Title: MED9.1 Find LDRXN
Post by: haxpure on October 07, 2022, 12:52:40 PM

Hello Guys! I'm new to MED9 (started not long ago with reverse engineering) and I tried to follow the tutorials that are on the forum here. So far so good... I loaded a project that is available here where LDRXN is already named right.

I used a different file where I had a damos. It looks identical but not quite the same. This is the subroutine from the pre-decompiled file from the forum (LDRXN):

ROM:0052D298 # =============== S U B R O U T I N E =======================================
ROM:0052D298
ROM:0052D298
ROM:0052D298 LOAD_LDRXN_AND_LDRXNZK:
ROM:0052D298
ROM:0052D298 .set var_50, -0x50
ROM:0052D298 .set var_4C, -0x4C
ROM:0052D298 .set var_44, -0x44
ROM:0052D298 .set var_28, -0x28
ROM:0052D298 .set var_20, -0x20
ROM:0052D298 .set arg_0, 0
ROM:0052D298
ROM:0052D298 addi r11, r1, arg_0
ROM:0052D29C stwu r1, -0x28(r1)
ROM:0052D2A0 mflr r0
ROM:0052D2A4 bl sub_4C40E0
ROM:0052D2A8 lis r27, unk_5D048E@h
ROM:0052D2AC addi r27, r27, unk_5D048E@l
ROM:0052D2B0 lbz r4, byte_7FC596
ROM:0052D2B4 addi r3, r27, 0
ROM:0052D2B8 bl sub_5A6C4C
ROM:0052D2BC stw r3, dword_7FEF6C
ROM:0052D2C0 lbz r12, byte_7FEECB
ROM:0052D2C4 lbz r9, byte_7FEECE
ROM:0052D2C8 mulli r12, r12, 3
ROM:0052D2CC lis r10, LDRXN1_REF@h <------- Renamed Address
ROM:0052D2D0 add r9, r9, r12
ROM:0052D2D4 addi r10, r10, LDRXN1_REF@l <------- Renamed Address
ROM:0052D2D8 slwi r9, r9, 2
ROM:0052D2DC lwzx r3, r10, r9

This is how my subroutine looks.
Identical but looks wrong to me :/

ROM:0051A5E8 # =============== S U B R O U T I N E =======================================
ROM:0051A5E8
ROM:0051A5E8
ROM:0051A5E8 LOAD_LDRXN_AND_LDRXNZK:
ROM:0051A5E8
ROM:0051A5E8 .set var_50, -0x50
ROM:0051A5E8 .set var_4C, -0x4C
ROM:0051A5E8 .set var_44, -0x44
ROM:0051A5E8 .set var_28, -0x28
ROM:0051A5E8 .set var_20, -0x20
ROM:0051A5E8 .set arg_0, 0
ROM:0051A5E8
ROM:0051A5E8 addi r11, r1, arg_0
ROM:0051A5EC stwu r1, -0x28(r1)
ROM:0051A5F0 mflr r0
ROM:0051A5F4 bl sub_4BD24C
ROM:0051A5F8 lis r27, ((word_5CF4F6+0x10000)@h)
ROM:0051A5FC addi r27, r27, -0xB0A # word_5CF4F6
ROM:0051A600 lbz r4, byte_7FC6D3
ROM:0051A604 addi r3, r27, 0
ROM:0051A608 bl sub_590DD4
ROM:0051A60C stw r3, dword_7FEECC
ROM:0051A610 lbz r9, byte_7FEE2A
ROM:0051A614 lis r10, ((off_5CF528+0x10000)@h) <------- This should be the call to load the map #1. But why is there the 0x10000?? <--------- And here is the add missing
ROM:0051A618 addi r10, r10, -0xAD8 # off_5CF528
ROM:0051A61C clrlslwi r9, r9, 24,2
ROM:0051A620 lwzx r3, r10, r9

Shouldn't the function always be 100% identical? Maybe someone can give me a hint so I can learn and progress ??? Greetings from Austria ;D

Title: Re: MED9.1 Find LDRXN
Post by: rogerius on October 08, 2022, 12:27:29 AM

I am not more advanced than you, but I would load bin and damos in WinOLS (good you have them), then look for LDRXNx maps and identify map and axes addresses in the disassembly, then define the entire function with damos in hand.

