ozzy_rp
Jr. Member
« Reply #15 on: October 15, 2014, 11:06:43 PM »
> How do you do this? I cannot generate a new file in IDA after I copy the lines. epy

1. Load in IDA original file
2. In IDA File->Load file->Additional binary file... Select cut file (0x1C0000-0x1FFFFF) Loading segment: 0x5C000
ericpaulyoung
Full Member
« Reply #16 on: October 15, 2014, 11:18:38 PM »
How do I make a cut file? If I highlight the 0x1C0000-0x1FFFFF sections, I can copy it onto the clipboard, but what next? If I go to File->Load File->Additional Binary File, I just get a box to open another file, but I have not actually created another separate file yet.
I have tried to create a new file with the copy of 0x1C0000-0x1FFFFF, but that did not work. I am probably missing something very simple on how to create the additional binary file.
Please forgive me if I am asking a super newbie question. epy
ericpaulyoung
Full Member
« Reply #17 on: October 15, 2014, 11:35:40 PM »
OK, I think I have it. I highlighted the segment, then dumped the file, then loaded additional binary. The dumped file became the cut. Right? epy
ozzy_rp
Jr. Member
« Reply #18 on: October 16, 2014, 12:03:48 AM »
> OK, I think I have it. I highlighted the segment, then dumped the file, then loaded additional binary. The dumped file became the cut. Right? epy

Right
ericpaulyoung
Full Member
« Reply #19 on: October 16, 2014, 05:41:03 AM »
> Hello, I think that the memory map looks like this: ROM @ 0x000000 size 0x200000, Loading address 0x000000 size 0x200000
> And I cut data from the original file from 0x1C0000 to 0x1FFFFF, then I load this data as an additional binary file at 0x5C0000 size 0x40000.
> Now we have the correct addressing from the beginning of the file, with correct subroutine addresses. And correct addressing in the data block.

When you load the file, do you not specify the RAM address (leave RAM box unchecked), or do you use the address and size indicated by Basano, i.e.:
RAM @ 0x600000 size 0x300000
ROM @ 0x000000 size 0x200000
Loading address 0x000000 size 0x200000
m_chieppa
Newbie
« Reply #20 on: October 16, 2014, 06:38:37 AM »
I'm sorry, but at the moment I'm searching for some axes for some maps for my Octavia. All the steps in IDA are very clear and everything is working, but I was wondering how you find your axes for your map.
I'm looking for the axes for the maps:
- KFPZU0_UC 1C3114 x-ax: V, y-ax: 1/min, source x-ax: spsn_uc, source y-ax: nmot_uc
- KFPZU1_UC 1C3154 x-ax: V, y-ax: 1/min, source x-ax: spsn_uc, source y-ax: nmot_uc
If I look in IDA and go to the subroutine of KFPZU1_UC you see the following code:

ROM:004263BC loc_4263BC:                      # CODE XREF: sub_426310+8Cj
ROM:004263BC        lbz     r12, byte_7F8214
ROM:004263C0        cmpwi   r12, 0
ROM:004263C4        beq     loc_4263FC
ROM:004263C8        addi    r3, r2, -0x6E9C   # dword_5C3154
ROM:004263CC        lbz     r4, byte_5C3354
ROM:004263D0        lwz     r5, dword_7F8168
ROM:004263D4        lwz     r6, dword_7F8208
ROM:004263D8        bl      sub_423D90
ROM:004263DC        stb     r3, word_7F8178+1
ROM:004263E0        addi    r3, r2, -0x6F1C   # aAaaaaaaaaaaaaa # "ÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇÇ"...
ROM:004263E4        lbz     r4, byte_5C3354
ROM:004263E8        lwz     r5, dword_7F8168
ROM:004263EC        lwz     r6, dword_7F8208
ROM:004263F0        bl      sub_423D90
ROM:004263F4        stb     r3, word_7F817C+1
ROM:004263F8        b       loc_42642C
ROM:004263FC # ---------------------------------------------------------------------------

I have an offset of 00400000. I think the ax for nmot_uc is 5C3354 - 400000 = 1C3354, but I can't find spsn_uc....
Maybe someone can point me in the right direction. I tried the 7F location, but there is nothing.
Basano
Full Member
« Reply #21 on: October 16, 2014, 07:20:01 AM »
In this particular case, the x and y axis are actually little maps in themselves. You are very, very close: 7F8168 and 7F8208 are the correct places to look at, but they will be blank since they are variables themselves.
Double-click 7F8208. Make sure the cursor is still on the line 7F8208. Then from the menu View -> Open subviews -> Cross references. Double click the entry that stores (stw) 7F8208. The other entries just read 7F8208 (lwz).
In the next screen that opens, you can see just a few lines above 7F8208 is your axis 5C3354 (which is 1C3354). For the other axis, do the same thing and you should get 5C2F89 (which is 1C2F89).
Basano
Full Member
« Reply #22 on: October 16, 2014, 07:33:32 AM »
> When you load the file, do you not specify the RAM address (leave RAM box unchecked), or do you use the address and size indicated by Basano, i.e., RAM @ 0x600000 size 0x300000 ROM @ 0x000000 size 0x200000 Loading address 0x000000 size 0x200000

RAM should still be in a range that includes 0x7Fxxxx upwards, so this will include that: RAM @ 0x600000 size 0x300000

> 1. Load in IDA original file
> 2. In IDA File->Load file->Additional binary file... Select cut file (0x1C0000-0x1FFFFF) Loading segment: 0x5C000

It also struck me that instead of cutting the data and pasting it into a new file, when you specify the additional file, choose the same original input file but use a different file offset. In other words, you use the same file, but just tell it to load up in different places.
m_chieppa
Newbie
« Reply #23 on: October 16, 2014, 09:32:55 AM »
Wow, great, thanks, now it's much clearer how to find the axis. I will give it a try this evening.

> In this particular case, the x and y axis are actually little maps in themselves. You are very, very close: 7F8168 and 7F8208 are the correct places to look at, but they will be blank since they are variables themselves. Double-click 7F8208. Make sure the cursor is still on the line 7F8208. Then from the menu View -> Open subviews -> Cross references. Double click the entry that stores (stw) 7F8208. The other entries just read 7F8208 (lwz). In the next screen that opens, you can see just a few lines above 7F8208 is your axis 5C3354 (which is 1C3354). For the other axis, do the same thing and you should get 5C2F89 (which is 1C2F89).
ericpaulyoung
Full Member
« Reply #24 on: October 16, 2014, 09:47:40 AM »
> It also struck me that instead of cutting the data and pasting it into a new file, when you specify the additional file, choose the same original input file but use a different file offset:
> In other words, you use the same file, but just tell it to load up in different places.

That actually makes a lot of sense, given that you are just taking the same info into different locations. epy
ericpaulyoung
Full Member
« Reply #25 on: October 16, 2014, 09:59:33 AM »
So in this case, since the file is correct, would we now analyze the whole thing, or do we still restrict IDA to only analyze a segment?
epy
m_chieppa
Newbie
« Reply #26 on: October 16, 2014, 11:10:42 AM »
For the two previous maps I found the 2 axes. In the next map I know 1 axis, because it's the same, the nmot_uc, from the previous maps, but now I'm struggling with the other axis.
The map is KFMOF_UM and I thought it was starting at 1C32D8, but when looking in IDA I think it starts at 1C32DA. I see the y-ax, nmot_uc, is 1C3354 (following 7F8208), but it's a little unclear what the x-ax, mz_um, is, because there is a bl sub_423D90 next to the y-ax. Do I have to follow the sub_423D90, or should I skip it and go to the next lbz (byte_7F81F9)?
Or am I totally in the wrong map?
- KFMOF_UM 1C32D8 x-ax: 1/min, y-ax: %, source x: mz_um, source y: nmot_uc

ROM:00426C94 loc_426C94:                      # CODE XREF: sub_4268D0+3B8j
ROM:00426C94        lbz     r5, word_7F8188+1
ROM:00426C98        stb     r5, byte_7F81FA
ROM:00426C9C        lbz     r11, word_7F8188+1
ROM:00426CA0        not     r11, r11
ROM:00426CA4        stb     r11, byte_7F836E
ROM:00426CA8        addi    r3, r2, -0x6CB6
ROM:00426CAC        mr      r4, r5
ROM:00426CB0        bl      sub_423B24
ROM:00426CB4        stw     r3, dword_7F81FC
ROM:00426CB8        lwz     r5, dword_7F81FC
ROM:00426CBC        not     r9, r5
ROM:00426CC0        stw     r9, dword_7F8370
ROM:00426CC4        addi    r3, r2, -0x6D16   # word_5C32DA
ROM:00426CC8        lbz     r4, byte_5C3354
ROM:00426CCC        lwz     r6, dword_7F8208
ROM:00426CD0        bl      sub_423D90
ROM:00426CD4        stb     r3, byte_7F81F9
ROM:00426CD8        lbz     r9, byte_7F81F9
ROM:00426CDC        not     r9, r9
ROM:00426CE0        stb     r9, byte_7F836D
ROM:00426CE4        lwz     r3, dword_800EB4
ROM:00426CE8        bl      sub_58C23C
ROM:00426CEC
ericpaulyoung
Full Member
« Reply #27 on: October 16, 2014, 11:28:21 AM »
I tried loading the original file twice, using the approach above, and I do not have any 004 addresses at all. At the end of 001FFFFC it skips directly to 005C0000. epy
ericpaulyoung
Full Member
« Reply #28 on: October 16, 2014, 12:26:27 PM »
I found this a little confusing, so for those who need to know how to dump the user selected lines into a separate file.
1. Open Jump->Jump To Address
2. Type 0x1C0000 and hit Enter
3. Alt+L (to mark start of selection)
4. Jump->Jump To Address
5. 0x1FFFFF and hit Enter
6. Place the cursor directly before RAM:00600000, and click (this should highlight all the lines you want)
7. Open File->Produce File->Create LST File
8. Enter the name of the file you want, and the location you want it, and hit Enter
You have just dumped the user selected area to a second file that you can then import as additional binary.
epy
Basano
Full Member
« Reply #29 on: October 16, 2014, 01:18:12 PM »
> For the two previous maps I found the 2 axes. In the next map I know 1 axis, because it's the same, the nmot_uc, from the previous maps, but now I'm struggling with the other axis.
> The map is KFMOF_UM and I thought it was starting at 1C32D8, but when looking in IDA I think it starts at 1C32DA. I see the y-ax, nmot_uc, is 1C3354 (following 7F8208), but it's a little unclear what the x-ax, mz_um, is, because there is a bl sub_423D90 next to the y-ax. Do I have to follow the sub_423D90, or should I skip it and go to the next lbz (byte_7F81F9)?

I think your axis is 0x1C333A. There's a pattern to this. The registers that hold the maps and axis are normally very close together:
R3 - map location
R5 - y axis
R6 - x axis
So you found the map (which is loaded into R3). You've got one axis (which is loaded in R6). It's a pretty solid guess the other axis will be in R5. Have a look just before the map is loaded into R3 and you'll see R5. Follow R5 back a bit and you can see that R5 is 7F81FC. Just above where this is done is another line:
addi r3, r2, -0x6CB6
5C9FF0 - 0x6CB6 = 5C333A aka 1C333A
If anyone has too much time on their hands, attached is a doc explaining the conventions and usage of r3 and so on.
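As an added example (not code from this thread, from IDA, or from any poster), the script below encodes the two-segment layout described in Replies #19 and #22 (ROM at 0x000000, the 0x1C0000-0x1FFFFF slice loaded again at 0x5C0000, RAM at 0x600000) and repeats the r2-relative arithmetic of Reply #29 for every "addi rN, r2, disp" line in a pasted IDA listing, giving both the IDA address and the offset of the same bytes in the original file. The r2 value 0x5C9FF0 is taken from Reply #29 and assumed to be constant for this image; the sample listing lines are copied from the posts above.

```python
import re

# Memory layout described in the thread: the 2 MiB ROM image sits at 0x000000,
# the file slice 0x1C0000-0x1FFFFF is loaded a second time at 0x5C0000, and RAM
# (0x600000, size 0x300000) has no bytes in the file.  (start, size, file offset)
SEGMENTS = [
    (0x000000, 0x200000, 0x000000),
    (0x5C0000, 0x040000, 0x1C0000),
    (0x600000, 0x300000, None),
]
R2_BASE = 0x5C9FF0  # r2 value quoted in Reply #29; assumed constant for the image


def va_to_file_offset(va):
    """Translate an IDA address to the offset of the same bytes in the original
    file.  RAM addresses return None; anything outside the map is an error."""
    for start, size, file_off in SEGMENTS:
        if start <= va < start + size:
            return None if file_off is None else file_off + (va - start)
    raise ValueError(f"address {va:#08x} is not in any loaded segment")


# Matches the r2-relative loads the thread walks through, e.g.
# "ROM:00426CA8   addi r3, r2, -0x6CB6".  Any trailing "# comment" is ignored.
ADDI_R2 = re.compile(
    r"^ROM:([0-9A-Fa-f]{8})\s+addi\s+r(\d+),\s*r2,\s*(-?0x[0-9A-Fa-f]+)")


def resolve_r2_operands(listing, r2=R2_BASE):
    """Return [(ea, register, absolute address, file offset)] for every
    'addi rN, r2, disp' instruction in a pasted IDA listing."""
    hits = []
    for line in listing.splitlines():
        m = ADDI_R2.match(line.strip())
        if not m:
            continue
        ea, reg, disp = int(m.group(1), 16), int(m.group(2)), int(m.group(3), 16)
        va = r2 + disp  # disp is negative for all the lines in the thread
        hits.append((ea, reg, va, va_to_file_offset(va)))
    return hits


# Constructed sample: lines lifted from the listings posted in the thread.
SAMPLE_LISTING = """\
ROM:004263C8   addi    r3, r2, -0x6E9C   # dword_5C3154
ROM:004263E0   addi    r3, r2, -0x6F1C   # aAaaaaaaaaaaaaa
ROM:00426CA8   addi    r3, r2, -0x6CB6
ROM:00426CC4   addi    r3, r2, -0x6D16   # word_5C32DA
ROM:00426CC8   lbz     r4, byte_5C3354
"""

if __name__ == "__main__":
    for ea, reg, va, off in resolve_r2_operands(SAMPLE_LISTING):
        print(f"{ea:06X}: r{reg} = {va:06X} -> file offset {off:06X}")
```

Running it reproduces Basano's 5C333A / 1C333A result for the -0x6CB6 line and the 5C3154 and 5C32DA values IDA shows as comments on the other two.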