├── Application.mk
├── example
    ├── Application.mk
    ├── hooktest.c
    └── Android.mk
├── relocate.h
├── include
    └── inlineHook.h
├── Android.mk
├── README.md
├── inlineHook.c
└── relocate.c


/Application.mk:
--------------------------------------------------------------------------------
1 | APP_ABI := armeabi armeabi-v7a
2 | APP_PIE:= true


--------------------------------------------------------------------------------
/example/Application.mk:
--------------------------------------------------------------------------------
1 | APP_ABI := armeabi-v7a
2 | APP_PIE:= true
3 | 


--------------------------------------------------------------------------------
/relocate.h:
--------------------------------------------------------------------------------
1 | #ifndef _RELOCATE_H
2 | #define _RELOCATE_H
3 | 
4 | #include <stdio.h>
5 | 
6 | void relocateInstruction(uint32_t target_addr, void *orig_instructions, int length, void *trampoline_instructions, int *orig_boundaries, int *trampoline_boundaries, int *count);
7 | 
8 | #endif


--------------------------------------------------------------------------------
/include/inlineHook.h:
--------------------------------------------------------------------------------
 1 | #ifndef _INLINEHOOK_H
 2 | #define _INLINEHOOK_H
 3 | 
 4 | #include <stdio.h>
 5 | 
 6 | enum ele7en_status {
 7 | 	ELE7EN_ERROR_UNKNOWN = -1,
 8 | 	ELE7EN_OK = 0,
 9 | 	ELE7EN_ERROR_NOT_INITIALIZED,
10 | 	ELE7EN_ERROR_NOT_EXECUTABLE,
11 | 	ELE7EN_ERROR_NOT_REGISTERED,
12 | 	ELE7EN_ERROR_NOT_HOOKED,
13 | 	ELE7EN_ERROR_ALREADY_REGISTERED,
14 | 	ELE7EN_ERROR_ALREADY_HOOKED,
15 | 	ELE7EN_ERROR_SO_NOT_FOUND,
16 | 	ELE7EN_ERROR_FUNCTION_NOT_FOUND
17 | };
18 | 
19 | enum ele7en_status registerInlineHook(uint32_t target_addr, uint32_t new_addr, uint32_t **proto_addr);
20 | enum ele7en_status inlineUnHook(uint32_t target_addr);
21 | void inlineUnHookAll();
22 | enum ele7en_status inlineHook(uint32_t target_addr);
23 | void inlineHookAll();
24 | 
25 | #endif


--------------------------------------------------------------------------------
/example/hooktest.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | #include "inlineHook.h"
 4 | 
 5 | int (*old_puts)(const char *) = NULL;
 6 | 
 7 | int new_puts(const char *string)
 8 | {
 9 |     old_puts("inlineHook success");
10 | }
11 | 
12 | int hook()
13 | {
14 |     if (registerInlineHook((uint32_t) puts, (uint32_t) new_puts, (uint32_t **) &old_puts) != ELE7EN_OK) {
15 |         return -1;
16 |     }
17 |     if (inlineHook((uint32_t) puts) != ELE7EN_OK) {
18 |         return -1;
19 |     }
20 | 
21 |     return 0;
22 | }
23 | 
24 | int unHook()
25 | {
26 |     if (inlineUnHook((uint32_t) puts) != ELE7EN_OK) {
27 |         return -1;
28 |     }
29 | 
30 |     return 0;
31 | }
32 | 
33 | int main()
34 | {
35 |     puts("test");
36 |     hook();
37 |     puts("test");
38 |     unHook();
39 |     puts("test");
40 | }


--------------------------------------------------------------------------------
/Android.mk:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2009 The Android Open Source Project
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #      http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | #
16 | #
17 | LOCAL_PATH := $(call my-dir)
18 | 
19 | include $(CLEAR_VARS)
20 | LOCAL_MODULE    := hook
21 | LOCAL_SRC_FILES := inlineHook.c relocate.c
22 | include $(BUILD_STATIC_LIBRARY)


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Android-Inline-Hook
 2 | thumb16 thumb32 arm32 inlineHook
 3 | 
 4 | # Build
 5 | ```ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk NDK_APPLICATION_MK=./Application.mk```
 6 | 
 7 | # Example
 8 | ```C
 9 | #include <stdio.h>
10 | 
11 | #include "inlineHook.h"
12 | 
13 | int (*old_puts)(const char *) = NULL;
14 | 
15 | int new_puts(const char *string)
16 | {
17 |     old_puts("inlineHook success");
18 | }
19 | 
20 | int hook()
21 | {
22 |     if (registerInlineHook((uint32_t) puts, (uint32_t) new_puts, (uint32_t **) &old_puts) != ELE7EN_OK) {
23 |         return -1;
24 |     }
25 |     if (inlineHook((uint32_t) puts) != ELE7EN_OK) {
26 |         return -1;
27 |     }
28 | 
29 |     return 0;
30 | }
31 | 
32 | int unHook()
33 | {
34 |     if (inlineUnHook((uint32_t) puts) != ELE7EN_OK) {
35 |         return -1;
36 |     }
37 | 
38 |     return 0;
39 | }
40 | 
41 | int main()
42 | {
43 |     puts("test");
44 |     hook();
45 |     puts("test");
46 |     unHook();
47 |     puts("test");
48 | }
49 | 
50 | ```
51 | 
52 | # Contact
53 | If you find any bugs, please contact me(ele7enxxh@qq.com)
54 | 


--------------------------------------------------------------------------------
