{"id":339,"date":"2006-11-15T23:11:11","date_gmt":"2006-11-16T06:11:11","guid":{"rendered":"http:\/\/multimedia.cx\/eggs\/risc-re\/"},"modified":"2006-12-08T19:30:12","modified_gmt":"2006-12-09T03:30:12","slug":"risc-re","status":"publish","type":"post","link":"https:\/\/multimedia.cx\/eggs\/risc-re\/","title":{"rendered":"RISC RE"},"content":{"rendered":"<p>I sometimes hypothesize about reverse engineering code compiled for alternate (i.e. non-x86) CPU architectures. It makes one question why so much effort is focused on x86 RE (to which the simple and immediate answer is, because all the interesting code is compiled for the x86 architecture). Maybe I&#8217;m just enamored of how neat RISC code tends to be, with typical architectures featuring 32-bit instruction words. Writing a disassembler for one obviously involves not even a fraction of the complexity of a decent x86 disassembler. Fortunately, the GNU binutils already take care of the disassembly details (I recently posted a <a href=\"http:\/\/wiki.multimedia.cx\/index.php?title=Objdump\">Wiki page on using objdump<\/a>, even cross-compiling for non-native architectures). Here is some representative disassembly from a PowerPC ELF binary, for those who have never been exposed:<\/p>\n<pre>\r\n   16b40:       80 e1 01 14     lwz     r7,276(r1)\r\n   16b44:       7c 09 3a 14     add     r0,r9,r7\r\n   16b48:       7d 3e 00 ae     lbzx    r9,r30,r0\r\n   16b4c:       55 20 e1 3e     rlwinm  r0,r9,28,4,31\r\n   16b50:       48 00 00 08     b       16b58\r\n   16b54:       38 00 00 0f     li      r0,15\r\n   16b58:       2c 0b 00 0f     cmpwi   r11,15\r\n   16b5c:       7c 04 03 78     mr      r4,r0\r\n   16b60:       40 82 00 54     bne-    16bb4\r\n   16b64:       88 19 00 02     lbz     r0,2(r25)\r\n<\/pre>\n<p>Quite a change from the typical x86 slop. Though I sometimes wonder what the &#8216;reduced&#8217; in reduced instruction set computer (RISC) is really supposed to mean. 
It definitely doesn&#8217;t indicate reduced functionality for individual instructions. I looked up that <em>rlwinm<\/em> instruction: <a href=\"http:\/\/publib.boulder.ibm.com\/infocenter\/pseries\/v5r3\/topic\/com.ibm.aix.aixassem\/doc\/alangref\/rlwinm.htm\">Rotate Left Word Immediate Then AND with Mask<\/a>. I had started to wonder whether it would be simpler to compose <a href=\"http:\/\/multimedia.cx\/eggs\/unnamed-re-project\/\">an assembly re-targeter<\/a> for a RISC CPU, until I read up on this instruction.<\/p>\n<p>And here&#8217;s some MIPS RISC code:<\/p>\n<pre>\r\n  20157c:       84820002        lh      v0,2(a0)\r\n  201580:       2484000a        addiu   a0,a0,10\r\n  201584:       44820000        mtc1    v0,$f0\r\n  201588:       46800020        cvt.s.w $f0,$f0\r\n  20158c:       46010002        mul.s   $f0,$f0,$f1\r\n  201590:       e4600000        swc1    $f0,0(v1)\r\n  201594:       0501fff2        bgez    t0,0x201560\r\n  201598:       24630008        addiu   v1,v1,8\r\n  20159c:       1000000a        b       0x2015c8\r\n  2015a0:       3c020000        lui     v0,0x0\r\n<\/pre>\n<p>If memory serves, with MIPS CPUs you get the added fun of manually tracking the CPU pipelining in your head. That is, an arithmetic operation from one instruction may not have completed by the time the next instruction operates on the same register; the compiler was specifically counting on that, and you need to count on it as well during your RE efforts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I sometimes hypothesize about reverse engineering code compiled for alternate (i.e. non-x86) CPU architectures. It makes one question why so much effort is focused on x86 RE (to which the simple and immediate answer is, because all the interesting code is compiled for the x86 architecture). 
Maybe I&#8217;m just enamored at how neat RISC code [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-339","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/comments?post=339"}],"version-history":[{"count":0,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/339\/revisions"}],"wp:attachment":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/media?parent=339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/categories?post=339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/tags?post=339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}