maybe I'd be better at getting back into my reverse engineering projects if getting back into them didn't involve first figuring out which of the 13 Ghidra versions I have installed is for that project
-
Alexander The 1st replied to Foone🏳️⚧️
@foone @rotopenguin Is this the one with that one anime avatar image in the bundle? Or a different Wheel of Fortune game?
-
Dave Murphy (he/him) replied to Dave Murphy (he/him)
@foone lol nvm. I finally read to the relevant parts of the thread. https://digipres.club/@foone/113059464273865702
Begs the question why newer versions of ghidra can't load extensions for old versions. Is there some kind of ABI breakage going on? An issue with java?
-
Foone🏳️⚧️ replied to Dave Murphy (he/him)
@davejmurphy Ghidra just refuses to load incorrect-version extensions, even if they would work. So you'd have to set up the java environment to compile your own, which I've not bothered with
-
Foone🏳️⚧️ replied to Alexander The 1st
@AT1ST @rotopenguin different one! no incest anime here.
-
I think I officially did too much Rust programming. I'm back on my home turf of python(2), and I'm missing the match expression
-
@foone Just switch to Python 3.10 or later? Which has a match expression? https://peps.python.org/pep-0635/
-
@clayote probably should do that yeah.
-
okay it kind of does relocation backwards.
my understanding is that the way this is done on sensible platforms is that there's an executable that's like "hey, when you load me, shove the pointer to GetWindowTextA at offset 0x234805 in my code"
-
this instead steps through the entire code looking for specific bytecode opcodes that it knows need relocation.
so when it sees a pvm_Jump opcode, it knows that although that opcode takes an absolute address, it interprets the current "absolute address" as an index into a jump table, which it then overwrites the current value with.
-
I'd love to do more logging on what the game is actually doing at runtime, but it turns out this interpreter is multithreaded. It's running tons of scripts at the same time, and it's really a pain to track which execution is for which script
-
plus the debug logging capabilities of the emulator are abysmal
-
oh god
please tell me you fools didn't design a bytecode VM with DELAY SLOTS
-
ahh, it uses a 24-bit addressing scheme. nice.
-
or rather, it's an encoding scheme where they tag their pointers. and if the upper byte of a 32-bit pointer is 1 or 0, it gets relocated.
-
so this resolveRefs function iterates through all the code and it sometimes sets a local boolean
it never, ever, reads it. WHY IS THIS HERE?
-
so, this specific bytecode looks like this:
pvm_PushConstant 0
and you might think that just pushes a zero onto the stack. Nope! it instead looks up constant #0, which according to the table for this file, is... 0. oh.
-
for (iVar2 = 0; iVar2 < (int)(uint)*(ushort *)(((uint)((PVOpCode *)pdata + 4) & 0xfffffffc) + 2); iVar2 = iVar2 + 1) {
is that enough casts, ghidra?
-
You know you've got a great decompiler when it's way easier to figure out WTF the pointers are doing by just reading the powerpc disassembly
-
okay I got most of the relocation step finished. I haven't managed the switch statement (IT'S COMPLICATED AND INVOLVES POINTERS) and the EnterFrame statement, because I'm not really sure what the fuck it's doing.
-
@foone is this. is this wheel of fortune