> you will notice that the upper nybble of nearly every fourth byte is an “E”, these denote a number of different operations, including loading, storing, branching and standard arithmetic. When you see a binary file with data represented uniformly like this, you can be reasonably sure that it is running ARM code.
The 'E' nybble doesn't have much to do with the operation code. What it really is, is that more or less every A32 instruction can be predicated by a condition code. 'E' means 'always execute this instruction' regardless of the current state of the flags.
Fuzzing the tank within certain parameters made for entertainment. It would drive & shoot randomly. That was great fun, until it shot my wife. Oops.
Oh dear. From my experience in life, women and girls never find being shot with Nerf even remotely as amusing as the men and boys in their life think they will. “It was random, I swear,” probably didn’t help much. Great article though, does anyone know why the toy uses the full 32-bit ARM instruction set instead of THUMB?
I'm a man. Being shot by a Nerf depends on the context. Playing with kids - fine. Deeply concentrating in the office and shot by adult idiot? Not fine.
If someone I married was genuinely pissed off about an errant Nerf dart, I would seek a new partner. I found the author's comment quite odd for a committed fellow.
Sometimes I wonder if the SO in these kinds of comments actually gets a negative reaction - or if it's just another dumb, outdated joke that women/girls are sooo sensitive.
I was the target of the Nerf tank assault. I was winning until Dave picked up the tank and started aiming it at me ;)
Talk video should be up next month for those interested, which goes into a bit more detail about the process taken to reverse the tank. Good research, would get shot again!
Is there a way to determine the instruction set automatically? Like you hit a button on the remote and it looks for a specific change in the hex instruction. Or is the only way to do it through deductive reasoning and experience, like how the author does it?
You might try to disassemble the code for a bunch of ISAs and see if your disassembly produces a meaningful function prologue & epilogue for that ISA's ABI. Automatically.
Not sure if someone is doing that. Our (commercial) disassembler for example is told by the user what target it's disassembling (and I usually look at the output, not the actual opcodes; so maybe that's not feasible).
It's really a matter of experience (and sometimes lots of brute force); it's not easy to explain, but I am able to make a reasonable guess at identifying ARM, MIPS, x86, and Z80 by looking at the "texture" of the bytes as displayed in a hexdump or ASCII. Basically, stare at enough binaries for long enough and it tends to come naturally, just like people are usually able to tell apart human languages even if they don't actually know them.
The author's reasoning is the usual approach, just as it's possible for an amateur to distinguish between Czech and Finnish by eyeball statistical analysis even without speaking either language.
I'm now wondering if it would be possible / an interesting challenge to compose x86 code that fits the "E upper nibble every 4th byte" pattern of ARM...
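The "E upper nybble every fourth byte" texture that the quoted article, the condition-code reply and the auto-detection question above all circle around can be turned into a small scoring heuristic. The following is an added example written for this page, not code from the article or from any of the commenters. It scans a byte blob for the column (position modulo 4) in which the upper nybble is most often 0xE, which is where the A32 condition field AL lands, and then decodes the condition field of each word in that framing. The two sample buffers are constructed inline: a handful of hand-assembled A32 encodings (stored little-endian, as the article's dump is) and a typical x86-64 function prologue/epilogue. The 0.5 threshold, the function names and the sample data are all assumptions made for the example.

```python
import struct

# A32 condition field (bits 31..28). 0xE = AL, "always". 0xF is the
# unconditional-instruction space on ARMv5 and later (NV on older cores).
COND_NAMES = {
    0x0: "EQ", 0x1: "NE", 0x2: "CS", 0x3: "CC", 0x4: "MI", 0x5: "PL",
    0x6: "VS", 0x7: "VC", 0x8: "HI", 0x9: "LS", 0xA: "GE", 0xB: "LT",
    0xC: "GT", 0xD: "LE", 0xE: "AL", 0xF: "NV",
}

# Constructed sample: hand-assembled A32 instructions, one 32-bit word each.
A32_WORDS = [
    0xE92D4800,  # push {fp, lr}
    0xE3A00000,  # mov r0, #0
    0xE2800001,  # add r0, r0, #1
    0x03A00001,  # moveq r0, #1   (cond = EQ, not AL)
    0xE5910000,  # ldr r0, [r1]
    0xE1A00000,  # nop (mov r0, r0)
    0xE12FFF1E,  # bx lr
    0xEAFFFFFE,  # b . (branch to self)
]
# Packed little-endian, so the condition byte sits at offset 3 of every word.
A32_LE = b"".join(struct.pack("<I", w) for w in A32_WORDS)

# Constructed sample: an x86-64 frame setup/teardown, for contrast.
X86_64_SAMPLE = bytes.fromhex(
    "55"              # push rbp
    "4889e5"          # mov rbp, rsp
    "4883ec10"        # sub rsp, 0x10
    "c745fc00000000"  # mov dword [rbp-4], 0
    "8b45fc"          # mov eax, [rbp-4]
    "4883c410"        # add rsp, 0x10
    "5d"              # pop rbp
    "c3"              # ret
)


def cond_field(word: int) -> int:
    """Condition field of an A32 instruction word (bits 31..28)."""
    return (word >> 28) & 0xF


def al_phase_scores(blob: bytes) -> list:
    """For each phase p in 0..3, the fraction of bytes at positions
    p, p+4, p+8, ... whose upper nybble is 0xE (the AL condition).
    Real A32 code shows one phase with a high score and three near zero."""
    scores = []
    for phase in range(4):
        column = blob[phase::4]
        hits = sum(1 for b in column if (b >> 4) == 0xE)
        scores.append(hits / len(column) if column else 0.0)
    return scores


def guess_a32(blob: bytes, threshold: float = 0.5):
    """Return (phase, score) of the best-scoring column if it clears the
    threshold, else None. Only the position of the condition byte is
    inferred: little-endian code with the top byte at phase p looks the
    same as big-endian code starting p-3 bytes earlier, so endianness
    has to come from elsewhere (the disassembly, or the vendor's CPU)."""
    scores = al_phase_scores(blob)
    best_phase = max(range(4), key=lambda p: scores[p])
    if scores[best_phase] < threshold:
        return None
    return best_phase, scores[best_phase]


def cond_names(blob: bytes, phase: int, endian: str = "<") -> list:
    """Decode the condition mnemonic of every word, framing the blob so
    the condition byte lands at `phase`. For little-endian words the top
    byte is the last of the four, so the first word starts at phase+1."""
    start = (phase + 1) % 4 if endian == "<" else phase
    body = blob[start:]
    n = len(body) // 4
    words = struct.unpack(f"{endian}{n}I", body[: n * 4]) if n else ()
    return [COND_NAMES[cond_field(w)] for w in words]


if __name__ == "__main__":
    for name, blob in (("a32", A32_LE), ("x86-64", X86_64_SAMPLE)):
        print(name, [round(s, 2) for s in al_phase_scores(blob)], guess_a32(blob))
    print(cond_names(A32_LE, 3))
```

The score is deliberately crude. Literal pools, data tables and unconditional (0xF) encodings pull it down, and Thumb/T32 code gets no signal at all because most 16-bit Thumb instructions carry no condition field, which is worth keeping in mind given the question above about why the toy runs A32 rather than THUMB. It answers "is there an ARM-looking column of bytes here?", which is the same thing the eyeball method in the article does, not "what is this ISA?"; the disassemble-for-every-ISA-and-look-for-sane-prologues approach from the reply above is the more general tool.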