What I observed is that not all bins have exactly the same structured function(s), but they are similar.

Title: Re: MED9.1 Find LDRXN
Post by: rogerius on October 08, 2022, 12:32:19 AM

My annotations look like this (not guaranteed correct, just an idea):
...............................
4B FA 83 3D bl sub_BA27C
ROM:00111F44 3F 60 00 5D lis r27, ((SignBitXaxis_STA10LDUB_word_5CD9C4+0x10000)@h)
ROM:00111F48 3B 7B D9 C4 addi r27, r27, -0x263C # SignBitXaxis_STA10LDUB_word_5CD9C4
ROM:00111F4C 88 8D 26 01 lbz r4, tans
ROM:00111F50 38 7B 00 00 addi r3, r27, 0
ROM:00111F54 48 06 E4 E1 bl sub_180434
ROM:00111F58 90 6D 36 E0 stw r3, esst_sta10ldub
ROM:00111F5C
ROM:00111F5C mapLDRXN: # offset for SignWrdXaxisAndMap_LDRXN is 5CD8DC
ROM:00111F5C 3C 60 00 5D lis r3, ((SignWrdXaxisAndMap_LDRXN_off_5CD8DC+0x10000)@h) # nonoffsetSignWrd address is 1CD8DC
ROM:00111F5C # nonoffsetSignWrd=1CDDC is followed by Xaxis=1CD8DE and map=1CD8FE
ROM:00111F60 38 63 D8 DC addi r3, r3, -0x2724 # SignWrdXaxisAndMap_LDRXN_off_5CD8DC
ROM:00111F64
ROM:00111F64 continue_normalLDRLMXcode_afterAltLDRXNs_selection:
ROM:00111F64 A0 8D 35 EC lhz r4, nmot_w
ROM:00111F68 48 07 0B FD bl Lookup_XaxisAndMap_LDRXNs_sub_182B64
ROM:00111F6C B0 6D 0F D2 sth r3, rlmaxmd_w
ROM:00111F70
ROM:00111F70 checkif_knock:
ROM:00111F70 89 8D EB 40 lbz r12, B_kfzk
ROM:00111F74 2C 0C 00 00 cmpwi r12, 0
ROM:00111F78 41 82 00 1C beq no_knock
ROM:00111F7C
ROM:00111F7C Is_knock_mapLDRXNZK:
ROM:00111F7C 3C 60 00 5D lis r3, ((SignWrdXaxisAndMap_LDRXNZK_off_5CD91E+0x10000)@h)
ROM:00111F80 38 63 D9 1E addi r3, r3, -0x26E2 # SignWrdXaxisAndMap_LDRXNZK_off_5CD91E
ROM:00111F84 A0 8D 35 EC lhz r4, nmot_w
ROM:00111F88 48 07 0B DD bl Lookup_XaxisAndMap_LDRXNs_sub_182B64
ROM:00111F8C 3B 43 00 00 addi r26, r3, 0
ROM:00111F90 48 00 00 08 b loc_111F98
ROM:00111F94 # ---------------------------------------------------------------