/example/Android.mk:
--------------------------------------------------------------------------------
 1 | # Copyright (C) 2009 The Android Open Source Project
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #      http://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | #
15 | #
16 | #
17 | LOCAL_PATH := $(call my-dir)
18 | 
19 | include $(CLEAR_VARS)
20 | LOCAL_MODULE := hook
21 | LOCAL_SRC_FILES := $(LOCAL_PATH)/../obj/local/armeabi-v7a/libhook.a
22 | LOCAL_EXPORT_C_INCLUDES := $(LOCAL_PATH)/../include
23 | include $(PREBUILT_STATIC_LIBRARY)
24 | 
25 | include $(CLEAR_VARS)
26 | LOCAL_MODULE    := hooktest
27 | LOCAL_SRC_FILES := hooktest.c
28 | LOCAL_STATIC_LIBRARIES := libhook
29 | include $(BUILD_EXECUTABLE)


--------------------------------------------------------------------------------
/inlineHook.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | thumb16 thumb32 arm32 inlineHook
  3 | author: ele7enxxh
  4 | mail: ele7enxxh@qq.com
  5 | website: ele7enxxh.com
  6 | modified time: 2015-01-23
  7 | created time: 2015-11-30
  8 | */
  9 | 
 10 | #include <stdlib.h>
 11 | #include <stdbool.h>
 12 | #include <string.h>
 13 | #include <dirent.h>
 14 | #include <signal.h>
 15 | #include <sys/mman.h>
 16 | // #include <asm/ptrace.h>
 17 | #include <sys/wait.h>
 18 | #include <sys/ptrace.h>
 19 | 
 20 | #include "relocate.h"
 21 | #include "include/inlineHook.h"
 22 | 
 23 | #ifndef PAGE_SIZE
 24 | #define PAGE_SIZE 4096
 25 | #endif
 26 | 
 27 | #define PAGE_START(addr)	(~(PAGE_SIZE - 1) & (addr))
 28 | #define SET_BIT0(addr)		(addr | 1)
 29 | #define CLEAR_BIT0(addr)	(addr & 0xFFFFFFFE)
 30 | #define TEST_BIT0(addr)		(addr & 1)
 31 | 
 32 | #define ACTION_ENABLE	0
 33 | #define ACTION_DISABLE	1
 34 | 	
 35 | enum hook_status {
 36 | 	REGISTERED,
 37 | 	HOOKED,
 38 | };
 39 | 
 40 | struct inlineHookItem {
 41 | 	uint32_t target_addr;
 42 | 	uint32_t new_addr;
 43 | 	uint32_t **proto_addr;
 44 | 	void *orig_instructions;
 45 | 	int orig_boundaries[4];
 46 | 	int trampoline_boundaries[20];
 47 | 	int count;
 48 | 	void *trampoline_instructions;
 49 | 	int length;
 50 | 	int status;
 51 | 	int mode;
 52 | };
 53 | 
 54 | struct inlineHookInfo {
 55 | 	struct inlineHookItem item[1024];
 56 | 	int size;
 57 | };
 58 | 
 59 | static struct inlineHookInfo info = {0};
 60 | 
 61 | static int getAllTids(pid_t pid, pid_t *tids)
 62 | {
 63 | 	char dir_path[32];
 64 | 	DIR *dir;
 65 | 	int i;
 66 | 	struct dirent *entry;
 67 | 	pid_t tid;
 68 | 
 69 | 	if (pid < 0) {
 70 | 		snprintf(dir_path, sizeof(dir_path), "/proc/self/task");
 71 | 	}
 72 | 	else {
 73 | 		snprintf(dir_path, sizeof(dir_path), "/proc/%d/task", pid);
 74 | 	}
 75 | 
 76 | 	dir = opendir(dir_path);
 77 |     if (dir == NULL) {
 78 |     	return 0;
 79 |     }
 80 | 
 81 |     i = 0;
 82 |     while((entry = readdir(dir)) != NULL) {
 83 |     	tid = atoi(entry->d_name);
 84 |     	if (tid != 0 && tid != getpid()) {
 85 |     		tids[i++] = tid;
 86 |     	}
 87 |     }
 88 |     closedir(dir);
 89 |     return i;
 90 | }
 91 | 
 92 | static bool doProcessThreadPC(struct inlineHookItem *item, struct pt_regs *regs, int action)
 93 | {
 94 | 	int offset;
 95 | 	int i;
 96 | 
 97 | 	switch (action)
 98 | 	{
 99 | 		case ACTION_ENABLE:
100 | 			offset = regs->ARM_pc - CLEAR_BIT0(item->target_addr);
101 | 			for (i = 0; i < item->count; ++i) {
102 | 				if (offset == item->orig_boundaries[i]) {
103 | 					regs->ARM_pc = (uint32_t) item->trampoline_instructions + item->trampoline_boundaries[i];
104 | 					return true;
105 | 				}
106 | 			}
107 | 			break;
108 | 		case ACTION_DISABLE:
109 | 			offset = regs->ARM_pc - (int) item->trampoline_instructions;
110 | 			for (i = 0; i < item->count; ++i) {
111 | 				if (offset == item->trampoline_boundaries[i]) {
112 | 					regs->ARM_pc = CLEAR_BIT0(item->target_addr) + item->orig_boundaries[i];
113 | 					return true;
114 | 				}
115 | 			}
116 | 			break;
117 | 	}
118 | 
119 | 	return false;
120 | }
121 | 
122 | static void processThreadPC(pid_t tid, struct inlineHookItem *item, int action)
123 | {
124 | 	struct pt_regs regs;
125 | 
126 | 	if (ptrace(PTRACE_GETREGS, tid, NULL, &regs) == 0) {
127 | 		if (item == NULL) {
128 | 			int pos;
129 | 
130 | 			for (pos = 0; pos < info.size; ++pos) {
131 | 				if (doProcessThreadPC(&info.item[pos], &regs, action) == true) {
132 | 					break;
133 | 				}
134 | 			}
135 | 		}
136 | 		else {
137 | 			doProcessThreadPC(item, &regs, action);
138 | 		}
139 | 
140 | 		ptrace(PTRACE_SETREGS, tid, NULL, &regs);
141 | 	}
142 | }
143 | 
144 | static pid_t freeze(struct inlineHookItem *item, int action)
