Old June 10th, 2010, 10:40 AM
knizz
 
I wrote a program that is supposed to find all areas in the ROM that contain executable code. Although it doesn't always work the way it should, I want to share it. It outputs a file with the same size as the ROM. A 0x01 means "at this position in the ROM there is ARM code", 0x02 stands for THUMB, and 0x03 for data that is used by the code directly.

Code:
// Copyright (c) 2010, David Kreuter
// Do what you want (with this code) cause a pirate is free... YOU ARE A PIRATE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

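typedef unsigned int   uint32;
typedef unsigned short uint16;
typedef unsigned char  uint8;

typedef   signed int   sint32;
typedef   signed short sint16;
typedef   signed char  sint8;

/* Instruction-pattern matchers: (word & mask) == pattern. They read the current
 * instruction from a local named `ra` (ARM, 32 bits) or `rt` (THUMB, 16 bits).
 * Fully parenthesised so that `!OT(...)` or `ALWAYS&&x` cannot be mis-parsed. */
#define OA(st,dt) (((ra)&(st))==(dt))
#define OT(st,dt) (((rt)&(st))==(dt))

#define ALWAYS OA(0xF0000000,0xE0000000) // ARM condition field == AL (0xE): executes unconditionally
#define STACK_SIZE 100                   // number of call-depth slots in where_lr

/* Run branch `f` as a call: if `link` is set, open a fresh where_lr slot (return address
 * starts in r14) for the callee and restore the caller's slot afterwards. When the slot
 * table is full the callee shares the caller's slot instead of writing past the array.
 * Needs locals `link` and `bsid`. Deliberately not wrapped in do{}while(0): one call
 * site passes an if/else statement and omits the trailing semicolon. */
#define LIWRP(f) if(link){bsid=sid;if(sid+1<STACK_SIZE){sid++;where_lr[sid]=14;}} f; if(link)sid=bsid;
#define L printf("%08x ",reg[0]) // For debugging: prefixes every log line with r0. Replace it if you want
#define BU memcpy(reg_backup,reg,sizeof reg) // Backup registers (needs a local uint32 reg_backup[16])
#define BD memcpy(reg,reg_backup,sizeof reg) // Restore registers

/* Bytes written into `map`, repeated for the width of the store: 4 bytes at a time for
 * ARM and data words, 2 for THUMB. 0x00 means "never reached". */
#define MAP_ARM 0x01010101
#define MAP_THUMB 0x0202
#define MAP_DIR_REF 0x03030303

const uint32 base=0x08000000; // GBA cartridge ROM start address
uint32 len;                   // ROM image size in bytes
uint8 *rom;                   // ROM bytes; rebased by main() so rom[p] uses absolute GBA addresses
uint8 *map;                   // one byte per ROM byte, same indexing as rom; see MAP_*

uint32 reg[16];               // approximated register file r0-r15
uint8  where_lr[STACK_SIZE];  // per call depth: where the return address is. 0-15 = in that
                              // register, 16 = top word of the stack, 16+n = n words below
static uint16 sid=0;          // "Stack-id": index of the current slot in where_lr

/* Little-endian word / halfword at absolute ROM address p (the rebased `rom`).
 * Assembled byte by byte so that unaligned addresses and the strict-aliasing rule are
 * not a problem, and so the result does not depend on the host's endianness. */
static inline uint32 NA(uint32 p){
	return (uint32)rom[p]|((uint32)rom[p+1]<<8)|((uint32)rom[p+2]<<16)|((uint32)rom[p+3]<<24);
}
static inline uint16 NT(uint32 p){
	return (uint16)(rom[p]|(rom[p+1]<<8));
}

void arm(uint32);
void thumb(uint32);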

/* Is the absolute address `pos` inside the loaded ROM image, i.e. in [base, base+len)? */
uint8 inrange(uint32 pos){
	uint32 end=base+len;
	if(pos<base)return 0;
	return pos<end;
}

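/* Follow ARM-mode code starting at absolute address `pos`.
 * Every visited word is marked MAP_ARM in `map`; words loaded through a decoded LDR
 * are marked MAP_DIR_REF. The walk stops at an already-mapped word, at the end of the
 * ROM, or after an unconditional branch without link. Only B/BL, BLX, BX/BLX Rm and
 * word LDR are decoded; everything else is mapped and skipped, so the tracked register
 * values are approximate. Called recursively (directly or via thumb()) for branch
 * targets; `link` decides whether the caller's registers and where_lr slot are
 * restored afterwards (see LIWRP/BU/BD). */
void arm(uint32 pos){
	uint32 reg_backup[16];
	uint16 bsid=0;
	uint8 link=0;
	
	if(!inrange(pos)){
		L;printf("Out of range: %08x\n",pos);
		return;
	}
	// inrange() in the loop condition keeps the walk from running past the end of the
	// buffers when no mapped word is hit before the ROM ends.
	for(;inrange(pos)&&!map[pos];pos+=4){
		uint32 ra=NA(pos);
		(*(uint32*)(map+pos))=MAP_ARM;
		L;printf("ARM   %08x: %08x\n",pos,ra);
		if(ra==0xFFFFFFFF){
			// Erased/unused flash: the scan has left real code. The original wrote
			// `uint8 a=0/0;` as a "breakpoint"; that is undefined behaviour and the
			// compiler may drop it entirely, so trap explicitly instead.
			L;printf("Hit 0xFFFFFFFF at %08x, aborting\n",pos);
			abort();
		}else if(OA(0x0FFFFFD0,0x012FFF10)){ // BX Rm (bit 5 = 0) / BLX Rm (bit 5 = 1)
			uint32 o=reg[ra&0xF];
			link=(ra>>5)&1; // the L bit is bit 5 (the original read bit 6, which is always 0 here)
			L;printf("BX R%d\n",(int)(ra&0xF));
			BU;
			// Bit 0 of the target selects the callee's instruction set.
			LIWRP(if(o&1)thumb(o&~1u);else arm(o&~3u))
			if(ALWAYS&&!link)return;
			BD;
		}else if(OA(0xFE000000,0xFA000000)){ // BLX imm: always links, always switches to THUMB
			// target = PC(pos+8) + SignExtend(imm24)<<2 + H<<1, H = bit 24.
			// The original had `...+(ra>>23)&0x2`, which ANDs the whole sum with 2.
			uint32 off=(ra&0xFFFFFF)<<2;
			if(off&0x02000000)off|=0xFC000000;
			L;printf("BLX\n");
			link=1;
			BU;
			LIWRP(thumb(pos+8+off+((ra>>23)&0x2)));
			BD;
		}else if(OA(0xFE700000,0xE4100000)){ // LDR Rd,[Rn,#+/-imm12] (word)
			reg[15]=pos+8; // PC reads as the current instruction + 8
			uint32 o=ra&0xFFF;
			uint32 rn=reg[(ra>>16)&0xF];
			uint32 addr=((ra>>23)&1)?rn+o:rn-o; // U bit (bit 23) selects add/subtract
			if(inrange(addr)&&inrange(addr+3)){
				L;printf("LDR PC-Relative (%08x: %08x)\n",addr,NA(addr));
				reg[(ra>>12)&0xF]=NA(addr);
				(*(uint32*)(map+addr))=MAP_DIR_REF;
			}else{
				reg[(ra>>12)&0xF]=0;
				L;printf("LDR out of range (%08x)\n",addr);
			}
		}else if(OA(0x0E000000,0x0A000000)){ //B(L)
			// target = PC(pos+8) + SignExtend(imm24)<<2; without the sign extension
			// every backward branch pointed far outside the ROM.
			uint32 off=(ra&0xFFFFFF)<<2;
			if(off&0x02000000)off|=0xFC000000;
			L;printf("B(L)\n");
			link=(ra>>24)&1;
			BU;
			LIWRP(arm(pos+8+off));
			if(ALWAYS&&!link)return;
			BD;
		}
	}
}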

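/* Follow THUMB-mode code starting at absolute address `pos`.
 * Every visited halfword is marked MAP_THUMB in `map`; words loaded through a decoded
 * LDR are marked MAP_DIR_REF. The walk ends when the routine returns (BX through LR or
 * through the register LR was moved to, or POP {..,pc}), at an already-mapped halfword,
 * or at the end of the ROM. Decoded: BX/BLX Rm, LDR (literal and [Rn,#imm]), B, B<cond>,
 * MOV Rd,LR, PUSH, POP and BL/BLX (prefix+suffix). Everything else is mapped and
 * skipped, so the tracked register values are approximate.
 * where_lr[sid] records where this routine's return address currently is:
 * 0-15 = in that register, 16 = top word of the stack, 16+n = n words below the top. */
void thumb(uint32 pos){
	uint32 reg_backup[16];
	sint32 jump_buf=0; // upper half of a BL/BLX offset, set by the prefix halfword
	uint16 bsid=0;
	uint8 link=0;

	if(!inrange(pos)){
		L;printf("Out of range: %08x\n",pos);
		return;
	}
	// inrange() in the loop condition keeps the walk from running past the buffers.
	for(;inrange(pos)&&!map[pos];pos+=2){
		uint16 rt=(uint16)(rom[pos]|(rom[pos+1]<<8)); // little-endian halfword, alignment-safe
		(*(uint16*)(map+pos))=MAP_THUMB;
		L;printf("THUMB %08x: %04x\n",pos,rt);

		if(OT(0xFF00,0x4700)){ // BX Rm (bit 7 = 0) / BLX Rm (bit 7 = 1)
			uint8 ri=(rt>>3)&0xF;
			if(ri==where_lr[sid]||ri==14){
				L;printf("Return\n");
				// No sid-- here: the caller's LIWRP restores its own slot, and branches
				// that share this slot (B, B<cond>) would otherwise lose it.
				return;
			}
			uint32 o=reg[ri];
			link=(rt>>7)&1;
			L;printf("BX (High-reg.)\n");
			BU;
			// Bit 0 of the target selects the callee's instruction set.
			LIWRP(if(o&1)thumb(o&~1u);else arm(o&~3u))
			// The original tested `!rt&0x80`, i.e. `(!rt)&0x80`, which is never true.
			if(!link)return;
			BD;
		}else if(OT(0xF800,0x4800)){ // LDR Rd,[PC,#imm8*4]
			uint32 addr=((rt&0xFF)<<2)+((pos+4)&~2u); // PC = pos+4, forced word-aligned
			if(inrange(addr)&&inrange(addr+3)){
				L;printf("LDR PC-Relative (%08x: %08x)\n",addr,NA(addr));
				reg[(rt>>8)&0x7]=NA(addr);
				(*(uint32*)(map+addr))=MAP_DIR_REF;
			}else{
				reg[(rt>>8)&0x7]=0;
				L;printf("LDR PC-Relative out of range\n");
			}
		}else if(OT(0xF800,0x6800)){ // LDR Rd,[Rn,#imm5*4]
			// imm5 is bits 10-6 and is scaled by 4 for word loads (the original masked
			// only four bits and did not scale).
			uint32 addr=reg[(rt>>3)&0x7]+(((rt>>6)&0x1F)<<2);
			if(inrange(addr)&&inrange(addr+3)){
				L;printf("LDR with immediate offset (%08x: %08x)\n",addr,NA(addr));
				reg[rt&0x7]=NA(addr);
				(*(uint32*)(map+addr))=MAP_DIR_REF;
			}else{
				reg[rt&0x7]=0;
				L;printf("LDR with immediate offset out of range\n");
			}
		}else if(OT(0xF800,0xE000)){ // B label
			// offset = SignExtend(imm11)<<1, a 12-bit two's complement value (the
			// original compared against 0x400000, which an 11-bit field never reaches).
			sint32 off=(rt&0x7FF)<<1;
			if(off&0x800)off-=0x1000;
			L;printf("B\n");
			thumb(pos+4+off);
			return;
		}else if(OT(0xF000,0xD000)){ // B<cond> label; cond 0xE/0xF are UDF/SWI, not branches
			if((rt&0x0F00)<0x0E00){
				sint32 off=rt&0xFF;
				if(off&0x80)off-=0x100;
				L;printf("B (cond.)\n");
				// Both outcomes are possible: follow the taken path first, then continue
				// with the fall-through path using the registers as they were here.
				BU;
				thumb(pos+4+2*off);
				BD;
			}
		}else if(OT(0xFF78,0x4670)){ // MOV Rd,LR (high-register form): LR now lives in Rd
			where_lr[sid]=(rt&7)+((rt>>3)&0x8);
			L;printf("RL (R14) moved to R%d\n",where_lr[sid]);
		}else if(OT(0xFE00,0xB400)){ // PUSH {Rlist[,LR]}
			// LR is stored above the list registers, so after the PUSH it sits as many
			// words below the stack top as there are list registers.
			if(rt&256){
				L;printf("Pushing LR (R14)\n");
				where_lr[sid]=16;
			}
			for(uint8 bit=0;bit<8;bit++){
				if(rt&(1<<bit)){
					L;printf("Pushing R%d\n",bit);
					if(where_lr[sid]>=16&&where_lr[sid]<255)where_lr[sid]++; // uint8: saturate rather than wrap to "r0"
				}
			}
		}else if(OT(0xFE00,0xBC00)){ // POP {Rlist[,PC]}
			// The list registers are popped (ascending) before PC, so process them first;
			// the original handled the PC bit first and could not tell whether the word
			// that ended up in PC was the saved LR.
			for(uint8 bit=0;bit<8;bit++){
				if(rt&(1<<bit)){
					L;printf("Popping to R%d\n",bit);
					if(where_lr[sid]==16){
						L;printf("Popped LR (R14) to %d\n",bit);
						where_lr[sid]=bit;
					}else if(where_lr[sid]>16){
						where_lr[sid]--;
					}
				}
			}
			if(rt&256){
				L;printf("Popping to PC (R15)\n");
				if(where_lr[sid]==16){
					where_lr[sid]=15; // Just for clarification
					L;printf("Popped LR (R14) to PC (R15)\n");
				}else{
					// Whatever is popped into PC is not the saved return address: a
					// computed jump this scanner cannot resolve, so stop here.
					L;printf("POP {pc} without LR on top of the stack, cannot follow\n");
					if(where_lr[sid]>16)where_lr[sid]--;
				}
				return;
			}
		}else if(OT(0xF800,0xF000)){ // BL/BLX prefix: upper 11 bits of the offset
			jump_buf=(rt&0x7FF)<<12;
		}else if(OT(0xE800,0xE800)){ // BL (0xF8xx) / BLX (0xE8xx) suffix: lower 11 bits
			jump_buf+=(rt&0x7FF)<<1;
			if(jump_buf>=0x00400000)jump_buf-=0x00800000; // sign-extend the 23-bit offset
			uint32 o=pos+2+jump_buf; // PC of the prefix halfword (pos-2) + 4
			L;printf("Long branch with link! (%08x to %08x){\n",pos,o);
			link=1;
			BU;
			// Bit 12 distinguishes BL (1, stays THUMB) from BLX (0, switches to ARM and
			// needs a word-aligned target); the original tested `rt>>12`, non-zero for both.
			LIWRP(if(rt&0x1000)thumb(o);else arm(o&~3u))
			BD;
			L;printf("}\n");
			jump_buf=0;
		}
	}
}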

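/* Entry point: asm-scanner <rom.gba> <rom.map>
 * Loads the whole ROM, scans from the ARM entry at `base` and from one additional
 * hard-coded THUMB address the author used for his ROM, then writes `map` (one byte
 * per ROM byte: 0 = not reached, 1 = ARM, 2 = THUMB, 3 = data referenced by code).
 * Returns 0 on success and 1 on a usage, I/O, size or allocation error; the
 * original returned 0 in every case, so a caller could not detect a failure. */
int main(int argc, char **argv){
	int rc=1;
	long size;
	FILE *f=NULL;
	if(argc!=3){L;printf("Usage: %s <rom.gba> <rom.map>\n",argv[0]);return 1;}
	if(!(f=fopen(argv[1],"rb"))){L;printf("Couldn't open %s\n",argv[1]);return 1;}
	if(fseek(f,0,SEEK_END)!=0){L;printf("Couldn't seek in %s\n",argv[1]);goto out;}
	size=ftell(f);
	// A ROM must fit into the 32-bit address space above `base`; anything else means
	// ftell() failed or the file is not a GBA image.
	if(size<=0||(unsigned long)size>0xFFFFFFFFul-base){L;printf("Bad ROM size for %s\n",argv[1]);goto out;}
	len=(uint32)size;
	rom=malloc(len);
	map=calloc(len,1); // the map starts out all "not reached"
	if(!rom||!map){L;printf("Out of memory\n");goto out;}
	if(fseek(f,0,SEEK_SET)!=0||fread(rom,1,len,f)!=len){L;printf("Couldn't read %s\n",argv[1]);goto out;}
	fclose(f); f=NULL;

	memset(reg,0,sizeof reg);
	// Rebase both buffers so rom[p]/map[p] can be indexed with absolute GBA addresses.
	// Pointer arithmetic outside the allocation is technically undefined behaviour; it is
	// kept because every scanner routine depends on it, and undone before free().
	rom-=base; map-=base;
	arm(base);
	thumb(0x080e607e); // extra THUMB entry point; specific to the ROM the author scanned
	rom+=base; map+=base;

	if(!(f=fopen(argv[2],"wb"))){L;printf("Couldn't open %s\n",argv[2]);goto out;}
	if(fwrite(map,1,len,f)!=len){L;printf("Couldn't write %s\n",argv[2]);goto out;}
	if(fclose(f)!=0){f=NULL;L;printf("Couldn't write %s\n",argv[2]);goto out;}
	f=NULL;
	rc=0;
out:
	if(f)fclose(f);
	free(rom);
	free(map);
	return rc;
}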
Now I have a few questions...
  1. Pokemon Ruby reads (and even executes) a lot of data from the 0x03000000 area. How do these code segments get there, and where are their original positions (in the ROM)?
  2. Is it true that the 3rd-gen games only use THUMB mode?
  3. What is the code at 081e082c good for?
    Spoiler:
    @ Trampoline table: each entry is `bx rN` (jump to the address held in rN) padded
    @ with `mov r8, r8`, a no-op that keeps every entry word-aligned. As the replies
    @ below explain, THUMB code reaches these via BL to call a routine at an arbitrary
    @ address held in a register; the mov after each bx is never executed.
    081e082c 4700 bx r0
    081e082e 46c0 mov r8, r8
    081e0830 4708 bx r1
    081e0832 46c0 mov r8, r8
    081e0834 4710 bx r2
    081e0836 46c0 mov r8, r8
    081e0838 4718 bx r3
    081e083a 46c0 mov r8, r8
    081e083c 4720 bx r4
    081e083e 46c0 mov r8, r8
    081e0840 4728 bx r5
    081e0842 46c0 mov r8, r8
    081e0844 4730 bx r6
    081e0846 46c0 mov r8, r8
    081e0848 4738 bx r7
    081e084a 46c0 mov r8, r8
    081e084c 4740 bx r8
    081e084e 46c0 mov r8, r8
    081e0850 4748 bx r9
    081e0852 46c0 mov r8, r8
Old June 10th, 2010, 11:53 AM
sonic1
Hi

That program sure is awesome (can't compile it xD)

About the 3 questions, I've come up with an answer for 2 of them (perhaps)

1. Have you ever thought about the structure of DMA (the thing that makes dynamic offsets in RAM in FR/LG/EM)? Well, not quite, as R/S don't have this... I don't know the structure of DMA well, but I formulated a hypothesis...
Well, imagine that there's a pointer to 020F000 (in RAM)... Now imagine that that offset has a pointer to another offset...
Like ROM POINTER>STATIC RAM POINTER>DYNAMIC RAM POINTER
I think it's the same with Ruby except for the dynamic pointer... This was made to prevent hackers without using DMA...

Now for the second question... YES. Mainly, it only uses ARM when really needed... (like in the ROM header, to set the ROM starting position, and the starting ROM code being ARM too...)

Well thats all for now

Hope it helped
Old June 10th, 2010, 12:18 PM
knizz
 
Now I'm relieved. I thought it was a bug's fault that my program didn't find any ARM code except in the header.
Old June 10th, 2010, 05:29 PM
Darthatron
Quote:
Originally Posted by knizz View Post
Now I'm relieved. I thought it was a bug's fault that my program didn't find any ARM code except in the header.
2. No, most routines are Thumb, but there are a few that are ARM7.
Old June 10th, 2010, 09:35 PM
liuyanghejerry
This is a good thought...

uint8 a=0/0;//->But...what is this...0/0?
Old June 10th, 2010, 10:06 PM
ZodiacDaGreat
Uhm, hardly any routines in Pokemon are ARM-based, besides the routine calling the main loop, I think.

The IWRAM is used for data (speaking for Ruby), for example game play time, Pokemon party data, RNG, and much more. Some of it is loaded from the ROM, some is stored there, and some is updated at every cycle of gameplay.

Regarding the functions at 081e082c: these are all used for routine jumping/branching. When an address is loaded into a register and branching is required, those functions are called via BL (branch link). The code after each bx is dead code.

Edit: I don't think an ASM scanner is wise; a disassembler like IDA Pro can do the job better and more accurately. Uhm, that's my opinion only. Hope all this helps.
Old June 11th, 2010, 04:30 AM
knizz
 
Quote:
Originally Posted by liuyanghejerry View Post
uint8 a=0/0;
Platform-independent, pure C, easily implementable and understandable breakpoint!

Quote:
Originally Posted by ZodiacDaGreat View Post
I don't think an ASM scanner is wise; a disassembler like IDA Pro can do the job better and more accurately.
Do you think that I can afford that?!?!?!?!
How does IDA work?
Old June 13th, 2010, 05:30 AM
Not_an_S
Quote:
Originally Posted by knizz View Post
Do you think that I can afford [IDA Pro]?!?!?!?!
Version 4.9 is freeware. I can't post a link because of my low post count, but it's on Hey-Ray's website under Downloads
Old June 14th, 2010, 09:37 PM
X-Buster
Quote:
Originally Posted by Not_an_S View Post
Version 4.9 is freeware. I can't post a link because of my low post count, but it's on Hey-Ray's website under Downloads
let me post the link for you.
here: http://www.hex-rays.com/idapro/idadown.htm

Old June 16th, 2010, 10:01 AM
knizz
 
Version 4.9 doesn't support GBA.
Old June 17th, 2010, 11:59 AM
Not_an_S
Neither does the new one.
I think that a plugin needs to be installed.
Old June 18th, 2010, 03:52 PM
Xenesis
Quote:
Originally Posted by ZodiacDaGreat View Post
Uhm, hardly any routines in Pokemon is ARM based, besides the routine calling the main loop I think.
You'll find this is the case with pretty well all GBA games for one simple reason: an ARM opcode is 32 bits, a THUMB opcode (with the exception of the bl instruction) is 16 bits, and the GBA's bus width for reading from the cartridge is 16 bits. Thus, any ARM opcode takes two reads to load, which is slow. Very slow. That being said, if you pre-load the code into RAM (and you will find this happens) it will execute fine.

46C0 mov r8, r8 is a functional but completely useless opcode that in that particular situation is just being used as padding to make all of the bx rx opcodes word aligned, but some people also like to use it as a breakpoint opcode when debugging. Anyhow, that chunk of code would be used for launching subroutines, as the address range of a bl opcode is limited.
Old June 20th, 2010, 09:54 AM
Full Metal
so, where do we find (or how do we make) these .map files?
Old June 20th, 2010, 02:55 PM
knizz
 
You create "map-files" by running this program.
asm-scanner(.exe) pokemon.gba pokemon.map

I tried out IDA Pro. It's very useful.
Old June 21st, 2010, 08:49 AM
Full Metal
ohhh i get it
:facepalm: i feel silly now, thanks ^-^
Old July 24th, 2010, 08:55 AM
HackMew
Quote:
Originally Posted by knizz View Post
Now I have a few questions...
  1. Pokemon Ruby reads (and even executes) a lot of data from the 0x03000000 area. How do these code segments get there, and where are their original positions (in the ROM)?
  2. Is it true that the 3rd-gen games only use THUMB mode?
  3. What is the code at 081e082c good for?
    Spoiler:
    081e082c 4700 bx r0
    081e082e 46c0 mov r8, r8
    081e0830 4708 bx r1
    081e0832 46c0 mov r8, r8
    081e0834 4710 bx r2
    081e0836 46c0 mov r8, r8
    081e0838 4718 bx r3
    081e083a 46c0 mov r8, r8
    081e083c 4720 bx r4
    081e083e 46c0 mov r8, r8
    081e0840 4728 bx r5
    081e0842 46c0 mov r8, r8
    081e0844 4730 bx r6
    081e0846 46c0 mov r8, r8
    081e0848 4738 bx r7
    081e084a 46c0 mov r8, r8
    081e084c 4740 bx r8
    081e084e 46c0 mov r8, r8
    081e0850 4748 bx r9
    081e0852 46c0 mov r8, r8
  1. Ruby (and all other 3rd gen games) copy those routines from the ROM. To track their original position you should use a debugger like VBA-SDL-H.
  2. 99% of the routines are THUMB, because they take less space and execute faster. Few of them, in particular the initialization ones, are coded in ARM though.
  3. Those are small helper routines used in most THUMB routines to call a particular subroutine stored at an arbitrary address.
Old July 26th, 2010, 02:15 AM
knizz
 
I worked a lot on the successor of the "asm-scanner" and now it is finally in a presentable state. You can find the online-demo with Pokemon Ruby at: LINK REMOVED

On the right side there is a flow-chart of the rom that grows when you browse through the asm-code on the left side. (Move away the red box before clicking anything)

The program tries to simplify the asm code like this:
Step 1:
mov r0, 0x08123456
ldr r2, r0, 0x00
Step 2:
r0 = 0x08123456
r2 = *w(r0)
Step 3:
*removed*
r2 = *w(0x08123456)
Here is a "worst-case-screenshot"
Attached Images
File Type: png Picture 1.png‎ (230.4 KB, 67 views) (Save to Dropbox)

Last edited by knizz; April 29th, 2012 at 06:42 AM.
Old July 26th, 2010, 06:59 AM
Full Metal
:O
This looks like it could really help me learn asm ;D
so...this is like the olly of gba roms?
But most of that code didn't look like asm...hm...would be nice if it was shown side-by-side XP(no, i dont mean that as in it has an emulator built in, thats what VBA is for)
Old July 26th, 2010, 08:43 AM
knizz
 
Quote:
Originally Posted by Full Metal View Post
:O
This looks like it could really help me learn asm ;D
so...this is like the olly of gba roms?
But most of that code didn't look like asm...hm...would be nice if it was shown side-by-side XP(no, i dont mean that as in it has an emulator built in, thats what VBA is for)
In fact the first version displayed real asm-code. It doesn't look like asm *now* because I don't *want* it to look like asm. I described the transformation in my previous post.
Old July 26th, 2010, 09:15 AM
HackMew
Well, the non-ASM code in the picture is actually more confusing to read than pure ASM code from my point of view...

Code:
@ Disassembly excerpt (listing-tool output): address, raw halfword, instruction; the
@ "(=$...)" annotations show the literal-pool values. The comments below are for
@ orientation only; what this routine computes is not established by the listing itself.
081de39c  b570 push {r4-r6,lr}      @ prologue: saves r4-r6 and the return address
081de39e  1c02 add r2, r0, #0x0     @ r2 = r0 (first argument)
081de3a0  481e ldr r0, [$081de41c] (=$03007ff0)   @ 0x03007ff0 lies in IWRAM (the 0x03000000 area discussed above)
081de3a2  6804 ldr r4, [r0, #0x0]   @ r4 = word at 0x03007ff0 — presumably a pointer to a data block (unverified)
081de3a4  20f0 mov r0, #0xf0
081de3a6  0300 lsl r0, r0, #0x0c    @ r0 = 0xf0 << 12 = 0x000f0000
081de3a8  4010 and r0, r2           @ r0 = argument & 0x000f0000
081de3aa  0c02 lsr r2, r0, #0x10    @ r2 = (argument >> 16) & 0xf
081de3ac  2600 mov r6, #0x0
081de3ae  7222 strb r2, [r4, #0x8]  @ byte store at r4+8
081de3b0  491b ldr r1, [$081de420] (=$0842fae8)   @ table base in ROM
081de3b2  1e50 sub r0, r2, #0x1
081de3b4  0040 lsl r0, r0, #0x01    @ r0 = (r2-1)*2: halfword index
081de3b6  1840 add r0, r0, r1
081de3b8  8805 ldrh r5, [r0, #0x0]  @ r5 = halfword table[r2-1]
081de3ba  6125 str r5, [r4, #0x10]
081de3bc  20c6 mov r0, #0xc6
081de3be  00c0 lsl r0, r0, #0x03    @ r0 = 0xc6 << 3 = 0x630
081de3c0  1c29 add r1, r5, #0x0     @ r1 = r5
081de3c2  f002 bl $081e0868         @ call with (r0, r1); called three times in this excerpt, so presumably a shared helper (unverified)
081de3c6  72e0 strb r0, [r4, #0xb]
081de3c8  4816 ldr r0, [$081de424] (=$00091d1b)
081de3ca  4368 mul r0, r5
081de3cc  4916 ldr r1, [$081de428] (=$00001388)
081de3ce  1840 add r0, r0, r1       @ r0 = r5 * 0x91d1b + 0x1388
081de3d0  4916 ldr r1, [$081de42c] (=$00002710)
081de3d2  f002 bl $081e0868
081de3d6  1c01 add r1, r0, #0x0
081de3d8  6161 str r1, [r4, #0x14]
081de3da  2080 mov r0, #0x80
081de3dc  0440 lsl r0, r0, #0x11    @ r0 = 0x80 << 17 = 0x01000000
081de3de  f002 bl $081e0868
081de3e2  3001 add r0, #0x1
081de3e4  1040 asr r0, r0, #0x01    @ r0 = (r0 + 1) / 2, arithmetic shift
081de3e6  61a0 str r0, [r4, #0x18]
081de3e8  4811 ldr r0, [$081de430] (=$04000102)   @ 0x0400xxxx is the GBA I/O register area (timer 0 registers — confirm against a GBA register map)
081de3ea  8006 strh r6, [r0, #0x0]  @ writes r6, still 0 from above, to that register
081de3ec  4c11 ldr r4, [$081de434] (=$04000100)
081de3ee  4812 ldr r0, [$081de438] (=$00044940)
081de3f0  1c29 add r1, r5, #0x0
All those "+00" could easily be skipped to remove needless complexity, for example. Pointer dereferencing is not a very good idea either. Oh, and brackets could help too.
Old July 26th, 2010, 09:37 AM
knizz
 
Quote:
Originally Posted by HackMew View Post
Well, the non-ASM code in the picture is actually more confusing to read than pure ASM code from my point of view...

All those "+00" could easily be skipped to remove needless complexity, for example. Pointer dereferencing is not a very good idea either. Oh, and brackets could help too.
Atm that's true. The +00 are there because I use string templates instead of operation trees. To solve that I'll add a flag to each register to indicate that its value is static and can be calculated without emulating. But to do that I'll have to reimplement all opcodes.

And the brackets are missing for the same reason, because I save the add instruction like this: "1+2". The numbers are substituted by the strings from previous instructions or by the register names. For this problem I'll make an operator-priority list. The other way would be to make the patterns like "(1)+(2)", but that would be a mess. (*((((4)+(35))*(((4)-(3))+(4))/(4)))... no thanks.
Old July 29th, 2010, 11:52 PM
knizz
 
I updated the online-version. Temporary registers are now only shown when the called function actually uses them. There are still lots of bugs (Brackets, +00, etc.) but it certainly improved. It uses Firered instead of Ruby now.

LINK REMOVED

Last edited by knizz; April 29th, 2012 at 06:41 AM.
Old July 30th, 2010, 06:18 AM
Full Metal
Haha, as tempting as this is to use, I think I'll learn asm the way everybody else did.
>.<
Old July 30th, 2010, 03:19 PM
Xenesis
Yeah, I have to admit I have no idea what the heck is happening in your picture. I suppose it's one of those CISC vs RISC things and is a matter of preference.

Also, I can't connect to your site link to take a look at the real thing...

Still, good luck with it.