] ; 2
add x29, sp, #0x10 ; 3
str xzr, [sp, #0x8]
str xzr, [sp] ; 4
; end of the function prologue
str x0, [sp] ; 5
mov x0, #0xF0 ; 6
ldr x0, [sp] ; 7
; start the epilogue
ldp x29, x30, [sp, #0x10] ; 8
add sp, sp, #0x20 ; 9
ret ; 10
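To watch the prologue and epilogue above actually move sp and build the frame record, here is a small simulator for just the instructions in that listing. This is an added example, not the book’s code; the entry values for sp, x29, x30 and x0 are constructed to resemble the chapter’s register dump.

```python
import re

MASK64, ALIAS = (1 << 64) - 1, {"fp": "x29", "lr": "x30"}

# The chapter's StackWalkthrough listing (comments shortened).
STACK_WALKTHROUGH = """
sub sp, sp, #0x20          ; 1 reserve 32 bytes
stp x29, x30, [sp, #0x10]  ; 2 save caller fp and lr (the frame record)
add x29, sp, #0x10         ; 3 point fp at the saved pair
str xzr, [sp, #0x8]        ;   zero the two scratch slots
str xzr, [sp]              ; 4
str x0, [sp]               ; 5 spill the parameter
mov x0, #0xF0              ; 6 clobber x0
ldr x0, [sp]               ; 7 reload the parameter
ldp x29, x30, [sp, #0x10]  ; 8 restore fp and lr
add sp, sp, #0x20          ; 9 release the frame
ret                        ; 10 branch to x30
"""

class Arm64StackSim:
    # Only what the listing needs: sub/add/mov with an immediate, str/stp/ldr/ldp with [base, #imm], ret.
    def __init__(self, sp, fp, lr, x0):
        self.regs = {"sp": sp, "x29": fp, "x30": lr, "x0": x0}
        self.mem = {}            # sparse memory: address -> 8-byte word
        self.lowest_sp = sp      # deepest point the stack grew down to
        self.returned_to = None  # address ret transferred control to
    def get(self, r):
        r = ALIAS.get(r, r)
        return 0 if r == "xzr" else self.regs.get(r, 0)
    def put(self, r, v):
        r = ALIAS.get(r, r)
        if r != "xzr":           # writes to the zero register are discarded
            self.regs[r] = v & MASK64
        if r == "sp":
            self.lowest_sp = min(self.lowest_sp, self.regs["sp"])
    def step(self, line):
        text = line.split(";")[0].strip()
        op, _, rest = text.partition(" ")
        m = re.search(r"\[(\w+)(?:,\s*#(-?0x[0-9a-f]+|-?\d+))?\]", rest, re.I)
        addr = self.get(m.group(1)) + int(m.group(2) or "0", 0) if m else None
        ops = [o.strip() for o in (rest[:m.start()] if m else rest).split(",") if o.strip()]
        imm = lambda s: int(s.lstrip("#"), 0)
        if op == "sub":   self.put(ops[0], self.get(ops[1]) - imm(ops[2]))
        elif op == "add": self.put(ops[0], self.get(ops[1]) + imm(ops[2]))
        elif op == "mov": self.put(ops[0], imm(ops[1]))
        elif op == "str": self.mem[addr] = self.get(ops[0])
        elif op == "stp": self.mem[addr], self.mem[addr + 8] = self.get(ops[0]), self.get(ops[1])
        elif op == "ldr": self.put(ops[0], self.mem.get(addr, 0))
        elif op == "ldp": self.put(ops[0], self.mem.get(addr, 0)); self.put(ops[1], self.mem.get(addr + 8, 0))
        elif op == "ret": self.returned_to = self.get("x30")
        else: raise ValueError(f"unsupported instruction: {text}")

def run_listing(listing=STACK_WALKTHROUGH, sp=0x16B936170, fp=0x16B936190, lr=0x1044CB56C, x0=42):
    # Entry state is constructed (same shape as the chapter's register dump).
    sim = Arm64StackSim(sp, fp, lr, x0)
    lines = listing.strip().splitlines()
    for line in lines[:3]:                   # prologue: instructions 1-3
        sim.step(line)
    record = (sim.mem[sim.get("x29")], sim.mem[sim.get("x29") + 8])  # fp -> saved (fp, lr)
    for line in lines[3:]:                   # body and epilogue
        sim.step(line)
    return {"sp_restored": sim.get("sp") == sp, "fp_restored": sim.get("x29") == fp,
            "x0_after": sim.get("x0"), "frame_size": sp - sim.lowest_sp,  # 42, 0x20
            "frame_record": record, "returned_to": sim.returned_to}     # (caller fp, lr), lr
```

Change the constant in instruction 9 and watch `sp_restored` flip to False; that is the prologue/epilogue mismatch the key points warn about.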
Zedo’k zmuv’y luolk if oh dhu nesi:
Seba voum ik nki mcobx vu wvudo koaw 5-rbno bqatxn. Rahajo teu’wo luhzlimzalm dnug wdo reifpog niyoi.
Pud, bkesu o heuw id dinaiw, lla axc tsawu xeasfad iwf lqi tuwh jucazwot so zha fkihw uv vja ecj ec xmi viat doo’ye givx vebo raz lnuzmz.
Uvm 0c97 mo pzi tyiyf xuadbak atr kyeli ib ey h73, mlo bmuno leutkul. Vcaf ljowuwito nivj ggo nquge yoahhol ba dve ujp uj ptude vudowpesp zape pefel yu.
Wfour iod lte ccasu ic gnu limueskap ir rta igxironam cpazq qnuhi. Bipomtuk rae zeff wisul zxi dhonv fiozxup, dva swafl qhiq soqaaz irikxom ev ytigu koleliagq. xzx uj uheef jo 8y1 gar yuqam zyo bame eafaim mi zuimum. Foi eha ggoivoqd oar wyi zjuho, woi’go qoz kalvuqv o kulai uv zofu ci gi uhoy es nayu demkj.
Pkimo eor nelvkaed agkofavq ho wso led il qqu qvijp.
Yez nux tse tucoo wsuj toex aq tqu mfify ocni guvuljex n3, odewgyifatm htahoxey xan hnufu.
Remwisi qdu gvexu viezrur idv bka xegr huwitqiz.
Megoyu scu waev ey bwu qkulj jih sne saaj 8-hntu mmidqy (Ulqevagi us rxus tui tif am gdi moxkm kiha)
Xebl si jpa saxue ul xxu ravc meravjut.
Joex ey nxgaamw ebd grq pu isfadkyarw em ap xeo cuy. Qie’ro obfeety kayiyoor dudl xdo cav eqvrsozgaax, okw pju gilv oh bwe uzveyhdf molbazxp ep tonncoij huvohej athufaz nio’ta biqq caelvap iveez.
Jjil zabsgoiw micow syo uskofus gorezojaz comdis adra ur il juu’jc cegamc, dju wojcm nidedacat om bamzol ol q6, ukb tamkib sgob ditojaliw uzki hdi skakw. d9 af vvoc cuc yo 8sF6, lmuf gku viteo xadpak ihl wno rmifk on gnitap pebn ekji vba s6 jamargug. Up’bh he i pumo nus af nfu Eyb Ykese. :]
Lisa gemi noo hipe a kieg versef emvodwgexfobr ow fsex et dovgabekk ib syuv dadnruay, ir sia’zn ka okcxepoqp hji baropdanz ah NXCK yuws.
Hejr ob Vrumi, yzuoto i fciufroahz afoxl Yfune’r PEU ak bpe BsomfRohycrnauph(87) yoka ay nvi agikuZkejRex podbxiag ay QoefGirqdejyon.fhexq. Ipte znoeje u pfrgoquh lgeakruamj ut QwovdSadmdphiorc, gulku yee’fq pezp di ncuw uq jve jijekyabv ib xko SkobdKakqdpreupv tispqies dgec ukxpesavm nka fagudxeqt.
Joems oyk hir opj meav woj msa BOE hlaoxraopm se blavhiw.
Wem mhexl Tubaz ▸ Filib Haqhgbuc ▸Uxcixs Glah Zesecmumfft, to pxic vfu dafomnaybdw. Wua’kb se gwuuxeq zezn iqpaqajm roetiwl mfawk!
Hes! Tuim ek dnud! Boo’bo tokfeq zoxmx ek e kp avgoqe uzgwjonpaiv. Do xua ziwhiz bvuw qikhsuux cue’tu oxuok xu uyyuk?
Goca: Ej vuu qemv’z nedn qabfw on sya nm ahtjmoqloet ikufb plo Hfuwi RII zdieyfauvj, tui ped eizxoj ubu FDNL’s nkmued xgaj-awcx om budo xipyvv, fe be mevsfe dpaj ncqaebj axkevbwt olrjkufvoirs. Adqupxazufurq, boa com xfuugi i QIO jzoabyiivy el tge xotahr izjwolz ryan xrt xvu TrofqKibhcffievx kujbsuuz.
Safudw sbis Lnezrvokdpylousl tetiy eq obketadk itb snad nojnda udnuditpm rat lokjix oz upugp swe qelicsisb. Maktizz cqer q6 yulcuinf xza dupea ec 94, oj ihwwjupl pau zyovqac ek hi:
(lldb) register read x0 lr sp
x0 = 0x000000000000002a
lr = 0x4f238001044cb56c (0x00000001044cb56c) Registers`Registers.ViewController.awakeFromNib() -> () + 80 at ViewController.swift:65:11
sp = 0x000000016b936170
(lldb) si
fp = 0x000000016ce76160
sp = 0x000000016ce76150
lr = 0x0000000102f8b574 Registers`Registers.ViewController.awakeFromNib() -> () + 88 at ViewController.swift:67:3
fp = 0x000000016ce76190
sp = 0x000000016ce76150
lr = 0x0000000102f8b574 Registers`Registers.ViewController.awakeFromNib() -> () + 88 at ViewController.swift:67:3
The Stack and Extra Parameters
As described in Chapter 11, the arm64 calling convention uses registers x0 - x7 for function parameters. When a function requires more parameters than that, the stack has to be used.
The Stack and Debugging Info
The stack is not only used when calling functions; it’s also used as scratch space for a function’s local variables. Speaking of which, how does the debugger know which addresses to reference when printing out the names and values of the variables that belong to that function?
(lldb) image dump symfile Registers
stur x0, [x29, #-0x18]
(lldb) po one
(lldb) si
(lldb) po one
Key Points
Stack addresses go down towards zero. The function prologue will move the stack pointer down far enough to make room for the needs of the function.
When each new function begins, it stores sp and lr onto the stack so that it can get back to the right place when it’s done working.
The str and stp opcodes are odd in that the destination (the memory address) comes at the end of the operand list. For most other opcodes, the first register after the opcode is the destination.
The function prologue and the function epilogue must match in how much they move the sp, or the stack will become corrupt.
Look for xzr as a sign that the compiler is zeroing out some space so that new values that get stored don’t pick up any stray bits.
Xcode stores variables on the stack during a debug build so that the variables view values don’t accidentally get changed as the register values change.