scr34m · April 4, 2024 14:25
diff --git a/offset_dump.ini b/offset_dump.ini
 ; 68 A0 00 90 adrp       x8, #0x102620000
 ; 08 29 41 F9 ldr        x8, [x8, #0x250]
 ; 09 81 04 91 add        x9, x8, #0x120
 [object_manager]
 pattern=\x08(.){2}\xF9\x09\x81\x04\x91
 value_0=adr:-4 ldr:0

 ; 68 A7 00 F0 adrp       x8, #0x1021f0000
 ; 08 ED 40 F9 ldr        x8, [x8, #0x1d8]
 ; 60 00 00 B4 cbz        x8, loc_100d013e4
 ; 00 99 5C F9 ldr        x0, [x8, #0x3930]
 [camera]
 pattern=\x94(.){4}\x08(.){2}\xF9\x68\x00\x00\xB4\x00(.){2}\xF9\xC0\x03\x5F\xD6
 value_0=adr:1 ldr:5
 value_1=ldr:13

 ; 08 7d 40 93     sxtw       x8,w8
 ; c9 b9 00 b0     adrp       x9,0x1027c9000
 ; 29 01 2f 91     add        x9,x9,#0xbc0
 ; 29 15 08 8b     add        x9,x9,x8, LSL #0x5
 ; 28 69 40 b9     ldr        w8,[x9, #0x68]=>DAT_1027c9c28
 [get_prop_num]
 pattern=\x08\x7d\x40\x93(.){7}\x91(.){1}\x15\x08\x8b\x28
 value_0=adr:4 add:8 ldr:16

 ; 00 00 80 52     mov        w0,#0x0
 ; 8c 00 00 14     b          LAB_100b65a80
 ; 08 b9 00 d0     adrp       x8,0x102287000
 ; 08 71 1d 91     add        x8,x8,#0x75c
 ; 08 01 40 39     ldrb       w8,[x8]=>DAT_10228775c
 [in_world]
 pattern=\x00\x00\x80\x52\x8c\x00\x00\x14(.){8}\x08\x01\x40\x39
 value_0=adr:8 add:12

 ; 01 04 80 52     mov        w1,#0x20
 ; 63 65 81 52     mov        w3,#0xb2b
 ; 06 c1 f0 97     bl         FUN_10124ebbc
 ; a0 02 00 b4     cbz        x0,LAB_10161e7fc
 ; 08 d2 9d 52     mov        w8,#0xee90
 ; 08 00 08 8b     add        x8,x0,x8
 ; 09 01 40 f9     ldr        x9,[x8]
 [player_current_health]
 pattern=\xa0\x02\x00\xb4(.){4}\x08\x00\x08\x8b\x09\x01\x40\xf9
 value_0=mov:4
diff --git a/offset_dump.py b/offset_dump.py
 #!/usr/local/bin/python
 import sys
 import re
 import struct
 import ConfigParser

 '''
 https://armconverter.com/?disasm
 Arm A64 Instruction Set Architecture
 https://github.com/najahiiii/binutils/blob/master/gdb/arch/aarch64-insn.c
 '''
 def decode_adr(data, offset):
    v = struct.unpack_from('<I', data, offset)[0]
    # print 'bytecode: {:x}'.format(v)

    is_adrp = v >> 31 & 0x1
    immlo = v >> 29 & 0x3
    immhi = v >> 5 & 0x7FFFF

    page = offset & 0xfffff000

    if is_adrp:
        return ((immhi << 2 | immlo) * 4096) + page
    else:
        return (immhi << 2 | immlo)

 # LDR (immediate) 32 bit - Unsigned offset 10 111001 01
 # LDR (immediate) 64 bit - Unsigned offset 11 111001 01
 def decode_ldr(data, offset):
    v = struct.unpack_from('<I', data, offset)[0]
    # print 'bytecode: {:x}'.format(v)

    rt = v & 0x1F
    rn = (v >> 5) & 0x1F

 # 10 111001 01 000000011010 01001 01000
 # 0x1a 11010    
 # 0x68 1101000
    
    if (v >> 30) == 2: # size
        offset = (v >> 10 & 0xFFF) << 2
        return offset
    else:
        offset = (v >> 10 & 0xFFF) << 3
        return offset

