Module UID to address

[bbtgp32465]

I was doing a little reversing on SensMe yesterday and i ran across some code i couldn't really figure out:

First, the part of the function im working on gets the module uid like so sceKernelGetModuleIdByAddress(module_start) and passess it to another function.

This is the part i don't understand- $s1 is the module id

Code: Select all

	0x0011A034: 0x001117C3 '....' - sra        $v0, $s1, 31
	0x0011A038: 0x000216C2 '....' - srl        $v0, $v0, 27
	0x0011A03C: 0x02221821 '!.".' - addu       $v1, $s1, $v0
	0x0011A040: 0x3063001F '..c0' - andi       $v1, $v1, 0x1F
	0x0011A044: 0x00621823 '#.b.' - subu       $v1, $v1, $v0
	0x0011A048&#58; 0x3C020096 '...<' - lui        $v0, 0x96
; Data ref 0x0095CD34 ... 0x00000000 0x00000000 0x00000000 0x00000000 
	0x0011A04C&#58; 0x2442CD34 '4.B$' - addiu      $v0, $v0, -13004
	0x0011A050&#58; 0x00039080 '....' - sll        $s2, $v1, 2
	0x0011A054&#58; 0x08046818 '.h..' - j          loc_0011A060
	0x0011A058&#58; 0xAE91037C '|...' - sw         $s1, 892&#40;$s4&#41;

loc_0011A060&#58;		; Refs&#58; 0x0011A054 
	0x0011A060&#58; 0x02422821 '!&#40;B.' - addu       $a1, $s2, $v0
	0x0011A064&#58; 0x8CA30084 '....' - lw         $v1, 132&#40;$a1&#41;
	0x0011A068&#58; 0x10600012 '..`.' - beqz       $v1, loc_0011A0B4

My reverse looks like this
int address = ((((((0x0435AB53/2)^31)>>27)+0x0435AB53)&0x1f)-(((0x0435AB53/2)^31)>>27)<<2)+((0x96<<16)+-13004);
and it returns
0x0095CD80

so unless it throws a bus error which it doesn't, there must be something im not getting.

[a_noob]

I am assuming s1 = 0x0435AB53

I get

Code: Select all

//may want to look into this, i just threw the logic shift together, im sure theres a better way
#define LOGICAL_RIGHT&#40;v, shift&#41; &#40;&#40;v < 0&#41;?&#40;&#40;v >> shift&#41;|&#40;0x01 << 31&#41;&#41;&#58;&#40;v >> shift&#41;&#41;
#define LOGICAL_LEFT&#40;v, shift&#41; &#40;&#40;v < 0&#41;?&#40;&#40;v << shift&#41;|&#40;0x01 << 31&#41;&#41;&#58;&#40;v << shift&#41;&#41;


int s1 = 0x0435AB53;
int v0 = s1 >> 31;//arithmetic right shift
v0 = LOGICAL_RIGHT&#40;v0,27&#41;;
int v1 = s1 + v0;
v1 &= 0x1F;
v1 -= v0;
v0 = 0x96;
v0 += 0xCD34 << 16;
int s2 = LOGICAL_LEFT&#40;v1,2&#41;;

I am definitely no ASM expert but from the looks of it it is looking for some sort of offset in the module maybe? Maybe looking at its import table? Then again 0x0095CD80 is quite large, does it even exist in the file?

[bbtgp32465]

Yes that's much to large. The UID was 0x0435AB53 and after i ran it though my reverse it was 0x0095CD80 but its not large enough to be a address either as the code implies.

Im going to have psplink step through the code later to see what the registers are while its doing its thing. Should help me understand it more.

[bbtgp32465]

well there it is...

Code: Select all

zr:0x00000000 at:0xDEADBEEF v0:0x00000001 v1:0x00000000
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

sra        $v0, $s1, 31
zr:0x00000000 at:0xDEADBEEF v0:0x00000001 v1:0x00000000
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

srl        $v0, $v0, 27
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000000
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

addu       $v1, $s1, $v0
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x04641535
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

andi       $v1, $v1, 0x1F
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000015
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

subu       $v1, $v1, $v0
zr:0x00000000 at:0xDEADBEEF v0:0x00000000 v1:0x00000015
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

lui        $v0, 0x918
zr:0x00000000 at:0xDEADBEEF v0:0x09180000 v1:0x00000015
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

addiu      $v0, $v0, 24116
zr:0x00000000 at:0xDEADBEEF v0:0x09185E34 v1:0x00000015
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x0BBAFEE0 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

sll        $s2, $v1, 2
zr:0x00000000 at:0xDEADBEEF v0:0x09185E34 v1:0x00000015
a0:0x00000001 a1:0x0BBAFB00 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x00000054 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

addu       $a1, $s2, $v0
zr:0x00000000 at:0xDEADBEEF v0:0x09185E34 v1:0x00000015
a0:0x00000001 a1:0x09185E88 a2:0xDEADBEEF a3:0xDEADBEEF
t0:0xDEADBEEF t1:0xDEADBEEF t2:0xDEADBEEF t3:0xDEADBEEF
t4:0xDEADBEEF t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x0BBAFEF4 s1:0x04641535 s2:0x00000054 s3:0x00000014
s4:0x0BBAFB00 s5:0x0BBAFB00 s6:0xDEADBEEF s7:0xDEADBEEF
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x0BBAFF00 k1:0x00000000
gp:0x0900DA30 sp:0x0BBAFA80 fp:0x0BBAFEA0 ra:0x08943130

still doesn't make any since though.

[a_noob]

Is it just me or did the shifts do nothing to the registers? This is a weird chunk of code, maybe you should leave this block be, and move on, maybe some other code will make this chunk more transparent.

[Davee]

Code: Select all

u32 val = modid >> 31; /* modid is an int &#40;SceUID&#41; so if modid is < 0, it gets sign extended &#40;srA&#41; */
val >>= 27; /* srL so val is unsigned */

u32 index = &#40;modid + val&#41; & 0x1F; /* note if modid < 0, val = 0x1F, this isolates the bottom 5 bits */
index -= val;

_sw&#40;modid, $s4 + 892&#41;;

/* then it accesses an array of 32bit values &#40;we assume as sll 2 = index * 4 &#40;4 * 8 = 32bit&#41;&#41; at 0x95CD34, loading and checking if it is 0, also 132 beyond so I assume it is a structure */

if &#40;dword_array_95CD34&#91;index&#93;.unk_132 == 0&#41;
	//jump to loc_0011A0B4

Ultimately this code is full of garbage. My translation would be

Code: Select all

_sw(modid, $s4 + 892);

if (dword_array_95CD34[modid % 32].unk_132 == 0)
	//jump to loc_0011A0B4

I assume it's a modulo due to index nature but I'm not sure. Same thing as "& 0x1F".

[bbtgp32465]

Thanks guys, helped me out a little.