Title: Re: MED9.1 Find LDRXN
Post by: prj on October 08, 2022, 02:58:39 AM

.text_external_flash2:0012D7B0 LDRLMX_50ms: # DATA XREF: .text_external_flash2:000BAEFC↑o
.text_external_flash2:0012D7B0
.text_external_flash2:0012D7B0 .set back_chain, -0x28
.text_external_flash2:0012D7B0 .set var_20, -0x20
.text_external_flash2:0012D7B0 .set pre_back_chain, 0
.text_external_flash2:0012D7B0
.text_external_flash2:0012D7B0 addi r11, r1, pre_back_chain
.text_external_flash2:0012D7B4 stwu r1, back_chain(r1)
.text_external_flash2:0012D7B8 mflr r0
.text_external_flash2:0012D7BC bl _savegpr_26_l
.text_external_flash2:0012D7C0 lis r27, STA10LDUB@ha
.text_external_flash2:0012D7C4 addi r27, r27, STA10LDUB@l
.text_external_flash2:0012D7C8 lbz r4, (tans - 0x7FFFF0)(r13)
.text_external_flash2:0012D7CC addi r3, r27, 0
.text_external_flash2:0012D7D0 bl gkl_sst_U8
.text_external_flash2:0012D7D4 stw r3, (esst_sta10ldub - 0x7FFFF0)(r13)
.text_external_flash2:0012D7D8 lbz r12, (vkGeArt3 - 0x7FFFF0)(r13)
.text_external_flash2:0012D7DC lbz r9, (vkKraQu - 0x7FFFF0)(r13)
.text_external_flash2:0012D7E0 mulli r12, r12, 3
.text_external_flash2:0012D7E4 lis r10, LDRXN@ha
.text_external_flash2:0012D7E8 add r9, r9, r12
.text_external_flash2:0012D7EC addi r10, r10, LDRXN@l
.text_external_flash2:0012D7F0 slwi r9, r9, 2
.text_external_flash2:0012D7F4 lwzx r3, r10, r9
.text_external_flash2:0012D7F8 lhz r4, (nmot_w - 0x7FFFF0)(r13)
.text_external_flash2:0012D7FC bl kl_ipol_U16
.text_external_flash2:0012D800 sth r3, (rlmaxmd_w - 0x7FFFF0)(r13)
.text_external_flash2:0012D804 lbz r11, (B_kfzk - 0x7FFFF0)(r13)
.text_external_flash2:0012D808 cmpwi r11, 0
.text_external_flash2:0012D80C beq loc_12D840
.text_external_flash2:0012D810 lbz r10, (vkGeArt3 - 0x7FFFF0)(r13)
.text_external_flash2:0012D814 lbz r11, (vkKraQu - 0x7FFFF0)(r13)
.text_external_flash2:0012D818 mulli r10, r10, 3
.text_external_flash2:0012D81C lis r12, LDRXNZK@ha
.text_external_flash2:0012D820 add r11, r11, r10
.text_external_flash2:0012D824 addi r12, r12, LDRXNZK@l
.text_external_flash2:0012D828 slwi r11, r11, 2
.text_external_flash2:0012D82C lwzx r3, r12, r11
.text_external_flash2:0012D830 lhz r4, (nmot_w - 0x7FFFF0)(r13)
.text_external_flash2:0012D834 bl kl_ipol_U16
.text_external_flash2:0012D838 addi r26, r3, 0
.text_external_flash2:0012D83C b loc_12D844
.text_external_flash2:0012D840 # ---------------------------------------------------------------------------
.text_external_flash2:0012D840
.text_external_flash2:0012D840 loc_12D840: # CODE XREF: LDRLMX_50ms+5C↑j
.text_external_flash2:0012D840 lhz r26, (rlmaxmd_w - 0x7FFFF0)(r13)
.text_external_flash2:0012D844
.text_external_flash2:0012D844 loc_12D844: # CODE XREF: LDRLMX_50ms+8C↑j
.text_external_flash2:0012D844 lbz r11, (vstrlx - 0x7FFFF0)(r13)
.text_external_flash2:0012D848 clrlwi r12, r26, 16
.text_external_flash2:0012D84C mullw r12, r12, r11
.text_external_flash2:0012D850 srwi r12, r12, 8
.text_external_flash2:0012D854 sth r12, (rlmx_w - 0x7FFFF0)(r13)

Title: Re: MED9.1 Find LDRXN
Post by: prj on October 08, 2022, 03:09:59 AM

And if you let Ghidra do all the work for you:
Code:
esst_sta10ldub = gkl_sst_U8(STA10LDUB,tans);