 # ADD (extended register)
 # 10001011001
 # ADD (immediate)
 # 100100010
 def decode_add(data, offset):
    v = struct.unpack_from('<I', data, offset)[0]
    # print 'bytecode: {:x}'.format(v)

    if v >> 23 != 290:
        print("ERROR wrong opc")
        return 0

    rd = v & 0x1F
    rn = (v >> 5) & 0x1F

    if (v >> 22) & 1:
        print("TODO sh")
        return 0

    offset = (v >> 10) & 0xFFF
    return offset

 # MOVZ
 def decode_mov(data, offset):
    v = struct.unpack_from('<I', data, offset)[0]
    # print 'bytecode: {:x}'.format(v)

    offset = (v >> 5) & 0xFFFF
    return offset

 if len(sys.argv)-1 < 1:
    print("usage: {} <process_dump>".format(sys.argv[0]))
    sys.exit(1)

 f = open(sys.argv[1], 'rb')
 data = f.read()
 f.close()

 config = ConfigParser.ConfigParser(allow_no_value=True)
 config.read('offset_dump.ini')
 for section in config.sections():
    pattern = config.get(section, 'pattern')
    for match_obj in re.compile(pattern, re.DOTALL).finditer(data):
        offset = match_obj.start()
        for x in range(10):
            if config.has_option(section, 'value_' + str(x)) != True:
                break
            parts = config.get(section, 'value_' + str(x)).split(' ')
            value = 0
            for part in parts:
                (op, shift) = part.split(':')
                if op == "adr":
                    v = decode_adr(data, offset + int(shift))
                elif op == "ldr":
                    v = decode_ldr(data, offset + int(shift))
                elif op == "add":
                    v = decode_add(data, offset + int(shift))
                elif op == "mov":
                    v = decode_mov(data, offset + int(shift))
                else:
                    print('Unknown operand: {}'.format(op))
                    break
                # print('{} 0x{:x}'.format(op, v))
                value = value + v
            print('{} = 0x{:x}'.format(section, value))
	; 68 A0 00 90 adrp x8, #0x102620000
	; 08 29 41 F9 ldr x8, [x8, #0x250]
	; 09 81 04 91 add x9, x8, #0x120
	[object_manager]
	pattern=\x08(.){2}\xF9\x09\x81\x04\x91
	value_0=adr:-4 ldr:0

	; 68 A7 00 F0 adrp x8, #0x1021f0000
	; 08 ED 40 F9 ldr x8, [x8, #0x1d8]
	; 60 00 00 B4 cbz x8, loc_100d013e4
	; 00 99 5C F9 ldr x0, [x8, #0x3930]
	[camera]
	pattern=\x94(.){4}\x08(.){2}\xF9\x68\x00\x00\xB4\x00(.){2}\xF9\xC0\x03\x5F\xD6
	value_0=adr:1 ldr:5
	value_1=ldr:13

	; 08 7d 40 93 sxtw x8,w8
	; c9 b9 00 b0 adrp x9,0x1027c9000
	; 29 01 2f 91 add x9,x9,#0xbc0
	; 29 15 08 8b add x9,x9,x8, LSL #0x5
	; 28 69 40 b9 ldr w8,[x9, #0x68]=>DAT_1027c9c28
	[get_prop_num]
	pattern=\x08\x7d\x40\x93(.){7}\x91(.){1}\x15\x08\x8b\x28
	value_0=adr:4 add:8 ldr:16

	; 00 00 80 52 mov w0,#0x0
	; 8c 00 00 14 b LAB_100b65a80
	; 08 b9 00 d0 adrp x8,0x102287000
	; 08 71 1d 91 add x8,x8,#0x75c
	; 08 01 40 39 ldrb w8,[x8]=>DAT_10228775c
	[in_world]
	pattern=\x00\x00\x80\x52\x8c\x00\x00\x14(.){8}\x08\x01\x40\x39
	value_0=adr:8 add:12

