This document contains information about an ARM simulation project called ARMSIM. It includes: 1. The names of 6 students working on the project. 2. An overview of ARMSIM, which allows users to simulate ARM assembly programs on an ARM7TDMI processor. It includes an assembler and linker. 3. Limitations of ARMSIM are that it only supports little-endian format and does not support the Thumb instruction set.

1. ARMSIM
16BEC069 - MANAV KANOJIYA
16BEC070 - VIDHI SHAH
16BEC077 - PRITI KHANDELWAL
16BEC084 - SHREEYA MAKWANA
16BEC100 - SHIVEN PANDYA
16BEC101 - RAHUL BANSAL

2. Courtesy : [1]
Architecture Profile
A
(Architecture)
R
(Real-time)
M
(Microcontroller)

3. Architecture
A64 A32 T32

4. DIFFERENT ISA FOR ARM
ARM THUMB
Instructions are always of 32 bit. Instructions are of 16 bit and they can be
converted into 32 bit for arm exploit
development process.
All instructions support the conditional
execution.
Thumb state can support conditional
execution by using IT instruction.
All ARM versions support the arm state . Not all versions of ARM support the thumb
state.
While writing arm shellcode, we need to
get rid of null bytes in arm state.
Due to availability of 16 bit instructions, it
reduces the chances of having null bytes.

5. ARM REGISTERS

7. Flag Description
N
(Negative)
Enabled if result of the instruction yields a
negative number.
Z
(Zero)
Enabled if result of the instruction yields a zero
value.
C
(Carry)
Enabled if result of the instruction yields a value
that requires a 33rd bit to be fully represented.
V
(Overflow)
Enabled if result of the instruction yields a value
that cannot be represented in 32 bit two’s
complement.
E
(Endian-bit)
ARM can operate either in little endian, or big
endian. This bit is set to 0 for little endian, or 1
for big endian mode.
T
(Thumb-bit)
This bit is set if you are in Thumb state and is
disabled when you are in ARM state.
M
(Mode-bits)
These bits specify the current privilege mode
(USR, SVC, etc.).
J
(Jazelle)
Third execution state that allows some ARM
processors to execute Java bytecode in
hardware.

8. MNEMONICS IN ARM
Instruction Description Instruction Description
MOV Move data POP Pop on stack
ADD Addition SUB Subtraction
MUL Multiplication LSL Logical shift left
LSR Logical shift right ASR Arithmetic shift right
ROR Rotate right CMP Compare
AND Bitwise AND ORR Bitwise OR
EOR Bitwise XOR LDR Load
STR Store LDM Load multiply
STM Store multiply PUSH Push on stack
B Branch BL Branch with link
BX Branch with exchange BLX Branch with link and
exchange
SWI/SVC System call MVN Move 2’s complement

9. FORMAT OF ARM INSTRUCTIONS
• MNEMONIC{S} {condition} {Rd}, Operand1, Operand2
Where, MNEMONIC : Short name of the instruction
{S} : An optional suffix. If S is specified, the condition flags are updated on the result of the operation.
{Condition} : Conditions that has to be met for the execution of the instruction.
{Rd} : Destination of the register for storing the output of the instruction.
Operand1 : First register (either can be a register or an immediate value).
Operand2 : Second (Flexible) operand (can be a register or an immediate value with a level of shift).

10. INSTRUCTION EXAMPLES
Rx, LSR n Register x with logical shift right by n bits (1 = n = 32)
Rx, RRX Register x with rotate right by one bit, with extend
ADD R0, R1, R2 Adds contents of R1 (Operand1) and R2 (Operand2 in a form of
register) and stores the result into R0 (Rd).
MOVLE R0, #5 Moves number 5 (Operand2, because the compiler treats it as MOVE
R0, R0, #5) to R0 (Rd) ONLY if the condition LE (Less Than or Equal) is
satisfied.

11. LOAD AND STORE
• ARM uses Load-store model for memory access
• On ARM data is must be moved from memory into registers before being
operated on.
• This means that incrementing a 32-bit value at a particular address into
register, increment it within the register, and store it back to the memory
from register.

12. DATA TYPES WITH THE INSTRUCTIONS LOAD AND STORE:
• ldr = Load Word
• ldrh = Load unsigned Half Word
• ldrsh = Load signed Half Word
• ldrb = Load unsigned Byte
• ldrsb = Load signed Bytes
• str = Store Word
• strh = Store unsigned Half Word
• strsh = Store signed Half Word
• strb = Store unsigned Byte
• strsb = Store signed Byte

13. ADDRESS MODES
Three basic offset forms with different address modes for each offset form.
1. Offset form: Immediate value as the offset
• Offset mode uses an immediate as offset
Example: ldr r3,[r1,#3]
2. Offset form: Register as the offset
• Offset mode uses a register as offset
Example: ldr r3,[r1,r2]
3. Offset form: scaled register as the offset
• Offset mode uses a scaled register as offset
Example: ldr r3,[r1,r2,LSL#2]

14. BRANCHES
Branches (aka Jumps) allow us to jump to another code segment. This is useful when we
need to skip (or repeat) blocks of codes or jump to a specific function. Best examples of such
a use case are IFs and Loops. So let’s look into the IF case first.
There are three types of branching instructions:
• Branch (B)
• Simple jump to a function
• Branch link (BL)
• Saves (PC+4) in LR and jumps to function
• Branch exchange (BX) and Branch link exchange (BLX)
• Same as B/BL + exchange instruction set (ARM <-> Thumb)
• Needs a register as first operand: BX/BLX reg

15. CONDITIONAL EXECUTION
Condition
Code
Meaning
(for cmp
or subs)
Status of
Flags
EQ Equal Z==1
NE Not Equal Z==0
GT
Signed
Greater
Than
(Z==0) &&
(N==V)
LT
Signed
Less Than
N!=V
GE
Signed
Greater
Than or
Equal
N==V
LE
Signed
Less Than
or Equal
(Z==1) ||
(N!=V)
CS or HS
Unsigned
Higher or
Same (or
Carry Set)
C==1
CC or LO
Unsigned
Lower (or
Carry
Clear)
C==0
• Branches can also be executed conditionally
and used for branching to a function if a specific
condition is met.

16. ARMSIM
• ARMsim is a desktop application, it allows users to simulate the execution of
ARM assembly language programs on a system based on the ‘ARM7TDMI’
processor.
• ARMsim includes both an assembler and a linker. However editor is not there,
so file must be loaded into the application.
• The file to be opened must be a source (.s) file or an object (.o) file.

17. ARMSIM LIMITATION
• The ARM architecture supports both little‐endian and big‐endian access to memory. But the
ARMsim supports only the little‐endian format.
• The ARM architecture has a special mode of execution called ‘Thumb mode’ which is
intended for embedded system applications where memory is a scarce resource. (each
thumb instruction occupies only 2 bytes).
Thumb mode is not currently supported by ARMsim.