Thread: PE Anatomist
03-13-2022, 23:25
RamMerLabs
The reason is that Windows runs ARM7 in Thumb instruction set mode. And the "1" in every RVA of executable code is an indicator of this: 1 - Thumb, no 1 - no Thumb. There is no mistake, it's native.
ARM7 has 2- or 4-byte instruction lengths, so this 1 in the RVA doesn't affect real addresses.
BTW, it's right to apply (AND (NOT 0x1)) instead of subtraction.

Last edited by RamMerLabs; 03-13-2022 at 23:43.
The Following 4 Users Say Thank You to RamMerLabs For This Useful Post:
Abaddon (03-15-2022), DavidXanatos (03-13-2022), ionioni (03-14-2022), tonyweb (07-23-2022)
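
Added example, not part of the original post and not PE Anatomist's code: a short Python sketch that reads `AddressOfEntryPoint` from a PE header and, for `IMAGE_FILE_MACHINE_ARMNT` (0x01C4) images, separates the Thumb bit from the instruction address by masking, which also shows where subtracting 1 goes wrong. The function names and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_FILE_MACHINE_ARMNT = 0x01C4  # ARM Thumb-2 little-endian (Windows on 32-bit ARM)

def split_thumb_rva(rva):
    """Return (instruction_rva, is_thumb) for a code RVA (hypothetical helper)."""
    # Masking clears bit 0 whether or not it is set; subtracting 1 from an
    # RVA that is already even would land one byte before the real address.
    return rva & ~1, bool(rva & 1)

def entry_point(image):
    """Read Machine and AddressOfEntryPoint, normalizing the RVA on ARMNT."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    # The optional header follows the 4-byte signature and 20-byte COFF
    # header; AddressOfEntryPoint sits at offset 16 inside it.
    (raw_rva,) = struct.unpack_from("<I", image, e_lfanew + 24 + 16)
    if machine == IMAGE_FILE_MACHINE_ARMNT:
        addr, thumb = split_thumb_rva(raw_rva)
    else:
        addr, thumb = raw_rva, False
    return machine, raw_rva, addr, thumb

def build_sample(machine, entry_rva):
    """Constructed header-only image with just the fields entry_point() reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for rva in (0x1001, 0x1000):  # constructed sample RVAs
        _, raw, addr, thumb = entry_point(build_sample(IMAGE_FILE_MACHINE_ARMNT, rva))
        print(f"raw={raw:#x} masked={addr:#x} thumb={thumb} raw-1={raw - 1:#x}")
```

For the even sample RVA the masked value stays at 0x1000 while subtraction yields 0xfff, which is why the mask is the safe way to normalize addresses before disassembly or symbol lookup.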