360trev
« Reply #90 on: January 03, 2013, 05:00:51 PM »
360: it already detects the multipoint no problem; I just loosened the matching parameters some (see latest git checkin). What I can't find is the CRC blocks

Yes, but this way should be guaranteed for ANY variant; it derives it from the actual code init function, without using signatures which may or may not always work and could hit false positives. Here's the full checksum routine in case anyone is interested, it requires fully commenting however...

Multipoint:
    mov   [-r0], r9                            ; save r6..r9
    mov   [-r0], r8
    mov   [-r0], r7
    mov   [-r0], r6
    calls 86h, CHECK1
    movb  rl4, loop_counter
    cmpb  rl4, #1
    jmpa  cc_NZ, exit_chk
    movb  rl5, initvar3
    cmpb  rl5, #4
    jmpr  cc_NC, chk2                          ; all regions summed: compare
    mov   r8, MainRom_Checksum_START_Low_cpy   ; resume cursor r9:r8
    mov   r9, MainRom_Checksum_START_High_cpy
    mov   r7, #0                               ; words summed this pass
    jmpr  cc_UC, Check_Done_1024

chk7:
    exts  r9, #1
    mov   r4, [r8]                             ; add one 16-bit word into initvar2:initvar1
    mov   r5, #0
    add   initvar1, r4
    addc  initvar2, r5
    add   r8, #2
    addc  r9, #0
    add   r7, #1

Check_Done_1024:
    cmp   r7, #1024                            ; at most 1024 words per pass
    jmpr  cc_NC, chk5
    mov   r4, r8
    mov   r5, r9
    sub   r4, MainRom_Checksum_End_Low_Cpy
    subc  r5, MainRom_Checksum_End_High_Cpy
    jmpr  cc_C, chk7                           ; cursor < end: keep summing

chk5:
    mov   MainRom_Checksum_START_Low_cpy, r8   ; save cursor for the next pass
    mov   MainRom_Checksum_START_High_cpy, r9
    mov   r4, r8
    mov   r5, r9
    sub   r4, MainRom_Checksum_End_Low_Cpy
    subc  r5, MainRom_Checksum_End_High_Cpy
    jmpa  cc_C, exit_chk
    jmpr  cc_UC, chk4                          ; region finished: load the next one

chk2:
    mov   r4, initvar1
    mov   r5, initvar2
    extp  #543, #2
    sub   r4, Checksum_Final_Hi
    subc  r5, Checksum_Final_Lo
    jmpr  cc_NZ, chk1                          ; mismatch
    mov   r4, #1B00h                           ; match: set bit 3 at 0E0h:1B00h
    mov   r5, #0E0h
    extp  r5, #1
    movb  rl3, [r4]
    orb   rl3, #8
    mov   r4, #1B00h
    mov   r5, #0E0h
    extp  r5, #1
    movb  [r4], rl3
    jmpr  cc_UC, chk3

chk1:
    mov   r4, #1B00h                           ; mismatch: clear bit 3 at 0E0h:1B00h
    mov   r5, #0E0h
    extp  r5, #1
    movb  rl3, [r4]
    andb  rl3, #0F7h
    mov   r4, #1B00h
    mov   r5, #0E0h
    extp  r5, #1
    movb  [r4], rl3

chk3:
    movb  loop_counter, ZEROS
    jmpr  cc_UC, exit_chk

chk4:
    movb  rl4, #2
    addb  initvar3, rl4                        ; next region index
    movbz r6, initvar3
    shl   r6, #2                               ; 4 words per table entry
    extp  #206h, #3                            ; region table: start lo/hi, end lo/hi
    mov   r4, [r6+3FE6h]
    mov   r5, [r6+3FE8h]
    nop
    mov   MainRom_Checksum_START_Low_cpy, r4
    mov   MainRom_Checksum_START_High_cpy, r5
    extp  #206h, #3
    mov   r4, [r6+3FEAh]
    mov   r5, [r6+3FECh]
    nop
    mov   MainRom_Checksum_End_Low_Cpy, r4
    mov   MainRom_Checksum_End_High_Cpy, r5

exit_chk:
    mov   r6, [r0+]                            ; restore r6..r9
    mov   r7, [r0+]
    mov   r8, [r0+]
    mov   r9, [r0+]
    rets
nyet
« Reply #91 on: January 03, 2013, 05:09:01 PM »
Success! For 4 block, I just let the CRC accumulate through all 5 regions:

0: Adr: 0x8183E9-0x8183F2 CalcCRC: F9A70C59 (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x90000 CRC: 13BFD815 CalcCRC: 13BFD815 (seed F9A70C59) CRC OK
2: Adr: 0x814252-0x817F4E @0x90006 CRC: 8C92421A CalcCRC: 8C92421A (seed 13BFD815) CRC OK
3: Adr: 0x818192-0x81FBDC CalcCRC: 07E6F36A (seed 8C92421A)
4: Adr: 0x826A00-0x82FFFC @0x9000c CRC: C95513B5 CalcCRC: C95513B5 (seed 07E6F36A) CRC OK

phila: I need a way to detect the 0x8183e9 range...

360: OK, I will try to use what you gave me to do a better job looking for start. Actually, if you can give me an exact needle/mask pair that would be ideal.
« Last Edit: January 03, 2013, 05:37:05 PM by nyet »
ME7.1 tuning guide | ECUx Plot | ME7Sum checksum | Trim heatmap tool
Please do not ask me for tunes. I'm here to help people make their own. Do not PM me technical questions! Please, ask all questions on the forums! Doing so will ensure the next person with the same issue gets the opportunity to learn from your ex
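What the "let the CRC accumulate through all 5 regions" output above implies, written out as an added example (this is my illustration, not ME7Sum's code and not anything posted in the thread): the CRC state at the end of region i is handed unchanged to region i+1 as its seed, so regions that have no stored CRC of their own (0 and 3 in the log) still feed into the values checked at the slots that follow. The CRC parameters (reflected CRC-32, polynomial 0xEDB88320, no pre/post inversion), the 0x800000 flash base (taken from the page's 0x890000 / @0x90000 pairs), inclusive region ends and the 1 KB demo image are all assumptions; the page states none of them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ROM_BASE 0x800000UL   /* flash base, assumed from the @file offsets in the log */

/* One checked region, inclusive ROM addresses as ME7Sum prints them
 * ("Adr: 0x810002-0x813FFE"). Inclusive end is an assumption. */
typedef struct { uint32_t start, end; } region_t;

/* Table-driven reflected CRC-32 (poly 0xEDB88320). The ECU's real polynomial,
 * init and final XOR are not stated on the page; this routine deliberately has
 * no pre/post inversion, so the state that comes out of one region is exactly
 * the seed that goes into the next. That is the chaining the log shows. */
static uint32_t crc_table[256];

static void crc32_init_table(void)
{
    if (crc_table[1])                  /* already built */
        return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
}

uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc32_init_table();
    while (n--)
        crc = crc_table[(crc ^ *p++) & 0xFFu] ^ (crc >> 8);
    return crc;
}

/* Sanity check of the table: CRC-32/IEEE of "123456789" with the usual
 * 0xFFFFFFFF init and final XOR is 0xCBF43926. */
uint32_t crc32_check_value(void)
{
    return crc32_update(0xFFFFFFFFu, (const uint8_t *)"123456789", 9) ^ 0xFFFFFFFFu;
}

/* Run the CRC through r[0..nr-1] in order, starting from 'seed'.
 * per_region[i] receives the state after region i: the log's "CalcCRC" for
 * region i and its "seed" for region i+1. Returns the final state; sets *err
 * and returns 0 if a region does not lie inside the image. */
uint32_t crc32_chain(const uint8_t *img, size_t len, const region_t *r, int nr,
                     uint32_t seed, uint32_t *per_region, int *err)
{
    uint32_t crc = seed;
    *err = 0;
    for (int i = 0; i < nr; i++) {
        if (r[i].start < ROM_BASE || r[i].end < r[i].start ||
            (size_t)(r[i].end - ROM_BASE) >= len) {
            *err = 1;                  /* never read outside the image */
            return 0;
        }
        crc = crc32_update(crc, img + (r[i].start - ROM_BASE),
                           (size_t)(r[i].end - r[i].start) + 1);
        if (per_region)
            per_region[i] = crc;
    }
    return crc;
}

/* Constructed demo image (not a real dump): 1 KB of a deterministic byte
 * pattern, two checked regions with an unchecked gap between them. */
static uint8_t demo_img[0x400];

/* Chaining over the two regions must equal one CRC over their concatenation,
 * and re-running only the second region from the first region's result must
 * give the same value. Returns 1 when both hold. */
int demo_chain_equals_concat(void)
{
    static const region_t regs[2] = {
        { ROM_BASE + 0x10, ROM_BASE + 0x3F },   /* 0x30 bytes */
        { ROM_BASE + 0x80, ROM_BASE + 0xBF },   /* 0x40 bytes */
    };
    uint8_t cat[0x30 + 0x40];
    uint32_t per[2];
    int err;
    for (size_t i = 0; i < sizeof demo_img; i++)
        demo_img[i] = (uint8_t)(i * 7 + 3);
    uint32_t chained = crc32_chain(demo_img, sizeof demo_img, regs, 2, 0, per, &err);
    memcpy(cat, demo_img + 0x10, 0x30);
    memcpy(cat + 0x30, demo_img + 0x80, 0x40);
    uint32_t direct   = crc32_update(0, cat, sizeof cat);
    uint32_t two_step = crc32_update(per[0], demo_img + 0x80, 0x40);
    return !err && chained == direct && two_step == chained;
}

/* A region that runs past the end of the image must be rejected, not read. */
int demo_rejects_out_of_image(void)
{
    static const region_t bad = { ROM_BASE + 0x3F0, ROM_BASE + 0x400 };
    int err;
    (void)crc32_chain(demo_img, sizeof demo_img, &bad, 1, 0, NULL, &err);
    return err;
}
```

The point of the no-inversion design is only that the seed semantics match what the log prints; if the ECU's routine turns out to use a pre- or post-XOR, that belongs inside the per-region step, not in the chaining.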
phila_dot
« Reply #92 on: January 03, 2013, 05:34:42 PM »
This work?
E6 FC LL LL E6 FD HH HH E0 sE DA XX XX XX F6 F4
s == length in bytes
nyet
« Reply #93 on: January 03, 2013, 05:39:09 PM »
Phila, trying it now.
Are you sure the other two regions aren't checked anywhere?
phila_dot
« Reply #94 on: January 03, 2013, 05:49:50 PM »
Phila, trying it now.
Are you sure the other two regions aren't checked anywhere?
Other two as in 0 and 3 in your previous post? Not checked.
nyet
« Reply #95 on: January 03, 2013, 06:26:16 PM »
F, K and Q all work now, which leaves ferrari's bin, and 4Z7907551S, 8D0907551C, 8D0907551T.

T is curious, there seems to be a false match:

8D0907551T:
Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350

0: Adr: 0x81840A-0x818413 CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000 CalcCRC: F57794F2 (seed 7232DBBC) ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2 CalcCRC: 0E24D8DF (seed F57794F2) ** NOT OK **
3: Adr: 0x818192-0x81FBAC CalcCRC: 891D9138 (seed 0E24D8DF)
4: Adr: 0x81FBAE-0x81FBB0 @0x7d952 CRC: 0E24D8DF CalcCRC: DEDB9C23 (seed 891D9138) ** NOT OK **

4Z7907551S.bin can't find offsets at all
« Last Edit: January 03, 2013, 06:35:07 PM by nyet »
nyet
« Reply #96 on: January 03, 2013, 06:37:43 PM »
Err, after some code tweaking:

Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350

0: Adr: 0x81840A-0x818413 CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000 CalcCRC: F57794F2 (seed 7232DBBC) ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2 CalcCRC: 0E24D8DF (seed F57794F2) ** NOT OK **
3: Adr: 0x818192-0x81FBAC @0x7d952 CRC: 0E24D8DF CalcCRC: 891D9138 (seed 0E24D8DF) ** NOT OK **
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23 CalcCRC: DEDB9C23 (seed 891D9138) CRC OK

ETA: works with this search pattern, but that pattern doesn't work with the other boxes:

uint8_t needle[] = {0xEA, 0xA5, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t mask[]   = {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};

Found CRC #1 at 0x87d94c
Found CRC #2 at 0x87d952
Found CRC #3 at 0x87d958

0: Adr: 0x81840A-0x818413 CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x7d94c CRC: F57794F2 CalcCRC: F57794F2 (seed 7232DBBC) CRC OK
2: Adr: 0x814252-0x817F4E @0x7d952 CRC: 0E24D8DF CalcCRC: 0E24D8DF (seed F57794F2) CRC OK
3: Adr: 0x818192-0x81FBAC CalcCRC: 891D9138 (seed 0E24D8DF)
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23 CalcCRC: DEDB9C23 (seed 891D9138) CRC OK
« Last Edit: January 03, 2013, 07:24:53 PM by nyet »
jooo
« Reply #97 on: January 03, 2013, 07:44:36 PM »
The question now is how to convert the asm instruction relative offsets to byte offsets in the file? ...I believe a clue is to do with the segmented memory model of the C167 [C167 asm guys, help me out here!].

Somewhat described here http://nefariousmotorsports.com/forum/index.php?topic=1735.0 and some other threads in the Reverse Engineering board.
nyet
« Reply #98 on: January 03, 2013, 07:49:37 PM »
For those of you looking for patterns, here are the hexdumps near the matched areas.

M box:
Found possible CRC offset #1 at 0x87a866 (from 0x7ac96) f6 f5 4a aa [ e6 f4 66 a8 e6 f5 87 00 da 00 d8 7e ] f4 66 a8 e6
Found possible CRC offset #2 at 0x87a86c (from 0x7ad28) f6 f5 4e aa [ e6 f4 6c a8 e6 f5 87 00 da 00 d8 7e ] f4 6c a8 e6
Found possible CRC offset #3 at 0x87a872 (from 0x7adb8) f6 f5 52 aa [ e6 f4 72 a8 e6 f5 87 00 da 00 d8 7e ] f4 72 a8 e6
Found CRC #1 at 0x87a866
Found CRC #2 at 0x87a86c
Found CRC #3 at 0x87a872
1: Adr: 0x810002-0x813FFE @0x7a866 CRC: 214CD272 CalcCRC: 214CD272 (seed 00000000) CRC OK
2: Adr: 0x814252-0x817F4E @0x7a86c CRC: 17B90F53 CalcCRC: 17B90F53 (seed 00000000) CRC OK
3: Adr: 0x818192-0x81FBB0 @0x7a872 CRC: 7DE91383 CalcCRC: 7DE91383 (seed 00000000) CRC OK

K box:
Searching for main ROM CRC offsets...
Found possible CRC offset #1 at 0x890000 (from 0x904a2) f6 f5 da a8 [ e6 f4 00 00 e6 f5 89 00 da 00 d8 7e ] f4 00 00 e6
Found possible CRC offset #2 at 0x890006 (from 0x90522) f6 f5 da a8 [ e6 f4 06 00 e6 f5 89 00 da 00 d8 7e ] f4 06 00 e6
Found possible CRC offset #3 at 0x89000c (from 0x905aa) f6 f5 da a8 [ e6 f4 0c 00 e6 f5 89 00 da 00 d8 7e ] f4 0c 00 e6
Found CRC #1 at 0x890000
Found CRC #2 at 0x890006
Found CRC #3 at 0x89000c
0: Adr: 0x8183E9-0x8183F2 CalcCRC: F9A70C59 (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x90000 CRC: 13BFD815 CalcCRC: 13BFD815 (seed F9A70C59) CRC OK
2: Adr: 0x814252-0x817F4E @0x90006 CRC: 8C92421A CalcCRC: 8C92421A (seed 13BFD815) CRC OK
3: Adr: 0x818192-0x81FBDC CalcCRC: 07E6F36A (seed 8C92421A)
4: Adr: 0x826A00-0x82FFFC @0x9000c CRC: C95513B5 CalcCRC: C95513B5 (seed 07E6F36A) CRC OK

T box:
Found possible CRC offset #1 at 0x81b494 (from 0x37de6) f7 8e 0f 97 [ e6 f4 94 b4 e6 f5 81 00 da 00 d8 7e ] f4 94 b4 e6
Found possible CRC offset #2 at 0x87d94c (from 0x7df06) f6 f5 ea a5 [ e6 f4 4c d9 e6 f5 87 00 da 00 d8 7e ] f4 4c d9 e6
Found possible CRC offset #3 at 0x87d952 (from 0x7df86) f6 f5 ea a5 [ e6 f4 52 d9 e6 f5 87 00 da 00 d8 7e ] f4 52 d9 e6
Found possible CRC offset #4 at 0x87d958 (from 0x7e00e) f6 f5 ea a5 [ e6 f4 58 d9 e6 f5 87 00 da 00 d8 7e ] f4 58 d9 e6
Found possible CRC offset #5 at 0x87e350 (from 0x7e1dc) e4 a0 04 00 [ e6 f4 50 e3 e6 f5 87 00 da 00 d8 7e ] f4 50 e3 e6
Found CRC #1 at 0x81b494
Found CRC #2 at 0x87d94c
Found CRC #3 at 0x87d952
Found CRC #4 at 0x87d958
Found CRC #5 at 0x87e350
Did not find exactly 3 matches (got 5). CRC offset find failed
0: Adr: 0x81840A-0x818413 CalcCRC: 7232DBBC (seed 00000000)
1: Adr: 0x810002-0x813FFE @0x1b494 CRC: 00800000 CalcCRC: F57794F2 (seed 7232DBBC) ** NOT OK **
2: Adr: 0x814252-0x817F4E @0x7d94c CRC: F57794F2 CalcCRC: 0E24D8DF (seed F57794F2) ** NOT OK **
3: Adr: 0x818192-0x81FBAC @0x7d952 CRC: 0E24D8DF CalcCRC: 891D9138 (seed 0E24D8DF) ** NOT OK **
4: Adr: 0x81FBAE-0x81FBB0 @0x7d958 CRC: DEDB9C23 CalcCRC: DEDB9C23 (seed 891D9138) CRC OK

Maybe that f6 f5 XX XX sequence?
« Last Edit: January 03, 2013, 07:52:10 PM by nyet »
nyet
« Reply #99 on: January 03, 2013, 08:02:54 PM »
This seems to work for everything but 8D0907551C and 4Z7907551S. Comments?

//                                                      LL    LL                HH    HH
uint8_t needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t mask[]   = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};
phila_dot
« Reply #100 on: January 03, 2013, 08:40:50 PM »
This seems to work for everything but 8D0907551C and 4Z7907551S. Comments?

//                                                      LL    LL                HH    HH
uint8_t needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0xD8, 0x7E};
uint8_t mask[]   = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};
Different ROM? That's a call to ROM function at the end. Hardcoding addresses isn't always a good idea.
phila_dot
« Reply #101 on: January 03, 2013, 08:48:39 PM »
This works in four files I checked real quick.
E6 F4 XX XX E6 F5 XX XX DA 00 XX XX E6 00 04 02
nyet
« Reply #102 on: January 03, 2013, 09:01:49 PM »
Do you mean:
ETA: err nvm gimme a sec
« Last Edit: January 03, 2013, 09:06:52 PM by nyet »
nyet
« Reply #103 on: January 03, 2013, 09:08:54 PM »
Doesn't work for T box:

Found possible CRC offset #1 at 0x81b494 (from 0x37de6) f7 8e 0f 97 [e6 f4 94 b4 e6 f5 81 00 da 00 d8 7e e6 00 04 02] f4 94 b4 e6
Found possible CRC offset #2 at 0x87d94c (from 0x7df06) f6 f5 ea a5 [e6 f4 4c d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 4c d9 e6
Found possible CRC offset #3 at 0x87d952 (from 0x7df86) f6 f5 ea a5 [e6 f4 52 d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 52 d9 e6
Found possible CRC offset #4 at 0x87d958 (from 0x7e00e) f6 f5 ea a5 [e6 f4 58 d9 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 58 d9 e6
Found possible CRC offset #5 at 0x87e350 (from 0x7e1dc) e4 a0 04 00 [e6 f4 50 e3 e6 f5 87 00 da 00 d8 7e e6 00 04 02] f4 50 e3 e6
nyet
« Reply #104 on: January 03, 2013, 09:11:40 PM »
This does though (prepend f6 f5 xx xx):

needle[] = {0xF6, 0xF5, 0x00, 0x00, 0xE6, 0xF4, 0x00, 0x00, 0xE6, 0xF5, 0x00, 0x00, 0xDA, 0x00, 0x00, 0x00, 0xe6, 0x00, 0x04, 0x02};
mask[]   = {0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff};

4Z7907551S is still broken, of course.

ETA: with the F6 F5 XX XX I don't even seem to need the e6 00 04 02 tail...
« Last Edit: January 03, 2013, 09:17:07 PM by nyet »
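As an added example (my code, not ME7Sum's and not anything posted in the thread), here is the masked needle search from the last few posts together with the decoding step jooo asked about earlier: the matched bytes are `mov r4, #LLLL` (E6 F4) and `mov r5, #HHHH` (E6 F5) with little-endian 16-bit immediates, so the CRC slot's linear address is segment:offset = (HHHH << 16) | LLLL, and the byte offset in the file is that address minus the flash base. The 0x800000 base is taken from the page's own pairs (0x87a866 printed as @0x7a866, 0x890000 as @0x90000), not from anything the posts state outright. The sample buffer is constructed from the M-box and T-box hex dumps above (the T-box 0x81b494 hit begins F7 8E, so the F6 F5 prefix rejects it); the decoding of F6 F5 as a store of r5 to a direct address, the 1 MB image size and all function names are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Flash base. The thread prints ROM address 0x87a866 as file offset @0x7a866
 * and 0x890000 as @0x90000, so file_offset = rom_address - 0x800000 (assumed
 * from those pairs; not stated explicitly in the posts). */
#define ROM_BASE 0x800000UL

/* Final pattern from the thread, with the CALLS target masked off as
 * phila_dot suggested. My reading of the C166 encodings:
 *   F6 F5 ?? ??   mov <direct16>, r5   (address masked)
 *   E6 F4 LL LL   mov r4, #LLLL        low 16 bits of the CRC slot address
 *   E6 F5 HH HH   mov r5, #HHHH        segment of the CRC slot address
 *   DA 00 ?? ??   calls 00h, <ROM fn>  (target masked)                     */
static const uint8_t needle[] = {0xF6,0xF5,0x00,0x00, 0xE6,0xF4,0x00,0x00,
                                 0xE6,0xF5,0x00,0x00, 0xDA,0x00,0x00,0x00};
static const uint8_t mask[]   = {0xFF,0xFF,0x00,0x00, 0xFF,0xFF,0x00,0x00,
                                 0xFF,0xFF,0x00,0x00, 0xFF,0xFF,0x00,0x00};
#define NEEDLE_LEN (sizeof needle)

typedef struct {
    size_t   match_at;   /* file offset of the matched instruction sequence */
    uint32_t crc_addr;   /* 24-bit ROM address HHHH:LLLL of the stored CRC  */
    size_t   file_off;   /* crc_addr - ROM_BASE                              */
} crc_hit_t;

/* Masked byte search: first match at or after 'from', or -1 if none. */
static long find_masked(const uint8_t *buf, size_t len, size_t from)
{
    for (size_t i = from; i + NEEDLE_LEN <= len; i++) {
        size_t k = 0;
        while (k < NEEDLE_LEN && (buf[i + k] & mask[k]) == (needle[k] & mask[k]))
            k++;
        if (k == NEEDLE_LEN)
            return (long)i;
    }
    return -1;
}

/* Immediates are little-endian: LL at +6/+7, HH at +10/+11 of the match. */
static uint32_t hit_address(const uint8_t *p)
{
    uint32_t lo = (uint32_t)p[6]  | ((uint32_t)p[7]  << 8);
    uint32_t hi = (uint32_t)p[10] | ((uint32_t)p[11] << 8);
    return (hi << 16) | lo;
}

/* Scan 'buf' (len bytes) and keep hits whose decoded slot lies inside an
 * image of 'image_size' bytes starting at ROM_BASE. Returns the hit count. */
int find_crc_slots(const uint8_t *buf, size_t len, size_t image_size,
                   crc_hit_t *hits, int max)
{
    int n = 0;
    for (long at = find_masked(buf, len, 0); at >= 0 && n < max;
         at = find_masked(buf, len, (size_t)at + 1)) {
        uint32_t addr = hit_address(buf + at);
        if (addr < ROM_BASE || addr - ROM_BASE >= image_size)
            continue;                           /* points outside the flash */
        hits[n].match_at = (size_t)at;
        hits[n].crc_addr = addr;
        hits[n].file_off = addr - ROM_BASE;
        n++;
    }
    return n;
}

/* Constructed sample (not a real dump): filler, the T-box sequence at 0x81b494
 * that the thread flagged as a false match (prefix F7 8E, so it must not
 * match), filler, then the M-box sequence from the hex dump (prefix F6 F5). */
static const uint8_t sample_rom[] = {
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xF7,0x8E,0x0F,0x97, 0xE6,0xF4,0x94,0xB4, 0xE6,0xF5,0x81,0x00, 0xDA,0x00,0xD8,0x7E,
    0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,
    0xF6,0xF5,0x4A,0xAA, 0xE6,0xF4,0x66,0xA8, 0xE6,0xF5,0x87,0x00, 0xDA,0x00,0xD8,0x7E,
    0xCC,0xCC,0xCC,0xCC,
};
#define IMAGE_SIZE (1UL << 20)   /* assumed 1 MB ME7 image; the sample is a slice of one */

/* Wrappers over the sample so the result of each step can be checked. */
int      sample_hit_count(void)      { crc_hit_t h[4]; return find_crc_slots(sample_rom, sizeof sample_rom, IMAGE_SIZE, h, 4); }
size_t   sample_first_match_at(void) { crc_hit_t h[4]; return find_crc_slots(sample_rom, sizeof sample_rom, IMAGE_SIZE, h, 4) ? h[0].match_at : 0; }
uint32_t sample_first_crc_addr(void) { crc_hit_t h[4]; return find_crc_slots(sample_rom, sizeof sample_rom, IMAGE_SIZE, h, 4) ? h[0].crc_addr : 0; }
size_t   sample_first_file_off(void) { crc_hit_t h[4]; return find_crc_slots(sample_rom, sizeof sample_rom, IMAGE_SIZE, h, 4) ? h[0].file_off : 0; }

int main(int argc, char **argv)
{
    crc_hit_t hits[8];
    int n;
    if (argc > 1) {                              /* scan a real image file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        uint8_t *buf = malloc(IMAGE_SIZE);
        size_t len = buf ? fread(buf, 1, IMAGE_SIZE, f) : 0;
        fclose(f);
        n = find_crc_slots(buf, len, len, hits, 8);
        free(buf);
    } else {
        n = find_crc_slots(sample_rom, sizeof sample_rom, IMAGE_SIZE, hits, 8);
    }
    for (int i = 0; i < n; i++)
        printf("Found CRC #%d at 0x%06x (from 0x%zx) -> @0x%zx\n",
               i + 1, hits[i].crc_addr, hits[i].match_at, hits[i].file_off);
    return 0;
}
```

Run without arguments it scans the constructed sample and reports the single M-box hit; with a file argument it scans that image. The range check on the decoded address is the cheap guard against hits like the T-box 0x81b494 one: a pattern match whose operands do not point into the flash is noise, whatever the opcodes around it look like.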