Title: Analyze C16x Unknown Function
Post by: unicornux on August 25, 2020, 12:17:03 AM

Hi Guys,
I recently worked on some C166 bin files, and I am suspicious of one of them. Does anyone know what this is? What does this do? This function is repeated in all of my dump files. It seems this is a standard function.

Code: sub_37C2:

Title: Re: Analyze C16x Unknown Function
Post by: woj on August 25, 2020, 01:08:06 AM

Quick glance: you pass a DPP encoded address to it (where the first two bits specify the page from the corresponding DPP register), and you get a full segment plus offset 3 byte address on r5/r4.
Title: Re: Analyze C16x Unknown Function
Post by: nyet on August 25, 2020, 01:57:15 AM

Near -> far address converter.
Title: Re: Analyze C16x Unknown Function
Post by: unicornux on August 25, 2020, 02:46:09 AM

Quote: Quick glance, you pass a DPP encoded address to it (where the first two bits specify the page from the corresponding DPP register), you get a full segment plus offset 3 byte address on r5/r4.

Thanks. So, you say I must add 3 bytes (calculated from r4/r5) to DPP0? The piece of code below shows how sub_37C2 is invoked:

Code: loc_1892:

According to this code r4 must be r0+6. And when I place this value into sub_37C2 instead of r5, this line of code will be:

Code: mov r5, [r0+6+0FE00h]

So, how can I calculate this far address? It seems this is pointing to an address on the stack.

Title: Re: Analyze C16x Unknown Function
Post by: unicornux on August 25, 2020, 10:38:21 PM

No one?
Title: Re: Analyze C16x Unknown Function
Post by: woj on August 26, 2020, 12:10:34 AM

After that call of yours you get in r4/r5 the far address of the function call stack (r0) shifted by 6 positions. There is no FE00 in this address. It is done in a slightly contrived way I see, and I am unsure myself what the purpose of this code is (getting a full far address of the call stack).

I also think that the suggested naming of near and far addresses is a bit unfortunate. I'd say near is an offset defined address within the same segment (as in for example jmpa), and far is any address within the address space, and this can be either page addressed (extp or through dpp), or segment addressed (exts).

Title: Re: Analyze C16x Unknown Function
Post by: unicornux on August 26, 2020, 12:59:09 AM

Quote: After that call of yours you get in r4/r5 the far address of the function call stack (r0) shifted by 6 positions. There is no FE00 in this address. It is done in a slightly contrived way I see, and I am unsure myself what the purpose of this code is (getting a full far address of the call stack). I also think that the suggested naming of near and far addresses is a bit unfortunate. I'd say near is an offset defined address within the same segment (as in for example jmpa), and far is any address within the address space, and this can be either page addressed (extp or through dpp), or segment addressed (exts).

It is possible my question is imperfect. So I put here my complete question that I asked on Reverse Engineering. I will be thankful if you glance at it.
https://reverseengineering.stackexchange.com/questions/25747/c166-c167-code-analyzing

Title: Re: Analyze C16x Unknown Function
Post by: woj on August 26, 2020, 09:09:35 AM

I really do not see an actual question there, no wonder no one answers. What do you mean you can't convert it to C code? You got it quite right with temp = *cBuffer++. Your problem is that the asm code accesses array data on the call stack, rather than in RAM; the code you quote simply tries to deal with accessing it there. So perhaps it's a clear case of call by value rather than call by reference for array parameters...?
Title: Re: Analyze C16x Unknown Function
Post by: nyet on August 26, 2020, 09:19:04 AM

Quote: I also think that the suggested naming of near and far addresses is a bit unfortunate. I'd say near is an offset defined address within the same segment (as in for example jmpa), and far is any address within the address space, and this can be either page addressed (extp or through dpp), or segment addressed (exts).

Agreed, but in this case it seems to me the stack addressing is via a "near" pointer (address within same segment) and the return value is an absolute address (will avoid using the term "far"). That said, I may have completely misconstrued the ASM, I'm no expert.

Title: Re: Analyze C16x Unknown Function
Post by: unicornux on August 27, 2020, 12:32:51 AM

Quote: I really do not see an actual question there, no wonder no one answers. What do you mean you can't convert it to C code? You got it quite right with temp = *cBuffer++. Your problem is that the asm code accesses array data on the call stack, rather than in RAM, the code you quote simply tries to deal with accessing it there. So perhaps it's a clear case of call by value rather than call by reference for array parameters...?

Yes, you're right. Actually I am trying to find the first address of this array. But I can't calculate this address. How can I calculate the actual address so that I get the right value? Please pay attention to the picture shown below:
(https://i.ibb.co/tPqr0HD/photo-2020-08-27-11-49-49.jpg)
According to the picture I deeply feel I am wrong :) In short, I want to calculate the actual address of an array, especially in this case. Best regards.

Title: Re: Analyze C16x Unknown Function
Post by: unicornux on August 30, 2020, 10:17:17 PM

Quote: Yes, you're right. Actually I am trying to find the first address of this array. But I can't calculate this address. How can I calculate the actual address so that I get the right value? Please pay attention to the picture shown below: (https://i.ibb.co/tPqr0HD/photo-2020-08-27-11-49-49.jpg) According to the picture I deeply feel I am wrong :) In short, I want to calculate the actual address of an array, especially in this case. Best regards.

Here I think I have something wrong in the base concepts, so I checked once again. In the code shown below, as you have seen, `r4` is the input argument for `sub_37C2`, where `r4` is `r0 + 6`. And probably this function returns `r4` and `r5`. So, we have a 32-bit address after `sub_37C2`.

Code: loc_1892:

OK. In `sub_37C2` we have:

Code: sub_37C2:

Suppose we know what this function does (convert a near address to far). But there are some basic questions. Why is `r5` shifted 14 times to the right and after that 1 time to the left? Does this have a specific purpose? In the line `mov r5, [r5+0FE00h] ; DPP0`, what is `r5` after execution? DPP0 is 1D. After that, we have the `CRC_16_Calculate` function that uses `r4,r5` (as `r13` and `r14`) for its input arguments and uses them in the sub function shown below:

Code: loc_29A4:

Too weird. Why is `r13` incremented but `r4` is used as the address? Can anyone help me until I find my answer? Thanks people.

Title: Re: Analyze C16x Unknown Function
Post by: woj on September 01, 2020, 01:32:37 AM

You should really get back to the CPU documentation and understand the different addressing modes, DPPs, and indirect addressing. I think you are hunting down something that you should not be hunting ;)
Title: Re: Analyze C16x Unknown Function
Post by: unicornux on September 01, 2020, 04:14:00 AM

Quote: You should really get back to the CPU documentation and understand the different addressing modes, DPPs, and indirect addressing. I think you are hunting down something that you should not be hunting ;)

Yes. I think you're right. :-\ Can you describe it for me (and other noobs) in a nutshell? ??? (like some people on stackoverflow :P ) Excuse me for eating your time :)

Title: Re: Analyze C16x Unknown Function
Post by: unicornux on September 14, 2020, 11:01:24 PM

https://reverseengineering.stackexchange.com/questions/25824/the-c166-family-code-meaning
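The DPP arithmetic the thread keeps circling, as an added worked example in C that is not code from the thread or from any C166 toolchain: the top two bits of a 16-bit near address pick DPP0..DPP3 (the "shift right 14"), doubling that index gives the word offset of the DPP register above 0xFE00 (the "shift left 1", matching `[r5+0FE00h]`), and the register's 10-bit page number supplies the upper bits of the 24-bit linear address, which then splits into the segment:offset pair returned in r5/r4. The DPP contents are constructed: DPP0 = 0x1D is the value quoted in the thread, DPP1..DPP3 are left at their reset identity values.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed DPP register contents for this example. DPP0 = 0x1D comes
 * from the thread; DPP1..DPP3 are the reset values (identity mapping of
 * pages 1..3). Each DPP holds a 10-bit page number; a page is 16 KiB. */
static uint16_t dpp[4] = { 0x001D, 0x0001, 0x0002, 0x0003 };

/* Index of the DPP register selected by a near address (bits 15..14). */
unsigned c166_dpp_index(uint16_t near_addr) {
    return near_addr >> 14;                 /* the "shift right 14" */
}

/* SFR address of that DPP register: DPP0..DPP3 are word registers at
 * 0xFE00, 0xFE02, 0xFE04, 0xFE06, hence index * 2 + 0xFE00. */
uint16_t c166_dpp_sfr_addr(uint16_t near_addr) {
    return (uint16_t)((c166_dpp_index(near_addr) << 1) + 0xFE00); /* the "shift left 1" */
}

/* 24-bit linear address: 10-bit page number above the 14-bit in-page offset. */
uint32_t c166_near_to_linear(uint16_t near_addr) {
    uint32_t page = dpp[c166_dpp_index(near_addr)] & 0x03FF;
    return (page << 14) | (near_addr & 0x3FFF);
}

/* The segment byte the thread's function leaves in r5 ... */
uint8_t c166_segment(uint32_t linear) {
    return (uint8_t)((linear >> 16) & 0xFF);
}

/* ... and the 16-bit offset it leaves in r4. */
uint16_t c166_offset(uint32_t linear) {
    return (uint16_t)(linear & 0xFFFF);
}

int main(void) {
    uint16_t near_addr = 0x1234;            /* bits 15..14 == 00 -> DPP0 */
    uint32_t lin = c166_near_to_linear(near_addr);
    printf("near %04X -> DPP%u @ %04X -> linear %06X -> seg %02X off %04X\n",
           near_addr, c166_dpp_index(near_addr), c166_dpp_sfr_addr(near_addr),
           lin, c166_segment(lin), c166_offset(lin));
    return 0;
}
```

With DPP0 = 0x1D the near address 0x1234 resolves to linear 0x75234, i.e. segment 0x07 and offset 0x5234, which is why the 0xFE00 SFR address never shows up in the resulting far address.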