
sceNetAdhocPtpRecv question

wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

sceNetAdhocPtpRecv question

Post by wth »

I reversed sceNetAdhocPtpRecv into rather raw pseudo-C code: http://pastebin.com/TSAcypW7 (1.67 flash0 dump), but there are two things I'd like to ask.

1)

At line 79, we can see:

Code:

t1 = 0x00000000;
t0 = *(int*)(t1+16);
= line 0x00003744 in the asm code:

Code:

0x00003744: 0x3C090000 '...<' - lui        $t1, 0x0
0x00003748: 0x8D280010 '..(.' - lw         $t0, 16($t1)
0x0000374C: 0x3C0A8041 'A..<' - lui        $t2, 0x8041
0x00003750: 0x1100000C '....' - beqz       $t0, loc_00003784
0x00003754: 0x35420712 '..B5' - ori        $v0, $t2, 0x712
so here $t0 = *(int*)(0x10);
but at pspnet_adhoc.prx's 0x00000010 offset, it's sceNetAdhocInit's code!

Code:

; ==== Section .text - Address 0x00000000 Size 0x00007A30 Flags 0x0006

; ======================================================
; Subroutine sceNetAdhocInit - Address 0x00000000 
; Exported in sceNetAdhoc
sceNetAdhocInit:
	0x00000000: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
	0x00000004: 0xAFBF000C '....' - sw         $ra, 12($sp)
	0x00000008: 0xAFB20008 '....' - sw         $s2, 8($sp)
	0x0000000C: 0xAFB10004 '....' - sw         $s1, 4($sp)
	0x00000010: 0x0C001D25 '%...' - jal        Kernel_Library_D13BDE95
	0x00000014: 0xAFB00000 '....' - sw         $s0, 0($sp)
	0x00000018: 0x284407F0 '..D(' - slti       $a0, $v0, 2032
so *(int*)(0x10) == 0x0C001D25,
which doesn't make much sense IMHO, no?



2)
Also, secondly, since sceNetAdhocPtpRecv has one more argument than four, that's one too many for $a0-$a3, but it's kinda weird for it to end up in $t0, no? Or is that regular MIPS behaviour?

Code:

; ======================================================
; Subroutine sceNetAdhocPtpRecv - Address 0x00003684 
; Exported in sceNetAdhoc
sceNetAdhocPtpRecv:
	0x00003684: 0x27BDFFD0 '...'' - addiu      $sp, $sp, -48
	0x00003688: 0xAFB50024 '$...' - sw         $s5, 36($sp)
	0x0000368C: 0x00E0A821 '!...' - move       $s5, $a3
	0x00003690: 0xAFB3001C '....' - sw         $s3, 28($sp)
	0x00003694: 0x00809821 '!...' - move       $s3, $a0
	0x00003698: 0xAFB20018 '....' - sw         $s2, 24($sp)
	0x0000369C: 0x01009021 '!...' - move       $s2, $t0
	0x000036A0: 0xAFB10014 '....' - sw         $s1, 20($sp)
	0x000036A4: 0x00C08821 '!...' - move       $s1, $a2
	0x000036A8: 0xAFB00010 '....' - sw         $s0, 16($sp)
	0x000036AC: 0x00A08021 '!...' - move       $s0, $a1
	0x000036B0: 0xAFBF002C ',...' - sw         $ra, 44($sp)
	0x000036B4: 0xAFB60028 '(...' - sw         $s6, 40($sp)
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm

Re: sceNetAdhocPtpRecv question

Post by FrEdDy »

Don't know about the first question, but in MIPS arguments are passed in this order: aX, tX, and then pushed on the stack (I believe), so yes, it's normal.
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: sceNetAdhocPtpRecv question

Post by wth »

ok thanks
coyotebean
Guru
Posts: 96
Joined: Mon Sep 27, 2010 3:22 pm

Re: sceNetAdhocPtpRecv question

Post by coyotebean »

For Q1, that should be pointing to the data section. I use the -r switch when disassembling with prxtool to apply relocation to resolve this.
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: sceNetAdhocPtpRecv question

Post by wth »

coyotebean wrote: For Q1, that should be pointing to the data section. I use the -r switch when disassembling with prxtool to apply relocation to resolve this.
Ok thanks.
I thought this was weird because, for instance, in usersystemlib.prx's module_start, at line 0x00000004 we can see:

Code:

module_start:
	0x00000000: 0x3C040000 '...<' - lui        $a0, 0x0
	0x00000004: 0x8C850B68 'h...' - lw         $a1, 2920($a0)
so $a1 = *(int*)(0x0B68);

but this time, at the 0x0B68 offset, it looks like correct data:

Code:

; ======================================================
; Subroutine sceKernelCheckThreadStack - Address 0x00000958 
; Imported from ThreadManForUser
sceKernelCheckThreadStack:		; Refs: 0x00000284 
	0x00000958: 0x03E00008 '....' - jr         $ra
	0x0000095C: 0x00000000 '....' - nop        
	0x00000960: 0x00000000 '....' - nop        
	0x00000964: 0x00000000 '....' - nop        
	0x00000968: 0x80000000 '....' - lb         $zr, 0($zr)
	0x0000096C: 0x00010304 '....' - Unknown    
	0x00000970: 0x00000A5C '\...' - Unknown    
	0x00000974: 0x00000A7C '|...' - Unknown    
	0x00000978: 0x00010011 '....' - Unknown    
	0x0000097C: 0x00110005 '....' - Unknown    
	0x00000980: 0x00000A8C '....' - syscall    0x2A
	0x00000984: 0x00020000 '....' - sll        $zr, $v0, 0
	0x00000988: 0x00000B34 '4...' - Unknown    
	0x0000098C: 0x00010011 '....' - Unknown    
	0x00000990: 0x00010004 '....' - sllv       $zr, $at, $zr
	0x00000994: 0x00000B40 '@...' - sll        $at, $zr, 13
	0x00000998: 0x00000000 '....' - nop        
	0x0000099C: 0x00000000 '....' - nop        
	0x000009A0: 0x00000A18 '....' - Unknown    
	0x000009A4: 0x40000011 '...@' - Unknown    
	0x000009A8: 0x00010005 '....' - Unknown    
	0x000009AC: 0x00000B4C 'L...' - syscall    0x2D
	0x000009B0: 0x00000928 '(...' - Unknown    
	0x000009B4: 0x00000A30 '0...' - Unknown    
	0x000009B8: 0x40000011 '...@' - Unknown    
	0x000009BC: 0x00010005 '....' - Unknown    
	0x000009C0: 0x00000B48 'H...' - Unknown    
	0x000009C4: 0x00000920 ' ...' - Unknown    
	0x000009C8: 0x00000A48 'H...' - Unknown    
	0x000009CC: 0x40010011 '...@' - Unknown    
	0x000009D0: 0x00060005 '....' - Unknown    
	0x000009D4: 0x00000B50 'P...' - Unknown    
	0x000009D8: 0x00000930 '0...' - Unknown    
	0x000009DC: 0x00000000 '....' - nop        

	0x000009E0: 0x01060007 '....' - srav       $zr, $a2, $t0
	0x000009E4: 0x4B656373 'sceK' - Unknown    
	0x000009E8: 0x656E7265 'erne' - Unknown    
	0x000009EC: 0x62694C6C 'lLib' - Unknown    
	0x000009F0: 0x79726172 'rary' - Unknown    
	0x000009F4: 0x00000000 '....' - nop        
	0x000009F8: 0x00000000 '....' - nop        
	0x000009FC: 0x00000000 '....' - nop        
	0x00000A00: 0x00008030 '0...' - Unknown    
	0x00000A04: 0x00000964 'd...' - Unknown    
	0x00000A08: 0x00000998 '....' - Unknown    
	0x00000A0C: 0x000009A0 '....' - Unknown    
	0x00000A10: 0x000009DC '....' - Unknown    
	0x00000A14: 0x00000000 '....' - nop        
	0x00000A18: 0x4D737953 'SysM' - Unknown    
	0x00000A1C: 0x73556D65 'emUs' - Unknown    
	0x00000A20: 0x6F467265 'erFo' - vsge.s     S113, S423, S122
	0x00000A24: 0x65735572 'rUse' - Unknown    
	0x00000A28: 0x00000072 'r...' - Unknown    
	0x00000A2C: 0x00000000 '....' - nop        
	0x00000A30: 0x65746E49 'Inte' - Unknown    
	0x00000A34: 0x70757272 'rrup' - Unknown    
	0x00000A38: 0x6E614D74 'tMan' - Unknown    
	0x00000A3C: 0x72656761 'ager' - Unknown    
	0x00000A40: 0x00000000 '....' - nop        
	0x00000A44: 0x00000000 '....' - nop        
	0x00000A48: 0x65726854 'Thre' - Unknown    
	0x00000A4C: 0x614D6461 'adMa' - vsbn.s     S013, S103, S312
	0x00000A50: 0x726F466E 'nFor' - Unknown    
	0x00000A54: 0x72657355 'User' - Unknown    
	0x00000A58: 0x00000000 '....' - nop        
	0x00000A5C: 0xD632ACDB '..2.' - lvr.q      R402, -21288($s1)
	0x00000A60: 0xF01D73A7 '.s..' - vmmul.p    E103, M432, M710
	0x00000A64: 0x11B97506 '.u..' - beq        $t5, $t9, loc_0001DE80
	0x00000A68: 0x0F7C276C 'l'|.' - jal        sub_0DF09DB0
	0x00000A6C: 0x00000000 '....' - nop        
	0x00000A70: 0x000009E0 '....' - Unknown    
	0x00000A74: 0x00000B6C 'l...' - Unknown    
	0x00000A78: 0x00000B70 'p...' - Unknown    
	0x00000A7C: 0x6E72654B 'Kern' - Unknown    
	0x00000A80: 0x4C5F6C65 'el_L' - Unknown    
	0x00000A84: 0x61726269 'ibra' - vsbn.s     S213, S023, S423
	0x00000A88: 0x00007972 'ry..' - Unknown    
	0x00000A8C: 0x092968F4 '.h).' - j          loc_04A5A3D0
	0x00000A90: 0x15B6446B 'kD..' - bne        $t5, $s6, loc_00011C40
	0x00000A94: 0x1839852A '*.9.' - Unknown    
	0x00000A98: 0x1FC64E09 '.N..' - Unknown    
	0x00000A9C: 0x293B45B8 '.E;)' - slti       $k1, $t1, 17848
	0x00000AA0: 0x37431849 'I.C7' - ori        $v1, $k0, 0x1849
	0x00000AA4: 0x3AD10D4D 'M..:' - xori       $s1, $s6, 0xD4D
	0x00000AA8: 0x3B84732D '-s.;' - xori       $a0, $gp, 0x732D
	0x00000AAC: 0x47A0B729 ')..G' - Unknown    
	0x00000AB0: 0x5F10D406 '..._' - Unknown    
	0x00000AB4: 0xA089ECA4 '....' - sb         $t1, -4956($a0)
	0x00000AB8: 0xB55249D2 '.IR.' - Unknown    
	0x00000ABC: 0xBEA46419 '.d..' - cache      0x4, 25625($s5)
	0x00000AC0: 0xC1734599 '.Es.' - ll         $s3, 0x00012128
	0x00000AC4: 0xD13BDE95 '..;.' - Unknown    
	0x00000AC8: 0xDC692EE3 '..i.' - vpfxs      [-w, 3, |z|, -|w|]
	0x00000ACC: 0xFA835CDE '.\..' - vwb.q      C030, 23772($s4)
	0x00000AD0: 0x00000080 '....' - sll        $zr, $zr, 2
	0x00000AD4: 0x000003B4 '....' - Unknown    
	0x00000AD8: 0x00000540 '@...' - sll        $zr, $zr, 21
	0x00000ADC: 0x0000036C 'l...' - Unknown    
	0x00000AE0: 0x00000240 '@...' - sll        $zr, $zr, 9
	0x00000AE4: 0x000002E0 '....' - Unknown    
	0x00000AE8: 0x00000440 '@...' - sll        $zr, $zr, 17
	0x00000AEC: 0x000000D4 '....' - Unknown    
	0x00000AF0: 0x0000010C '....' - syscall    0x4
	0x00000AF4: 0x000000AC '....' - Unknown    
	0x00000AF8: 0x000007B8 '....' - Unknown    
	0x00000AFC: 0x00000114 '....' - Unknown    
	0x00000B00: 0x00000378 'x...' - Unknown    
	0x00000B04: 0x0000046C 'l...' - Unknown    
	0x00000B08: 0x00000258 'X...' - Unknown    
	0x00000B0C: 0x000002C0 '....' - sll        $zr, $zr, 11
	0x00000B10: 0x000004C0 '....' - sll        $zr, $zr, 19
	0x00000B14: 0x00010000 '....' - sll        $zr, $at, 0
	0x00000B18: 0x00050004 '....' - sllv       $zr, $a1, $zr
	0x00000B1C: 0x00090008 '....' - Unknown    
	0x00000B20: 0x000A000A '....' - movz       $zr, $zr, $t2
	0x00000B24: 0x000A000A '....' - movz       $zr, $zr, $t2
	0x00000B28: 0x000B000A '....' - movz       $zr, $zr, $t3
	0x00000B2C: 0x000E000D '....' - break      0x3800
	0x00000B30: 0x00100010 '....' - Unknown    
	0x00000B34: 0x47656373 'sceG' - Unknown    
	0x00000B38: 0x616C5F65 'e_la' - vsbn.s     S113, S732, S303
	0x00000B3C: 0x0000797A 'zy..' - Unknown    
	0x00000B40: 0x31129B95 '...1' - andi       $s2, $t0, 0x9B95
	0x00000B44: 0x00000140 '@...' - sll        $zr, $zr, 5
	0x00000B48: 0xEEE43F47 'G?..' - Unknown    
	0x00000B4C: 0xA6848DF8 '....' - sh         $a0, -29192($s4)
	0x00000B50: 0x31327F19 '..21' - andi       $s2, $t1, 0x7F19
	0x00000B54: 0x4C145944 'DY.L' - Unknown    
	0x00000B58: 0x65F54FFB '.O.e' - Unknown    
	0x00000B5C: 0x7CFF8CF3 '...|' - Unknown    
	0x00000B60: 0xBEED3A47 'G:..' - cache      0xD, 14919($s7)
	0x00000B64: 0xD13BDE95 '..;.' - Unknown    
	0x00000B68: 0x00002000 '. ..' - sll        $a0, $zr, 0

	0x00000B6C: 0x06060010 '....' - Unknown    

	0x00000B70: 0x00000003 '....' - sra        $zr, $zr, 0
	0x00000B74: 0x00000020 ' ...' - add        $zr, $zr, $zr
	0x00000B78: 0x00000400 '....' - sll        $zr, $zr, 16
	0x00000B7C: 0x00000000 '....' - nop        

; ==== Section .data - Address 0x00000B80 Size 0x00000040 Flags 0x0002
           - 00 01 02 03 | 04 05 06 07 | 08 09 0A 0B | 0C 0D 0E 0F - 0123456789ABCDEF
-------------------------------------------------------------------------------------
0x00000B80 - FF FF FF FF | 00 00 00 00 | 00 00 00 00 | 64 00 00 00 - ............d...
0x00000B90 - 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 - ................
0x00000BA0 - 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 - ................
0x00000BB0 - 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 - ................
Here, apparently, *(int*)(0x0B68) == 0x00002000.
thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: sceNetAdhocPtpRecv question

Post by thecobra »

A bit off-topic, but I have a question: where did you find the definition of "ins" for MIPS? I googled it several times but couldn't find any good source explaining what it does. An example of this instruction I was trying to reverse was:

Code:

ins $a0, $zr, 8, 8
PSVita 3.xx eCFW <Thank to wololo Community>
PSVita 1.67 vHBL Dead :(
PSP FAT 6.60 - CFW pro
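As an added illustration of what the `ins` instruction asked about above does (this is not code from the thread or from any of the posters), here is a Python model of MIPS32r2 INS and its companion EXT, applied to the exact operands `ins $a0, $zr, 8, 8`; the register value 0x12345678 is a constructed sample.

```python
def mips_ins(rt, rs, pos, size):
    """MIPS32r2 INS rt, rs, pos, size: replace bits [pos+size-1:pos] of rt with
    the low `size` bits of rs; all other bits of rt are left untouched."""
    assert 0 < size and pos + size <= 32, "pos/size must fit in a 32-bit register"
    mask = ((1 << size) - 1) << pos
    return (rt & ~mask & 0xFFFFFFFF) | ((rs << pos) & mask)

def mips_ext(rs, pos, size):
    """Companion EXT rt, rs, pos, size: pull bits [pos+size-1:pos] of rs down
    to the low bits of the result (the inverse operation of INS)."""
    return (rs >> pos) & ((1 << size) - 1)

def clear_byte1(a0):
    """The instruction from the post: ins $a0, $zr, 8, 8.
    Because rs is $zero, it simply zeroes bits 8..15 (byte 1) of $a0; a
    compiler emits this for things like `a0 &= ~0xFF00` or a struct bitfield store."""
    return mips_ins(a0, 0, 8, 8)

if __name__ == "__main__":
    a0 = 0x12345678                       # constructed sample register value
    print(f"ins $a0, $zr, 8, 8 : 0x{a0:08X} -> 0x{clear_byte1(a0):08X}")
    print(f"ins with rs=0xAB   : 0xFFFFFFFF -> 0x{mips_ins(0xFFFFFFFF, 0xAB, 8, 8):08X}")
    print(f"ext byte 1 of a0   : 0x{mips_ext(a0, 8, 8):02X}")
```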
jigsaw
Posts: 255
Joined: Sat Dec 18, 2010 12:49 pm

Re: sceNetAdhocPtpRecv question

Post by jigsaw »

thecobra
HBL Collaborator
Posts: 167
Joined: Thu Feb 24, 2011 7:50 pm

Re: sceNetAdhocPtpRecv question

Post by thecobra »


Thanks, that website has some useful information. *Running to add it to my bookmarks*
coyotebean
Guru
Posts: 96
Joined: Mon Sep 27, 2010 3:22 pm

Re: sceNetAdhocPtpRecv question

Post by coyotebean »

@wth the section address used to resolve the relocation is in the relocation entry. You cannot determine it from the instruction itself.

@thecobra this instruction set quick reference may be useful too http://www.mips.com/media/files/MD00565 ... -01.01.pdf
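An added example, not from the thread and not prxtool's own code, showing what coyotebean's two answers describe: the target section of the `lui $t1, 0x0` / `lw $t0, 16($t1)` pair from the first post is taken from the relocation entry, and the HI16/LO16 immediates are re-split against that section's base. The relocation entries, the section index 1 for .data, the .data offset 0x7A30 and the load address 0x08804000 are all constructed for the example; the r_info field layout (type, OFS_BASE, ADDR_BASE) follows prxtool's reading of PSP relocations and is an assumption here.

```python
import struct

# MIPS relocation types as they appear in the low byte of Elf32_Rel.r_info
R_MIPS_32, R_MIPS_26, R_MIPS_HI16, R_MIPS_LO16 = 2, 4, 5, 6

def sext16(v):
    """Sign-extend a 16-bit immediate, as the CPU does for lw/addiu offsets."""
    return v - 0x10000 if v & 0x8000 else v

def parse_rel_entries(blob):
    """Parse little-endian Elf32_Rel entries from a PRX relocation section.
    PSP packs two section indices into the symbol field: OFS_BASE (section
    holding the instruction) and ADDR_BASE (section the address points into).
    Field layout as prxtool reads r_info (assumption, not from the thread)."""
    entries = []
    for off in range(0, len(blob), 8):
        r_offset, r_info = struct.unpack_from('<II', blob, off)
        entries.append((r_offset, r_info & 0xFF, (r_info >> 8) & 0xFF, (r_info >> 16) & 0xFF))
    return entries

def apply_hi16_lo16(hi_word, lo_word, target_base):
    """Relocate a lui/lw pair: rebuild the 32-bit addend the linker split across
    the two immediates, add the target section's base, and re-split it. The
    +0x8000 rounding compensates for the sign-extension of the low half."""
    addend = ((hi_word & 0xFFFF) << 16) + sext16(lo_word & 0xFFFF)
    addr = (addend + target_base) & 0xFFFFFFFF
    new_hi = ((addr + 0x8000) >> 16) & 0xFFFF
    new_lo = addr & 0xFFFF
    return (hi_word & 0xFFFF0000) | new_hi, (lo_word & 0xFFFF0000) | new_lo, addr

# The two words quoted in the first post (0x3744: lui $t1, 0x0; 0x3748: lw $t0, 16($t1)).
TEXT_WORDS = {0x3744: 0x3C090000, 0x3748: 0x8D280010}

# Constructed reloc entries for that pair (the thread shows no reloc table):
# OFS_BASE = section 0 (.text), ADDR_BASE = section 1 (assumed to be .data).
REL_BLOB = struct.pack('<IIII', 0x3744, (1 << 16) | R_MIPS_HI16,
                                 0x3748, (1 << 16) | R_MIPS_LO16)

def resolve(section_bases):
    """Resolve the pair against per-section base addresses: section file
    offsets give an in-file view like prxtool -r; load_address + offset gives
    what the loader writes into memory."""
    hi, lo = parse_rel_entries(REL_BLOB)
    target = section_bases[hi[3]]        # section index comes from the entry, not from the lui
    return apply_hi16_lo16(TEXT_WORDS[hi[0]], TEXT_WORDS[lo[0]], target)

if __name__ == "__main__":
    DATA_OFS = 0x7A30                    # hypothetical .data offset (= .text size in the listing)
    for label, bases in (("in-file view", [0, DATA_OFS]),
                         ("loaded at 0x08804000", [0x08804000, 0x08804000 + DATA_OFS])):
        hi, lo, addr = resolve(bases)
        print(f"{label}: lui 0x{hi & 0xFFFF:04X}, lw offset 0x{lo & 0xFFFF:04X} -> 0x{addr:08X}")
```

Note how the loaded case needs `lui 0x0881` with a negative low half (0xBA40), which is exactly why a disassembler cannot recover the target from the unrelocated `lui $t1, 0x0` alone.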
wth
HBL Developer
Posts: 834
Joined: Wed Aug 31, 2011 4:44 pm

Re: sceNetAdhocPtpRecv question

Post by wth »

coyotebean wrote: @wth the section address used to resolve the relocation is in the relocation entry. You cannot determine it from the instruction itself.
Ok, is there a way to see the relocation entry with prxtool? I really have no idea how to find relocation addresses :?