TI(德州仪器) TMS320C674x逆向分析之二

TI官网文档：

http://www.ti.com/product/tms320c6745/technicaldocuments

里面资料非常详细，可以对着里面一个个看，用的比较多的两个文档：

TMS320C674x指令格式：TMS320C674x DSP CPU and Instruction Set User's Guide .pdf

芯片相关的接口地址可以到这里找：  TMS320C6745, TMS320C6747 Fixed- and Floating-Point Digital Signal Processor (Rev. F)

下面是网上收集的C6000的反汇编实例，C674x与之大致类似。

1、C6000汇编实例详解1

void tsk_test5(void){  unsigned int i,j;  unsigned char a,b;  unsigned long l;  i=0xAA55;  j=0x55AA;  a=0x88;  b=0x99;  l=0x11223344;  while(1){      iprintf(\"haha5\\n\");   TSK_time();   iprintf(\"test5 time = %d,count = %d\",TSK_time(),count++);   funtionarg(i,b,l);   }   }

void tsk_test5(void){8000AEB0       STW.D2T2   B3,*SP--[10]   //SP=SP-4*10;*(SP)=B3；SP向下增长，8000AEB4       NOP      2     i=0xAA55;8000AEB8       MVK.S1    0xffffaa55,A3  //A3=0xffffaa558000AEBC       .fphead    p, l, W, BU, nobr, nosat, 0000010 //不知道，好像是个系统调用8000AEC0       MVKH.S1    0x0000,A3    //把0x0000赋值给A3的高16，A3=0x0000AA558000AEC4       STW.D2T1   A3,*B15[5]   //i是局部变量，压入栈中,*(B15+4*5)=A3(B15==SP).8000AEC6       NOP      2     j=0x55AA;8000AEC8       MVK.S2    0x55aa,B4    //B5=0x55aa8000AECC       STW.D2T2   B4,*B15[6]    //*(B15+4*6)=B4(B15==SP).8000AECE       NOP      2     a=0x88;8000AED0       MVK.S1    0x0088,A38000AED4       STB.D2T1   A3,*+SP[28]  //*(SP+28)=A38000AED8       NOP      2     b=0x99;8000AEDA       MVK.S2    153,B48000AEDC      .fphead    n, l, W, BU, nobr, nosat, 10010108000AEE0       STB.D2T2   B4,*+SP[29]  //*(SP+29)=B48000AEE4       NOP      2     l=0x11223344;8000AEE8       MVK.S2    0x3344,B48000AEEC       MVKH.S2    0x11220000,B48000AEF0 ||     MVK.L2    0,B58000AEF4       STDW.D2T2   B5:B4,*+SP[4] //长整型，8字节，*(SP+4×4)=B5:B48000AEF8       NOP           iprintf(\"haha5\\n\");8000AEFC     C$DW$L$_tsk_test5$2$B, C$L4:8000AEFC       MVK.S2    0x187c,B48000AF00       MVKH.S2    0x80010000,B48000AF04       CALLP.S2   iprintf (PC-9212 = 0x80008b04),B38000AF08 ||     STW.D2T2   B4,*+SP[1]  //这块要注意，指令前有“||”表示和上面一条指令同时执行，可变参数函数，参数压栈。     TSK_time();8000AF0C     C$RL2:8000AF0C       LDW.D2T2   *+B14[162],B4 //B14: 存放全局变量的基地址，也就是BSS段的基地址。*+B14[162]这个应该是TSK_time()的地址。8000AF10       NOP      4     iprintf(\"test5 time = %d,count = %d\",TSK_time(),count++);8000AF14       LDHU.D2T2   *+B14[437],B4 //B4=*(B14+4×437)将全局变量count的值放入B4中8000AF18       LDW.D2T2   *+B14[162],B5 //将TSK_time()的返回值放入B5中8000AF1C       MVK.S1    0x1883,A38000AF20       MVKH.S1    0x80010000,A38000AF24       STW.D2T1   A3,*B15[1]   //第一个参数（也就是字符串地址）压栈。8000AF26       STW.D2T2   B4,*B15[3]   //第三个压栈8000AF28       ADD.L2    B4,1,B4    //count++8000AF2A       STW.D2T2   B5,*B15[2]   //第二个压栈。8000AF2C       CALLP.S2   0x80008AE4 (PC-9244 = 0x80008ae4),B38000AF30 ||     STH.D2T2   B4,*+B14[437] //count=B4;     funtionarg(i,b,l);8000AF34     C$RL3:8000AF34       LDW.D2T1   *+SP[5],A4   //A4=*(SP+4*5)=i;第一个参数用A4传递8000AF38       LDBU.D2T2   *+SP[29],B4  //B4=*(SP+4*29)=b;第二个参数用B4传递8000AF3C       .fphead    n, l, W, BU, nobr, nosat, 00001108000AF40       LDDW.D2T1   *+SP[4],A7:A6 //第三个参数用A7：A6传递。long型数据。8000AF44 ||     CALLP.S2   funtionarg (PC-268 = 0x8000ae34),B38000AF46     C$RL4:8000AF46       BNOP.S1    C$L4 (PC-68 = 0x8000aefc),5 //while循环}

