why/how does procnto get shifted
bandit Gangwere
07/31/2008 8:39 PM
post11304
The procnto-600 code appears to be shifted down.
I admit I have not spent the time to see if shifted via a memcpy() or similar at runtime.
How/why does it occur?
It seems to work, just curious and running out of time to explore.
Note the procnto-600 .elf header gets relocated to 02014000,
but the code (image) gets relocated to 02015000
Thanks ... bandit
If you look at the procnto-600 binary, the entry point is 0203d240
from procnto-600 (before link at 02015000)
00028240: 82 41 00 18 82 61 00 1c 82 81 00 20 82 a1 00 24 .A...a..... ...$
00028250: 82 c1 00 28 82 e1 00 2c 83 01 00 30 83 21 00 34 ...(...,...0.!.4
00028260: 83 41 00 38 83 61 00 3c 83 81 00 40 83 a1 00 44 .A.8.a.<...@...D
00028270: 83 c1 00 48 83 e1 00 4c 38 21 00 50 4e 80 00 20 ...H...L8!.PN..
00028280: 3c 20 00 00 38 21 0f f0 38 21 ff f0 3d a0 00 00 < ..8!..8!..=...
00028290: 39 ad 00 00 3c 40 00 00 38 42 00 00 48 00 00 00 9...<@..8B..H...
but this is what the code/address is at execution time (after link)
dump_uint8() inbuf(0203d240) len(1024)(00000400)eip
0203d240: 3c 20 02 07 38 21 40 b8 38 21 ff f0 3d a0 02 08 < ..8!@.8!..=...
0203d250: 39 ad c6 10 3c 40 02 08 38 42 a6 58 48 01 1b 70 9...<@..8B.XH..p
0203d260: 3d 20 02 05 39 29 e0 60 91 23 00 00 3d 20 02 05 = ..9).`.#..= ..
0203d270: 39 29 e0 9c 91 24 00 00 4e 80 00 20 94 21 ff f0 9)...$..N.. .!..
0203d280: 7c 08 02 a6 90 01 00 14 80 0d 91 1c 70 09 00 02 |...........p...
0203d290: 40 82 00 30 70 09 01 00 41 82 00 18 3c 60 02 07 @..0p...A...<`..
0203d2a0: 38 63 14 94 38 80 00 03 48 01 36 69 48 00 00 14 8c..8...H.6iH...
0203d2b0: 3c 60 02 07 38 63 14 b8 38 80 00 03 48 01 36 55 <`..8c..8...H.6U
0203d2c0: 80 01 00 14 7c 08 03 a6 38 21 00 10 4e 80 00 20 ....|...8!..N..
the code that actually executes is at (procnto-600) 00028280,
i.e. there is a "shift down" of 0x40 hex bytes.
A (hand) disassembly of the code is:
0003c200:
** 82 41 00 18 lwz r18,18(r1) r18 = *(r1 + 0x18)
** 82 61 00 1c lwz r19,1c(r1) r19 = *(r1 + 0x1c)
** 82 81 00 20 lwz r20,20(r1) r20 = *(r1 + 0x20)
** 82 a1 00 24 lwz r21,24(r1) r21 = *(r1 + 0x24)
0003c210:
** 82 c1 00 28 lwz r22,28(r1) r22 = *(r1 + 0x28)
** 82 e1 00 2c lwz r23,2c(r1) r23 = *(r1 + 0x2c)
** 83 01 00 30 lwz r24,30(r1) r24 = *(r1 + 0x30)
** 83 21 00 34 lwz r25,34(r1) r25 = *(r1 + 0x34)
0003c220:
** 83 41 00 38 lwz r26,38(r1) r26 = *(r1 + 0x38)
** 83 61 00 3c lwz r27,3c(r1) r27 = *(r1 + 0x3c)
** 83 81 00 40 lwz r28,40(r1) r28 = *(r1 + 0x40)
** 83 a1 00 44 lwz r29,44(r1) r29 = *(r1 + 0x44)
0003c230:
** 83 c1 00 48 lwz r30,48(r1) r30 = *(r1 + 0x48)
** 83 e1 00 4c lwz r31,4c(r1) r31 = *(r1 + 0x4c)
** 38 21 00 50 addi r1,0,0x50 r1 += 0x50
** 4e 80 00 20 bclr (always) to addr in LK
this is the code that actually gets executed
This is also more logical than the code above
0003c240:
** 3c 20 02 07 addis r1,0,0207 r1 = 0x0207
** 38 21 30 b8 addi r1,r1,0x30b8 r1 = r1 + 0x30b8
(r1 = 0207 + 30b8 = 32bf)
** 38 21 ff f0 addi r1,r1,0x30b8 r1 = r1 + 0xfffffff0
(r1 = 000032bf + fffffff0 = 000032bf - 10 = 32af)
** 3d a0 02 08 addis r1,0,0208 r1 = 0x0208
0003c250:
** 39 ad b6 10 addi r13,r13,0xb610 r13 = r13 + 0xb610
** 3c 40 02 08 addis r2,0,0208 r2 = 0x0208
** 38 42 96 58 addi r2,r2,0x9658 r2 = r2 + 0x9658
(r2 = 0208 + 9658 = 9930)
** 48 01 1b 70 b ( curr_addr + simm )
curr_addr = 0203c25c + 0046dc = 02040938 (shifted down test)
curr_addr = 0203c29c + 0046dc = 02040978 (theoretical)
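An added example, not code from the post, that decodes the dumped words the post disassembles by hand and then searches the file dump for the runtime entry code, masking out the immediates that the file copy still has zeroed. The two dumps and the addresses 0x28240, 0x02015000 and 0x0203d240 are copied from the post; the mnemonics follow the PowerPC D-form and I-form encodings, and the mask-based search is my own way of finding the shift, not something the post describes.

```python
# Decodes the PowerPC words from the two dumps in the post and locates the 0x40 shift.
# Added illustration, not code from the post; dumps and addresses are copied from it.
import struct
FILE_BASE, LINK_BASE, ENTRY = 0x28240, 0x02015000, 0x0203d240
FILE_HEX = """82 41 00 18 82 61 00 1c 82 81 00 20 82 a1 00 24
82 c1 00 28 82 e1 00 2c 83 01 00 30 83 21 00 34
83 41 00 38 83 61 00 3c 83 81 00 40 83 a1 00 44
83 c1 00 48 83 e1 00 4c 38 21 00 50 4e 80 00 20
3c 20 00 00 38 21 0f f0 38 21 ff f0 3d a0 00 00
39 ad 00 00 3c 40 00 00 38 42 00 00 48 00 00 00"""
RUNTIME_HEX = """3c 20 02 07 38 21 40 b8 38 21 ff f0 3d a0 02 08
39 ad c6 10 3c 40 02 08 38 42 a6 58 48 01 1b 70"""
def words(hexdump):               # big-endian 32-bit words from a "xx xx xx xx" dump
    data = bytes.fromhex(hexdump.replace("\n", " "))
    return [struct.unpack_from(">I", data, i)[0] for i in range(0, len(data) - 3, 4)]

def simm(w):                      # sign-extend the 16-bit D-form immediate
    v = w & 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def decode(w, addr):
    """Text for one word located at addr; only the forms seen in the post are handled."""
    op, rd, ra = w >> 26, (w >> 21) & 31, (w >> 16) & 31
    if op == 32:
        return f"lwz r{rd},{simm(w):#x}(r{ra})"
    if op in (14, 15):            # addi/addis; rA=0 is the li/lis idiom (load a constant)
        name = ("addi", "addis")[op - 14] if ra else ("li", "lis")[op - 14]
        return f"{name} r{rd}," + (f"r{ra}," if ra else "") + f"{simm(w):#x}"
    if op == 18:                  # I-form b/bl: LI = bits 6..29, AA = bit 30, LK = bit 31
        li = w & 0x03FFFFFC
        li -= 0x04000000 if li & 0x02000000 else 0
        return f"b{'l' if w & 1 else ''} {(li if w & 2 else addr + li) & 0xFFFFFFFF:#010x}"
    if op == 19 and (w >> 1) & 0x3FF == 16 and rd == 20:   # bclr with BO=20: blr
        return "blr"
    return f".long {w:#010x}"

def disassemble(hexdump, base):
    return [(base + 4 * i, decode(w, base + 4 * i)) for i, w in enumerate(words(hexdump))]

def skeleton(w):                  # opcode/register fields only: file copy has zeroed immediates
    return w & (0xFC000003 if w >> 26 == 18 else 0xFFFF0000)

def locate_shift(file_hex=FILE_HEX, runtime_hex=RUNTIME_HEX):
    # Returns the file offset where the runtime entry code really sits, and its shift
    # from the naive ENTRY - LINK_BASE file offset the post expected.
    want = [skeleton(w) for w in words(runtime_hex)]
    have = [skeleton(w) for w in words(file_hex)]
    for k in range(len(have) - len(want) + 1):
        if have[k:k + len(want)] == want:
            return FILE_BASE + 4 * k, FILE_BASE + 4 * k - (ENTRY - LINK_BASE)
    return None, None
```

Running `locate_shift()` on the post's dumps gives file offset 0x28280 and a shift of 0x40, matching what the post worked out by eye.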