
I have a small command line application named "debugger" which acts as a debugger for a process A. This application works fine with x86 and x64. Now I have to migrate this "debugger" to ARM64 architecture. What this debugger very briefly does is attach breakpoints, i.e. it writes the instruction int3 (0xcc) to the start of the functions it finds in the map file of process A. Now whenever I try to run my application via this "debugger" app I am able to set breakpoints, but the app continuously gets "access_violation" and crashes violently. My hunch is that for the ARM64 architecture the instruction "0xcc" which I am writing to the start of the functions is causing the access_violation. I have tried using the instructions "0x150" and "0xF000" instead of "0xcc". For more info please refer to my earlier question.

To make sure that this is the only issue, I want to add an instruction which does not impact code execution in any way, so that I can confirm that the only issue is the instruction I am writing as a breakpoint in my debugger code. Please help me narrow down my issue; also provide links for all your answers.

πάντα ῥεῖ
  • https://developer.arm.com/documentation/dui0489/c/arm-and-thumb-instructions/miscellaneous-instructions/nop#:~:text=Usage,necessarily%20a%20time%2Dconsuming%20NOP%20. – Alan Birtles Dec 21 '21 at 18:13
  • 0xCC is an x86 instruction. Why would you ever expect it to [work on ARM](https://stackoverflow.com/q/11345371/327083)? – J... Dec 21 '21 at 18:14
  • @AlanBirtles Converted NOP to hex using https://armconverter.com/?code=NOP%0A , still getting the same access_violation. How can I make sure that the hex conversion is completely correct, because then I will completely focus on something else? – arielBodyLotion Dec 21 '21 at 18:33
  • @J... Correct, I know this is not the correct instruction, but other instructions also give me the same error, so I am trying to isolate the problem here. – arielBodyLotion Dec 21 '21 at 18:34
  • AArch64 uses fixed-width 4-byte instructions. You need to update the whole instruction, not just the first byte. – Peter Cordes Dec 21 '21 at 18:43
  • If you overwrite an instruction in the code—which presumably does *something*—with an instruction that does nothing, I would expect nothing other than a crash. You **have to** overwrite using a legitimate arm64 instruction that causes a trap, so the original instruction can be replaced by the trap handler to allow execution to continue. – prl Dec 21 '21 at 19:58
  • @prl I want to address the same question to you: when I encounter the brk op code in my debugger I want to put the original bytes back so that execution can run as it was intended to; for this I want to reduce the Pc register (start executing instructions at the start of the function) to the previous instruction. But decrementing Pc once did not do the job, while decrementing it 4 times is working fine. Is this because I had written 4 bytes of op code and the Pc had to be decreased 4 times? – arielBodyLotion Jan 05 '22 at 18:43

1 Answer

The ARM64 breakpoint instruction is called brk, and by either referring to the Armv8 Architecture Reference Manual or using an ARM64 assembler, you can see it's encoded as 0xd4200000 (a 4-byte word, little-endian, so the bytes are 0x00 0x00 0x20 0xd4).

But if you're going to successfully port a debugger, you're going to need a lot more knowledge about the ARM64 architecture than just that one instruction.

Nate Eldredge
  • Thanks for your response Nate. Another quick question: when I encounter the brk op code in my debugger I want to put the original bytes back so that execution can run as it was intended to; for this I want to reduce the Pc register (start executing instructions at the start of the function) to the previous instruction. But decrementing Pc once did not do the job, while decrementing it 4 times is working fine. Is this because I had written 4 bytes of op code and the Pc had to be decreased 4 times? – arielBodyLotion Jan 05 '22 at 18:42
  • @arielBodyLotion: Right, the pc value is a normal address, so its units are bytes, but every instruction is 4 bytes long. So yes, you must subtract 4 to point to the previous instruction. – Nate Eldredge Jan 06 '22 at 04:58
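The two points of the thread (BRK is a whole 4-byte little-endian word, and pc moves in bytes while instructions are 4 bytes) in code, as an added example that is not the asker's debugger or the answerer's code; the sample function prologue bytes, the `BRK_MASK` recogniser and the `pc_one_insn_back` helper are this example's own constructions:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* AArch64 BRK #imm16: bits 31..21 are 11010100001, the immediate sits in bits
 * 20..5, bits 4..0 are zero. BRK #0 is 0xd4200000 (little-endian 00 00 20 d4). */
#define BRK_BASE 0xd4200000u
#define BRK_MASK 0xffe0001fu /* bits that must match for any BRK #imm16 */
#define INSN_LEN 4           /* every AArch64 instruction is exactly 4 bytes */

uint32_t encode_brk(uint16_t imm16) { return BRK_BASE | ((uint32_t)imm16 << 5); }

bool is_brk(uint32_t insn) { return (insn & BRK_MASK) == BRK_BASE; }

/* Read a 4-byte little-endian instruction word out of a code buffer. */
uint32_t read_insn(const uint8_t *code, size_t off) {
    return (uint32_t)code[off] | ((uint32_t)code[off + 1] << 8) |
           ((uint32_t)code[off + 2] << 16) | ((uint32_t)code[off + 3] << 24);
}

/* Write a whole instruction word little-endian (never just its first byte). */
void write_insn(uint8_t *code, size_t off, uint32_t insn) {
    for (int i = 0; i < INSN_LEN; i++) code[off + i] = (uint8_t)(insn >> (8 * i));
}

/* Plant BRK #0 at a function entry and hand back the original word so the
 * debugger can restore it when the trap is reported. */
uint32_t plant_breakpoint(uint8_t *code, size_t off) {
    uint32_t saved = read_insn(code, off);
    write_insn(code, off, encode_brk(0));
    return saved;
}

/* pc is a byte address, so "one instruction back" is pc - 4, as the thread
 * observed; confirm for your own OS whether it reports the BRK address itself
 * or the following instruction before applying this. */
uint64_t pc_one_insn_back(uint64_t pc) { return pc - INSN_LEN; }

/* Constructed prologue (stp x29,x30,[sp,#-16]! ; mov x29,sp) as sample input;
 * returns 1 when plant/restore round-trips and the x86-style single-byte 0xcc
 * patch is correctly rejected as "not a BRK". */
int breakpoint_roundtrip_ok(void) {
    uint8_t code[8] = {0xfd, 0x7b, 0xbf, 0xa9, 0xfd, 0x03, 0x00, 0x91};
    uint32_t saved = plant_breakpoint(code, 0);
    if (!is_brk(read_insn(code, 0)) || code[3] != 0xd4) return 0;
    write_insn(code, 0, saved);                 /* restore at trap time */
    if (read_insn(code, 0) != 0xa9bf7bfdu || read_insn(code, 4) != 0x910003fdu) return 0;
    code[0] = 0xcc;                             /* the x86 habit: one byte only */
    return !is_brk(read_insn(code, 0));
}
```

A real debugger does the same reads and writes through its process-memory API instead of a local buffer.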