
Re: Reverse engineering the SMU (iMac G5, newer single-pro G5)



On Thu, Apr 14, 2005 at 01:48:29PM +0100, Francois wrote:
> There are far more branching instructions than don't use jbsr, but I
> don't know how to interpret them. For instance:
> 
> ---
> lwz     r2,__ZN23SMU_Neo2_PlatformPluginC2EPK11OSMetaClass(r3)
> lwz     r12,0x368(r2)
> mtspr   ctr,r12
> bctrl
> ---
> 
> Looks like a jump to __ZN23SMU_Neo2_PlatformPluginC2EPK11OSMetaClass (is
> this right?).

Well, the equivalent in C (if this was a function on its own, which it isn't
due to the lack of stack management) would be something like this:

---
typedef void (*voidfunc)(char *);

void func(char *this)
{
	char *tmp;     /* r2: pointer loaded out of the object */
	voidfunc func; /* r12: code pointer loaded out of that table */

	/* lwz r2,SYM(r3): SYM is the displacement the disassembler printed */
	tmp = *(char **)(this + __ZN23SMU_Neo2_PlatformPluginC2EPK11OSMetaClass);
	/* lwz r12,0x368(r2) */
	func = *(voidfunc *)(tmp + 0x368);
	/* mtspr ctr,r12 ; bctrl -- r3 (this) is passed through untouched */
	func(this);
}
---

Obviously, the return types on the functions and arguments and such are
purely for example. This code only has one input, and no obvious outputs.
I would guess (as did someone else) that this was originally objective-C
code, and this is a very optimised form of a method call on an object.
It seems to be deliberately leaving r3 alone, which would make that an
implicit first argument to the subroutine being called. The fact that the
branch saves the link implies that it is a function of some sort. My guess
is that r3 contains a pointer to the object, and the two loads are to
get to the addresses of the methods, then to the correct method.

Just as a note, r2 is sometimes used as a safe spot to store a pointer
to the TOC or other global environment type stuff. Depending on the
runtime environment of this snippet, it may be important that r2 is
being used as one of the intermediate loads.

	Brad Boyer
	flar@allandria.com
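As an added illustration (not from Brad's mail or from the SMU driver), the following C program models the double-load dispatch described above: the first lwz fetches a table pointer stored in the object, the second picks the code pointer 0x368 bytes into that table, which on a 32-bit PowerPC is slot 0x368/4 = 218, and the object pointer in r3 is handed to the callee unchanged. TABLE_OFFSET, the method body and the table size are constructed assumptions; the real SMU plugin's layout is not known here.

```c
#include <stdio.h>
/* Constructed model, not the SMU plugin's real layout. */
#define TABLE_OFFSET      0u      /* assumed displacement of the table pointer in the object (first lwz) */
#define PPC_DISPLACEMENT  0x368u  /* displacement in the second lwz, taken from the listing */
#define PPC_PTR_SIZE      4u      /* 32-bit PowerPC: one code pointer per 4-byte slot */
#define SLOT              (PPC_DISPLACEMENT / PPC_PTR_SIZE)  /* 0x368 / 4 = 218 */
typedef int (*method_t)(void *self);

struct object {
    method_t *table;   /* lives at TABLE_OFFSET; points at an array of code pointers */
    int value;
};

/* Constructed method placed in slot 218 so the dispatch has something to land on. */
static int method_in_slot_218(void *self)
{
    return ((struct object *)self)->value * 2;
}

/* Slot number addressed by a 32-bit PowerPC lwz displacement. */
unsigned slot_index(unsigned displacement)
{
    return displacement / PPC_PTR_SIZE;
}

/* Emulates: lwz r2,TABLE_OFFSET(r3); lwz r12,0x368(r2); mtspr ctr,r12; bctrl
   The host's pointers may be wider than 4 bytes, so the second displacement
   is rescaled from the PPC slot size to the host's sizeof(method_t). */
int indirect_call(void *r3)
{
    char *r2 = *(char **)((char *)r3 + TABLE_OFFSET);
    method_t r12 = *(method_t *)(r2 + SLOT * sizeof(method_t));
    return r12(r3);   /* r3 is left alone and becomes the callee's first argument */
}

/* Builds a table with 219 slots, fills slot 218, and dispatches through it. */
int demo(void)
{
    static method_t table[SLOT + 1];
    struct object obj = { table, 21 };
    table[SLOT] = method_in_slot_218;
    return indirect_call(&obj);   /* 42 */
}

int main(void)
{
    printf("slot %u -> %d\n", slot_index(PPC_DISPLACEMENT), demo());
    return 0;
}
```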
