Topic: Subroutines without any xrefs
Neuss
« on: November 11, 2019, 06:14:40 AM »

In the firmware disassembled in IDA Pro, there are functions for which there are no xrefs, as in the example below. Firmware HJ 0002. How to determine where such functions are called from?
woj
« Reply #1 on: November 11, 2019, 02:56:09 PM »

These are from indirect calls / calls by function pointer. The actual call is by a 3-op procedure:

Code:
indirect_call:
  push r5
  push r4
  rets

Before this is called there is typically a read of a function pointer from a larger array or some other structure to put the segment and offset of the function into r4/r5. In my disassembly I tried to do it completely right and bind all such structures to their call sites; I managed 99%, but this is a very tedious task.
Neuss
« Reply #2 on: November 12, 2019, 11:31:15 AM »

How can "push r4, push r5, rets" invoke a function? I cannot find such addressing in the datasheet ...
nyet
« Reply #3 on: November 12, 2019, 12:19:47 PM »

How can "push r4, push r5, rets" invoke a function? I cannot find such addressing in the datasheet ...

rets means return according to items on the stack. So push stuff on the stack, call rets, and it's the same as a call, except when that routine rets, it returns to the caller of the original function.
« Last Edit: November 13, 2019, 09:42:06 AM by nyet »
fluke9
« Reply #4 on: November 13, 2019, 04:52:09 AM »

Code:
indirect_call:
  push r5
  push r4
  rets

Find that thing, make a subfunction out of it and you will find a lot of calls to it like here:

Code:
2032                 mov     r4, asc0_ErrorISR_Function
2036                 mov     r5, word_E084
203A                 calls   0, StackJumpR5R4_1342 ; Jumps to the address R5:R4


This is also often used to look up functions from a function pointer table with an index and then call them.
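An added example (editor's code, not from this thread or any poster): it models what `push r5; push r4; rets` does to CSP:IP, and resolves call sites of the trampoline from a constructed IDA-style listing, reusing the trampoline name and the symbolic operands from fluke9's post. Loads of r4/r5 from a register-indirect table slot or a named RAM word are reported as unresolved, which is the case woj says must be bound to its table by hand.

```python
import re

# Constructed sample listing in the style of the thread's IDA output (not real firmware).
SAMPLE_LISTING = """
2032  mov     r4, #1234h
2036  mov     r5, #82h
203A  calls   0, StackJumpR5R4_1342 ; jump to R5:R4
2040  mov     r4, [r0+#2]
2044  mov     r5, [r0+#4]
2048  calls   0, StackJumpR5R4_1342 ; table lookup, not resolvable statically
204C  mov     r4, asc0_ErrorISR_Function
2050  mov     r5, word_E084
2054  calls   0, StackJumpR5R4_1342 ; segment read from RAM at run time
"""

TRAMPOLINE = "StackJumpR5R4_1342"  # name used in fluke9's listing
LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\w+)\s+(.*?)\s*(?:;.*)?$")

def rets_target(r4, r5):
    """Model the trampoline 'push r5; push r4; rets' on the C166 stack.
    rets pops IP first (top of stack = r4) and then CSP (= r5), so the CPU
    continues at segment r5, offset r4; the linear address is r5*0x10000 + r4."""
    stack = [r5, r4]           # push r5, then push r4 (r4 ends up on top)
    ip = stack.pop()           # rets: IP  <- r4
    csp = stack.pop()          #       CSP <- r5
    return (csp << 16) | ip

def parse_imm(tok):
    """Accept IDA-style immediates '#1234h', '#0x1234' or '#10'; anything else
    (a register-indirect load or a named memory word) returns None."""
    m = re.fullmatch(r"#(?:0x([0-9A-Fa-f]+)|([0-9A-Fa-f]+)h|(\d+))", tok)
    if not m:
        return None
    hexdigits = m.group(1) or m.group(2)
    return int(hexdigits, 16) if hexdigits else int(m.group(3))

def resolve_indirect_calls(listing, trampoline=TRAMPOLINE):
    """Map each call site of the trampoline to its resolved target address, or to
    None when r4/r5 were loaded from memory rather than from immediates."""
    regs, targets = {}, {}
    for m in filter(None, map(LINE.match, listing.splitlines())):
        addr, mnem, operands = m.groups()
        ops = [o.strip() for o in operands.split(",")]
        if mnem == "mov" and ops[0] in ("r4", "r5"):
            regs[ops[0]] = parse_imm(ops[1])
        elif mnem == "calls" and ops[-1] == trampoline:
            r4, r5 = regs.get("r4"), regs.get("r5")
            targets[int(addr, 16)] = rets_target(r4, r5) if None not in (r4, r5) else None
            regs.clear()       # the next call site loads its own r4/r5
    return targets
```

In a real listing the unresolved entries are where the function-pointer table lives; once the table contents are known, each entry can be added as a code xref from the call site so the callee stops showing up without xrefs.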
DT
« Reply #5 on: April 29, 2021, 03:34:20 PM »

These are from indirect calls / calls by function pointer. The actual call is by a 3-op procedure:
Code:
indirect_call:
  push r5
  push r4
  rets
Before this is called there is typically a read of a function pointer from a larger array or some other structure to put the segment and offset of the function into r4/r5. In my disassembly I tried to do it completely right and bind all such structures to their call sites; I managed 99%, but this is a very tedious task.
I've not been able to find where these sometimes long arrays are referenced from. From what I understand, you know from where and how?