In the ARM architecture, a program can switch from ARM (4-byte instructions) to Thumb (2-byte instructions) and vice versa.
The least significant bit of its $PC register (program counter) is always 0 (an even address): bit 0 of a branch target selects Thumb state and is not stored in $PC.
Assuming we are performing a typical buffer overflow with tons of ‘A’s, which translate to 0x41, $PC will be reflected as 0x41414140 (THUMB flag set to 0x1 and stripped from the address) instead of 0x41414141.
So in this case, since the THUMB flag is set, we have to add 1 to the $PC when using
For example:
~/Desktop$ python pattern2.py 200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
~/Desktop$ python pattern2.py 0x63413162
Couldn`t find 0x63413162 (b1Ac) anywhere in the pattern.
~/Desktop$ python pattern2.py 0x63413163
Pattern 0x63413163 first occurrence at position 64 in pattern.
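The lookup shown above, as an added example that is not the original page's pattern2.py: a small cyclic-pattern generator and an ARM-aware offset finder that retries the crash value with the Thumb bit (bit 0) restored, since $PC never shows it. Function names and the little-endian assumption are mine.

```python
import string
import struct
from typing import Optional, Tuple


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... truncated to `length`."""
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, value: int) -> Optional[int]:
    """Offset of a 32-bit register value in the pattern, or None.

    The register holds the bytes in little-endian order (assumed here),
    so 0x63413162 is searched for as the string "b1Ac".
    """
    needle = struct.pack("<I", value).decode("latin-1")
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def arm_pc_offset(pattern: str, pc: int) -> Optional[Tuple[int, int]]:
    """Look up a crashed $PC, accounting for the stripped Thumb bit.

    $PC always has bit 0 clear. If the overwritten return address came
    from Thumb code, the value that was actually on the stack was pc | 1,
    so try the raw value first and then the value with bit 0 restored.
    Returns (value that matched, offset) or None.
    """
    for candidate in (pc, pc | 1):
        off = pattern_offset(pattern, candidate)
        if off is not None:
            return candidate, off
    return None


if __name__ == "__main__":
    pat = pattern_create(200)
    print(arm_pc_offset(pat, 0x63413162))  # (0x63413163, 64)
```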