
Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Fri Nov 24, 2023 12:21 pm
by Tre-Cool
So I found a small, interesting difference/offset between OS 12609099 & 12612381.

Since I already had some tables mapped out in 12612381, I went looking for the same data in 099. Looks like everything is identical, and there is an offset difference.

Now this might change as the newer OS evolved, but I thought it was interesting at least. So if someone was smart enough & had a full file definition, it could be easy to map out various operating systems.
OS-difference.PNG
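Tre-Cool's observation, as an added example that is not from the post, HP Tuners or any real calibration: given a table map already built for one OS, look for the identical table bytes in a second dump, derive the common offset, and flag any table that does not follow it (the "newer OS evolved" case). The two images, their layout and the table names below are constructed; no bytes from OS 12609099 or 12612381 are used.

```python
import random
from collections import Counter

# Two constructed stand-ins for calibration dumps of consecutive operating systems.
# Their layout (a header that differs in length, then the same tables) is invented
# to mimic what the post describes; no bytes from OS 12609099 or 12612381 are used.
def build_images():
    rng = random.Random(7)

    def filler(n):
        return bytes(rng.randrange(256) for _ in range(n))

    spark = bytes(range(16, 48))                       # 32-byte table
    ve = bytes((i * 3) & 0xFF for i in range(64))      # 64-byte table
    tq = bytes(0x80 + i for i in range(24))            # 24-byte table
    old = filler(0x100) + spark + filler(0x40) + ve + filler(0x20) + tq + filler(0x100)
    # Newer image: header grew by 0x20, and one table was relocated further away
    new = filler(0x120) + spark + filler(0x40) + ve + filler(0x160) + tq + filler(0x100)
    old_map = {"spark_main": (0x100, 32), "ve_main": (0x160, 64), "tq_lockup": (0x1C0, 24)}
    return old, new, old_map


def locate_tables(known, src, dst, min_len=16):
    """For each table known in `src` as (address, length), look for the identical
    bytes in `dst`. Returns {name: (src_addr, dst_addr, delta)}, with dst_addr and
    delta None when the bytes are missing or occur more than once (ambiguous)."""
    found = {}
    for name, (addr, length) in known.items():
        sig = src[addr:addr + length]
        if len(sig) < min_len:
            raise ValueError(f"{name}: {len(sig)} bytes is too short to match safely")
        first = dst.find(sig)
        if first == -1 or dst.find(sig, first + 1) != -1:
            found[name] = (addr, None, None)
            continue
        found[name] = (addr, first, first - addr)
    return found


def summarize(found):
    """Most common shift between the two images, plus the tables that do not
    follow it (moved, missing or ambiguous) and therefore need manual mapping."""
    deltas = Counter(d for _, dst, d in found.values() if dst is not None)
    if not deltas:
        return None, sorted(found)
    common = deltas.most_common(1)[0][0]
    outliers = [n for n, (_, _, d) in found.items() if d != common]
    return common, outliers


if __name__ == "__main__":
    old, new, old_map = build_images()
    found = locate_tables(old_map, old, new)
    common, outliers = summarize(found)
    for name, (src_addr, dst_addr, delta) in found.items():
        print(f"{name:10} old={src_addr:#06x} new={dst_addr} delta={delta}")
    print(f"common offset {common:#x}, outliers: {outliers}")
```

The ambiguity check matters on real dumps: short or highly regular tables (all zeros, a linear ramp) can match in several places, so a table is only trusted when its bytes occur exactly once, and anything that does not share the majority delta is reported rather than silently assumed to have moved with the rest.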

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Fri Nov 24, 2023 10:32 pm
by gmtech825
It's very common to see similar data at different addresses with GM. It can be very helpful.

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Fri Nov 24, 2023 11:35 pm
by hjtrbo
Torque convertor time! The learning curve is steep, aye. A lot to learn. :study:


Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 12:49 am
by gmtech825
Setting up your r13 value will clean it up a lot.

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 1:44 am
by In-Tech
Hiya's
It's been quite a few years since I reversed anything (cost me an over 15 BILLION dollar lawsuit... I won). I used to start at the IO register and go backwards from there. Then discern what I wanted to learn, and it will be a shit ton.
Have fun :)

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 7:40 pm
by hjtrbo
Complete Ghidra and PPC newb, and anything disassembly for that matter. Happy dabbling in a little bit of C with a PIC 8-bit micro. Never used assembly language.

r13, doing some reading, it is the stack pointer?

To find the r13 address, I need to look for reference(s) for r13 where it is written to?

I found

    00010290 3d a0 00 40 lis r13,0x40 #load immediate shift left by 16 bits

Does that mean the r13 address is 0x40 << 16 = 0x40 0000?

Here are the settings for anyone that wants to play along:
Language ID: PowerPC:BE:32:MPC8270 (1.5)
Compiler ID: default
Processor: PowerPC
Endian: Big
Disassembly options were left at default.

A note on the address workbook. It contains all the common tuning tables. It's approx 2/3 of what HP has defined for this OS.

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 7:42 pm
by hjtrbo
In-Tech wrote: (cost me an over 15 BILLION dollar lawsuit... I won)
I haven't been around here for long. Sounds like one hell of a story! :punk:

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 8:47 pm
by hjtrbo
I want to doc things here in case I forget.

Search for r13. If required, enlarge the search results. Copy the results to Excel. Use text to columns to split up the line contents so we can filter for destructive instances of r13. That should be it.

In the listing view, Ctrl+A to select the whole file, right click -> set address -> set the r13 address. After clicking OK, re-analyse the file (Analyse -> Re-analyse).

gmtech825 wrote: setting up your r13 value will clean it up a lot
Yes it did, thank you. Same code snippet from earlier, much better to look at.


Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 9:26 pm
by hjtrbo
Question: The text in the olive colour is not in memory, i.e. its address is greater than the length of the binary. Presuming the answer is that I need to read and understand the memory structure of the CPU?

Re: Current Status on E38, E67, etc.. Hacking Toys

Posted: Sat Nov 25, 2023 11:18 pm
by kur4o
r13=3fe800
r2=0

That unreferenced area is RAM and some external registers. You need to map them as a separate segment so they can be referenced in the disassembly.

RAM usually starts from 200000 and goes up to 800000, depending on the CPU and PCM being used.
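The procedure hjtrbo documents (search for r13, split the listing into columns, keep only the instructions that overwrite r13, work out the base value from the `lis r13,0x40` immediate) and kur4o's answer about unreferenced addresses being RAM, as one added example in Python that is not from the thread or from Ghidra. It parses a constructed listing export, replays the writes to r2 and r13 to recover their values, resolves every `offset(rN)` operand to an absolute address, and reports whether that address lands inside the loaded image, in the RAM window kur4o gives, or in an unmapped area. Only the `lis r13,0x40` line is the instruction quoted in the thread; the `addi r13,r13,-0x1800` that brings r13 to kur4o's 0x3fe800, the other listing lines, and the image size are all constructed assumptions.

```python
import re

# Constructed sample of a Ghidra listing export for the PowerPC target discussed in
# the thread (columns: address, raw bytes, mnemonic, operands). Only the
# "lis r13,0x40" line is the instruction hjtrbo quoted; every other line, including
# the "addi r13,r13,-0x1800" that brings r13 to kur4o's 0x3fe800, is made up here.
SAMPLE_LISTING = """\
00010290 3d a0 00 40  lis r13,0x40
00010294 39 ad e8 00  addi r13,r13,-0x1800
00010298 3c 40 00 00  lis r2,0x0
0001029c 80 6d 00 10  lwz r3,0x10(r13)
000102a0 90 6d ff f8  stw r3,-0x8(r13)
000102a4 80 8d 12 34  lwz r4,0x1234(r13)
000102a8 80 a2 01 00  lwz r5,0x100(r2)
000102ac 80 c2 f0 00  lwz r6,-0x1000(r2)
"""

# Memory layout. RAM_START/RAM_END follow kur4o's "200000 up to 800000";
# IMAGE_SIZE (size of the flash dump loaded into Ghidra) is an assumption.
IMAGE_SIZE = 0x200000
RAM_START, RAM_END = 0x200000, 0x800000
MASK32 = 0xFFFFFFFF

LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?:[0-9a-f]{2}\s+){4}(?P<mnem>[a-z.]+)\s*(?P<ops>.*)$"
)
MEM_RE = re.compile(r"^(?P<off>-?0x[0-9a-f]+)\((?P<base>r\d+)\)$")


def parse_listing(text):
    """Split each listing line into address, mnemonic and operand list
    (the 'text to columns' step done in a spreadsheet in the thread)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip labels, comments and blank lines
        ops = [o.strip() for o in m.group("ops").split(",")] if m.group("ops") else []
        rows.append({"addr": int(m.group("addr"), 16), "mnem": m.group("mnem"), "ops": ops})
    return rows


def writes_to(rows, reg):
    """Rows that overwrite `reg`: on PowerPC the destination is the first operand
    for loads and arithmetic, while for stores the first operand is the source,
    so stores, compares and branches are never destructive."""
    return [
        r for r in rows
        if r["ops"] and r["ops"][0] == reg
        and not r["mnem"].startswith(("st", "cmp", "b"))
    ]


def compute_bases(rows, regs=("r2", "r13")):
    """Replay lis/addi/ori writes to the base registers to recover their values,
    e.g. lis r13,0x40 -> 0x400000, then addi -0x1800 -> 0x3fe800."""
    vals = {}
    for r in rows:
        if not r["ops"] or r["ops"][0] not in regs or r["mnem"].startswith("st"):
            continue
        rd, m = r["ops"][0], r["mnem"]
        if m == "lis":
            vals[rd] = (int(r["ops"][1], 0) << 16) & MASK32
        elif m == "addi" and r["ops"][1] == rd and rd in vals:
            vals[rd] = (vals[rd] + int(r["ops"][2], 0)) & MASK32
        elif m == "ori" and r["ops"][1] == rd and rd in vals:
            vals[rd] |= int(r["ops"][2], 0)
        else:
            raise ValueError(f"unhandled write to {rd} at {r['addr']:08x}: {m}")
    return vals


def classify(ea):
    """Where an effective address lands: inside the loaded image, in the RAM
    window kur4o describes, or somewhere Ghidra has no segment for."""
    if ea < IMAGE_SIZE:
        return "image"
    if RAM_START <= ea < RAM_END:
        return "ram"
    return "unmapped"


def resolve_refs(rows, bases):
    """Turn every off(rN) operand with a known base into an absolute address."""
    refs = []
    for r in rows:
        for op in r["ops"]:
            m = MEM_RE.match(op)
            if m and m.group("base") in bases:
                ea = (bases[m.group("base")] + int(m.group("off"), 0)) & MASK32
                refs.append((r["addr"], r["mnem"], ea, classify(ea)))
    return refs


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for r in writes_to(rows, "r13"):
        print(f"{r['addr']:08x} writes r13: {r['mnem']} {','.join(r['ops'])}")
    bases = compute_bases(rows)
    print({k: hex(v) for k, v in bases.items()})
    for addr, mnem, ea, region in resolve_refs(rows, bases):
        print(f"{addr:08x} {mnem:5} -> {ea:08x} [{region}]")
```

Anything the script reports as "ram" or "unmapped" is exactly the olive-coloured text hjtrbo asked about: Ghidra has no memory block covering that address, so it cannot create a reference. Once a separate RAM segment (and, if needed, one for the external registers) is added, re-analysis resolves those operands into proper cross-references.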