	; 01 04 80 52 mov w1,#0x20
	; 63 65 81 52 mov w3,#0xb2b
	; 06 c1 f0 97 bl FUN_10124ebbc
	; a0 02 00 b4 cbz x0,LAB_10161e7fc
	; 08 d2 9d 52 mov w8,#0xee90
	; 08 00 08 8b add x8,x0,x8
	; 09 01 40 f9 ldr x9,[x8]
	[player_current_health]
	pattern=\xa0\x02\x00\xb4(.){4}\x08\x00\x08\x8b\x09\x01\x40\xf9
	value_0=mov:4
	#!/usr/local/bin/python
	import sys
	import re
	import struct
	import ConfigParser

	'''
	https://armconverter.com/?disasm
	Arm A64 Instruction Set Architecture
	https://github.com/najahiiii/binutils/blob/master/gdb/arch/aarch64-insn.c
	'''
	def decode_adr(data, offset):
	v = struct.unpack_from('<I', data, offset)[0]
	# print 'bytecode: {:x}'.format(v)

	is_adrp = v >> 31 & 0x1
	immlo = v >> 29 & 0x3
	immhi = v >> 5 & 0x7FFFF

	page = offset & 0xfffff000

	if is_adrp:
	return ((immhi << 2 \| immlo) * 4096) + page
	else:
	return (immhi << 2 \| immlo)

	# LDR (immediate) 32 bit - Unsigned offset 10 111001 01
	# LDR (immediate) 64 bit - Unsigned offset 11 111001 01
	def decode_ldr(data, offset):
	v = struct.unpack_from('<I', data, offset)[0]
	# print 'bytecode: {:x}'.format(v)

	rt = v & 0x1F
	rn = (v >> 5) & 0x1F

	# 10 111001 01 000000011010 01001 01000
	# 0x1a 11010
	# 0x68 1101000

	if (v >> 30) == 2: # size
	offset = (v >> 10 & 0xFFF) << 2
	return offset
	else:
	offset = (v >> 10 & 0xFFF) << 3
	return offset

	# ADD (extended register)
	# 10001011001
	# ADD (immediate)
	# 100100010
	def decode_add(data, offset):
	v = struct.unpack_from('<I', data, offset)[0]
	# print 'bytecode: {:x}'.format(v)

	if v >> 23 != 290:
	print("ERROR wrong opc")
	return 0

	rd = v & 0x1F
	rn = (v >> 5) & 0x1F

	if (v >> 22) & 1:
	print("TODO sh")
	return 0

	offset = (v >> 10) & 0xFFF
	return offset

	# MOVZ
	def decode_mov(data, offset):
	v = struct.unpack_from('<I', data, offset)[0]
	# print 'bytecode: {:x}'.format(v)

	offset = (v >> 5) & 0xFFFF
	return offset

	if len(sys.argv)-1 < 1:
	print("usage: {} <process_dump>".format(sys.argv[0]))
	sys.exit(1)

	f = open(sys.argv[1], 'rb')
	data = f.read()
	f.close()

	config = ConfigParser.ConfigParser(allow_no_value=True)
	config.read('offset_dump.ini')
	for section in config.sections():
	pattern = config.get(section, 'pattern')
	for match_obj in re.compile(pattern, re.DOTALL).finditer(data):
	offset = match_obj.start()
	for x in range(10):
	if config.has_option(section, 'value_' + str(x)) != True:
	break
	parts = config.get(section, 'value_' + str(x)).split(' ')
	value = 0
	for part in parts:
	(op, shift) = part.split(':')
	if op == "adr":
	v = decode_adr(data, offset + int(shift))
	elif op == "ldr":
	v = decode_ldr(data, offset + int(shift))
	elif op == "add":
	v = decode_add(data, offset + int(shift))
	elif op == "mov":
	v = decode_mov(data, offset + int(shift))
	else:
	print('Unknown operand: {}'.format(op))
	break
	# print('{} 0x{:x}'.format(op, v))
	value = value + v
	print('{} = 0x{:x}'.format(section, value))