Startup code

We have surmised that our application is missing the proper startup code, but just what does startup code for an Android/Linux application on ARM look like? Where do we turn to get this kind of information? Let's look deeper into the bag of CodeSourcery tricks for a clue.

A number of executable applications ship with Android. Let's pull one of those over to the desktop and see what we can learn. Perhaps we can extract information from that file that can assist in solving this puzzle.

The tool we are going to use to assist us in this effort is the object dump command, arm-none-linux-gnueabi-objdump. This utility has a number of options for tearing apart an ELF (Executable and Linkable Format) file for examination. This is the kind of file structure used by applications in the Android/Linux environment. Using the -d option of the objdump command results in a disassembly of the executable file, showing the assembly language equivalent of the code in each executable section. Our interest is in the first .text section of the disassembly, as this ought to be the entry point of the application. Listing 13.6 shows the .text section from the ping program taken from the Android Emulator (via adb pull).

Listing 13.6 Disassembly of ping

000096d0 <dlopen-0x60>:
    96d0:   mov     r0, sp                  <—B Stack pointer
    96d4:   mov     r1, #0                  <—C mov instruction
    96d8:   add     r2, pc, #4    ; 0x4     <—D add instruction
    96dc:   add     r3, pc, #4    ; 0x4
    96e0:   b       9514 <dlopen-0x21c>     <—E Branch instruction
    96e4:   b       cef8 <dlclose+0x37bc>   <—F Branch instruction
    96e8:   andeq   lr, r0, r8, lsl #8      <—G Conditional expressions
    96ec:   andeq   lr, r0, r0, lsl r4
    96f0:   andeq   lr, r0, r8, lsl r4
    96f4:   andeq   lr, r0, r0, lsr #8
    96f8:   nop     (mov r0, r0)            <—H nop instruction
    96fc:   nop     (mov r0, r0)
The first instruction assigns the value of the stack pointer (sp) to register 0 (r0) B. Next, the literal value zero is assigned to register r1 C. The program counter plus four memory locations is stored in registers r2 and r3 D. The b instruction tells the code to branch to a specific address E. In this case, the address is 0x21c bytes prior to the address of the dlopen function. This value is 9514 in decimal. The next branch is to an address that is 0x37bc bytes beyond the dlclose label F. The next few instructions G are conditional operations. The code snippet finishes up with a pair of nop instructions H. Note that the address of each instruction is shown at the very left of each line. Each instruction occurs at a 4-byte offset from its predecessor. Four bytes times eight bits per byte equals a 32-bit address bus, which makes sense because the ARM processor family is 32-bit.
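Two checks worth making while reading a listing like this, written here as an added Python example that is not from the book or from the CodeSourcery toolchain: first, read the entry point (e_entry, the value readelf -h reports as "Entry point address") straight from the ELF32 header instead of assuming the first .text block is it; second, parse the objdump lines to confirm the 4-byte stride and to recover absolute symbol addresses from the <symbol±offset> annotations. The ELF header bytes and the disassembly text below are constructed to match the listing (the machine-code column is omitted, as objdump's --no-show-raw-insn option prints it), so the script runs offline; the function names are this example's own. Resolving both dlopen annotations to the same address (0x9730) is the kind of cross-check that catches a misread or mis-extracted listing.

```python
import re
import struct

EM_ARM = 0x28  # e_machine value for ARM

# Constructed 52-byte ELF32 little-endian header for an ARM executable whose
# entry point is 0x96d0. Only the fields the parser reads are meaningful;
# the program/section header counts are zero.
SAMPLE_ELF_HEADER = (
    struct.pack("<4sBBBBB7x", b"\x7fELF", 1, 1, 1, 0, 0)   # e_ident: ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    + struct.pack("<HHIIIIIHHHHHH",
                  2, EM_ARM, 1,           # e_type=ET_EXEC, e_machine, e_version
                  0x96D0,                 # e_entry
                  52, 0, 0,               # e_phoff, e_shoff, e_flags
                  52, 32, 0, 40, 0, 0)    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
)

# Constructed text in the shape of `objdump -d --no-show-raw-insn` output for
# the block shown in listing 13.6.
SAMPLE_DISASSEMBLY = """\
000096d0 <dlopen-0x60>:
    96d0:  mov     r0, sp
    96d4:  mov     r1, #0   ; 0x0
    96d8:  add     r2, pc, #4   ; 0x4
    96dc:  add     r3, pc, #4   ; 0x4
    96e0:  b       9514 <dlopen-0x21c>
    96e4:  b       cef8 <dlclose+0x37bc>
    96e8:  andeq   lr, r0, r8, lsl #8
    96ec:  andeq   lr, r0, r0, lsl r4
    96f0:  andeq   lr, r0, r8, lsl r4
    96f4:  andeq   lr, r0, r0, lsr #8
    96f8:  nop     (mov r0,r0)
    96fc:  nop     (mov r0,r0)
"""

# "  96d0:  mov     r0, sp"  ->  address, mnemonic, operand text
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+([a-z][a-z0-9.]*)\s*(.*?)\s*$")
# "9514 <dlopen-0x21c>"  ->  address, symbol, sign, hex offset (label lines match too)
SYMREF_RE = re.compile(r"([0-9a-f]+)\s+<([A-Za-z_][\w.]*)(?:([+-])0x([0-9a-f]+))?>")


def elf32_entry_point(data):
    """Return e_entry from an ELF32 little-endian ARM header after validating magic, class and machine."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:   # EI_CLASS must be ELFCLASS32, EI_DATA must be ELFDATA2LSB
        raise ValueError("expected a 32-bit little-endian ELF")
    _e_type, e_machine, _e_version, e_entry = struct.unpack_from("<HHII", data, 16)
    if e_machine != EM_ARM:
        raise ValueError("not an ARM binary (e_machine=0x%x)" % e_machine)
    return e_entry


def parse_disassembly(text):
    """Turn objdump instruction lines into (address, mnemonic, operands) tuples; label lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return insns


def uniform_stride(insns, stride=4):
    """True when every instruction sits exactly `stride` bytes after its predecessor (fixed-width ARM code)."""
    return all(b[0] - a[0] == stride for a, b in zip(insns, insns[1:]))


def resolve_symbols(text):
    """Recover absolute symbol addresses from every `addr <sym+off>` / `addr <sym-off>` annotation.

    An annotation states addr == sym + off (or sym - off), so the symbol itself is
    addr - off (or addr + off). Two annotations that disagree about a symbol raise.
    """
    symbols = {}
    for addr, sym, sign, off in SYMREF_RE.findall(text):
        delta = int(off, 16) if off else 0
        base = int(addr, 16)
        sym_addr = base - delta if sign == "+" else base + delta
        if symbols.setdefault(sym, sym_addr) != sym_addr:
            raise ValueError("conflicting addresses for %s" % sym)
    return symbols


def entry_matches_listing(header, text):
    """Check that the ELF entry point really is the first instruction of the disassembled block."""
    insns = parse_disassembly(text)
    return bool(insns) and elf32_entry_point(header) == insns[0][0]


if __name__ == "__main__":
    print("entry point: 0x%x" % elf32_entry_point(SAMPLE_ELF_HEADER))
    print("uniform 4-byte stride:", uniform_stride(parse_disassembly(SAMPLE_DISASSEMBLY)))
    for sym, addr in sorted(resolve_symbols(SAMPLE_DISASSEMBLY).items()):
        print("%-8s 0x%x" % (sym, addr))
```

On a real pulled binary, replace SAMPLE_ELF_HEADER with the first 52 bytes of the file and SAMPLE_DISASSEMBLY with the captured objdump output; if the entry point does not land on the first .text block, the startup code lives elsewhere and the disassembly should be searched for that address instead.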

Okay, so that looks a little different from the rest of the code in this chapter—and just what does it do? Unfortunately, other than some basic interpretation of the op codes used, there is little to tell us why those instructions are there. After doing some research on the internet, we found a better example of this code, shown in listing 13.7.