2、C6000汇编实例详解2

//固定参数一般函数 反汇编unsigned int funtionarg(unsigned int m,unsigned char k,unsigned long l){  unsigned int i,j;  unsigned char a,b;  unsigned long ll=0;  j=0x55aa;  i=m+j;  a=0x88;  b=a+0x11+k;  ll=l+1;    my_delay(100);  return i;}unsigned int funtionarg(unsigned int m,unsigned char k,unsigned long l){8000AE34     C$DW$L$_tsk_main$2$E, funtionarg:8000AE34       STW.D2T2   B3,*SP--[12]     //压栈函数返回地址并分配48个字节8000AE38       NOP      28000AE3C       .fphead    n, l, W, BU, br, nosat, 00001018000AE40       STDW.D2T1   A7:A6,*+SP[2]    //压栈第三而参数8000AE44       STB.D2T2   B4,*+SP[8]      //压栈第二个参数8000AE48       STW.D2T1   A4,*B15[1]      //压栈第一个参数8000AE4A       NOP      2     unsigned int i,j;     unsigned char a,b;     unsigned long ll=0;8000AE4C       ZERO.L1    A5:A4        //A5:A4 = 08000AE50       STDW.D2T1   A5:A4,*+SP[5]    //ll=*(SP+4*5)=A5:A48000AE54       NOP      2     j=0x55aa;8000AE58       MVK.S2    0x55aa,B4      //B4=0x55aa8000AE5C       .fphead    n, l, W, BU, nobr, nosat, 00001008000AE60       STW.D2T2   B4,*B15[7]      //j=*(SP+4*7)=B4=0x55AA8000AE62       NOP      2     i=m+j;8000AE64       LDW.D2T2   *B15[7],B5      //B5=*(SP+4*7)=j8000AE66       LDW.D2T2   *B15[1],B4      //B4=*(SP+4)=m8000AE68       NOP      48000AE6A       ADD.L2    B5,B4,B4       //B4=B4+B58000AE6C       STW.D2T2   B4,*B15[6]      //i=*(SP+4*6)=B48000AE6E       NOP      2     a=0x88;8000AE70       MVK.S2    0x0088,B48000AE74       STB.D2T2   B4,*+B15[32]8000AE78       NOP      28000AE7C       .fphead    n, l, W, BU, nobr, nosat, 0001111     b=a+0x11+k;8000AE80       LDBU.D2T2   *+B15[32],B48000AE84       LDBU.D2T2   *+SP[8],B58000AE88       NOP      48000AE8A       ADD.L2    B5,B4,B48000AE8C       ADDK.S2    17,B48000AE90       STB.D2T2   B4,*+B15[33]8000AE94       NOP      2     ll=l+1;8000AE98       LDDW.D2T2   *+SP[2],B5:B48000AE9C       .fphead    n, l, W, BU, nobr, nosat, 00001008000AEA0       MVK.L2    1,B68000AEA2       NOP      38000AEA4       ADDU.L2    B6,B5:B4,B5:B48000AEA8       STDW.D2T2   B5:B4,*+SP[5]8000AEAC       NOP      2     my_delay(100);8000AEAE       CALLP.S2   my_delay (PC-220 = 0x8000adc4),B38000AEB0 ||     MVK.S1    100,A4        //参数为100，用A4传参     return i;8000AEB2     C$RL2:8000AEB2       LDW.D2T1   *B15[6],A4      //A4=*(SP+4*6)=i;A4是返回值8000AEB4       LDW.D2T2   *++SP[12],B3     //B3 程序返回地址8000AEB8       BNOP.S2    B3,58000AEBC       .fphead    p, l, W, BU, br, nosat, 0011001}

3、C6000汇编实例详解3

//可变参数函数反汇编int iprintf(const char *pbFmt,...){    va_list pArg;    char abString[256];    va_start(pArg,pbFmt);    vsprintf(abString,pbFmt,pArg);    UARTSendData(abString);    va_end(pArg);    return 0;}int iprintf(const char *pbFmt,...){80008B04     OR.L1X    0,SP,A15   //A15=SP80008B08 ||   STW.D2T1   A15,*B15--[2] //SP=SP-4*2,开辟空间8字节80008B0A     NOP      280008B0C     ADDK.S2    -264,SP    //SP=SP-264,开辟空间264字节80008B10     STW.D2T2   B3,*+B15[67] //函数返回地址压栈。80008B14     NOP      2    va_list pArg;    char abString[256];    va_start(pArg,pbFmt);80008B18     ADD.L1    8,A15,A3   //通过A15（原来的SP值）取得第一个参数的值。80008B1C     .fphead    n, l, W, BU, nobr, nosat, 000010080008B20     STW.D2T1   A3,*B15[1]  //通过A15（原来的SP值）取得第一个参数的值。80008B22     NOP      2    vsprintf(abString,pbFmt,pArg);80008B24     CALLP.S2   vsprintf (PC+16320 = 0x8000cae0),B380008B28 ||    LDW.D1T2   *+A15[1],B4  80008B2C ||    ADD.L1X    8,SP,A4    //同过B4 A4和A6传递参数80008B30 ||    MV.S1     A3,A6     //以上4条语句同时执行    UARTSendData(abString);80008B32     C$RL0:80008B32     CALLP.S2   UARTSendData (PC+48 = 0x80008b50),B380008B34 ||    ADD.L1X    8,SP,A4   //通过A4传递参数    va_end(pArg);       return 0;80008B38     C$RL1:80008B38     MVK.L1    0,A480008B3C     .fphead    n, l, W, BU, br, nosat, 001000180008B40     LDW.D2T2   *+B15[67],B3 //取得返回地址80008B44     OR.L2X    0,A15,SP80008B48 ||    LDW.D1T1   *+A15[0],A1580008B4C     BNOP.S2    B3,5     //通过B3返回