145 | {
146 | 	int count;
147 | 	pid_t tids[1024];
148 | 	pid_t pid;
149 | 
150 | 	pid = -1;
151 | 	count = getAllTids(getpid(), tids);
152 | 	if (count > 0) {
153 | 		pid = fork();
154 | 
155 | 		if (pid == 0) {
156 | 			int i;
157 | 
158 | 			for (i = 0; i < count; ++i) {
159 | 				if (ptrace(PTRACE_ATTACH, tids[i], NULL, NULL) == 0) {
160 | 					waitpid(tids[i], NULL, WUNTRACED);
161 | 					processThreadPC(tids[i], item, action);
162 | 				}
163 | 			}
164 | 			
165 | 			raise(SIGSTOP);
166 | 
167 | 			for (i = 0; i < count; ++i) {
168 | 				ptrace(PTRACE_DETACH, tids[i], NULL, NULL);
169 | 			}
170 | 
171 | 			raise(SIGKILL);
172 | 		}
173 | 
174 | 		else if (pid > 0) {
175 | 			waitpid(pid, NULL, WUNTRACED);
176 | 		}
177 | 	}
178 | 
179 | 	return pid;
180 | }
181 | 
182 | static void unFreeze(pid_t pid)
183 | {
184 | 	if (pid < 0) {
185 | 		return;
186 | 	}
187 | 
188 | 	kill(pid, SIGCONT);
189 | 	wait(NULL);
190 | }
191 | 
192 | static bool isExecutableAddr(uint32_t addr)
193 | {
194 | 	FILE *fp;
195 | 	char line[1024];
196 | 	uint32_t start;
197 | 	uint32_t end;
198 | 
199 | 	fp = fopen("/proc/self/maps", "r");
200 | 	if (fp == NULL) {
201 | 		return false;
202 | 	}
203 | 
204 | 	while (fgets(line, sizeof(line), fp)) {
205 | 		if (strstr(line, "r-xp")) {
206 | 			start = strtoul(strtok(line, "-"), NULL, 16);
207 | 			end = strtoul(strtok(NULL, " "), NULL, 16);
208 | 			if (addr >= start && addr <= end) {
209 | 				fclose(fp);
210 | 				return true;
211 | 			}
212 | 		}
213 | 	}
214 | 
215 | 	fclose(fp);
216 | 
217 | 	return false;
218 | }
219 | 
220 | static struct inlineHookItem *findInlineHookItem(uint32_t target_addr)
221 | {
222 | 	int i;
223 | 
224 | 	for (i = 0; i < info.size; ++i) {
225 | 		if (info.item[i].target_addr == target_addr) {
226 | 			return &info.item[i];
227 | 		}
228 | 	}
229 | 
230 | 	return NULL;
231 | }
232 | 
233 | static struct inlineHookItem *addInlineHookItem() {
234 | 	struct inlineHookItem *item;
235 | 
236 | 	if (info.size >= 1024) {
237 | 		return NULL;
238 | 	}
239 | 
240 | 	item = &info.item[info.size];
241 | 	++info.size;
242 | 
243 | 	return item;
244 | }
245 | 
246 | static void deleteInlineHookItem(int pos)
247 | {
248 | 	info.item[pos] = info.item[info.size - 1];
249 | 	--info.size;
250 | }
251 | 
252 | enum ele7en_status registerInlineHook(uint32_t target_addr, uint32_t new_addr, uint32_t **proto_addr)
253 | {
254 | 	struct inlineHookItem *item;
255 | 
256 | 	if (!isExecutableAddr(target_addr) || !isExecutableAddr(new_addr)) {
257 | 		return ELE7EN_ERROR_NOT_EXECUTABLE;
258 | 	}
259 | 
260 | 	item = findInlineHookItem(target_addr);
261 | 	if (item != NULL) {
262 | 		if (item->status == REGISTERED) {
263 | 			return ELE7EN_ERROR_ALREADY_REGISTERED;
264 | 		}
265 | 		else if (item->status == HOOKED) {
266 | 			return ELE7EN_ERROR_ALREADY_HOOKED;
267 | 		}
268 | 		else {
269 | 			return ELE7EN_ERROR_UNKNOWN;
270 | 		}
271 | 	}
272 | 
273 | 	item = addInlineHookItem();
274 | 
275 | 	item->target_addr = target_addr;
276 | 	item->new_addr = new_addr;
277 | 	item->proto_addr = proto_addr;
278 | 
279 | 	item->length = TEST_BIT0(item->target_addr) ? 12 : 8;
280 | 	item->orig_instructions = malloc(item->length);
281 | 	memcpy(item->orig_instructions, (void *) CLEAR_BIT0(item->target_addr), item->length);
282 | 
283 | 	item->trampoline_instructions = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
284 | 	relocateInstruction(item->target_addr, item->orig_instructions, item->length, item->trampoline_instructions, item->orig_boundaries, item->trampoline_boundaries, &item->count);
285 | 
286 | 	item->status = REGISTERED;
287 | 
288 | 	return ELE7EN_OK;
289 | }
290 | 
291 | static void doInlineUnHook(struct inlineHookItem *item, int pos)
292 | {
293 | 	mprotect((void *) PAGE_START(CLEAR_BIT0(item->target_addr)), PAGE_SIZE * 2, PROT_READ | PROT_WRITE | PROT_EXEC);
294 | 	memcpy((void *) CLEAR_BIT0(item->target_addr), item->orig_instructions, item->length);
295 | 	mprotect((void *) PAGE_START(CLEAR_BIT0(item->target_addr)), PAGE_SIZE * 2, PROT_READ | PROT_EXEC);
296 | 	munmap(item->trampoline_instructions, PAGE_SIZE);
297 | 	free(item->orig_instructions);
298 | 
299 | 	deleteInlineHookItem(pos);
300 | 
301 | 	cacheflush(CLEAR_BIT0(item->target_addr), CLEAR_BIT0(item->target_addr) + item->length, 0);
302 | }
303 | 
304 | enum ele7en_status inlineUnHook(uint32_t target_addr)
305 | {
306 | 	int i;
307 | 
308 | 	for (i = 0; i < info.size; ++i) {
309 | 		if (info.item[i].target_addr == target_addr && info.item[i].status == HOOKED) {
310 | 			pid_t pid;
311 | 
312 | 			pid = freeze(&info.item[i], ACTION_DISABLE);
