I'm trying to debug some ARM code from my Linux machine. The beginning of the code is as follows:
.text:00008290 MOV R12, SP
.text:00008294 STMFD SP!, {R4,R11,R12,LR,PC}
.text:00008298 SUB R11, R12, #4
.text:0000829C SUB SP, SP, #0x24
.text:000082A0 STR R0, [R11,#var_28]
.text:000082A4 STR R1, [R11,#var_2C]
.text:000082A8 LDR R3, [R11,#var_28]
.text:000082AC CMP R3, #1 ; Check whether arg has been provided
.text:000082B0 BGT loc_82C0 ; Jump to 0x82C0 if arg provided
.text:000082B4 MOV R3, #0xFFFFFFFF
.text:000082B8 STR R3, [R11,#var_30]
.text:000082BC B loc_8448
As you can see, if arg is provided, the code jumps to 0x82C0 but I can't find a way to run the code with the argument.
To debug it, I'm using a server/client architecture on my machine as follows:
1st terminal window:
$ qemu-arm -g 1234 ./chall9.bin
2nd terminal window:
$ gdb-multiarch
(gdb) file chall9.bin
Reading symbols from /data/malware/chall9.bin...done.
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
[New Remote target]
[Switching to Remote target]
0x00008150 in _start ()
(gdb) break *0x82b0
Breakpoint 1 at 0x82b0
(gdb) set args 12345
(gdb) show args
Argument list to give program being debugged when it is started is "12345".
(gdb) r
The "remote" target does not support "run". Try "help target" or "continue".
(gdb) c
Continuing.
Breakpoint 1, 0x000082b0 in main ()
(gdb) x /12i $pc
=> 0x82b0 <main+32>: bgt 0x82c0 <main+48>
0x82b4 <main+36>: mvn r3, #0
0x82b8 <main+40>: str r3, [r11, #-48] ; 0x30
0x82bc <main+44>: b 0x8448 <main+440>
0x82c0 <main+48>: mov r3, #0
0x82c4 <main+52>: str r3, [r11, #-28]
0x82c8 <main+56>: mov r0, #32
0x82cc <main+60>: bl 0x8248 <xmalloc>
0x82d0 <main+64>: mov r3, r0
0x82d4 <main+68>: str r3, [r11, #-32]
0x82d8 <main+72>: b 0x832c <main+156>
0x82dc <main+76>: ldr r3, [r11, #-28]
(gdb) si
0x000082b4 in main ()
It seems that my arguments are not taken because the code should normally jump to 0x82c0 but it jumps to 0x82b4.
Any idea? Thank you in advance for your input.
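With a remote target gdb never starts the process itself, so `set args` has no effect; under qemu-arm user mode, anything after the binary path is the guest's own argv. The script below is an added example, not from the question or its answer, that drives the same session non-interactively and prints argc from r3 at the BGT; it assumes qemu-arm and gdb-multiarch are installed and that ./chall9.bin is in the current directory.

```shell
#!/bin/sh
# Added example: scripted qemu-arm gdbstub + gdb-multiarch session.
# Assumptions: qemu-arm, gdb-multiarch and ./chall9.bin are available.
set -e

BIN=${BIN:-./chall9.bin}
PORT=${PORT:-1234}
BREAK_AT=0x82b0   # the BGT that tests argc in the listing above

# gdb batch commands, kept in a function so they can be inspected
# without launching anything. At 0x82b0, r3 holds argc (it was loaded
# from the slot where r0 was spilled in the prologue).
gdb_commands() {
    cat <<EOF
set architecture arm
file $BIN
target remote 127.0.0.1:$PORT
break *$BREAK_AT
continue
printf "argc in r3 = %d\n", \$r3
stepi
printf "next pc = %#x\n", \$pc
kill
EOF
}

# Start the guest under the gdbstub. qemu-arm's own options (-g PORT)
# come before the binary; everything after the binary is the guest's argv,
# so "$@" ends up as argv[1..] inside chall9.bin.
run_session() {
    qemu-arm -g "$PORT" "$BIN" "$@" &
    QEMU_PID=$!
    CMDS=$(mktemp)
    gdb_commands > "$CMDS"
    gdb-multiarch -q -batch -x "$CMDS"
    rm -f "$CMDS"
    wait "$QEMU_PID" 2>/dev/null || true
}

# Usage: sh debug_chall9.sh 12345   (prints "argc in r3 = 2" and a
# next pc of 0x82c0 when the argument actually reaches the guest)
if [ "$#" -gt 0 ]; then
    run_session "$@"
fi
```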
I've found it! The arg should be passed to qemu as follows: