NefMoto

Technical => Reverse Engineering => Topic started by: Neuss on November 11, 2019, 06:14:40 AM



Title: Subroutines without any xrefs
Post by: Neuss on November 11, 2019, 06:14:40 AM
In the firmware disassembled in IDA Pro, there are functions for which there are no xrefs, as in the example below. Firmware HJ 0002. How do I determine where such functions are called from?


Title: Re: Subroutines without any xrefs
Post by: woj on November 11, 2019, 02:56:09 PM
These are from indirect calls / calls by function pointer. The actual call is by a 3-op procedure:

Code:
indirect_call:
  push r5
  push r4
  rets

Before this is called there is typically a read of a function pointer from a larger array or some other structure to put the segment and offset of the function into r4/r5. In my disassembly I tried to do it completely right and bind all such structures to their call sites; I managed 99%, but this is a very tedious task.


Title: Re: Subroutines without any xrefs
Post by: Neuss on November 12, 2019, 11:31:15 AM
How can "push r4, push r5, rets" invoke a function? I cannot find such addressing in the datasheet ...


Title: Re: Subroutines without any xrefs
Post by: nyet on November 12, 2019, 12:19:47 PM
How can "push r4, push r5, rets" invoke a function? I cannot find such addressing in the datasheet ...

rets means return according to items on the stack. So push stuff on the stack, call rets, and it's the same as a call, except when that routine rets, it returns to the caller of the original function.


Title: Re: Subroutines without any xrefs
Post by: fluke9 on November 13, 2019, 04:52:09 AM
Code:
indirect_call:
  push r5
  push r4
  rets

Find that thing, make a subfunction out of it and you will find a lot of calls to it like here:

Code:
2032                 mov     r4, asc0_ErrorISR_Function
2036                 mov     r5, word_E084
203A                 calls   0, StackJumpR5R4_1342 ; Jumps to the address R5:R4


This is also often used to look up functions from a function pointer table with an index and then call them.
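As an added example, not code from the thread or from any poster: a small Python pass over a constructed IDA-style listing that does what fluke9 describes by hand, pairing each `calls` to the R5:R4 trampoline with the preceding `mov r4` / `mov r5` immediates and recovering the target's segment:offset. The trampoline name, addresses, symbols and immediates in the sample are constructed; an operand loaded from memory (like the quoted `word_E084`) is reported as unresolved, since it needs a data-flow follow-up rather than a pattern match.

```python
import re

# Constructed sample modelled on the IDA listing quoted above; the addresses,
# symbols and immediates are made up for this example.
SAMPLE_LISTING = """\
2032                 mov     r4, #0x1A3C
2036                 mov     r5, #0x8
203A                 calls   0, StackJumpR5R4_1342 ; Jumps to the address R5:R4
2040                 mov     r4, asc0_ErrorISR_Function
2044                 mov     r5, word_E084
2048                 calls   0, StackJumpR5R4_1342 ; Jumps to the address R5:R4
204C                 mov     r4, #0x200
2050                 mov     r5, #0x81
2054                 calls   0, StackJumpR5R4_1342 ; Jumps to the address R5:R4
"""

# address, mnemonic, operands; anything after ';' is a comment and is dropped
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s+(.*?)\s*(?:;.*)?$")

def parse_operand(text):
    """Immediate '#0x1A3C' / '#8' -> int; a symbol or memory operand -> None."""
    text = text.strip()
    if not text.startswith("#"):
        return None
    digits = text[1:].lower()
    return int(digits[2:] if digits.startswith("0x") else digits, 16)

def resolve_indirect_calls(listing, trampoline="StackJumpR5R4"):
    """Return [(call_site, target)] for each calls to the push r5/push r4/rets
    trampoline. rets pops IP then CSP, so r4 is the offset and r5 the segment;
    the 24-bit target is seg << 16 | off, or None if a register was not an
    immediate (pointer fetched from a table or variable)."""
    regs = {"r4": None, "r5": None}
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2).lower(), m.group(3)
        if mnem == "mov":
            dst, _, src = ops.partition(",")
            if dst.strip().lower() in regs:
                regs[dst.strip().lower()] = parse_operand(src)
        elif mnem == "calls" and trampoline in ops:
            off, seg = regs["r4"], regs["r5"]
            found.append((addr, None if off is None or seg is None else (seg << 16) | off))
            regs = {"r4": None, "r5": None}   # consumed; start fresh for the next site
    return found
```

Each resolved target is a linear address that can be marked as a code xref from the call site; the unresolved ones are exactly the table-driven cases woj describes, where the array holding the pointers has to be found and bound to the site.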


Title: Re: Subroutines without any xrefs
Post by: DT on April 29, 2021, 03:34:20 PM
These are from indirect calls / calls by function pointer. The actual call is by a 3-op procedure:
Code:
indirect_call:
  push r5
  push r4
  rets
Before this is called there is typically a read of a function pointer from a larger array or some other structure to put the segment and offset of the function into r4/r5. In my disassembly I tried to do it completely right and bind all such structures to their call sites; I managed 99%, but this is a very tedious task.
I've not been able to find where these sometimes long arrays are referenced from. From what I understand, you know from where and how?