313 | 
314 | 			doInlineUnHook(&info.item[i], i);
315 | 
316 | 			unFreeze(pid);
317 | 
318 | 			return ELE7EN_OK;
319 | 		}
320 | 	}
321 | 
322 | 	return ELE7EN_ERROR_NOT_HOOKED;
323 | }
324 | 
325 | void inlineUnHookAll()
326 | {
327 | 	pid_t pid;
328 | 	int i;
329 | 
330 | 	pid = freeze(NULL, ACTION_DISABLE);
331 | 
332 | 	for (i = 0; i < info.size; ++i) {
333 | 		if (info.item[i].status == HOOKED) {
334 | 			doInlineUnHook(&info.item[i], i);
335 | 			--i;
336 | 		}
337 | 	}
338 | 
339 | 	unFreeze(pid);
340 | }
341 | 
342 | static void doInlineHook(struct inlineHookItem *item)
343 | {
344 | 	mprotect((void *) PAGE_START(CLEAR_BIT0(item->target_addr)), PAGE_SIZE * 2, PROT_READ | PROT_WRITE | PROT_EXEC);
345 | 
346 | 	if (TEST_BIT0(item->target_addr)) {
347 | 		int i;
348 | 
349 | 		i = 0;
350 | 		if (CLEAR_BIT0(item->target_addr) % 4 != 0) {
351 | 			((uint16_t *) CLEAR_BIT0(item->target_addr))[i++] = 0xBF00;  // NOP
352 | 		}
353 | 		((uint16_t *) CLEAR_BIT0(item->target_addr))[i++] = 0xF8DF;
354 | 		((uint16_t *) CLEAR_BIT0(item->target_addr))[i++] = 0xF000;	// LDR.W PC, [PC]
355 | 		((uint16_t *) CLEAR_BIT0(item->target_addr))[i++] = item->new_addr & 0xFFFF;
356 | 		((uint16_t *) CLEAR_BIT0(item->target_addr))[i++] = item->new_addr >> 16;
357 | 	}
358 | 	else {
359 | 		((uint32_t *) (item->target_addr))[0] = 0xe51ff004;	// LDR PC, [PC, #-4]
360 | 		((uint32_t *) (item->target_addr))[1] = item->new_addr;
361 | 	}
362 | 
363 | 	mprotect((void *) PAGE_START(CLEAR_BIT0(item->target_addr)), PAGE_SIZE * 2, PROT_READ | PROT_EXEC);
364 | 
365 | 	if (item->proto_addr != NULL) {
366 | 		*(item->proto_addr) = TEST_BIT0(item->target_addr) ? (uint32_t *) SET_BIT0((uint32_t) item->trampoline_instructions) : item->trampoline_instructions;
367 | 	}
368 | 
369 | 	item->status = HOOKED;
370 | 	
371 | 	cacheflush(CLEAR_BIT0(item->target_addr), CLEAR_BIT0(item->target_addr) + item->length, 0);
372 | }
373 | 
374 | enum ele7en_status inlineHook(uint32_t target_addr)
375 | {
376 | 	int i;
377 | 	struct inlineHookItem *item;
378 | 
379 | 	item = NULL;
380 | 	for (i = 0; i < info.size; ++i) {
381 | 		if (info.item[i].target_addr == target_addr) {
382 | 			item = &info.item[i];
383 | 			break;
384 | 		}
385 | 	}
386 | 
387 | 	if (item == NULL) {
388 | 		return ELE7EN_ERROR_NOT_REGISTERED;
389 | 	}
390 | 
391 | 	if (item->status == REGISTERED) {
392 | 		pid_t pid;
393 | 
394 | 		pid = freeze(item, ACTION_ENABLE);
395 | 
396 | 		doInlineHook(item);
397 | 
398 | 		unFreeze(pid);
399 | 
400 | 		return ELE7EN_OK;
401 | 	}
402 | 	else if (item->status == HOOKED) {
403 | 		return ELE7EN_ERROR_ALREADY_HOOKED;
404 | 	}
405 | 	else {
406 | 		return ELE7EN_ERROR_UNKNOWN;
407 | 	}
408 | }
409 | 
410 | void inlineHookAll()
411 | {
412 | 	pid_t pid;
413 | 	int i;
414 | 
415 | 	pid = freeze(NULL, ACTION_ENABLE);
416 | 
417 | 	for (i = 0; i < info.size; ++i) {
418 | 		if (info.item[i].status == REGISTERED) {
419 | 			doInlineHook(&info.item[i]);
420 | 		}
421 | 	}
422 | 
423 | 	unFreeze(pid);
424 | }
425 | 


--------------------------------------------------------------------------------
/relocate.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | relocate instruction
  3 | author: ele7enxxh
  4 | mail: ele7enxxh@qq.com
  5 | website: ele7enxxh.com
  6 | modified time: 2016-10-17
  7 | created time: 2015-01-17
  8 | */
  9 | 
 10 | #include "relocate.h"
 11 | 
 12 | #define ALIGN_PC(pc)	(pc & 0xFFFFFFFC)
 13 | 
 14 | enum INSTRUCTION_TYPE {
 15 | 	// B <label>
 16 | 	B1_THUMB16,
 17 | 	// B <label>
 18 | 	B2_THUMB16,
 19 | 	// BX PC
 20 | 	BX_THUMB16,
 21 | 	// ADD <Rdn>, PC (Rd != PC, Rn != PC) 在对ADD进行修正时，采用了替换PC为Rr的方法，当Rd也为PC时，由于之前更改了Rr的值，可能会影响跳转后的正常功能。
 22 | 	ADD_THUMB16,
 23 | 	// MOV Rd, PC
 24 | 	MOV_THUMB16,
 25 | 	// ADR Rd, <label>
 26 | 	ADR_THUMB16,
 27 | 	// LDR Rt, <label>
 28 | 	LDR_THUMB16,
 29 | 
 30 | 	// CB{N}Z <Rn>, <label>
 31 | 	CB_THUMB16,
 32 | 
 33 | 
 34 | 	// BLX <label>
 35 | 	BLX_THUMB32,
 36 | 	// BL <label>
 37 | 	BL_THUMB32,
 38 | 	// B.W <label>
 39 | 	B1_THUMB32,
 40 | 	// B.W <label>
 41 | 	B2_THUMB32,
 42 | 	// ADR.W Rd, <label>
 43 | 	ADR1_THUMB32,
 44 | 	// ADR.W Rd, <label>
 45 | 	ADR2_THUMB32,
 46 | 	// LDR.W Rt, <label>
 47 | 	LDR_THUMB32,
 48 | 	// TBB [PC, Rm]
 49 | 	TBB_THUMB32,
 50 | 	// TBH [PC, Rm, LSL #1]
 51 | 	TBH_THUMB32,
 52 | 
 53 | 	// BLX <label>
 54 | 	BLX_ARM,
 55 | 	// BL <label>
 56 | 	BL_ARM,
 57 | 	// B <label>
 58 | 	B_ARM,
 59 | 	// BX PC
 60 | 	BX_ARM,
 61 | 	// ADD Rd, PC, Rm (Rd != PC, Rm != PC) 在对ADD进行修正时，采用了替换PC为Rr的方法，当Rd也为PC时，由于之前更改了Rr的值，可能会影响跳转后的正常功能;实际汇编中没有发现Rm也为PC的情况，故未做处理。
 62 | 	ADD_ARM,
 63 | 	// ADR Rd, <label>
