|
masterj
|
 |
« Reply #45 on: November 27, 2012, 11:25:55 AM »
|
|
|
N0. If thats what you want then just press "x" after clicking on word_384960.
oh man, so i was trying so hard to do wrong thing  well, any thing I have learned is always useful. So now when I see xrefs to this word, I have tried to open few locations and basically it always goes like this: word is moved to r14 and after that always there's subroutine called. Is every single subroutine linked to different map addresses that uses axis from word? |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #46 on: November 27, 2012, 11:26:44 AM »
|
|
|
call sub_833B94 is a function call.
r15 is a function call parameter.
i.e.
function(.., blah, ...) in assembly
is
mov r15, blah
call function
here, function() is a map lookup, and r15 is loaded with the map address before calling the function.
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
nyet
|
|
« Reply #47 on: November 27, 2012, 11:28:10 AM »
|
|
|
The problem here is that you don't really understand how a compiler works (yet)
i.e. how does a compiler convert a function call and a function implementation into assembly.
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
masterj
|
|
« Reply #48 on: November 27, 2012, 11:42:50 AM »
|
|
|
The problem here is that you don't really understand how a compiler works (yet)
i.e. how does a compiler convert a function call and a function implementation into assembly.
I'm trying my best to understand this... Ok, so rxx are input variables to functions (that are called subroutines in asm). Now, I have calculated axis address that is set as r12 input variable (axis size addr - 206h * 4000h) of lookup function. My next step is to xref variable in r15 and find every function that uses this variable in its input, right? And one of those functions should be the one that outputs map address based on axis addres (using word_384960 for example)? P.S> by xrefing word_384960 I have found 3 other functions that are using same variable as input: sub_8343D2:
mov r3, r14
movbz r2, rh3
add r12, r2
extp r13, #1
movb rl4, [r12+]
movbs r4, rl4
shl r14, #8
shr r14, #1
jmpr cc_Z, locret_8343F6 sub_834370:
mov r3, r14
movbz r2, rh3
add r12, r2
extp r13, #1
movb rl4, [r12+]
movbz r4, rl4
shl r14, #8
shr r14, #1 sub_8343F8:
mov r3, r14
movbz r2, rh3
shl r2, #1
add r12, r2
extp r13, #1
mov r4, [r12+]
shl r14, #8
jmpr cc_Z, locret_834428 |
|
|
|
« Last Edit: November 27, 2012, 11:52:09 AM by masterj »
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #49 on: November 27, 2012, 12:18:33 PM »
|
|
|
You've got the right idea about function calls now.
However, I don't think there is a generalized function that outputs a map address based on an axis address, since there is no constant want to determine map address based on only the axis address.
You'll have to be more specific about what you are looking for (I couldn't really tell from the rest of your posts in the thread)
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
masterj
|
|
« Reply #50 on: November 27, 2012, 12:42:34 PM »
|
|
|
You've got the right idea about function calls now.
However, I don't think there is a generalized function that outputs a map address based on an axis address, since there is no constant want to determine map address based on only the axis address.
You'll have to be more specific about what you are looking for (I couldn't really tell from the rest of your posts in the thread)
Could you give me example of workflow how can I find map(s) that share known axis? For example I see axis start in my bin (4xxxxxxxDC) @ 1ABDC. Axis size is defined @ 1ABDA (it is 16bit data so we have to get back by word). I do the 81ABDAh - 206h * 4000h and find 2BDAh. I searched for 2BDAh and found seg003:352E8 mov r12, #2BDAh This is input to lookup function.... seg003:352E0 extp #0E1h, #1 ; 'ß'
seg003:352E4 mov word_38495E, r4
seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
seg003:352EC mov r13, #206h ; use 206h in equation
seg003:352F0 mov r14, word_F9B6 ; type of axis variable
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960 ; x this input variable to find all functions that uses this variable
seg003:352FC calls 83h, sub_833B94 |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #51 on: November 27, 2012, 01:08:37 PM »
|
|
|
Unfortunately, I'm a noob at disassembly. I'll shut up here and let people who know wtf they're doing answer.
However, if it was ME7.1, i'd just look at an existing map pack and search, and I wouldn't have to do any of that... I'm assuming that isn't an option in this case? Or maybe this is just an exercise for learning..
|
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
masterj
|
|
« Reply #52 on: November 27, 2012, 01:13:09 PM »
|
|
|
Unfortunately, I'm a noob at disassembly. I'll shut up here and let people who know wtf they're doing answer.
However, if it was ME7.1, i'd just look at an existing map pack and search, and I wouldn't have to do any of that... I'm assuming that isn't an option in this case? Or maybe this is just an exercise for learning..
This is learning exercise + some things that aren't that easy to track via winols... for example if I ever need to change axis values I need to be 100% sure on what maps it will have effects and also I want to be 100% before I'm doing any map edits... So far I can verify my definitions for one byte maps by comparing known ols file and looking at the xref data. But I need to learn how to connect axis with map(s) and vise versa to be able to check defined one dimensional and two dimensional maps... |
|
|
|
« Last Edit: November 27, 2012, 01:15:56 PM by masterj »
|
Logged
|
|
|
|
|
phila_dot
|
|
« Reply #53 on: November 27, 2012, 02:07:04 PM »
|
|
|
The axis will be described differently depending on the lookup method, so there isn't one set way to xref them.
