Title: MED9 PowerPC Instruction Address Referencing

Post by: 360trev on November 12, 2020, 08:00:41 PM

I had to do a bit of work on a MED9x firmware recently and needed to look up the P-Code table. I found it alright (see below):

ROM:00447CC0:              88 8D AD 66    lbz   r4, -0x529A(r13)
Locate_CLAAA_CDCAAA+4      3D 80 00 5E    lis   r12, (CLAAAA+0x10000)@h         # CLAAAA
Locate_CLAAA_CDCAAA+8      39 8C 90 F3    addi  r12, r12, -0x6F0D               # CLAAAA
Locate_CLAAA_CDCAAA+C      3D 60 00 5E    lis   r11, (CDCAAA+0x1120+0x10000)@h  # 0x5DA438
Locate_CLAAA_CDCAAA+10     7D 8C 22 14    add   r12, r12, r4
Locate_CLAAA_CDCAAA+14     3C 60 00 5E    lis   r3, (CDCAAA+0x10000)@h          # CDCAAA
Locate_CLAAA_CDCAAA+18     39 6B A4 38    addi  r11, r11, -0x5BC8               # 0x5DA438
Locate_CLAAA_CDCAAA+1C     7D 44 22 14    add   r10, r4, r4
Locate_CLAAA_CDCAAA+20     38 63 93 18    addi  r3, r3, -0x6CE8                 # CDCAAA
Locate_CLAAA_CDCAAA+24     54 84 18 38    slwi  r4, r4, 3
Locate_CLAAA_CDCAAA+28     7D 6B 52 14    add   r11, r11, r10
Locate_CLAAA_CDCAAA+2C     7C 63 22 14    add   r3, r3, r4
Locate_CLAAA_CDCAAA+30     91 6D 91 34    stw   r11, -0x6ECC(r13)
Locate_CLAAA_CDCAAA+34     91 8D 91 28    stw   r12, -0x6ED8(r13)
Locate_CLAAA_CDCAAA+38     90 6D 91 30    stw   r3, -0x6ED0(r13)
Locate_CLAAA_CDCAAA+3C     90 6D 91 2C    stw   r3, -0x6ED4(r13)
Locate_CLAAA_CDCAAA+40     4E 80 00 20    blr

.. but what I am looking for is a quick explanation of how the addressing modes work here. More specifically, they reference these addresses:

ROM:005D90F3 00 00 06 06 00 00 00 06+ CLAAAA: .short 0        # 0
ROM:005D90F3 03 03 03 03 03 03 03 03+         # DATA XREF: Locate_CLAAA_CDCAAA+4↑o
ROM:005D90F3 06 06 03 00 03 03 06 06+         # ROM:00577A90↑o
ROM:005D90F3 06 06 00 00 06 06 06 06+         .short 0x606    # 1
ROM:005D90F3 1F 1F 06 00 00 06 00 00+         .short 0        # 2

Without reading the reference manual for hours (yes, I intend to do this at some point), how is IDA deriving the offset back to these locations, specifically in relation to the hex of the assembly instructions? I can see for instance on the 3rd instruction the operators include 90F3, and the ROM address where CLAAAA is located is indeed at 5D90F3, which is 1D90F3 bytes into the file. Where is the extra 400000 coming from? Is there some address translation going on that someone can easily explain...

I'm trying to search for the hex codes and then from the hex work out the CLAAAA address, but I am missing something... Is the clue related to R13? Damn it.. I better download the instruction set reference manual....
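The question above comes down to how a PowerPC `lis`/`addi` pair builds a 32-bit address from two 16-bit immediates. The following Python is an added walk-through, not code from the post or from IDA: it decodes the D-form words copied from the listing (opcode in the top 6 bits, then rD/rS, rA, and a 16-bit immediate), sign-extends the immediate the way the CPU does (so `90F3` is -0x6F0D, not +0x90F3), and adds it to the `lis` value shifted left by 16 (0x5E0000 - 0x6F0D = 0x5D90F3). The `+0x10000` IDA prints in `(CLAAAA+0x10000)@h` is the carry that the negative low half forces into the high half; `split_hi_lo` recomputes it. The 0x400000 is not address translation in the instruction at all: it is the base address the ROM image was loaded at in IDA, which is why file offset = ROM address - 0x400000 (the base value is taken from the post's own 5D90F3 / 1D90F3 figures). The `r13`-relative `lbz`/`stw` accesses use the same sign-extended displacement against whatever r13 holds (the EABI small-data base, set up at startup, not in this snippet), so they cannot be resolved from these bytes alone.

```python
# Added example (not code from the post or from IDA): decode the D-form
# PowerPC words from the listing and resolve the lis/addi pairs to the
# absolute addresses IDA prints.  Field layout is from the PowerPC ISA;
# the ROM base of 0x400000 is inferred from the post (0x5D90F3 in the
# image is 0x1D90F3 bytes into the file).
import struct

ROM_BASE = 0x400000          # load address of the image, from the post's figures

OPCODES = {14: "addi", 15: "addis", 34: "lbz", 36: "stw"}  # D-form opcodes seen here

# Instruction bytes copied from the post's listing (Locate_CLAAA_CDCAAA).
CODE_HEX = """
88 8D AD 66  3D 80 00 5E  39 8C 90 F3  3D 60 00 5E
7D 8C 22 14  3C 60 00 5E  39 6B A4 38  7D 44 22 14
38 63 93 18  54 84 18 38  7D 6B 52 14  7C 63 22 14
91 6D 91 34  91 8D 91 28  90 6D 91 30  90 6D 91 2C
4E 80 00 20
"""

def words_from_hex(text):
    """Turn a hex dump into a list of 32-bit big-endian instruction words."""
    raw = bytes.fromhex("".join(text.split()))
    return [w for (w,) in struct.iter_unpack(">I", raw)]

WORDS = words_from_hex(CODE_HEX)

def sext16(v):
    """Sign-extend a 16-bit immediate; 0x90F3 becomes -0x6F0D."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def decode_dform(word):
    """Split a D-form word into (opcode, rD/rS, rA, signed 16-bit immediate)."""
    opcode = word >> 26
    rd = (word >> 21) & 0x1F
    ra = (word >> 16) & 0x1F
    return opcode, rd, ra, sext16(word & 0xFFFF)

def resolve_lis_addi(lis_word, addi_word):
    """Address built by lis rD,hi followed by addi rD,rD,lo (32-bit wrap like the CPU)."""
    op1, rd1, ra1, hi = decode_dform(lis_word)
    op2, rd2, ra2, lo = decode_dform(addi_word)
    if not (op1 == 15 and ra1 == 0):
        raise ValueError("first word is not lis (addis rD, 0, imm)")
    if not (op2 == 14 and ra2 == rd1):
        raise ValueError("second word is not addi on the lis register")
    return ((hi << 16) + lo) & 0xFFFFFFFF

def resolve_lis_addi_pairs(words):
    """Scan a block for lis/addi pairs (not necessarily adjacent); return {rD: address}.

    The compiler interleaves the three pairs in the post, so each lis is
    remembered until its matching addi arrives.  Other opcodes are ignored;
    this is a pair finder, not a full emulator.
    """
    pending = {}   # register -> index of the lis that last wrote it
    found = {}
    for i, w in enumerate(words):
        op, rd, ra, imm = decode_dform(w)
        if op == 15 and ra == 0:           # lis rD, hi
            pending[rd] = i
        elif op == 14 and ra in pending:   # addi rD, rA, lo with rA set by lis
            found[rd] = resolve_lis_addi(words[pending.pop(ra)], w)
    return found

def split_hi_lo(addr):
    """Inverse of the pair: the (hi, lo) immediates needed to build addr.

    lo is sign-extended, so when it is negative hi must carry +1; that carry
    is the "+0x10000" IDA shows in (CLAAAA+0x10000)@h.
    """
    lo = sext16(addr & 0xFFFF)
    hi = ((addr - lo) >> 16) & 0xFFFF
    return hi, lo

def to_file_offset(addr, rom_base=ROM_BASE):
    """Map a ROM address to the byte offset inside the dumped file."""
    return addr - rom_base

if __name__ == "__main__":
    for reg, addr in resolve_lis_addi_pairs(WORDS).items():
        hi, lo = split_hi_lo(addr)
        print(f"r{reg:<2} = 0x{addr:06X}  (lis 0x{hi:X}, addi {lo:#x})"
              f"  file offset 0x{to_file_offset(addr):06X}")
    op, rd, ra, d = decode_dform(WORDS[0])
    print(f"{OPCODES[op]} r{rd}, {d:#x}(r{ra})   # r13-relative small-data access")
```

Running it reproduces IDA's three comments: r12 = 0x5D90F3 (CLAAAA), r11 = 0x5DA438 (CDCAAA+0x1120) and r3 = 0x5D9318 (CDCAAA), each with its file offset 0x400000 lower. Searching the dump for the raw bytes `90 F3` therefore finds the `addi`, but to get back to CLAAAA you have to pair it with the preceding `lis` of the same register and sign-extend, which is exactly what `resolve_lis_addi_pairs` does.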