You may have already noticed that ARM processors are everywhere — in phones, routers, smart TVs, and of course, IoT devices. In fact, ARM has become one of the most widely used CPU architectures globally. And just like traditional PCs, ARM-based IoT devices are vulnerable to classic exploitation techniques — such as buffer overflows. If […]
The post ARM Assembly for Hackers: Learning 32-bit Architecture for Exploit Development first appeared on Hackers Arise.
You may have already noticed that ARM processors are everywhere — in phones, routers, smart TVs, and of course, IoT devices. In fact, ARM has become one of the most widely used CPU architectures globally. And just like traditional PCs, ARM-based IoT devices are vulnerable to classic exploitation techniques — such as buffer overflows.
If you’re interested in exploit development or reverse engineering malware, learning assembly is a foundational skill. Understanding how code interacts with memory at the lowest level is essential for identifying vulnerabilities and crafting effective exploits.
Given the widespread use of ARM devices and their often-overlooked security vulnerabilities, attacks targeting them are likely to increase. And as a cyberwarrior, you need to understand how these systems work at the assembly level to analyze, secure, or exploit them effectively.
In previous articles, we explored the ARM CPU architecture and got started with 64-bit ARM assembly using the AArch64 instruction set — the modern standard on 64-bit Raspberry Pi OS.
Now, to better understand the foundations of ARM, we’ll shift our focus to 32-bit ARM assembly (ARMv7-A).
What is Assembly Language?
Assembly (ASM or asm) is any low-level programming language with a very strong correspondence between the instructions in the language and the architecture’s machine code instructions. Assembly usually has one statement per machine instruction (1:1). Because ASM depends on the machine code instructions, each assembly language is specific to a particular computer architecture.
In this case, we’re going to explore 32-bit ARM assembly.
Why Learn 32-bit ARM Assembly?
From industrial controllers and medical equipment to consumer electronics, most embedded and IoT devices still run 32-bit ARM CPUs. These systems aren’t upgraded like desktops — they have long lifecycles, limited memory, and rely on smaller, simpler instruction sets like ARMv7. For example, routers, IP cameras, and smart home hubs commonly run on ARMv7-based SoCs (System-on-Chip), often with Linux kernels and BusyBox environments.
Unlike modern desktops or cloud systems, many 32-bit ARM devices in the field lack protection, run as root by default, and don’t have regular updates or patch cycles. To exploit their flaws, you need to understand their instruction set, calling conventions, memory layout, and binary interface — all of which require 32-bit ARM assembly.
Many malware samples in the wild (Mirai, Mozi) are compiled for 32-bit ARM. If you’re analyzing real-world threats, you’ll be disassembling 32-bit ARM binaries, not just 64-bit ones.
In addition, 32-bit ARM is easier to learn and great for building a solid foundation. People who know ARM assembly well are rare, so learning it can lead to better job opportunities and staying on the cutting edge of cybersecurity.
Registers
Registers are places in computer memory where data is stored. When working in the assembler, we are usually using these registers to move and manipulate information, so you should be familiar with them.
ARM 32-bit processors provide 16 general-purpose registers. These registers are:
R0-R3: Argument registers (used for function parameters and return values)
R4-R11: General-purpose registers for local variables and temporary storage
R12: Intra-procedure call scratch register (IP)
R13: Stack Pointer (SP) – points to the top of the stack
R14: Link Register (LR) – stores return addresses for function calls
R15: Program Counter (PC) – points to the currently executing instruction
There is also a special register – xPSR: Extended Program Status Register (combines condition flags, current exception number, and execution state)
Flags
Flags in ARM 32-bit assembly are individual bits in a special register that indicate the status of operations in the CPU. The Program Status Register is 32 bits wide, but the primary flags used are just a few key bits. The main flags of interest are:
Z (Zero) flag: Indicates if the result of an operation is zero.
C (Carry) flag: Indicates a carry-out or borrow in arithmetic operations.
V (Overflow) flag: Indicates an overflow in signed arithmetic.
These flags enable conditional execution of instructions based on the results of previous operations and are updated by many arithmetic and logical instructions with an “S” suffix, for example, ADDS.
ARM Instructions
ARM instructions follow a predictable pattern that makes disassembly reading more intuitive:
Here are some of the most popular instructions:
MOV – move copies the value from the source to the destination. For example:
MOV R0, R1 ; Copy R1 to R0
; means a comment in Assembly.
LDR – load copies a value from memory into a register. For example:
LDR R0, [R1] ; Load the value from the address in R1 into R0
STR – store copies a value from a register into memory. For example:
STR R0, [R1] ; Store the value in R0 to the address in R1
CMP – compares and subtracts the second operand from the first, and sets condition flags. For example:
CMP R0, R1 ; Compare R0 with R1 (sets flags, but doesn't store result)
B – branch causes a jump to a label if the condition is met. For example:
BEQ label ; Branch to 'label' if equal (Z flag is set)
AND – bitwise AND performs a logical AND on each bit of the operands. For example:
AND R0, R1, R2 ; R0 = R1 AND R2
ORR – bitwise OR performs a logical OR on each bit of the operands. For example:
ORR R0, R1, R2 ; R0 = R1 OR R2
EOR – exclusive OR performs a logical XOR on each bit of the operands. For example:
EOR R0, R1, R2 ; R0 = R1 XOR R2
BIC – bit clear performs R1 AND (NOT R2). For example:
BIC R0, R1, R2 ; R0 = R1 AND NOT R2
PUSH – saves registers onto the stack. For example:
PUSH {R0, R1} ; Push R0 and R1 onto the stack
POP – restores registers from the stack. For example:
POP {R0, R1} ; Pop values into R0 and R1 from the stack
BL – branch with link jumps to a subroutine and saves the return address in LR. For example:
BL myFunction ; Call subroutine 'myFunction'
BX – branch and exchange jumps to an address and switches instruction set if needed. For example:
BX LR ; Return from subroutine (branch to address in LR)
SVC – supervisor call triggers a software interrupt to switch to supervisor mode. For example:
SVC #0 ; Call operating system service
ADR – load address of a label into a register. For example:
ADR R0, label ; Load the address of 'label' into R0
Summary
ARM 32-bit assembly might seem daunting at first, but its logical design and consistent instruction format make it more approachable than x86 for many analysts. In this article, we explored the reasons for learning 32-bit assembly, examined flags and registers, and then covered some of the most commonly used instructions.
The post ARM Assembly for Hackers: Learning 32-bit Architecture for Exploit Development first appeared on Hackers Arise.
Source: HackersArise
Source Link: https://hackers-arise.com/arm-assembly-for-hackers-learning-32-bit-architecture-for-exploit-development/