 64 | 	ADR1_ARM,
 65 | 	// ADR Rd, <label>
 66 | 	ADR2_ARM,
 67 | 	// MOV Rd, PC
 68 | 	MOV_ARM,
 69 | 	// LDR Rt, <label>
 70 | 	LDR_ARM,
 71 | 
 72 | 	UNDEFINE,
 73 | };
 74 | 
 75 | static int getTypeInThumb16(uint16_t instruction)
 76 | {
 77 | 	if ((instruction & 0xF000) == 0xD000) {
 78 | 		return B1_THUMB16;
 79 | 	}
 80 | 	if ((instruction & 0xF800) == 0xE000) {
 81 | 		return B2_THUMB16;
 82 | 	}
 83 | 	if ((instruction & 0xFFF8) == 0x4778) {
 84 | 		return BX_THUMB16;
 85 | 	}
 86 | 	if ((instruction & 0xFF78) == 0x4478) {
 87 | 		return ADD_THUMB16;
 88 | 	}
 89 | 	if ((instruction & 0xFF78) == 0x4678) {
 90 | 		return MOV_THUMB16;
 91 | 	}
 92 | 	if ((instruction & 0xF800) == 0xA000) {
 93 | 		return ADR_THUMB16;
 94 | 	}
 95 | 	if ((instruction & 0xF800) == 0x4800) {
 96 | 		return LDR_THUMB16;
 97 | 	}
 98 | 	if ((instruction & 0xF500) == 0xB100) {
 99 | 		return CB_THUMB16;
100 | 	}
101 | 	return UNDEFINE;
102 | }
103 | 
104 | static int getTypeInThumb32(uint32_t instruction)
105 | {
106 | 	if ((instruction & 0xF800D000) == 0xF000C000) {
107 | 		return BLX_THUMB32;
108 | 	}
109 | 	if ((instruction & 0xF800D000) == 0xF000D000) {
110 | 		return BL_THUMB32;
111 | 	}
112 | 	if ((instruction & 0xF800D000) == 0xF0008000) {
113 | 		return B1_THUMB32;
114 | 	}
115 | 	if ((instruction & 0xF800D000) == 0xF0009000) {
116 | 		return B2_THUMB32;
117 | 	}
118 | 	if ((instruction & 0xFBFF8000) == 0xF2AF0000) {
119 | 		return ADR1_THUMB32;
120 | 	}
121 | 	if ((instruction & 0xFBFF8000) == 0xF20F0000) {
122 | 		return ADR2_THUMB32;		
123 | 	}
124 | 	if ((instruction & 0xFF7F0000) == 0xF85F0000) {
125 | 		return LDR_THUMB32;
126 | 	}
127 | 	if ((instruction & 0xFFFF00F0) == 0xE8DF0000) {
128 | 		return TBB_THUMB32;
129 | 	}
130 | 	if ((instruction & 0xFFFF00F0) == 0xE8DF0010) {
131 | 		return TBH_THUMB32;
132 | 	}
133 | 	return UNDEFINE;
134 | }
135 | 
136 | static int getTypeInArm(uint32_t instruction)
137 | {
138 | 	if ((instruction & 0xFE000000) == 0xFA000000) {
139 | 		return BLX_ARM;
140 | 	}
141 | 	if ((instruction & 0xF000000) == 0xB000000) {
142 | 		return BL_ARM;
143 | 	}
144 | 	if ((instruction & 0xF000000) == 0xA000000) {
145 | 		return B_ARM;
146 | 	}
147 | 	if ((instruction & 0xFF000FF) == 0x120001F) {
148 | 		return BX_ARM;
149 | 	}
150 | 	if ((instruction & 0xFEF0010) == 0x8F0000) {
151 | 		return ADD_ARM;
152 | 	}
153 | 	if ((instruction & 0xFFF0000) == 0x28F0000) {
154 | 		return ADR1_ARM;
155 | 	}
156 | 	if ((instruction & 0xFFF0000) == 0x24F0000) {
157 | 		return ADR2_ARM;		
158 | 	}
159 | 	if ((instruction & 0xE5F0000) == 0x41F0000) {
160 | 		return LDR_ARM;
161 | 	}
162 | 	if ((instruction & 0xFE00FFF) == 0x1A0000F) {
163 | 		return MOV_ARM;
164 | 	}
165 | 	return UNDEFINE;
166 | }
167 | 
168 | static int relocateInstructionInThumb16(uint32_t pc, uint16_t instruction, uint16_t *trampoline_instructions)
169 | {
170 | 	int type;
171 | 	int offset;
172 | 	
173 | 	type = getTypeInThumb16(instruction);
174 | 	if (type == B1_THUMB16 || type == B2_THUMB16 || type == BX_THUMB16) {
175 | 		uint32_t x;
176 | 		int top_bit;
177 | 		uint32_t imm32;
178 | 		uint32_t value;
179 | 		int idx;
180 | 		
181 | 		idx = 0;
182 | 		if (type == B1_THUMB16) {
183 | 			x = (instruction & 0xFF) << 1;
184 | 			top_bit = x >> 8;
185 | 			imm32 = top_bit ? (x | (0xFFFFFFFF << 8)) : x;
186 | 			value = pc + imm32;
187 | 			trampoline_instructions[idx++] = instruction & 0xFF00;
188 | 			trampoline_instructions[idx++] = 0xE003;	// B PC, #6
189 | 		}
190 | 		else if (type == B2_THUMB16) {
191 | 			x = (instruction & 0x7FF) << 1;
192 | 			top_bit = x >> 11;
193 | 			imm32 = top_bit ? (x | (0xFFFFFFFF << 11)) : x;
194 | 			value = pc + imm32;
195 | 		}
196 | 		else if (type == BX_THUMB16) {
197 | 			value = pc;
198 | 		}
199 | 		
200 | 		trampoline_instructions[idx++] = 0xF8DF;
201 | 		trampoline_instructions[idx++] = 0xF000;	// LDR.W PC, [PC]
202 | 		trampoline_instructions[idx++] = value & 0xFFFF;
203 | 		trampoline_instructions[idx++] = value >> 16;
204 | 		offset = idx;
205 | 	}
206 | 	else if (type == ADD_THUMB16) {
207 | 		int rdn;
208 | 		int rm;
209 | 		int r;
210 | 		
211 | 		rdn = ((instruction & 0x80) >> 4) | (instruction & 0x7);
212 | 		
213 | 		for (r = 7; ; --r) {
214 | 			if (r != rdn) {
215 | 				break;
216 | 			}
217 | 		}
218 | 		
219 | 		trampoline_instructions[0] = 0xB400 | (1 << r);	// PUSH {Rr}
220 | 		trampoline_instructions[1] = 0x4802 | (r << 8);	// LDR Rr, [PC, #8]
221 | 		trampoline_instructions[2] = (instruction & 0xFF87) | (r << 3);
222 | 		trampoline_instructions[3] = 0xBC00 | (1 << r);	// POP {Rr}
223 | 		trampoline_instructions[4] = 0xE002;	// B PC, #4
