August 12, 2011

Not dead yet

I’m not dead yet… I’m still sick… it seems that my body got infectious mononucleosis.
Sounds like AIDS, eh? Well, I’ve been staying at home most of the time, mainly doing nothing.

However, I got some time to fiddle around with ARM assembly (I might tell the whole story once I’m better), and got to disassemble one tricky file.
As a VIM addict, I got the disassembly with radare2 and saved it into a file:

           0x0001320c  entry0:
            0x0001320c    0    18c04fe2^[[0m         sub ip, pc, #24 ; 0x18
            0x00013210    0    060c9ce8^[[0m         ldm ip, {r1, r2, sl, fp}
            0x00013214    0    0ca08ae0^[[0m         add sl, sl, ip
            0x00013218    0    0cb08be0^[[0m         add fp, fp, ip
            0x0001321c    0    0200a0e1^[[0m         mov r0, r2
            0x00013220    0    01904ce0^[[0m         sub r9, ip, r1
            0x00013224    0    011a81e2^[[0m         add r1, r1, #4096 ; 0x1000
            0x00013228    0    013aa0e3^[[0m         mov r3, #4096 ; 0x1000
            0x0001322c    0    0f002de9^[[0m         push {r0, r1, r2, r3}
            0x00013230    0    0720a0e3^[[0m         mov r2, #7 ; 0x7
            0x00013234    0    3230a0e3^[[0m         mov r3, #50 ; 0x32
            0x00013238    0    0040e0e3^[[0m         mvn r4, #0 ; 0x0
            0x0001323c    0    c070a0e3^[[0m         mov r7, #192 ; 0xc0
            0x00013240    0    000000ef^[[0m         svc 0x00000000
                ; syscall[0x0][0]=?

I used radare since IDA unknowingly failed to disassemble it correctly.
And now to the real thing: see these annoying ^[[0m characters? Well, I tried using vim’s :%s to replace them with a space, with a classical


But apparently it did not work well at all. I started thinking I should indeed add \ for the [ characters


but it did not work either

I started getting a bit tipsy; maybe I’m doing something wrong w/ matching the correct patterns?
I started walking around the string itself and found that the first ^[ is actually one character, which is quite stupid imho to miss something like that.
So the actual pattern to look for would be


and the day was saved, once again (:
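
The same cleanup outside the editor, as an added example that is not part of the original post: a literal "^[[0m" search fails because "^[" is only how the single ESC byte (0x1b) is displayed, while a pattern anchored on that byte works. The function names and the sample text (two lines of the listing with the ESC byte restored) are constructed for illustration, and the regex goes beyond the post's one case to cover any CSI sequence, not just `[0m`.

```python
import re

ESC = "\x1b"  # one byte (0x1b); editors and `cat -v` render it as the two glyphs "^["

# CSI sequence: ESC '[' + parameter bytes (0x30-0x3f) + intermediate bytes
# (0x20-0x2f) + one final byte (0x40-0x7e). "ESC[0m" is the SGR reset case.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


def strip_literal_caret(text):
    """The attempt that fails: treats '^[' as the printable characters '^' and '['."""
    return text.replace("^[[0m", "")


def strip_csi(text):
    """Remove every CSI escape sequence, anchored on the real ESC byte."""
    return CSI_RE.sub("", text)


def find_escapes(text):
    """List (line number, column, sequence) for each CSI sequence, for review before stripping."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CSI_RE.finditer(line):
            hits.append((lineno, match.start(), match.group()))
    return hits


# Constructed sample: two lines from the listing above with the ESC byte restored.
SAMPLE = (
    "0x0001323c    0    c070a0e3" + ESC + "[0m         mov r7, #192 ; 0xc0\n"
    "0x00013240    0    000000ef" + ESC + "[0m         svc 0x00000000\n"
)

if __name__ == "__main__":
    print("literal '^[[0m' replace changed anything:",
          strip_literal_caret(SAMPLE) != SAMPLE)
    for lineno, col, seq in find_escapes(SAMPLE):
        print(f"line {lineno} col {col}: {seq!r}")
    print(strip_csi(SAMPLE), end="")
```

In Vim patterns the same byte can be written as `\e` or `\%x1b`, or typed literally with Ctrl-V followed by Esc.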

I hope to feel better within a few weeks and start sharing more of the previous research I’ve done.