Find the axis in IDA and depending on how it is described will determine how you can xref it.
|
|
|
|
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #54 on: November 27, 2012, 02:17:22 PM »
|
|
|
The axis will be described differently depending on the lookup method, so there isn't one set way to xref them.
Find the axis in IDA and depending on how it is described will determine how you can xref it.
How to find out how axis is DESCRIBED?  Here's axis in IDA: seg003:1ABDA dw 7 seg003:1ABDC dw 78h seg003:1ABDE dw 0C8h seg003:1ABE0 dw 1F4h seg003:1ABE2 dw 3E8h seg003:1ABE4 dw 5DCh seg003:1ABE6 dw 0BB8h seg003:1ABE8 dw 1194h |
|
|
|
|
Logged
|
|
|
|
|
matchew
|
|
« Reply #55 on: November 27, 2012, 02:53:05 PM »
|
|
|
How to find out how axis is DESCRIBED?
A reference line drawn on a graph from which you can measure from and find values. |
|
|
|
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #56 on: November 27, 2012, 04:35:49 PM »
|
|
|
Holly cracks! I finally understand how to connect axis to map! For example I see axis start in my bin (4xxxxxxxDC) @ 1ABDC. Axis size is defined @ 1ABDA (it is 16bit data so we have to get back by word). I do the 81ABDAh - 206h * 4000h and find 2BDAh. I searched for 2BDAh and found seg003:352E8 mov r12, #2BDAh This is input to lookup function.... seg003:352E0 extp #0E1h, #1 ; 'ß'
seg003:352E4 mov word_38495E, r4
seg003:352E8 mov r12, #2BDAh ; axis 1ABDA
seg003:352EC mov r13, #206h ; use 206h in equation
seg003:352F0 mov r14, word_F9B6 ; type of axis variable
seg003:352F4 extp #0E1h, #1 ; 'ß'
seg003:352F8 mov r15, word_384960 ; x this input variable to find all functions that uses this variable
seg003:352FC calls 83h, sub_833B94 Now I xref data that is in r15 and find a lot of locations. Next step is to check each and look at the r12 and r13. For example one instance: seg003:4F36A mov r12, #3B72h
seg003:4F36E mov r13, #206h
seg003:4F372 extp #0E1h, #1 ; 'ß'
seg003:4F376 mov r14, word_384960
seg003:4F37A calls 83h, sub_8343F8 r12 holds the map address and r13 holds the multiplier for 4000h, so to reverse it we go like this: 3B72h + 206h * 4000h = 81BB72So one of the maps is @ 1BB72!!! Also, what I do now is rename the first function to something like MAP_LOCATOR_SUB_833B94 to easily see it next time i look for axis |
|
|
|
« Last Edit: November 27, 2012, 04:44:10 PM by masterj »
|
Logged
|
|
|
|
|
masterj
|
|
« Reply #57 on: November 27, 2012, 04:56:03 PM »
|
|
|
So final result of my search is this: Axis @ 1ABDC is shared by: 1BB72
1BB2C
1BB56
1BB3A
1BB64
1BB48
1BB80
1BB1E
1843D
1844E
18455
18444A lot of maps, huh? Now I need help in getting the factor and offset for axis... how to look for them? Any ideas? |
|
|
|
|
Logged
|
|
|
|
|
nyet
|
|
« Reply #58 on: November 27, 2012, 05:32:56 PM »
|
|
|
3B72h + 206h * 4000h = 81BB72
Btw you should get used to writing that like so: (206h << 14) | 3b72h |
|
|
|
|
Logged
|
ME7.1 tuning guideECUx PlotME7Sum checksumTrim heatmap toolPlease do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
|
|
|
|
masterj
|
|
« Reply #59 on: November 27, 2012, 05:36:27 PM »
|
|
|
Now other thing I have noticed is for axes that have data xref. For example TVUB. Axis is here: seg003:13EB0 unk_813EB0: db 5 ; DATA XREF: sub_865E8C+58�r
seg003:13EB1 db 71h ; q
seg003:13EB2 db 8Eh
seg003:13EB3 db 0AAh ; ¬
seg003:13EB3 ; END OF FUNCTION CHUNK FOR sub_813CE2
seg003:13EB4 db 0C7h ; Ū
seg003:13EB5 db 0E3h ; Ń As you can see axis size is defined @ 13EB0 and it has direct xref which makes it extra easy All we have to do is double click the sub_865E8C+58�r. seg003:65EDC extp #0E1h, #1 ; 'ß'
seg003:65EE0 mov word_384A92, r4
seg003:65EE4 movbz r12, unk_813EB0
seg003:65EE8 mov r13, #3EB1h
seg003:65EEC mov r14, #3EB6h
seg003:65EF0 movbz r15, byte_38099C
seg003:65EF4 calls 0, sub_7B42 Now we look for r14, which holds address to the map (r13 I think holds first cell of axis, dunno why it is needed) One more thing: multiplier for 4000h can be 204h or 205h or 206h or 207h... 204h -> addr: 10000 : 14000 205h -> addr: 14000 : 18000 206h -> addr: 18000 : 1C000 207h -> addr: 1C000 : 20000 and so on.... |
|
|
|
« Last Edit: November 27, 2012, 05:42:15 PM by masterj »
|
Logged
|
|
|
|
|