224 | 		trampoline_instructions[5] = 0xBF00;
225 | 		trampoline_instructions[6] = pc & 0xFFFF;
226 | 		trampoline_instructions[7] = pc >> 16;
227 | 		offset = 8;
228 | 	}
229 | 	else if (type == MOV_THUMB16 || type == ADR_THUMB16 || type == LDR_THUMB16) {
230 | 		int r;
231 | 		uint32_t value;
232 | 		
233 | 		if (type == MOV_THUMB16) {
234 | 			r = instruction & 0x7;
235 | 			value = pc;
236 | 		}
237 | 		else if (type == ADR_THUMB16) {
238 | 			r = (instruction & 0x700) >> 8;
239 | 			value = ALIGN_PC(pc) + (instruction & 0xFF) << 2;
240 | 		}
241 | 		else {
242 | 			r = (instruction & 0x700) >> 8;
243 | 			value = ((uint32_t *) (ALIGN_PC(pc) + ((instruction & 0xFF) << 2)))[0];
244 | 		}
245 | 
246 | 		trampoline_instructions[0] = 0x4800 | (r << 8);	// LDR Rd, [PC]
247 | 		trampoline_instructions[1] = 0xE001;	// B PC, #2
248 | 		trampoline_instructions[2] = value & 0xFFFF;
249 | 		trampoline_instructions[3] = value >> 16;
250 | 		offset = 4;
251 | 	}
252 | 	else if (type == CB_THUMB16) {
253 | 		int nonzero;
254 | 		uint32_t imm32;
255 | 		uint32_t value;
256 | 
257 | 		nonzero = (instruction & 0x800) >> 11;
258 | 		imm32 = ((instruction & 0x200) >> 3) | ((instruction & 0xF8) >> 2);
259 | 		value = pc + imm32 + 1;
260 | 
261 | 		trampoline_instructions[0] = instruction & 0xFD07;
262 | 		trampoline_instructions[1] = 0xE003;	// B PC, #6
263 | 		trampoline_instructions[2] = 0xF8DF;
264 | 		trampoline_instructions[3] = 0xF000;	// LDR.W PC, [PC]
265 | 		trampoline_instructions[4] = value & 0xFFFF;
266 | 		trampoline_instructions[5] = value >> 16;
267 | 		offset = 6;
268 | 	}
269 | 	else {
270 | 		trampoline_instructions[0] = instruction;
271 | 		trampoline_instructions[1] = 0xBF00;  // NOP
272 | 		offset = 2;
273 | 	}
274 | 	
275 | 	return offset;
276 | }
277 | 
278 | static int relocateInstructionInThumb32(uint32_t pc, uint16_t high_instruction, uint16_t low_instruction, uint16_t *trampoline_instructions)
279 | {
280 | 	uint32_t instruction;
281 | 	int type;
282 | 	int idx;
283 | 	int offset;
284 | 	
285 | 	instruction = (high_instruction << 16) | low_instruction;
286 | 	type = getTypeInThumb32(instruction);
287 | 	idx = 0;
288 | 	if (type == BLX_THUMB32 || type == BL_THUMB32 || type == B1_THUMB32 || type == B2_THUMB32) {
289 | 		uint32_t j1;
290 | 		uint32_t j2;
291 | 		uint32_t s;
292 | 		uint32_t i1;
293 | 		uint32_t i2;
294 | 		uint32_t x;
295 | 		uint32_t imm32;
296 | 		uint32_t value;
297 | 
298 | 		j1 = (low_instruction & 0x2000) >> 13;
299 | 		j2 = (low_instruction & 0x800) >> 11;
300 | 		s = (high_instruction & 0x400) >> 10;
301 | 		i1 = !(j1 ^ s);
302 | 		i2 = !(j2 ^ s);
303 | 
304 | 		if (type == BLX_THUMB32 || type == BL_THUMB32) {
305 | 			trampoline_instructions[idx++] = 0xF20F;
306 | 			trampoline_instructions[idx++] = 0x0E09;	// ADD.W LR, PC, #9
307 | 		}
308 | 		else if (type == B1_THUMB32) {
309 | 			trampoline_instructions[idx++] = 0xD000 | ((high_instruction & 0x3C0) << 2);
310 | 			trampoline_instructions[idx++] = 0xE003;	// B PC, #6
311 | 		}
312 | 		trampoline_instructions[idx++] = 0xF8DF;
313 | 		trampoline_instructions[idx++] = 0xF000;	// LDR.W PC, [PC]
314 | 		if (type == BLX_THUMB32) {
315 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FE) << 1);
316 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
317 | 			value = pc + imm32;
318 | 		}
319 | 		else if (type == BL_THUMB32) {
320 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FF) << 1);
321 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
322 | 			value = pc + imm32 + 1;
323 | 		}
324 | 		else if (type == B1_THUMB32) {
325 | 			x = (s << 20) | (j2 << 19) | (j1 << 18) | ((high_instruction & 0x3F) << 12) | ((low_instruction & 0x7FF) << 1);
326 | 			imm32 = s ? (x | (0xFFFFFFFF << 21)) : x;
327 | 			value = pc + imm32 + 1;
328 | 		}
329 | 		else if (type == B2_THUMB32) {
330 | 			x = (s << 24) | (i1 << 23) | (i2 << 22) | ((high_instruction & 0x3FF) << 12) | ((low_instruction & 0x7FF) << 1);
331 | 			imm32 = s ? (x | (0xFFFFFFFF << 25)) : x;
332 | 			value = pc + imm32 + 1;
333 | 		}
334 | 		trampoline_instructions[idx++] = value & 0xFFFF;
335 | 		trampoline_instructions[idx++] = value >> 16;
336 | 		offset = idx;
337 | 	}
338 | 	else if (type == ADR1_THUMB32 || type == ADR2_THUMB32 || type == LDR_THUMB32) {
339 | 		int r;
340 | 		uint32_t imm32;
341 | 		uint32_t value;
342 | 		
343 | 		if (type == ADR1_THUMB32 || type == ADR2_THUMB32) {
344 | 			uint32_t i;
345 | 			uint32_t imm3;
346 | 			uint32_t imm8;
347 | 		
348 | 			r = (low_instruction & 0xF00) >> 8;
349 | 			i = (high_instruction & 0x400) >> 10;
350 | 			imm3 = (low_instruction & 0x7000) >> 12;
