I've read through much of the ARM documentation but I'm still having trouble decoding a BLX instruction. Here are two examples:
__text:0000347C 02 F0 B2 ED BLX _objc_msgSend
__text:0000469C 01 F0 A2 EC BLX _objc_msgSend
Both of these are supposed to go to the same place, virtual address 0x5FE4 as seen here:
__symbolstub1:00005FE4 38 F0 9F E5 LDR PC, =__imp__objc_msgSend
However, I can't figure out what calculation is used to get from the above two addresses (0x347C and 0x469C) using their instruction bytes. According to the ARM documentation it's supposed to be a relative jump, using a right shift by 2, but the numbers don't work out.
Can anyone help out?
First, the instruction is being printed as two little-endian 16-bit fields. To match the byte ordering in the ARM reference manual, you need to byteswap each of the fields. For the first instruction, that gives:
F0 02 ED B2
or
11110000000000101110110110110010.
This is encoding T2 of the BLX instruction. Breaking this into the fields identified in the ARM:
11110 0 0000000010 11 1 0 1 1011011001 0
      S imm10H        J1 J2 imm10L
Then follow the instructions for interpretation of the fields:
I1 = NOT(J1 EOR S) = 0
I2 = NOT(J2 EOR S) = 0
imm32 = SignExtend(S:I1:I2:imm10H:imm10L:00)
= SignExtend(0000000000010101101100100)
= 0x00002b64
Which is precisely 0x5FE4 - 0x3480 (remember, the PC is 4 bytes ahead in Thumb/Thumb 2).
I trust you can work through the second example yourself.
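The field extraction and the SignExtend step from the answer above, written out as a small Python decoder so both examples from the question (and a constructed backward branch) can be checked mechanically. This is an added example, not code from the answer; the function name decode_blx_t2 and the constructed negative-offset instruction are my own.

```python
def decode_blx_t2(insn_bytes, addr):
    """Decode a Thumb-2 BLX (encoding T2) and return (target, imm32).

    insn_bytes: the 4 instruction bytes exactly as they sit in memory
                (two little-endian 16-bit halfwords, as in the listing).
    addr:       the address of the instruction itself.
    """
    hw1 = int.from_bytes(insn_bytes[0:2], "little")   # first halfword
    hw2 = int.from_bytes(insn_bytes[2:4], "little")   # second halfword

    # Fixed bits of encoding T2: hw1 = 11110 S imm10H, hw2 = 11 J1 0 J2 imm10L H
    # with H = 0 (the target must be 4-byte aligned ARM code).
    if (hw1 >> 11) != 0b11110 or (hw2 >> 14) != 0b11 \
            or (hw2 >> 12) & 1 or hw2 & 1:
        raise ValueError("not a BLX encoding T2")

    s = (hw1 >> 10) & 1
    imm10h = hw1 & 0x3FF
    j1 = (hw2 >> 13) & 1
    j2 = (hw2 >> 11) & 1
    imm10l = (hw2 >> 1) & 0x3FF

    # I1 = NOT(J1 EOR S), I2 = NOT(J2 EOR S)
    i1 = 1 - (j1 ^ s)
    i2 = 1 - (j2 ^ s)

    # imm32 = SignExtend(S:I1:I2:imm10H:imm10L:00), a 25-bit field
    imm25 = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10h << 12) | (imm10l << 2)
    imm32 = imm25 - (1 << 25) if s else imm25

    # In Thumb state PC reads as the instruction address + 4, and BLX
    # adds the offset to Align(PC, 4), which is why 0x347C gives 0x3480.
    pc = addr + 4
    target = ((pc & ~3) + imm32) & 0xFFFFFFFF
    return target, imm32


if __name__ == "__main__":
    # The two instructions from the question.
    for hexbytes, addr in (("02F0B2ED", 0x347C), ("01F0A2EC", 0x469C)):
        target, imm32 = decode_blx_t2(bytes.fromhex(hexbytes), addr)
        print(f"{addr:#06x}: BLX imm32={imm32:#x} -> {target:#06x}")
    # Constructed backward branch (S = 1): offset -0x1000 from Align(PC, 4).
    print(decode_blx_t2(bytes.fromhex("FFF700E8"), 0x2000))
```

Both listing entries resolve to 0x5FE4, and the constructed instruction shows the sign-extension path that the two positive examples never exercise.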
Source: https://stackoverflow.com/questions/8915040/decoding-blx-instruction-on-arm-thumb-ios