NefMoto

Technical => Reverse Engineering => Topic started by: 360trev on November 12, 2020, 08:00:41 PM



Title: MED9 PowerPC Instruction Address Referencing
Post by: 360trev on November 12, 2020, 08:00:41 PM
I had to do a bit of work on a MED9x firmware recently and needed to lookup the P-Code table.

I found it alright (see below)

ROM:00447CC0:                   88 8D AD 66                             lbz       r4, -0x529A(r13)
Locate_CLAAA_CDCAAA+4    3D 80 00 5E                             lis       r12, (CLAAAA+0x10000)@h # CLAAAA
Locate_CLAAA_CDCAAA+8    39 8C 90 F3                             addi      r12, r12, -0x6F0D # CLAAAA
Locate_CLAAA_CDCAAA+C    3D 60 00 5E                             lis       r11, (CDCAAA+0x1120+0x10000)@h # 0x5DA438
Locate_CLAAA_CDCAAA+10   7D 8C 22 14                             add       r12, r12, r4
Locate_CLAAA_CDCAAA+14   3C 60 00 5E                             lis       r3, (CDCAAA+0x10000)@h # CDCAAA
Locate_CLAAA_CDCAAA+18   39 6B A4 38                             addi      r11, r11, -0x5BC8 # 0x5DA438
Locate_CLAAA_CDCAAA+1C   7D 44 22 14                             add       r10, r4, r4
Locate_CLAAA_CDCAAA+20   38 63 93 18                             addi      r3, r3, -0x6CE8 # CDCAAA
Locate_CLAAA_CDCAAA+24   54 84 18 38                             slwi      r4, r4, 3
Locate_CLAAA_CDCAAA+28   7D 6B 52 14                             add       r11, r11, r10
Locate_CLAAA_CDCAAA+2C   7C 63 22 14                             add       r3, r3, r4
Locate_CLAAA_CDCAAA+30   91 6D 91 34                             stw       r11, -0x6ECC(r13)
Locate_CLAAA_CDCAAA+34   91 8D 91 28                             stw       r12, -0x6ED8(r13)
Locate_CLAAA_CDCAAA+38   90 6D 91 30                             stw       r3, -0x6ED0(r13)
Locate_CLAAA_CDCAAA+3C   90 6D 91 2C                             stw       r3, -0x6ED4(r13)
Locate_CLAAA_CDCAAA+40   4E 80 00 20                             blr

.. but what I am looking for is a quick explanation of how the addressing modes work here.

More specifically they reference these addresses..

ROM:005D90F3 00 00 06 06 00 00 00 06+CLAAAA:         .short 0                # 0
ROM:005D90F3 03 03 03 03 03 03 03 03+                                        # DATA XREF: Locate_CLAAA_CDCAAA+4↑o
ROM:005D90F3 06 06 03 00 03 03 06 06+                                        # ROM:00577A90↑o
ROM:005D90F3 06 06 00 00 06 06 06 06+                .short 0x606            # 1
ROM:005D90F3 1F 1F 06 00 00 06 00 00+                .short 0                # 2

Without reading the reference manual for hours (yes, I intend to do this at some point), how is IDA deriving the offset back to these locations, specifically in relation to the hex of the assembly instructions?
I can see for instance on the 3rd instruction the operands include 90F3 and the ROM address where CLAAAA is located is indeed at 5D90F3, which is 1D90F3 bytes into the file. Where is the extra 400000 coming from? Is there some address translation going on that someone can easily explain...

I'm trying to search for the hex codes and then from the hex work out the CLAAAA address but I am missing something... Is the clue related to R13?

Damn it.. I better download the instruction set reference manual....
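Added worked example (editor's addition, not code from the original post or from NefMoto): a small Python decoder that replays the lis/addi pairs from the listing above and shows where IDA's operand comments come from. The two encodings involved are both D-form: `lis rD, imm` is really `addis rD, 0, imm`, which puts `imm` in the high 16 bits, and `addi rD, rA, imm` adds a sign-extended 16-bit immediate. So `lis r12, 0x5E` gives 0x005E0000, and `addi r12, r12, 0x90F3` adds 0x90F3 interpreted as the negative value -0x6F0D, landing on 0x5D90F3. The same split-and-sign-extend rule applies to `lbz r4, -0x529A(r13)` and the `stw` lines, where r13 is the PowerPC EABI small-data-area base pointer and the effective address is r13 plus the signed offset. The 0x400000 load base is an assumption inferred from the post (ROM:005D90F3 being 0x1D90F3 bytes into the file); the helper names below are the example's own.

```python
import struct

# Constructed input: the six instruction words copied from the post's
# Locate_CLAAA_CDCAAA listing that build the three pointers (the interleaved
# add/slwi/stw instructions are left out; only lis/addi are replayed here).
LISTING = bytes.fromhex(
    "3D80005E"   # lis  r12, 0x5E
    "398C90F3"   # addi r12, r12, -0x6F0D   -> CLAAAA
    "3D60005E"   # lis  r11, 0x5E
    "3C60005E"   # lis  r3,  0x5E
    "396BA438"   # addi r11, r11, -0x5BC8   -> CDCAAA+0x1120
    "38639318"   # addi r3,  r3,  -0x6CE8   -> CDCAAA
)

# Assumption: IDA loaded the image at 0x400000, which is why the post sees
# CLAAAA at ROM:005D90F3 but 0x1D90F3 bytes into the file.
IDA_LOAD_BASE = 0x400000

OP_ADDI, OP_ADDIS, OP_LBZ, OP_STW = 14, 15, 34, 36


def sext16(imm):
    """Sign-extend a 16-bit immediate, as addi and the load/store D-forms do."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm


def decode_dform(word):
    """Split a 32-bit D-form instruction into (opcode, rD/rS, rA, imm16)."""
    return (word >> 26) & 0x3F, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF


def trace_addresses(code):
    """Replay lis/addi over a register file and return the resulting 32-bit values."""
    regs = {}
    for (word,) in struct.iter_unpack(">I", code):       # big-endian PowerPC words
        opcode, rd, ra, imm = decode_dform(word)
        base = 0 if ra == 0 else regs[ra]                # rA == 0 means literal zero
        if opcode == OP_ADDIS:                           # lis rD, imm == addis rD, 0, imm
            regs[rd] = (base + (imm << 16)) & 0xFFFFFFFF
        elif opcode == OP_ADDI:                          # addi sign-extends its immediate
            regs[rd] = (base + sext16(imm)) & 0xFFFFFFFF
        else:
            raise ValueError(f"unsupported opcode {opcode} in word {word:#010x}")
    return regs


def split_address(addr):
    """Return (hi, lo) with (hi << 16) + lo == addr and lo a signed 16-bit value.
    hi is what IDA prints as (addr+0x10000)@h when lo comes out negative."""
    lo = sext16(addr & 0xFFFF)
    hi = ((addr - lo) >> 16) & 0xFFFF
    return hi, lo


def lis_addi_words(rd, addr):
    """Encode `lis rD, hi ; addi rD, rD, lo` for addr, e.g. to grep a ROM dump
    for every place a given table pointer is materialised."""
    hi, lo = split_address(addr)
    lis = (OP_ADDIS << 26) | (rd << 21) | (0 << 16) | hi
    addi = (OP_ADDI << 26) | (rd << 21) | (rd << 16) | (lo & 0xFFFF)
    return lis, addi


def rom_to_file_offset(addr, load_base=IDA_LOAD_BASE):
    """Map an IDA ROM: address back to a byte offset in the dumped file."""
    return addr - load_base


def sda_reference(word):
    """For an r13-relative lbz/stw return (reg, base_reg, signed_offset); the
    effective address is base_reg + signed_offset (r13 = small-data base)."""
    opcode, rd, ra, imm = decode_dform(word)
    if opcode not in (OP_LBZ, OP_STW):
        raise ValueError("not an lbz/stw D-form instruction")
    return rd, ra, sext16(imm)


if __name__ == "__main__":
    regs = trace_addresses(LISTING)
    for reg in (12, 11, 3):
        addr = regs[reg]
        print(f"r{reg} = {addr:#x}  file offset {rom_to_file_offset(addr):#x}  "
              f"lis/addi halves {split_address(addr)}")
    print("encoding for r12 <- CLAAAA:", [f"{w:#010x}" for w in lis_addi_words(12, 0x5D90F3)])
    print("lbz r4,-0x529A(r13) decodes to", sda_reference(0x888DAD66))
```

The round trip is the useful part: `split_address` reproduces the 0x5E / 0x90F3 halves IDA shows, and `lis_addi_words` turns a known table address back into the exact byte pattern (3D 80 00 5E 39 8C 90 F3 for r12), which is what you need when searching a raw dump rather than the IDA database.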