maybe I'd be better at getting back into my reverse engineering projects if getting back into them didn't involve first figuring out which of the 13 Ghidra versions I have installed is for that project
-
@foone Just switch to Python 3.10 or later? Which has a match expression? https://peps.python.org/pep-0635/
-
@clayote probably should do that yeah.
-
okay it kind of does relocation backwards.
my understanding is that the way this is done on sensible platforms is that there's an executable that's like "hey, when you load me, shove the pointer to GetWindowTextA at offset 0x234805 in my code" -
this instead steps through the entire code looking for specific bytecode opcodes that it knows need relocation.
so when it sees a pvm_Jump opcode, it knows that although that opcode takes an absolute address, it interprets the current "absolute address" as an index into a jump table, which it then overwrites the current value with.
-
I'd love to do more logging on what the game is actually doing at runtime, but it turns out this interpreter is multithreaded. It's running tons of scripts at the same time, and it's really a pain to track which execution is for which script.
-
plus the debug logging capabilities of the emulator are abysmal
-
oh god
please tell me you fools didn't design a bytecode VM with DELAY SLOTS
-
ahh, it uses a 24-bit addressing scheme. nice.
-
or rather, it's an encoding scheme where they tag their pointers. and if the upper byte of a 32-bit pointer is 1 or 0, it gets relocated.
-
so this resolveRefs function iterates through all the code and it sometimes sets a local boolean
it never, ever, reads it. WHY IS THIS HERE?
-
so, this specific bytecode looks like this:
pvm_PushConstant 0
and you might think that just pushes a zero onto the stack. Nope! it instead looks up constant #0, which according to the table for this file, is... 0. oh.
-
for (iVar2 = 0; iVar2 < (int)(uint)*(ushort *)(((uint)((PVOpCode *)pdata + 4) & 0xfffffffc) + 2); iVar2 = iVar2 + 1) {
is that enough casts, ghidra?
-
You know you've got a great decompiler when it's way easier to figure out WTF the pointers are doing by just reading the powerpc disassembly
-
okay I got most of the relocation step finished. I haven't managed the switch statement (IT'S COMPLICATED AND INVOLVES POINTERS) and the EnterFrame statement, because I'm not really sure what the fuck it's doing.
-
@foone is this. is this wheel of fortune
-
@petrapup yes
-
@foone Reminds me of a game I was looking at which used a virtual filesystem with a sidecar file containing the filenames…on one platform. They didn’t ship it on the other platform and the file sizes/orders didn’t line up.
-
@misty yikes.
-
@foone lol, I don’t use Ghidra much for a variety of reasons but a friend once sent me this tip about turning off type casting: Tool Options -> Decompiler -> Display -> Disable Printing of Type Casts
-
@blackBoxRE oooooh