351 | 			imm8 = instruction & 0xFF;
352 | 			
353 | 			imm32 = (i << 31) | (imm3 << 30) | (imm8 << 27);
354 | 			
355 | 			if (type == ADR1_THUMB32) {
356 | 				value = ALIGN_PC(pc) + imm32;
357 | 			}
358 | 			else {
359 | 				value = ALIGN_PC(pc) - imm32;
360 | 			}
361 | 		}
362 | 		else {
363 | 			int is_add;
364 | 			uint32_t *addr;
365 | 			
366 | 			is_add = (high_instruction & 0x80) >> 7;
367 | 			r = low_instruction >> 12;
368 | 			imm32 = low_instruction & 0xFFF;
369 | 			
370 | 			if (is_add) {
371 | 				addr = (uint32_t *) (ALIGN_PC(pc) + imm32);
372 | 			}
373 | 			else {
374 | 				addr = (uint32_t *) (ALIGN_PC(pc) - imm32);
375 | 			}
376 | 			
377 | 			value = addr[0];
378 | 		}
379 | 		
380 | 		trampoline_instructions[0] = 0x4800 | (r << 8);	// LDR Rr, [PC]
381 | 		trampoline_instructions[1] = 0xE001;	// B PC, #2
382 | 		trampoline_instructions[2] = value & 0xFFFF;
383 | 		trampoline_instructions[3] = value >> 16;
384 | 		offset = 4;
385 | 	}
386 | 
387 | 	else if (type == TBB_THUMB32 || type == TBH_THUMB32) {
388 | 		int rm;
389 | 		int r;
390 | 		int rx;
391 | 		
392 | 		rm = low_instruction & 0xF;
393 | 		
394 | 		for (r = 7;; --r) {
395 | 			if (r != rm) {
396 | 				break;
397 | 			}
398 | 		}
399 | 		
400 | 		for (rx = 7; ; --rx) {
401 | 			if (rx != rm && rx != r) {
402 | 				break;
403 | 			}
404 | 		}
405 | 		
406 | 		trampoline_instructions[0] = 0xB400 | (1 << rx);	// PUSH {Rx}
407 | 		trampoline_instructions[1] = 0x4805 | (r << 8);	// LDR Rr, [PC, #20]
408 | 		trampoline_instructions[2] = 0x4600 | (rm << 3) | rx;	// MOV Rx, Rm
409 | 		if (type == TBB_THUMB32) {
410 | 			trampoline_instructions[3] = 0xEB00 | r;
411 | 			trampoline_instructions[4] = 0x0000 | (rx << 8) | rx;	// ADD.W Rx, Rr, Rx
412 | 			trampoline_instructions[5] = 0x7800 | (rx << 3) | rx; 	// LDRB Rx, [Rx]
413 | 		}
414 | 		else if (type == TBH_THUMB32) {
415 | 			trampoline_instructions[3] = 0xEB00 | r;
416 | 			trampoline_instructions[4] = 0x0040 | (rx << 8) | rx;	// ADD.W Rx, Rr, Rx, LSL #1
417 | 			trampoline_instructions[5] = 0x8800 | (rx << 3) | rx; 	// LDRH Rx, [Rx]
418 | 		}
419 | 		trampoline_instructions[6] = 0xEB00 | r;
420 | 		trampoline_instructions[7] = 0x0040 | (r << 8) | rx;	// ADD Rr, Rr, Rx, LSL #1
421 | 		trampoline_instructions[8] = 0x3001 | (r << 8);	// ADD Rr, #1
422 | 		trampoline_instructions[9] = 0xBC00 | (1 << rx);	// POP {Rx}
423 | 		trampoline_instructions[10] = 0x4700 | (r << 3);	// BX Rr
424 | 		trampoline_instructions[11] = 0xBF00;
425 | 		trampoline_instructions[12] = pc & 0xFFFF;
426 | 		trampoline_instructions[13] = pc >> 16;
427 | 		offset = 14;
428 | 	}
429 | 	else {
430 | 		trampoline_instructions[0] = high_instruction;
431 | 		trampoline_instructions[1] = low_instruction;
432 | 		offset = 2;
433 | 	}
434 | 
435 | 	return offset;
436 | }
437 | 
438 | static void relocateInstructionInThumb(uint32_t target_addr, uint16_t *orig_instructions, int length, uint16_t *trampoline_instructions, int *orig_boundaries, int *trampoline_boundaries, int *count)
439 | {
440 | 	int orig_pos;
441 | 	int trampoline_pos;
442 | 	uint32_t pc;
443 | 	uint32_t lr;
444 | 
445 | 	orig_pos = 0;
446 | 	trampoline_pos = 0;
447 | 	pc = target_addr + 4;
448 | 	while (1) {
449 | 		int offset;
450 | 
451 | 		orig_boundaries[*count] = orig_pos * sizeof(uint16_t);
452 | 		trampoline_boundaries[*count] = trampoline_pos * sizeof(uint16_t);
453 | 		++(*count);
454 | 		
455 | 		if ((orig_instructions[orig_pos] >> 11) >= 0x1D && (orig_instructions[orig_pos] >> 11) <= 0x1F) {
456 | 			if (orig_pos + 2 > length / sizeof(uint16_t)) {
457 | 				break;
458 | 			}
459 | 			offset = relocateInstructionInThumb32(pc, orig_instructions[orig_pos], orig_instructions[orig_pos + 1], &trampoline_instructions[trampoline_pos]);
460 | 			pc += sizeof(uint32_t);
461 | 			trampoline_pos += offset;
462 | 			orig_pos += 2;
463 | 		}
464 | 		else {
465 | 			offset = relocateInstructionInThumb16(pc, orig_instructions[orig_pos], &trampoline_instructions[trampoline_pos]);
466 | 			pc += sizeof(uint16_t);
467 | 			trampoline_pos += offset;
468 | 			++orig_pos;
469 | 		}
470 | 		
471 | 		if (orig_pos >= length / sizeof(uint16_t)) {
472 | 			break;
473 | 		}
474 | 	}
475 | 
476 | 
477 | 	
478 | 	lr = target_addr + orig_pos * sizeof(uint16_t) + 1;
479 | 	trampoline_instructions[trampoline_pos] = 0xF8DF;
480 | 	trampoline_instructions[trampoline_pos + 1] = 0xF000;	// LDR.W PC, [PC]
481 | 	trampoline_instructions[trampoline_pos + 2] = lr & 0xFFFF;
482 | 	trampoline_instructions[trampoline_pos + 3] = lr >> 16;
483 | }
484 | 
