lab313ru / ghidra_psx_ldr

Sony Playstation PSX executables loader for GHIDRA

jalr instructions #19

Closed rackarm closed 4 years ago

rackarm commented 4 years ago

First of all, thank you very much for all of your excellent work!

I'm trying to analyze the Team Buddies game (SCES-01923). It was a really fun game, and especially a really well designed game. Two papers have been written about its internal design:

- An Object Model for Behavioural Planning in a Dynamic Multi-Agent System.pdf
- Love thine Agent - Implementing believable agents using augmented transition networks.pdf

The game uses overlays, and I can understand the way it does it, but also load the overlays into Ghidra and reference the functions in them.

But I face some problems and I wonder if it's from the game instructions or me not doing the right thing.

In the main function, an OVERLAY.DAT file is loaded; it contains entries of 48 bytes each. Every entry has a name (e.g. SYS.BIN) and it seems to also have an offset.

The struggle comes when calling a function which is inside an overlay. When the jal instruction is used it's easy: I just have to patch the instruction with the right address and reference the overlay. But sometimes the jalr instruction is used, so the address is computed from memory.

```c
  FUN_8001a474("\\OVERLAY.DAT;1");
  DAT_80010204 = (code **)&DAT_80010184;
  $loadOverlayEntry(0);
  (*DAT_80010204[6])();
  (*DAT_80010204[7])();
  (*DAT_80010204[9])();
  $loadOverlayEntry(1);
  $loadOverlayEntry(3);
  (**DAT_80010204)();
  (*DAT_80010204[6])();
```

(the $loadOverlayEntry was renamed by me)

At the moment, to get the right addresses used by the jalr instructions, I use no$psx to debug the game and read the address from the register.

So have you ever encountered such behaviours? If so, how do you deal with them?

I've not attached any of the game files here, but I can if you want.

lab313ru commented 4 years ago

Hi,

Thank you for your feedback!

Try using the Overlay Manager to load the overlay file, then use the R hotkey at jalr instructions to set up a different address space where the instruction points to (you will be able to choose it after loading the overlay file).

You are also able to load more than one overlay, if you need it.

rackarm commented 4 years ago

Thank you for your response.

Yes, I use the Overlay Manager to load all the overlays:

[screenshot]

And I change the reference of the JAL instructions (e.g. line 14), but I can't with JALR instructions (e.g. line 15):

[screenshot]

If I understand well, JALR works by jumping to the address contained in the v1 register. And I can't easily compute these addresses (I use a debugger for that).

I will try to see if I can create a script to ease the computing of these addresses.
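
The script idea above can be sketched offline without the Ghidra API. The block below is an added example, not code from the issue or from the ghidra_psx_ldr project: it models the pattern in the decompiler listing, where DAT_80010204 points at a table of code pointers at DAT_80010184 and each `(*DAT_80010204[i])()` becomes a jalr through that table. It reads the table as little-endian u32 values, decides which loaded overlay (or the main executable's ram: space) owns each target, and prints the overlay-qualified address. The overlay names, base addresses, sizes and table contents are all constructed for the example; only the symbol names come from the thread.

```python
"""Resolve jalr targets that go through a code-pointer table (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Overlay:
    """A loaded code region: name as shown in Ghidra's address space combobox, base, size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Hypothetical layout; real values would come from the game's OVERLAY.DAT entries.
MAIN_EXE = Overlay("ram", 0x80010000, 0x00060000)
OVERLAYS: List[Overlay] = [
    Overlay("SYS.BIN", 0x80100000, 0x00020000),   # constructed range
    Overlay("GAME.BIN", 0x80120000, 0x00040000),  # constructed range
]

TABLE_ADDR = 0x80010184  # DAT_80010184 from the decompiler listing

# Constructed table contents: zero slots stand for entries not yet filled
# (i.e. the overlay that installs them has not been loaded at that point).
SAMPLE_TARGETS = [0x80101000, 0x80101100, 0, 0, 0, 0,
                  0x80102340, 0x80121000, 0, 0x8001A474]


def build_table(targets: List[int]) -> bytes:
    """Serialise the table as the PSX (little-endian MIPS) stores pointers."""
    return struct.pack("<%dI" % len(targets), *targets)


def read_table(blob: bytes, base: int) -> Dict[int, int]:
    """Map each table slot address to the code pointer stored in it."""
    count = len(blob) // 4
    values = struct.unpack("<%dI" % count, blob[: 4 * count])
    return {base + 4 * i: v for i, v in enumerate(values)}


def resolve(addr: int) -> Optional[str]:
    """Name of the region that owns addr, or None (unfilled slot / unknown)."""
    for region in [MAIN_EXE] + OVERLAYS:
        if region.contains(addr):
            return region.name
    return None


def ghidra_address(addr: int) -> str:
    """Overlay-qualified address in the form Ghidra shows (assumed 'space::offset')."""
    owner = resolve(addr)
    return "%s::%08x" % (owner, addr) if owner else "unresolved:%08x" % addr


def jalr_targets(table: Dict[int, int], indices: List[int]) -> Dict[int, Tuple[int, Optional[str]]]:
    """For each (*DAT_80010204[i])() call, return (target, owning region)."""
    out: Dict[int, Tuple[int, Optional[str]]] = {}
    for i in indices:
        target = table[TABLE_ADDR + 4 * i]
        out[i] = (target, resolve(target))
    return out


if __name__ == "__main__":
    table = read_table(build_table(SAMPLE_TARGETS), TABLE_ADDR)
    # Indices used by the calls in the listing: [0] via (**DAT_80010204)(), then 6, 7, 9.
    for idx, (target, owner) in jalr_targets(table, [0, 6, 7, 9]).items():
        print("DAT_80010204[%d] -> %s" % (idx, ghidra_address(target)))
```

Slots that resolve to None are the ones worth checking in the debugger: they are filled at runtime (here after `$loadOverlayEntry`), so the static table alone cannot tell which overlay the jalr ends up in.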

lab313ru commented 4 years ago

Ghidra usually calculates all such references correctly. But if you don't see any reference even into the ram: address space, then yes, you need to calculate them manually. And if you do see them, then you just need to change the address space in the address space combobox.

rackarm commented 4 years ago

Hmm, ok, this is what I thought first. Thank you very much!