485 | static void relocateInstructionInArm(uint32_t target_addr, uint32_t *orig_instructions, int length, uint32_t *trampoline_instructions, int *orig_boundaries, int *trampoline_boundaries, int *count)
486 | {
487 | 	uint32_t pc;
488 | 	uint32_t lr;
489 | 	int orig_pos;
490 | 	int trampoline_pos;
491 | 
492 | 	pc = target_addr + 8;
493 | 	lr = target_addr + length;
494 | 
495 | 	trampoline_pos = 0;
496 | 	for (orig_pos = 0; orig_pos < length / sizeof(uint32_t); ++orig_pos) {
497 | 		uint32_t instruction;
498 | 		int type;
499 | 
500 | 		orig_boundaries[*count] = orig_pos * sizeof(uint32_t);
501 | 		trampoline_boundaries[*count] = trampoline_pos * sizeof(uint32_t);
502 | 		++(*count);
503 | 
504 | 		instruction = orig_instructions[orig_pos];
505 | 		type = getTypeInArm(instruction);
506 | 		if (type == BLX_ARM || type == BL_ARM || type == B_ARM || type == BX_ARM) {
507 | 			uint32_t x;
508 | 			int top_bit;
509 | 			uint32_t imm32;
510 | 			uint32_t value;
511 | 
512 | 			if (type == BLX_ARM || type == BL_ARM) {
513 | 				trampoline_instructions[trampoline_pos++] = 0xE28FE004;	// ADD LR, PC, #4
514 | 			}
515 | 			trampoline_instructions[trampoline_pos++] = 0xE51FF004;  	// LDR PC, [PC, #-4]
516 | 			if (type == BLX_ARM) {
517 | 				x = ((instruction & 0xFFFFFF) << 2) | ((instruction & 0x1000000) >> 23);
518 | 			}
519 | 			else if (type == BL_ARM || type == B_ARM) {
520 | 				x = (instruction & 0xFFFFFF) << 2;
521 | 			}
522 | 			else {
523 | 				x = 0;
524 | 			}
525 | 			
526 | 			top_bit = x >> 25;
527 | 			imm32 = top_bit ? (x | (0xFFFFFFFF << 26)) : x;
528 | 			if (type == BLX_ARM) {
529 | 				value = pc + imm32 + 1;
530 | 			}
531 | 			else {
532 | 				value = pc + imm32;
533 | 			}
534 | 			trampoline_instructions[trampoline_pos++] = value;
535 | 			
536 | 		}
537 | 		else if (type == ADD_ARM) {
538 | 			int rd;
539 | 			int rm;
540 | 			int r;
541 | 			
542 | 			rd = (instruction & 0xF000) >> 12;
543 | 			rm = instruction & 0xF;
544 | 			
545 | 			for (r = 12; ; --r) {
546 | 				if (r != rd && r != rm) {
547 | 					break;
548 | 				}
549 | 			}
550 | 			
551 | 			trampoline_instructions[trampoline_pos++] = 0xE52D0004 | (r << 12);	// PUSH {Rr}
552 | 			trampoline_instructions[trampoline_pos++] = 0xE59F0008 | (r << 12);	// LDR Rr, [PC, #8]
553 | 			trampoline_instructions[trampoline_pos++] = (instruction & 0xFFF0FFFF) | (r << 16);
554 | 			trampoline_instructions[trampoline_pos++] = 0xE49D0004 | (r << 12);	// POP {Rr}
555 | 			trampoline_instructions[trampoline_pos++] = 0xE28FF000;	// ADD PC, PC
556 | 			trampoline_instructions[trampoline_pos++] = pc;
557 | 		}
558 | 		else if (type == ADR1_ARM || type == ADR2_ARM || type == LDR_ARM || type == MOV_ARM) {
559 | 			int r;
560 | 			uint32_t value;
561 | 			
562 | 			r = (instruction & 0xF000) >> 12;
563 | 			
564 | 			if (type == ADR1_ARM || type == ADR2_ARM || type == LDR_ARM) {
565 | 				uint32_t imm32;
566 | 				
567 | 				imm32 = instruction & 0xFFF;
568 | 				if (type == ADR1_ARM) {
569 | 					value = pc + imm32;
570 | 				}
571 | 				else if (type == ADR2_ARM) {
572 | 					value = pc - imm32;
573 | 				}
574 | 				else if (type == LDR_ARM) {
575 | 					int is_add;
576 | 					
577 | 					is_add = (instruction & 0x800000) >> 23;
578 | 					if (is_add) {
579 | 						value = ((uint32_t *) (pc + imm32))[0];
580 | 					}
581 | 					else {
582 | 						value = ((uint32_t *) (pc - imm32))[0];
583 | 					}
584 | 				}
585 | 			}
586 | 			else {
587 | 				value = pc;
588 | 			}
589 | 				
590 | 			trampoline_instructions[trampoline_pos++] = 0xE51F0000 | (r << 12);	// LDR Rr, [PC]
591 | 			trampoline_instructions[trampoline_pos++] = 0xE28FF000;	// ADD PC, PC
592 | 			trampoline_instructions[trampoline_pos++] = value;
593 | 		}
594 | 		else {
595 | 			trampoline_instructions[trampoline_pos++] = instruction;
596 | 		}
597 | 		pc += sizeof(uint32_t);
598 | 	}
599 | 	
600 | 	trampoline_instructions[trampoline_pos++] = 0xe51ff004;	// LDR PC, [PC, #-4]
601 | 	trampoline_instructions[trampoline_pos++] = lr;
602 | }
603 | 
604 | void relocateInstruction(uint32_t target_addr, void *orig_instructions, int length, void *trampoline_instructions, int *orig_boundaries, int *trampoline_boundaries, int *count)
605 | {
606 | 	if (target_addr & 1 == 1) {
607 | 		relocateInstructionInThumb(target_addr - 1, (uint16_t *) orig_instructions, length, (uint16_t *) trampoline_instructions, orig_boundaries, trampoline_boundaries, count);
608 | 	}
609 | 	else {
610 | 		relocateInstructionInArm(target_addr, (uint32_t *) orig_instructions, length, (uint32_t *) trampoline_instructions, orig_boundaries, trampoline_boundaries, count);
611 | 	}
612 | }
613 | 


--------------------------------------------------------------------------------