补丁运行过程剖析。最新更新在线查看调试工具,可实时动态查看ram,7楼,超值推荐
征用1、2楼作日志,原1、2楼帖已移至3楼1.在浏览器中打开txt文件时,将当前文件名写入A:\temp.txt
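; Patch 1 (sfe syntax, placed at CPU address 0B00000h): when the browser opens
; a .txt file, write the current file name into A:\temp.txt.
; In:  r8:r9 = pof:pag of the current file record; the ASCIIZ file name lives
;      at offset 0B2h inside that record (ADD ...,#0B2h below).
; Uses r12-r15 and r4 as scratch (not preserved); r6, r8, r9 are saved on the
; user stack (r0). The ROM entry points are the #define'd addresses.
org 0B00000h
#define strlen 0C78536h ; r12:r13 -> string; length returned in r4
#define fileopen 0DBAF5Ch ; r12:r13 -> name, r14 = flags, r15 = mode; r4 = handle, 0FFFFh on failure
#define FileWrite 0DBB91Ch ; r12 = handle, r13:r14 -> buffer, r15 = byte count
#define fileclose 0DBCD8Eh ; r12 = handle
MOV [-R0],R9 ; save pag of the current file name
MOV [-R0],R8 ; save pof of the current file name
MOV [-R0],R6
MOV R12,#POF(temp) ; temp file name (pof)
MOV R13,#PAG(temp) ; temp file name (pag)
MOV R14,#0102h ; open flags; 102h = rewrite? (author's note)
MOV R15,#0100h ; mode 100h
CALLS fileopen
MOV R6,R4 ; r4 = file handle on success, 0FFFFh on failure
add r4, #1 ; 0FFFFh + 1 wraps to 0 ...
JMPR cc_Z,_35 ; ... so cc_Z means "open failed": skip the write
MOV R12,R8
MOV R13,R9
ADD R12,#0B2h ; r12:r13 -> file name inside the record
CALLS strlen ; name length -> r4
MOV R15,R4 ; r15 = bytes to write = name length (no terminator is written)
MOV R12,R6 ; r12 = file handle
MOV R13,R8 ; r13:r14 -> buffer (the file record) ...
MOV R14,R9
ADD R13,#0B2h ; ... advanced to the name
CALLS FileWrite
MOV R12,R6
CALLS fileclose ; spelled like the #define above (the paste had "FileClose")
_35:
MOV R6,[R0+] ; pops restored: the paste had lost the "[R0+]" operands
MOV R8,[R0+]
MOV R9,[R0+]
RETS
temp:
db 41h,3Ah,5Ch,74h,65h,6Dh,70h,2Eh,74h,78h,74h,00h ; "A:\temp.txt", NUL-terminated (the paste had no terminator; fileopen takes an ASCIIZ name, cf. ebindw later in this thread)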
2.寻找查看短信时号码所在ram.
goto_D569CC, "Save No. into $" 保存号码到通讯录
》》》
seg0D5:69CC INBoxOption: ; DATA XREF: seg0D4:FC78o
seg0D5:69CC ; seg0D4:FC7Co
seg0D5:69CC mov [-r0], r9
seg0D5:69CE mov [-r0], r8
seg0D5:69D0 sub r0, #8
seg0D5:69D4 mov [-r0], r12
seg0D5:69D6 mov [-r0], r13
seg0D5:69D8 mov [-r0], r14
seg0D5:69DA mov [-r0], r15
seg0D5:69DC calls 0E5h, GetSelectMenuItem
seg0D5:69E0 mov r8, r4
seg0D5:69E2 mov r9, r5
seg0D5:69E4 mov r15,
seg0D5:69E6 mov r14,
seg0D5:69E8 mov r13,
seg0D5:69EA mov r12,
seg0D5:69EC mov r1, r8
seg0D5:69EE cmp r9, #0
seg0D5:69F0 jmpr cc_NZ, loc_D569F6
seg0D5:6A36 cmp r8, #6
seg0D5:6A38 jmpa cc_Z, loc_D56B1E 根据菜单序号,应该是6
》》》
seg0D5:6B1E loc_D56B1E: ; CODE XREF: seg0D5:6A38j
seg0D5:6B1E mov r12, #35E8h 消息地址
seg0D5:6B22 mov r13, #0Eh
seg0D5:6B26 mov r14, #0B4h ; '?
seg0D5:6B2A mov r15, #0Bh
seg0D5:6B2C calls 0B4h, pSendMessage?
seg0D5:6B30 jmpa cc_UC, loc_D56BBA
》》》消息结构
pag00E:35E8 pid_MMI: dw 3062h, 11h >>>>>
pag00E:35E8
pag00E:35EC dw 3FF4h, 34Bh 》》》D2FFF4 在这里处理
pag00E:35F0 dw 0, 0
pag00E:35F4 dw 0C7Ch, 2D2h 》》》B48C7C
》》》
seg0D2:FFD8 dw 0FFF5h
seg0D2:FFDA dw 434Eh ; MsgHandleOff 这里 D3434E
seg0D2:FFDA dw 0D3h ; MsgHandlePage
seg0D2:FFDA dw 436Ah ; OnInit_Off
seg0D2:FFDA dw 0D3h ; OnInit_Page
seg0D2:FFDA dw 43FAh ; OnCancle_Off
seg0D2:FFDA dw 0D3h ; OnCanlce_Page
seg0D2:FFDA dw 1EEh ; MemCount
seg0D2:FFDA dw 1 ; field_E
seg0D2:FFDA dw 3FD8h ; Offset
seg0D2:FFDA dw 34Bh ; Page
seg0D2:FFEE dw 5Ch
seg0D2:FFF0 dw 3A41h
seg0D2:FFF2 dw 5Ch
seg0D2:FFF4 word_D2FFF4: dw 7E8Ah ; DATA XREF: InitMainFrame+8o
seg0D2:FFF6 dw 0D3h
seg0D2:FFF8 dw 4Dh
seg0D2:FFFA dw 96h
>>>
顺D3434E找到
seg0D3:3D1E loc_D33D1E:
seg0D3:3D1E mov r12, #8
seg0D3:3D20 mov [-r0], r12
seg0D3:3D22 mov r12, #2
seg0D3:3D24 add r12, r0 copy length= 8+2=10
seg0D3:3D26 and r12, #3FFFh
seg0D3:3D2A mov r13, DPP1
seg0D3:3D2E extp r7, #2
seg0D3:3D30 mov r15, r15= number pof?
seg0D3:3D34 mov r14, r14= number pag?
seg0D3:3D36 calls 0C7h, memcpy_NoOverlap ; copy memory from r14:r15 to r12:r13 lenght
[ 本帖最后由 JunFeng 于 2007-5-6 02:45 编辑 ] 在Patch中,一般的困惑就是,看到一段Flash,都是静态的内容,但如果做过Crack的都知道,需要加以动态调试才能深入了解软体的运行过程,可是西门子不会大方的送给我们开发板,那么只能自己想一些办法来。在Flash中,一般的如果是全局数据的话,我们可以看代码段或用AT指令看数据段。但如果是栈区的内容不同方法就无能为力了,此外还有函数的调用栈,这是使用的是系统栈。针对这个我写了两个小程序,一个是Dump一段连续内存,另一个是打印当前的调用栈,大家感兴趣的可以看一下!
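;DumpMemory.asm
; Hook-style memory dumper: copies 400h bytes from the far pointer in r12:r13
; to the fixed RAM window 0C:1000 so the bytes can be inspected afterwards
; (e.g. with the AT-command based RAM viewer mentioned in this thread).
$Segmented
$Mod167
;Memory Function (ROM library entry points; register conventions as noted by the author)
Memchr EQU 0C78360h ;Finds characters in a buffer. R12 = Offset R13 = Page R14 = Char R15 = Size
Memcmp EQU 0C78388h ;Compare buffers. (author's note: "= Size")
Memcpy_Src_LT_Dst EQU 0C77430h ;Memory copy. R4 = SrcOff R5 = SrcPag R10 = DstOff R11 = DstPag R3 = Size
Memcpy EQU 0C783DCh ;Memory copy. r12 = DstOff r13 = DstPag r14 = SrcOff r15 = SrcPag; size is pushed on the user stack (see main)
;String Function
Strcat EQU 0C784A6h ;Append a string. r12 = DstOff r13 = DstPag r14 = SrcOff r15 = SrcPag
Strchr EQU 0C784CCh ;Find a character in a string. R12 = Offset R13 = Page R14 = Char
Strrchr EQU 0C785CCh ;Scan a string for the last occurrence of a character.
Strcmp EQU 0C784EEh ;Compare strings. r12 = DstOff r13 = DstPag r14 = SrcOff r15 = SrcPag
Strcmp_Size EQU 0C78578h ;Compare strings. (author's note: "= Size")
Strcpy EQU 0C78516h ;Copy a string. r12 = DstOff r13 = DstPag r14 = SrcOff r15 = SrcPag
Strcpy_FillSize EQU 0C7859Eh ;Copy a string, fill #FF1Ch (author's note: "= Size")
Strcspn EQU 0C785F0h ;Find a substring in a string. r12 = SetOff r13 = SetPag r14 = SubSrcOff r15 = SubSrcPag
Strset EQU 0C78416h ;Set characters of a string to a character. R12 = Offset R13 = Page R14 = Char R15 = Size
GetLength EQU 0C78536h ;R12 = Offset R13 = Page -> R4 = Length
;AT Function
SendATCommand EQU 0CC9DCCh ;Send reply string.
;Address for Patch Data
Patch_Address EQU 1F8000h ;Free Space in Flash (CHANGE THIS)
Patch Section Code Word At Patch_address ; Start Patch at Patch_Address
;-------------------------------------------------------------------------------;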
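main proc far; start main of patch
; DumpMemory hook body.
; In:  r12:r13 = pof:pag of the memory to dump (the far-pointer argument of the
;      hooked function; the hook site is set in the CHANGEBYTE section below).
; Out: 400h bytes copied to 0C:1000. Repeated dumps overwrite each other unless
;      the destination offset is advanced.
; r12-r15 are saved/restored on the user stack; Memcpy's size argument travels
; on the user stack too and is dropped again with ADD R0,#2.
; The paste had lost the separators after the mnemonics and the "[R0+]" pop
; operands; both are restored here.
;///////////////////////////////////////
;ToDo: re-emit here the instruction(s) overwritten at the hook site
;///////////////////////////////////////
        MOV     [-R0],R12
        MOV     [-R0],R13
        MOV     [-R0],R14
        MOV     [-R0],R15
        MOV     R14,R12                 ; source offset
        MOV     R15,R13                 ; source page
        MOV     R12,#400H               ; byte count
        MOV     [-R0],R12               ; Memcpy takes its size on the user stack
        MOV     R12,#1000H              ; destination 0C:1000 (about A00h bytes free there)
        MOV     R13,#0CH
        CALLS   SEG(Memcpy),SOF(Memcpy)
        ADD     R0,#2                   ; drop the size word
        MOV     R15,[R0+]
        MOV     R14,[R0+]
        MOV     R13,[R0+]
        MOV     R12,[R0+]
;///////////////////////////////////////
;ToDo: re-emit here the instruction(s) overwritten at the hook site
;///////////////////////////////////////
        RETS
main endp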
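;-------------------------------------------------------------------------------;
Patch EndS
; Hook site: the 4 bytes at flash offset 0x35622A are replaced by a far call
; into the patch (flash offset + 0xA00000 = CPU address, see the address notes
; in this thread). Whatever instruction(s) those 4 bytes held must be re-emitted
; at the ToDo markers inside main.
CHANGEBYTE Section Code Word At 0x35622A ; hook site (flash offset)
CHANGE PROC FAR
        CALLS   SEG(Patch_address+0xA00000),SOF(Patch_address+0xA00000)
CHANGE ENDP
CHANGEBYTE ENDS
END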
;***************************************************************************************************
;DumpCS.asm
; Call-stack dumper: copies the top entries of the system stack to RAM so the
; chain of return addresses at a hook site can be read back (see main below).
$Segmented
$Mod167
;Address for Patch Data
Patch_Address EQU 1F8000h ;Free Space in Flash (CHANGE THIS)
Patch Section Code Word At Patch_address ; Start Patch at Patch_Address
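main proc far; start main of patch
; DumpCS: pop the top 8 system-stack entries (offset word, then segment word,
; in the order calls pushed them), write each pair to RAM at 0C:1000 upwards,
; then push them all back in reverse order so the stack is unchanged.
; The first pair written is this routine's own return address, i.e. the hook site.
; Register use: r4 = depth, r14 = dump write pointer (page 0Ch), r15 = loop
; counter, r12/r13 = current pair. r4 and r12-r15 are saved on the user stack.
; No check is made that the system stack really holds 8 entries.
; The paste had lost the separators after the mnemonics and the bracketed
; operands; "[r0+]" / "[r14]" below are reconstructed from the push/add pattern.
        mov     [-r0],r4                ; r4 (return-value register) was not saved originally
        mov     [-r0],r12
        mov     [-r0],r13
        mov     [-r0],r14
        mov     [-r0],r15
        mov     r4,#8                   ; stack depth to dump
;       cmp     r12, #243h              ; optional: only dump when some condition holds
;       jmp     CC_NZ, ProcEnd
        mov     r15, r4
        mov     r14, #1000h             ; dump to 0C:1000
PopProc:
        pop     r12                     ; offset (pushed last by calls)
        pop     r13                     ; segment
        extp    #0Ch, #1
        mov     [r14], r12
        add     r14, #2
        extp    #0Ch, #1
        mov     [r14], r13
        add     r14, #2
        mov     [-r0], r12              ; keep the pair to push it back later
        mov     [-r0], r13
        sub     r15, #1
        jmp     CC_NZ, PopProc
        mov     r15, r4
PushProc:
        mov     r13, [r0+]              ; last popped pair comes back first (LIFO)
        mov     r12, [r0+]
        push    r13                     ; segment first, then offset
        push    r12
        sub     r15, #1
        jmp     CC_NZ, PushProc
ProcEnd:
        mov     r15, [r0+]
        mov     r14, [r0+]
        mov     r13, [r0+]
        mov     r12, [r0+]
        mov     r4, [r0+]
; TODO: instruction displaced from the hook site (re-emit whatever the CALLS overwrote)
        cmp     r12, #1388h
        rets
main endp
Patch EndS
END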
此外,还可以Dump所有的寄存器的值,这个Riza曾经写过一个Dump寄存器,和上面的类似,但是很简单,我也写过一个,这个找不到了,关键是要能Dump多次的信息,就是在Ram中增加一个计数,然后滚动的向前Dump。
?动态的寻找数据或转跳点真的是太需要了,大概看了一下dump程序,好像是把给定地址的数据复制400h字节到0c:000处,如何使用呢,是不是将需要的地址参数刷入,然后通过at调用查看呢?
对,是这样的。般的程序都只用R12,R13,R14,R15作参数。如果是键盘处理程序,会把按键的相关信息放在R15:R14里,而把主程序传入的参数放在R13:R12里,这样你可以在常用的mov r8,r12 mov r9,r13的地方hook,dumpR13:R12的内容,就可以看到很多感兴趣的东西,比如短消息列表V2的信息就是如此。
而DumpCS的用处也很大,比如你只知道某个地方显示了一个信息,那么你可以找到语言文件中信息的ID,然后Hook函数GetUStringByID,根据调用栈找到你感兴趣的地方。
Dump的调用栈在内存中显示从1000开始,是从栈顶到栈底,一般情况如果是键盘处理,很容易看到后面是系统的中断函数了。需要注意Jmps并不会把调用地址压入系统栈。
哦?这样子的啊。
狼大的意思是说,将程序挂载到某一函数后,还能发现是哪里的程序调用它了吗,那就太有用了。
不知道c167种调用时压入的顺序是什么,先是segment,然后是offset?如果是中断flag等是否也压入保存呢?盼狼大指点。
关于追踪jmps转跳地址,pinky在x86上一般用回调的方法,不知道在c167中是否仍然可用的说~
在X86中,系统栈和用户栈是通用的,而在C166中,一般是Push和Pop操作系统栈,主要存放系统信息,比如指令地址,它是先压Seg,后压Off。而用户栈一般是用作为栈顶来使用。
这样子啊~Pinky有些明白了
还有一点,在c166中如果用户程序碰到ret指令,是从栈中弹出返回地址,还是从系统栈呢?
系统栈里的内容有没有办法像x86那样通过指针寄存器来操作修改呢?
遇到rets才是从系统栈返回,ret并不存取系统栈。你可以用push在pop的办法修改。
比如常用的用函数指针调用一个函数的办法
; Far transfer through a register pair: push the segment (r5) first, then the
; offset (r4); rets pops them as if they were a return address and execution
; continues at r5:r4. Nothing is pushed for coming back, so whatever lies below
; on the system stack becomes that routine's return address.
push r5
push r4
rets
附上一个不错的在线调试查看工具,可实时动态查看ram并修改数据。。。
推荐,人手必备
需要刷这个补丁
;open bfb for 5508
12BC4A: 60 00
[ 本帖最后由 JunFeng 于 2006-2-20 22:56 编辑 ] 日志预留
[ 本帖最后由 JunFeng 于 2007-5-6 02:47 编辑 ] 由于我所知有限,实质也是不懂编程的菜鸟 ^&^
权充抛砖引玉,期待大师们的指点
补丁很难??
nonono
简单的很
下面就以自动超频补丁为例,讲解补丁运行原理
先了解子程序的概念,比如我们6688的整个flash中的程序就是由许许多多的子程序组合而成,各个子程序实现不同的功用。。比如调用亮灯子程序灯就亮了,调用灭灯子程序灯就灭了。。。
实际子程序表现就是
比如汇编指令calls AABBCC,在补丁中就是DAAACCBB,意思是把当前地址压栈保存然后转到AABBCC这里执行,当执行到AACCBB这里的rets指令(补丁数据就是DB00),就从栈中取出DAXXXXX时保存的地址并继续执行此地址指令。
子程序一个简单例子,说说超频补丁用到的绿茶的待机patch表
待机patch表原理:
由于天线图标总是显示的,也就是说显示天线图标的子程序一直都运行的,那么加到这里的子程序也是会一直运行的。
这是绿茶的待机patch补丁
0x3637FA: DAB304DF DABF6000 DABF6000也就是呼叫子程序,地址为BF0060(补丁地址就是BF0060-A00000=1F0060)
0x1F0060: FFFFFFFF DAB304DF 上面的DABF6000就是转到这里来处理,DAB304DF就是原来上面对天线图标显示子程序,现在要还原,否则就没天线显示了。。。
0x1F0064: FFFFFFFF CC00CC00 cc00转为汇编就是nop,意为空,不做动作
0x1F0068: FFFFFFFF CC00CC00
0x1F006C: FFFFFFFF CC00CC00
0x1F0070: FFFFFFFF CC00CC00
0x1F0074: FFFFFFFF CC00CC00
0x1F0078: FFFFFFFF CC00CC00
0x1F007C: FFFFFFFF CC00CC00
0x1F0080: FFFFFFFF CC00CC00
0x1F0084: FFFFFFFF CC00CC00
0x1F0088: FFFFFFFF CC00CC00
0x1F008C: FFFFFFFF CC00CC00
0x1F0090: FFFFFFFF DB00FFFF 这里DB00就表示rets(返回),也就是说,BF0060这个子程序结束并返回到3637fa的下一条指令继续处理
地址冲突!!如何转移此补丁地址?
那么先来一个补丁地址在具体补丁数据中的表现方式
比如这里新补丁数据地址0x1F0060,要从补丁中转移到这个地址是直接用吗?比如DA1F0060?NO,这是我们对flash实体操作的物理地址,而在补丁数据中用的是cpu用的虚拟地址,在6688中物理地址和虚拟地址的转换有公式:
物理地址=虚拟地址+A00000
那么在补丁中调用0x1F0060是这样写DABF0060?NO,还是错误,这里BF0060中的BF表示这里是BF段,0060是偏移量,而在16进制中偏移量要颠倒,高位在后,低位在前,也就是6000,段是不变的,所以呢还是DABF6000
什么是段?什么是偏移量?
简单理解
由于6688 6m的fullflash过于庞大,所以就分为一段段便于寻找,故我们可以理解为文件夹的意思
至于偏移量就可以理解为文件所在位置,只不过由于是16进制,所以在补丁中的时候要高低位对调。。
罗嗦了一大堆,那么说说如果绿茶的待机patch表和某个补丁冲突如何转移地址
其过程是非常简单的,如下
找个空白地址比如 0x123456
0x3637FA: DAB304DF DAB25634
0x123456: FFFFFFFF DAB304DF
0x123466: FFFFFFFF CC00CC00
0x123476: FFFFFFFF CC00CC00
0x123486: FFFFFFFF CC00CC00
0x123496: FFFFFFFF CC00CC00
0x1234a6: FFFFFFFF CC00CC00
0x1234b6: FFFFFFFF CC00CC00
0x1234C6: FFFFFFFF CC00CC00
0x1234D6: FFFFFFFF CC00CC00
0x1234E6: FFFFFFFF CC00CC00
0x1234F6: FFFFFFFF CC00CC00
0x123506: FFFFFFFF CC00CC00
0x123516: FFFFFFFF DB00FFFF
搞定,除了地址什么都不用改。。keke
然后看超频补丁:
53ED36: DACF4C36 DAE41E4A ;ExitProcess减速,中断系统exitprocess函数,转到E44A1E处理
5336B6: F07DF06C DAE4004A ;CreateProcess加速,中断系统create process,转到E44A00处理
444A00: F0 7D : mov r7, r13 补原指令
444A02: F0 6C : mov r6, r12 补原指令
444A04: DA E4 30 4A : calls 0E4h, loc_E44A30 保护寄存器子程序
444A08: DA B4 72 9B : calls 0B4h, loc_B49B72 加速程序
444A0C: DA E4 3E 4A : calls 0E4h, loc_E44A3E 还原寄存器子程序
444A10: DB 00 : rets 返回
;------------------------------------------------------------
444A12: D7 40 34 00 : extp #34h, #1 切换到34h
444A16: F3 F8 2B 3E : movb rl4, 0D3E2Bh ; (0034:3E2B) 34,3E2B处数据字节传送到r4低位(rl4)
444A1A: 49 81 : cmpb rl4, #1 比较rl4是否为1(1为待机)
444A1C: 3D 08 : jmpr cc_NZ, loc_444A2E 不是待机就跳了
444A1E: DA E4 30 4A : calls 0E4h, loc_E44A30 否则保护寄存器
444A22: DA B4 5E 9B : calls 0B4h, loc_B49B5E 减速
444A26: DA E4 3E 4A : calls 0E4h, loc_E44A3E 恢复寄存器
444A2A: DA CF 4C 36 : calls 0CFh, loc_CF364C 补原指令
444A2E: DB 00 : loc_444A2E:
444A2E: DB 00 : rets 返回
;------------------------------------------------------------
444A30: 88 80 : mov [-r0], r8 保护寄存器子程序
444A32: 88 90 : mov [-r0], r9
444A34: 88 C0 : mov [-r0], r12
444A36: 88 D0 : mov [-r0], r13
444A38: 88 E0 : mov [-r0], r14
444A3A: 88 F0 : mov [-r0], r15
444A3C: DB 00 : rets
;------------------------------------------------------------
444A3E: 98 F0 : mov r15, 恢复寄存器子程序
444A40: 98 E0 : mov r14,
444A42: 98 D0 : mov r13,
444A44: 98 C0 : mov r12,
444A46: 98 90 : mov r9,
444A48: 98 80 : mov r8,
444A4A: DB 00 : rets 返回
解释一下,怎么知道待机标志位?这个是多看用ida反汇编后的6688全部程序所推断出来的,因为有待机idle状态,找到idle函数(也就是子程序),发现它向34,3e2b这里写入了数据,而在其他地方读取了34,3e2b的数据并根据数据来做不同的处理。。。
cpu功耗控制子程序,如下,可在补丁任意地方调用,需要保护积存器
26m hz
calls 0B4h, loc_B49B72 全速26m hz运行
13m hz
calls 0B4h, loc_B49B5E 半速13m hz运行
剖析可选补丁的原理
可选补丁一般都包含这样的数据
D7403600F2F4760D9AF409E0
红颜色的0d76就是ram地址,由这里判断是处于第几大项,36h,0d74是第二大项,36h,0d76是第三大项,第一大项可自行看看用到了的补丁。。。
蓝颜色的E0就是大项中的具体第几项,从00到F0一共16个选项,一般就是修改这里
如何做可选?先看汇编原理
extp #36h, #1 切换到ram中的36h
mov r4, 0D76h 取得应用程序3的数据
jnb r4.14, loc_1F6622 看第14项选择了没有,jnb是没有就跳
一般的是修改没有选择就跳到返回处了
如果用jb r4.14, loc_1F6622 的话就是选择了才跳,也就是选择了才跳到相应的地方处理
再来个xinshou 发的如何转移冲突补丁地址:
原贴在这里http://mobile.0110.cn/viewthread.php?tid=194044&fpage=1&highlight=
冲突补丁可以非常容易地把地址改移好!
sfe的 汇编/反汇编功能是非常好用的,可以很简单地翻过来/反过去。
本来就很简单,只要
sfe d patch.vkp,4f0000,300 a00000,p>patch.asm
sfe 后面,d就是反汇编,patch.vkp是补丁,4f0000是补丁中新数据开始的地址,300是反汇编数量,A00000是基址(所有补丁基址都是A00000),p是输出为完全asm源码格式,>patch.asm 表示将结果写入patch.asm
可以对比一下这样和上面的区别
sfe d patch.vkp,4f0000,300
这里就是带补丁数据的源码格式了,不能用sfe编译的
用文本编辑软件打开patch.asm,开头有org 0EF0000字样,这里的EF0000就是上面的4F0000
把这个修改为你的空白地址
如:
替换为
org 0Fca050h(也就是说补丁的新地址是0x5CA050,改成我们的空白地址)
再用 sfe a patch.asm p,10,a00000>mypatch.vkp
就得到patch的补丁vkp了。
sfe后面的 a是表示编译,patch.asm是补丁的汇编源代码,p是表示输出patch补丁格式,a00000是基址, >mypatch.vkp表示将编译结果写入mypatch.vkp
如果是小补丁,下面这步可省略
最后将新旧两个补丁都反汇编成带补丁数据格式,也就是
sfe d patch.vkp,4f0000,300 >patch1.txt
sfe d mypatch.vkp,5CA050,300 >mypatch1.txt
一步步的看两个txt中calls,jmps,jmpr到的地方是否一致
如果确认无误,刷入测试。。。
如果补丁能正常工作
那么,恭喜,你大可以去试着移植补丁了。。。。
然后看看寒山转移某个补丁的实例集
(寒山兄,借你帖了,呵呵,大家看完了要支持啊。。)
如果你转移某个补丁不能成功,那么到这里看看实际过程及大家的讨论和云河的指点。。
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD
继续寒山同学的成长帖,看完记得顶啊(这个是反映优先级的)
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD
还来寒山同学的转移较大补丁实例(精华帖)
http://mobile.0110.cn/viewthread.ph ... %BA%AE%C9%BD&page=1
继续一个寒山同学转移一个补丁(涉及数据存储方式及补丁中如何调用,补丁中如果含数据地址的话,则转移补丁后数据地址也发生了相应变化,需调整,此贴有实际过程及解释,有xhjjxm大大指点)
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD
还有寒山同学的小修改(呵呵,改了mp3和一些其他补丁的数据了)
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD
[ 本帖最后由 JunFeng 于 2007-5-6 02:47 编辑 ] 来个补丁转移的过程几注释
27D410: E6 F1 10 00 : mov r1, #10h ;把立即数10写入r1
27D414: 88 10 : mov [-r0], r1 ;r1入栈
27D416: E6 FC 40 3D : mov r12, #3D40h ;向r12写入立即数3d40
27D41A: E6 FD 11 00 : mov r13, #11h ;向r13写入立即数11
27D41E: E6 FE 5E 14 : mov r14, #145Eh ;向r14写入立即数145e
27D422: E6 FF 1F 03 : mov r15, #31Fh ;向r15写入立即数31f
27D426: DA C7 9E 85 : calls 0C7h, loc_C7859E ;系统库函数strncpy,Copy string ended by 0 from r15:r14 to r13:r12
27D42A: 08 02 : add r0, #2 ;栈加2,也就是栈顶上移2
27D42C: D7 40 36 00 : extp #36h, #1 ;切换到36页,有效指令一条
27D430: C2 F1 62 03 : movbz r1, 0D8362h ; (0036:0362) 把0036:0362处的数据移动到r1
27D434: E6 FD 11 00 : mov r13, #11h ;向r13写入立即数11
27D438: 46 F1 2A 00 : cmp r1, #2Ah ;用r1的值减2a,且不修改r1数据,我们可以理解为判断r1是否为2a
27D43C: 2D 03 : jmpr cc_Z, loc_27D444 ;2d03 意为如果相等则跳转
ok,再看系统库函数strncpy:Copy string ended by 0 from r15:r14 to r13:r12
也就是说把31f,145e处的数据复制到11,34d0,于0结束
31f,145e怎么找?
根据狼大的教导,c166是采用段页式存储,代码用段寻址,数据用页寻址
转换成file address先
公式 : file address= pag*4000+pof
这里是 31f*4000+145e=C7D45E
然后转为补丁地址
C7D45E-A00000=27D45E
为什么?公式: FILE ADDRESS=FLASH ADDRESS+A00000
地址的解释告一段落,用sfe反汇编并对比一下,你就知道为什么了
玫瑰的补丁是要把27d45e处的数据613A2F6A6176612F732F782E6A616400
复制到11,34d0,看看寒山的补丁复制的是什么。。。
原贴出处:
http://mobile.0110.cn/viewthread.php?tid=196631&fpage=1&highlight=%2B%BA%AE%C9%BD
通俗的地址的解释
寒山:
我是求学的好学生,谁进来帮解释一下
DAC7A0E1 是执行到:27E1A0
DAC780D0 是执行到:27D080
DAE4105F 是执行到:445F10
现在我明白地址的低位是高低换位得来的,A0E1->E1A0;80D0->D080;105F->5F10
我的问题是
但地址得高位是怎么转换得,C7->27;E4->44
wwssff (天上云河) :
6688启动时的FLASH是加载到地址A00000那儿,所以在文件中0000000对应A00000,100000对应B00000,2对C,3对D,4对E,5对F。看狼大的FLASH修改入门。
好了
到了这里就可以看狼大的入门了
[ 本帖最后由 JunFeng 于 2006-2-17 14:54 编辑 ] 来点儿6688的硬件资料,摘自www.konca.com,康大网站
http://www.konca.com/mobile/index.html
http://www.konca.com/mobile/6688i/index.html 6688专版
有反汇编fullflash的ida 和康大的idb文件下载
我传了些小工具和开发补丁必备资料的网盘
http://patchtools.ys168.com
C166的寻址空间是16M,它对指令和数据的寻址有点不同:共分256个指令段,每个段64K,最大段偏移是0xFFFF;共1024个数据段,每个段16K,最大段偏移是0x3FFF。
6688i有两块共6M(2+4)的Flash芯片用于保存程序,这6M内容被映射到0xA00000开始的连续空间上(即16M寻址空间的最后的6M)。下表更详细地阐述了空间的分配:
FF0000 - FFFFFF EEPROM
C00000 - FEFFFF 第二块Flash(4M bytes)
BF0000 - BFFFFF 第一块EEPROM(6688未使用)
A00000 - BEFFFF 第一块Flash(2M bytes)
800000 - 9FFFFF C00000-DFFFFF的映射(2M bytes)
400000 - 7FFFFF C00000-FFFFFF的映射(4M bytes)
100000 - 3FFFFF D00000-FFFFFF的映射(3M bytes)
0E0000 - 0FFFFF 空地址,用0填充(128K bytes)
080000 - 0DFFFF RAM (384K bytes, 3M bits)
050000 - 07FFFF C50000-C7FFFF的映射(192K bytes)
018000 - 04FFFF RAM (224K bytes)
010800 - 017FFF 字对齐可写内存(30K bytes)
010000 - 0107FF CPU内部ROM(2K bytes)
00F000 - 00FFFF CPU寄存器内存块
000200 - 00EFFF CPU内部RAM
000000 - 0001FF 中断向量表
CPU加电时,0x10000-0x107FF的CPU内部ROM被映射到0地址,且CPU从0地址开始执行代码。这些在CPU内部ROM的程序做完一些初始化和检测后会跳到Flash中的程序中。
我利用AT+CGSN的补丁把16M的Memory Dump了出来,用IDA进行反汇编,并对照Mamaich提供的v56lg8的IDB文件找出相应的函数,这里提供下载:6688 IDA反汇编文件 (9M, Version B)
接着上云河的帖:
原帖http://mobile.0110.cn/viewthread.php?tid=179657&fpage=1&highlight=%2Bwwssff
C166处理器汇编指令
这是我整理的指令, 有些地方我也搞不懂, 请知道的朋友加上:
ADD 加
ADDB 字节加
ADDC 加带进位
ADDCB 字节加带进位
SUB 减
SUBB 字节减
SUBC 减带进位
SUBCB 字节减带进位
MUL 带符号乘
MULU 无符号乘
DIV 带符号除
DIVL 带符号长除
DIVLU 无符号长除
DIVU 无符号除
CPL 置入正号
CPLB 字节置入正号
NEG 置负
NEGB 字节置负
AND 与
ANDB 字节与
OR 或
ORB 字节或
XOR 与非
XORB 字节与非
BCLR 内存清零
BSET 内存置数
BMOV 内存导入
BMOVN 内存负导入
BAND 内存与
BOR 内存或
BXOR 内存与非
BCMP 内存比较
BFLDH
BFLDL
CMP 比较
CMPB 字节比较
CMPD1
CMPD2
CMPL1
CMPL2
PRIOR 测定循环次数
SHL 左移
SHR 右移
ROL 反转左边字节
ROR 反转右边字节
ASHR
MOV 取值
MOVB 字节取值
MOVBS 取字节值
MOVBZ 同时置零
JMPA 跳绝对地址
JMPI 回跳
JMPR 跳相对地址
JMPS 跳段地址
JB 有值相对跳
JBC 跳后内存值清零
JNB 无值相对跳
JNBS 无值相对跳并入值
CALLA 绝对地址调用
CALLI 回调
CALLR 相对地址调用
CALLS 段地址调用
PCALL 调用并压栈
TRAP 调用交互值
POP 出栈
PUSH 压栈
SCXT 压栈并置入新值
RET 返回调用
RETS 返回调用
RETP 返回调用并出栈
RETI 返回最上层
SRST 重置系统
IDLE 进入空闲状态
PWRDN 进入最小活动
SRVWDT 监视时钟
DISWDT 取消监视时钟
EINIT 完成标志
ATOMIC 原子次序
EXTR 开始扩展寄存器
EXTP 开始扩展页
EXTPR 开始扩展页及寄存器
EXTS 开始扩展段
EXTSR 开始扩展段及寄存器
NOP 无操作
条件判断
cc_UC 无条件
cc_Z 零
cc_NZ 非零
cc_V 溢出
cc_NV 非溢出
cc_N 负
cc_NN 非负
cc_C 进位
cc_NC 非进位
cc_EQ 相等
cc_NE 不等
cc_ULT 无符号小于
cc_ULE 无符号小于等于
cc_UGE 无符号大于等于
cc_UGT 无符号大于
cc_SLE 小于等于
cc_SGE 大于等于
cc_SGT 大于
cc_NET 不等并且不是最后
以下是引自狼大的修改入门:
在我们的修改中,见到的大多数指令都很简单,不外乎CALL,MOV,JPR,ADD,SUB等,只需注意一下段内跳转和段间跳转即可。还有EXTP等系列指令,在修改中经常见到。他是临时更换页地址的指令,比如D7 40 34 00,为EXTP #32 #1。#32(临时页地址),#1(有效指令数)。表示下面的1条指令的页地址为32H。还需要注意的是乘和除使用乘法寄存器MD进行操作。比如Mul op1,op2执行的操作时MD=op1*op2。32位寄存器MD的地址是FF0C。MDL是FF0C,而MDH是FF0E。除法时则是先把被除数放入MD。DIV op执行的是(MDL)=(MD)/(op1),(MDH)=(MD)mod(op1。
[ 本帖最后由 JunFeng 于 2006-2-16 18:09 编辑 ] 文件存取系统函数5601
> 0xDFA73E: open (r13:r12 -> filename, r14 - flags, r15 - mode;
> return r4
> = fd, -1 on error)
> 0xDFF6AA: fstat (r12 - fd, r14:r13 -> buffer; return r4=0 - success)
> 0xDFABAE: read (r12 - fd, r14:r13 -> buffer, r15 - size; return r4 =
> Nbytes read)
> 0xDFB868: lseek (r12 - fd, r14:r13 - offset, r15 - whence)
> 0xDFC570: close (r12 - fd)
org 0E45AC0h
; loc_EBIN: 16-entry dispatch table. Each entry loads the key index (0..0Fh)
; into r4 and jumps to the shared tail loc_447350, which builds a bin-file name
; from the index and runs that file through loc_readbin. The hook that enters
; this table is not shown in this listing.
loc_EBIN:
mov r4, #0
jmpr cc_UC, loc_447350
mov r4, #1
jmpr cc_UC, loc_447350
mov r4, #2
jmpr cc_UC, loc_447350
mov r4, #3
jmpr cc_UC, loc_447350
mov r4, #4
jmpr cc_UC, loc_447350
mov r4, #5
jmpr cc_UC, loc_447350
mov r4, #6
jmpr cc_UC, loc_447350
mov r4, #7
jmpr cc_UC, loc_447350
mov r4, #8
jmpr cc_UC, loc_447350
mov r4, #9
jmpr cc_UC, loc_447350
mov r4, #0Ah
jmpr cc_UC, loc_447350
mov r4, #0Bh
jmpr cc_UC, loc_447350
mov r4, #0Ch
jmpr cc_UC, loc_447350
mov r4, #0Dh
jmpr cc_UC, loc_447350
mov r4, #0Eh
jmpr cc_UC, loc_447350
mov r4, #0Fh
jmpr cc_UC, loc_447350
; Shared tail: copy ebindw ("a:\zbin\zaa.bin" + NUL, 16 bytes) to 23:0000, then
; overwrite two bytes of it from r4 + 6161h (rh4 = 'a', rl4 = 'a' + index).
; Which positions receive the bytes cannot be recovered here: the store
; operands were lost in the paste.
loc_447350:
mov [-r0], r4 ; keep the index across the copy
mov r12, #10h
mov [-r0], r12 ; Memcpy (0C7:83DC) takes its size on the user stack
mov r12, #0000h ; destination 23:0000
mov r13, #23h
mov r14, #pof(ebindw) ; source
mov r15, #pag(ebindw)
calls 0C7h, 83DCh ; Memcpy
add r0, #2 ; drop the size word
mov r4, ; NOTE(review): operand lost in paste, presumably [r0+] (pops the index)
add r4, #6161h
mov r13, #23h
mov r12, #0000h
extp r13, #2 ; the next two stores address page r13
movb , rh4 ; NOTE(review): destination operand lost in paste
movb , rl4
mov r14, r12 ; r14:r15 -> the name just built
mov r15, r13
callr loc_readbin ; run it like a BFA bin file (ret-terminated helper)
rets
; loc_FAM33: FAM 3.2 entry hook (reached by the jmps stub listed after ebindw).
; 0CA:1DC0 is a status poll whose meaning is not given on this page; the
; play/pause messages around it suggest a player-state query. When it reports
; non-zero, message 24h is sent to pid_MMI (0E:35E8) and the poll is spun until
; it returns 0; only then does control continue into the original FAM code at
; 0DC:1EDE / 0DC:2B60.
; When 0C5:BECA(r12=1) does not return 3, playmp3's far address is pushed on
; the system stack beforehand, so a later rets in the FAM code lands in playmp3
; (the push/push/rets idiom explained earlier in this thread) — inferred from
; the code shape only.
loc_FAM33:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_pFAM32 ; nothing to stop: straight to the FAM path
mov r12, #1
calls 0C5h, 0BECAh ; semantics not given on this page
cmp r4, #3
jmpr cc_Z, loc_callin
mov r12, #sof(playmp3)
mov r13, #seg(playmp3)
push r13 ; segment first, then offset: a later rets continues in playmp3
push r12
loc_callin:
mov r12, #35E8h ; message target pid_MMI (0E:35E8, see the struct dump above)
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h ; message id 24h (26h is used below to start playing again)
calls 0B4h, 724Ch ; send-message call (same entry as used by playmp3 and loc_ispause)
loc_445AF0:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_NZ, loc_445AF0 ; spin until the poll reports 0
loc_pFAM32:
cmp r8, #40h ; r8 is set by the hooked code; its meaning is not given here
jmpr cc_Z, loc_445B06
cmp r8, #22h ; flags are handed to the FAM code that follows
jmps 0DCh, 1EDEh ; continue in the original FAM code
loc_445B06:
mov r4, ; NOTE(review): pop operands lost in paste, presumably [r0+]
mov r5,
mov r12,
mov r13,
calls 0C7h, 0EE88h ; ROM call, not documented on this page
jmps 0DCh, 2B60h
; loc_FAM32: hook for FAM 3.2 (jmps stub). Sends message 40h / 0 to 0E:3870 and
; returns. r12-r15 are pushed first, but the saved values are discarded with
; add r0,#8 instead of being restored — if the caller needs r12-r15 intact this
; is a bug; verify against the hook site.
loc_FAM32:
mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov r12, #3870h ; message target 0E:3870
mov r13, #0Eh
mov r14, #40h
mov r15, #0
calls 0B4h, 724Ch ; send-message call
add r0, #8 ; drops the four saved words without restoring them
rets
; playmp3: send message 26h to pid_MMI (0E:35E8) and wait until the 0CA:1DC0
; poll becomes non-zero (the opposite wait condition of loc_445AF0), then rets.
; Entered through the address pushed in loc_FAM33.
playmp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h ; message id 26h
calls 0B4h, 724Ch ; send-message call
loc_445B30:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_445B30 ; spin while the poll reports 0
rets
; loc_exttable: file-type dispatch (jmps stub target). rl6 holds a type code
; set by the hooked code: 06h -> bin file (BFA), 14h -> text file (TXT);
; anything else leaves through 0D3:2B0, which the main program later in this
; thread annotates as "exit the MMC browser".
; NOTE(review): the second copy of this listing compares against decimal #14
; here; one of the two values is wrong.
loc_exttable:
cmpb rl6, #06h
jmpr cc_Z, loc_BFA
cmpb rl6, #14h
jmpr cc_Z, loc_TXT
loc_expret:
jmps 0D3h, 2B0h ; common exit for all three paths
loc_BFA:
callr loc_pBFA
jmpr cc_UC, loc_expret
loc_TXT:
callr loc_pTXT
jmpr cc_UC, loc_expret
; loc_pBFA: r8:r9 -> file record; the ASCIIZ name is at +0B2h, so r14:r15 is
; pointed at it and execution falls into loc_readbin.
; loc_readbin: run pBFAROUTIME through 0E5:FFF2 (not documented on this page;
; from its uses here it dispatches the routine at r12:r13 and passes r14:r15 as
; the routine's argument, which pBFAROUTIME receives as r12:r13).
; Both labels are entered with callr (loc_BFA, loc_EBIN), hence ret.
loc_pBFA:
mov r14, r8
mov r15, r9
add r14, #0B2h ; r14:r15 -> file name
loc_readbin:
mov r12, #sof(pBFAROUTIME)
mov r13, #seg(pBFAROUTIME)
calls 0E5h, 0FFF2h
ret
; loc_pTXT: text-file association path (callr from loc_TXT, so it ends in ret).
; r8:r9 -> file record, name at +0B2h. Copies the name to 33:3F00 via
; loc_copyname, zeroes the chunk index 37:3FF2 and runs TXTROUTIME through
; 0E5:FFF2 with r14:r15 -> the name.
; NOTE(review): the operands of the four bare "mov r14," / "mov r15," lines were
; lost in the paste and cannot be recovered from this listing. loc_copyname also
; leaves Memcpy's size word on the user stack, so check the stack balance of
; this routine against the original file.
loc_pTXT:
mov r14, r8
mov r15, r9
add r14, #0B2h ; r14:r15 -> file name
mov r14,
mov r15,
calls loc_copyname ; name -> 33:3F00 (used later by loc_loopread)
mov r12, #0000h
extp #37h, #1
mov 3FF2h, r12 ; 37:3FF2 = chunk index = 0
mov r15,
mov r14,
mov r12, #sof(TXTROUTIME)
mov r13, #seg(TXTROUTIME)
calls 0E5h, 0FFF2h ; run TXTROUTIME with r14:r15 as argument
ret
; loc_copyname: Memcpy 30h bytes from r14:r15 (the file name) to 33:3F00, the
; slot loc_loopread re-reads the name from.
; NOTE(review): the size word pushed for Memcpy is not popped before rets
; (compare the `add r0, #2` after the Memcpy in loc_447350), so every call
; leaves one word on the user stack unless the caller drops it.
loc_copyname:
mov r12, #30h ; byte count
mov [-r0], r12 ; Memcpy takes its size on the user stack
mov r12, #3F00h ; destination 33:3F00
mov r13, #33h
calls 0C7h, 83DCh ; Memcpy
rets
; pBFAROUTIME: bin-file loader. Entered (via 0E5:FFF2) with r12:r13 -> file
; name. Opens it, reads up to four pages (20h..23h, 64K) into RAM at 20:0000
; (page 20h * 4000h = 080000h, RAM per the memory map quoted in this thread),
; closes the file and executes the loaded bytes with `calls 8, 0`.
; Nothing in the file is validated beyond the 64K cap: whatever the
; association points at runs as firmware code. On open failure 0E6:0538 is
; called with r12=1, r13=04B3h (presumably an error text; not documented here).
; Register use: r8 = handle, r9 = buffer page, r12 = handle for the next call.
pBFAROUTIME:
mov r14, #0 ; open flags
mov r15, #0 ; open mode
calls 0DBh, 0AF5Ch ; fileopen -> r4 = handle, 0FFFFh on failure
mov r8, r4
cmp r8, #0FFFFh
jmpa cc_NZ, loc_445BC0
mov r12, #1
mov r13, #04B3h
calls 0E6h, 00538h ; open failed
rets
loc_445BC0:
mov r12, r8 ; r12 = handle
mov r9, #20h ; first buffer page
loc_445B9A:
mov r14, r9 ; buffer page
mov r13, #0 ; buffer offset
mov r15, #4000h ; one full page per read
calls 0DBh, 0B3CCh ; fileread -> r4 = bytes read, r8 = handle (as relied on below)
mov r12, r8
cmp r4, #4000h
jmpr cc_C, loc_445BB8 ; short read (unsigned <): end of file
cmp r9, #23h
jmpr cc_Z, loc_445BB8 ; four pages read: stop, remainder of the file is ignored
add r9, #1
jmpr cc_UC, loc_445B9A
loc_445BB8:
calls 0DBh, 0CD8Eh ; fileclose(r12)
calls 8, 0 ; run the loaded file at 08:0000
rets
; loc_IDLE: idle-hook body. loc_IDLESUB drops to half speed while the phone is
; in standby; the 14 nops reserve space (purpose not stated); 0C8:C3EE is not
; documented on this page — presumably the call displaced from the hook site.
loc_IDLE:
calls loc_IDLESUB
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
calls 0C8h, 0C3EEh
rets
; loc_memadd / loc_bh_imeadd: two hook entries (calls stubs). Each first
; repeats the register moves displaced at its hook site, then joins
; loc_445C00, which switches to full speed and returns.
loc_memadd:
mov r8, r4
mov r9, r5
jmpr cc_UC, loc_445C00
loc_bh_imeadd:
mov r6, r4
mov r7, r5
jmpr cc_UC, loc_445C00
; loc_IDLESUB: if the standby flag byte 34:3E2B equals 1 (standby, see the
; overclock-patch explanation in this thread), continue at loc_445C0E (half
; speed, which ends in rets); otherwise return. Clobbers rl4.
loc_IDLESUB:
extp #34h, #1
movb rl4, 3E2Bh
cmpb rl4, #1
jmpr cc_Z, loc_445C0E
rets
; loc_Creatprocessadd: CreateProcess hook. Repeats the displaced
; `mov r7,r13 / mov r6,r12`, then loc_445C00 saves r8,r9,r12-r15, switches to
; full speed (0B4:9B72, 26 MHz per this thread), restores them and returns.
loc_Creatprocessadd:
mov r7, r13
mov r6, r12
loc_445C00:
callr loc_445C18 ; save registers
calls 0B4h, 9B72h ; full speed
callr loc_445C26 ; restore registers
rets
; loc_exitprocesssub: ExitProcess hook. Repeats the displaced `calls 0CFh,364Ch`
; first, then loc_445C0E saves r8,r9,r12-r15, switches to half speed
; (0B4:9B5E, 13 MHz per this thread), restores them and returns.
; loc_445C0E is also the standby path of loc_IDLESUB.
loc_exitprocesssub:
calls 0CFh, 364Ch ; original instruction from the hook site
loc_445C0E:
callr loc_445C18 ; save registers
calls 0B4h, 9B5Eh ; half speed
callr loc_445C26 ; restore registers
rets
; loc_445C18: push r8, r9, r12-r15 on the user stack. Near helper (callr/ret).
; Must be paired with loc_445C26, which pops in the reverse order.
loc_445C18:
mov [-r0], r8
mov [-r0], r9
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
ret
; loc_445C26: pop r15, r14, r13, r12, r9, r8 from the user stack (reverse of
; loc_445C18). Near helper (callr/ret).
; NOTE(review): the "[r0+]" source operands were lost in the paste.
loc_445C26:
mov r15,
mov r14,
mov r13,
mov r12,
mov r9,
mov r8,
ret
; TXTROUTIME: run through 0E5:FFF2 with r12:r13 -> file name. Loads the
; selected chunk of the file (loc_readdata) and enters 0E4:6300, which the main
; program later in this thread annotates as the RAM reader.
TXTROUTIME:
calls loc_readdata
calls 0E4h, 6300h
rets
; loc_readdata: open the file named by r12:r13 (flags/mode 0), read the first
; chunk with loc_txtread, then skip [37:3FF2] further chunks so the buffer ends
; up holding chunk number [37:3FF2] (0 = first). Stops early when the last
; fileread call returned fewer than 4000h bytes ([37:3FF4] = EOF). The handle
; is kept in 37:3FF0 and closed before returning. Entered with calls (and via
; 0E5:FFF2 from loc_loopread), so it ends in rets.
loc_readdata:
mov r14, #0 ; open flags
mov r15, #0 ; open mode
calls 0DBh, 0AF5Ch ; fileopen -> r4 = handle, 0FFFFh on failure
cmp r4, #0FFFFh
jmpr cc_Z, loc_445CBE ; open failed: return, buffer untouched
mov r8, r4
extp #37h, #1
mov 3FF0h, r8 ; 37:3FF0 = file handle
calls loc_txtread ; first chunk
extp #37h, #1
mov r15, 3FF2h ; r15 = chunks still to skip
loc_loop:
extp #37h, #1
mov r4, 3FF4h ; bytes returned by the last fileread call
cmp r4, #4000h
jmpr cc_C, loc_closefile ; short read: end of file
cmp r15, #0
jmpr cc_Z, loc_closefile ; wanted chunk is in the buffer
mov [-r0], r15 ; loc_txtread clobbers r15
calls loc_txtread
mov r15, ; NOTE(review): operand lost in paste, presumably [r0+]
sub r15, #1
jmpr cc_UC, loc_loop
loc_closefile:
extp #37h, #1
mov r12, 3FF0h
calls 0DBh, 0CD8Eh ; fileclose(handle)
loc_445CBE:
rets
; loc_txtread: read from handle [37:3FF0] into the reader buffer
; 20:0100..26:3FFF — first page from offset 100h for 3F00h bytes, then whole
; pages — one fileread per page, stopping at a short read or after page 26h.
; Leaves the handle in 37:3FF0 and the last read count in 37:3FF4, stores a 0
; word right after the data and fills 20:0000..00FF with 0FFh.
; Register use: r9 = buffer page, r13 = buffer offset, r15 = request size.
; NOTE(review): the short-read test compares against 3F00h even for the later
; 4000h-byte requests, and when page 26h fills completely the terminator is
; written at 27:0000, outside the buffer — verify both against the intent.
loc_txtread:
extp #37h, #1
mov r12, 3FF0h ; r12 = handle
mov r13, #100h ; first page starts at 0100h
mov r9, #20h
mov r15, #3F00h ; 4000h - 100h
loc_445CD4:
mov r14, r9
calls 0DBh, 0B3CCh ; fileread(r12 = handle, r13:r14 = buffer, r15 = size) -> r4 = count, r8 = handle
extp #37h, #2 ; the next two stores address page 37h
mov 3FF0h, r8
mov 3FF4h, r4
mov r12, r8
cmp r4, #3F00h
jmpr cc_C, loc_445CFA ; short read (unsigned <): stop
cmp r9, #26h
jmpr cc_Z, loc_445CFA ; buffer full
add r9, #1
mov r13, #0
mov r15, #4000h
jmpr cc_UC, loc_445CD4
loc_445CFA:
mov r2, r4 ; r2 is not read anywhere in this listing (the second copy omits this line)
cmp r4, #4000h
jmpr cc_NZ, loc_445D08
sub r4, #4000h ; full last page: terminator goes to offset 0 of the next page
add r9, #1
loc_445D08:
cmp r9, #20h
jmpr cc_NZ, loc_445D12
add r4, #100h ; first-page data starts at 100h
loc_445D12:
mov r12, #0
extp r9, #1
mov , r12 ; NOTE(review): operand lost in paste; stores the 0 word at r9:r4 (presumably [r4])
mov r9, #0
mov r13, #20h
mov r14, #0FFh
mov r15, #100h
calls 0C7h, 8416h ; Strset(20:0000, 0FFh, 100h)
rets
; loc_loopread: "next chunk" hook (calls stub). Increments the chunk index
; 37:3FF2 and re-runs loc_readdata through 0E5:FFF2 on the file name that
; loc_copyname saved at 33:3F00. r12-r15 are preserved.
; NOTE(review): the "[r0+]" pop operands were lost in the paste.
loc_loopread:
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
extp #37h, #1
mov r12, 3FF2h
add r12, #1 ; chunk index + 1
extp #37h, #1
mov 3FF2h, r12
mov r12, #sof(loc_readdata)
mov r13, #seg(loc_readdata)
mov r14, #3F00h ; r14:r15 -> saved file name at 33:3F00
mov r15, #33h
calls 0E5h, 0FFF2h ; run loc_readdata with the name as argument
mov r15,
mov r14,
mov r13,
mov r12,
rets
; loc_smsmp3: hook at a "mov r8,r12 / mov r9,r13" site (the displaced moves
; come first, as the hooking advice in this thread describes), then pause or
; resume MP3 playback depending on the player state byte (loc_ispause).
; r4 and r12-r15 are preserved; r8/r9 carry the hooked code's own values.
; NOTE(review): the "[r0+]" pop operands were lost in the paste.
loc_smsmp3:
mov r9, r13
mov r8, r12
mov [-r0], r4
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls loc_ispause
mov r15,
mov r14,
mov r13,
mov r12,
mov r4,
rets
; loc_ispause: byte 32:2F7C selects the action: 4 -> loc_smsplaymp3 (message
; 26h), 1 -> loc_smspausemp3 (message 24h), anything else -> nothing. What the
; values 4 and 1 mean is inferred from the target names only. Clobbers rl4.
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch
cmpb rl4, #4
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
; loc_smspausemp3: send message 24h to pid_MMI (0E:35E8) — the same message
; loc_FAM33 sends before it waits for the poll to drop to 0 — and return.
loc_smspausemp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch ; send-message call
rets
; loc_smsplaymp3: send message 26h to pid_MMI (0E:35E8), like playmp3 but
; without waiting for the poll afterwards.
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch ; send-message call
rets
; ebindw: "a:\zbin\zaa.bin" + NUL (16 bytes). loc_447350 copies it to 23:0000
; and patches two bytes from the key index before running it.
ebindw:
db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h
; The instructions below look like the per-hook-site stubs (jmps/calls into
; the routines above). The addresses they belong at are not given in this
; listing; as assembled here they simply follow the data.
jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
calls loc_bh_imeadd
end
下面是我改的txt关联的主程序
可以直接在ram阅读中切换到进入时的栈顶,然后calls 0E4h, 627Eh,就可以读下一部分数据,不过我找不到需要的栈顶。。。
org 0E46212h
; TXT-association main program (the author's modified version).
; By the listing's own address arithmetic (calls and jmps are 4 bytes each) the
; routine after the two stub instructions sits at 621Ah and the loader after
; its rets at 6230h, which is the address loaded into r12 below.
calls 0E4h, 621Ah
jmps 0D3h, 2B0h 退出mmc浏览器
; 621Ah: r8:r9 -> file record, ASCIIZ name at +0B2h. Hands the name and the
; loader address to 0E4:484C, which (per the inline note) runs the loader with
; the name in r12:r13.
mov r14, r8 r8,r9point to file nameascⅡ
mov r15, r9
add r14, #0B2h
mov r12, #6230h ; routine to run: the loader below
mov r13, #0E4h
calls 0E4h, 484Ch calls fam3.2,传送文件名到r12,r13并执行r到14,r15所在
rets
; 6230h: loader. Opens the file (flags/mode 0), keeps the handle in 37:3FFE,
; fills the reader buffer with the read subroutine at 0E4:627E and enters the
; RAM reader at 0E4:6300. On open failure it returns without reading.
mov r14, #0 r14,r15指向这里
mov r15, #0
calls 0DBh, 0AF5Ch open file,-1=faild,if open,r4=filehandle
mov r8, r4
cmp r8, #0FFFFh 打开失败?
jmpr cc_Z, loc_44626C 失败就出去返回
extp #37h, #1
mov 3FFEh, r8 将filehandle保存到37h,3ffe
calls 0E4h, 627Eh 自己写的ram阅读专用读文件子程序
; Optional-patch menu, group 2 (36:0D74), bit 14. NOTE(review): jb jumps when
; the bit IS set (see the jb/jnb explanation earlier in this thread), so the
; two extra reads below run only while bit 14 is clear — the inline notes say
; the opposite; verify which behaviour is intended.
extp #36h, #1 取得应用程序菜单第2大项
mov r4, 0D74h
jb r4.14, loc_44625C 第二大项14处,没选跳
calls 0E4h, 627Eh ram读文件
extp #36h, #1 取得应用程序菜单
mov r4, 0D74h
jb r4.14, loc_44625C 没选跳
calls 0E4h, 627Eh ram读文件
loc_44625C:
calls 0E4h, 6300h 到ram阅读器
extp #37h, #1 取得filehandle
mov r12, 3FFEh
calls 0DBh, 0CD8Eh close file
loc_44626C:
rets
这里是ram阅读专用读文件子程序
; Read subroutine at 0E4:627E (per the caller above): read from handle
; [37:3FFE] into the reader buffer 20:0100..2A:3FFF — first page from 100h for
; 3F00h bytes, then whole pages — one fileread per page, stopping at a short
; read or after page 2Ah. Stores the handle back to 37:3FFE, writes a 0 word
; after the data and fills 20:0000..00FF with 0FFh.
; Register use: r9 = buffer page, r13 = buffer offset, r15 = request size.
; NOTE(review): the short-read test compares against 3F00h even for the later
; 4000h-byte requests, and when page 2Ah fills completely the terminator lands
; at 2B:0000, outside the buffer — verify both against the intent.
extp #37h, #1
mov r12, 3FFEh 取得filehandle
mov r13, #100h 读文件的buffer pof
mov r9, #20h buffer pag
mov r15, #3F00h size
loc_446282:
mov r14, r9
calls 0DBh, 0B3CCh readfile,r12=f hle,r13=b pof,r14=b pag,r15=size,读取完成后,r8=filehandle,r4=N bytes read
extp #37h, #1 保存读文件后的filehandle
mov 3FFEh, r8
mov r12, r8 filehandle到r12,为继续读做准备
cmp r4, #3F00h 是否读了16k
jmpr cc_C, loc_4462A8 小于16k就说明文件本身小于16k,跳出
cmp r9, #2Ah 比较b buffer pag是否为2A,限制最大为2A
jmpr cc_Z, loc_4462A8 是2a就出去
add r9, #1 否则buffer page+1
mov r13, #0 buffer pof
mov r15, #4000h size
jmpr cc_UC, loc_446282 循环
loc_4462A8:
cmp r4, #4000h 是否读了16k
jmpr cc_NZ, loc_4462B4 不是就跳
sub r4, #4000h 否则将r4清零
add r9, #1 buffer page+1
loc_4462B4:
cmp r9, #20h 比较buffer pag是否是20
jmpr cc_NZ, loc_4462BE 不是就跳
add r4, #100h 否则 r4+100=buffer pof
loc_4462BE:
mov r12, #0
extp r9, #1
; NOTE(review): the destination operand of the next store was lost in the paste (presumably [r4])
mov , r12 0写入buffer pof,即文本结束位置
mov r9, #0 r9清空
mov r13, #20h pag
mov r14, #0FFh 用FF填充
mov r15, #100h size
calls 0C7h, 8416h 内存快速填充函数,r13=pag,r12=pof,r14=填充数据,r15=数量
rets
; *** FTA v2.1. No Case Sensitive ***
; *** File Type Association v2.0 ***
; Copyright(C)2005 by Rst7/CBSIE
;
; Need FAM3.2 & ESI patch. Undo all FAM2 stuff
; and patches, used FAM2 (JSTV and other)
;
; Patch use text file A:\execute.ext as
;
; ...
; file_extension:full_path_and_name_of_binfile
; ...
;
; One line - one extension. Without spaces!
; If the extension is not found, run
; last binfile defined in execute.ext
;
; For coders: full path and name of openfile
; passed to binfile through R12/R13 as far pointer
; to ASCIIZ string
;
; Check R13 (_pof(commandline)) for 0x35 - if equ
; then run from FTA, else run from BFA
;
; Version 2.1->Use any case of chars in file extension and record in execute.ext
;
; Необходим FAM3.2 и ESI, откатить все барахло
; FAM2 и кто его пользует (JSTV и остальное).
;
; Использует текстовый файл A:\execute.ext в виде
;
; ...
; расширение:полный_путь_и_имя_бинарника
; ...
;
; Одна строка - одно расширение. Без пробелов!
; Для неизвестных расширений - запуск
; бинарника в последней записи
;
; Для кодеров: полный путь и имя открываемого
; файла передается в бинарник через R12/R13 как
; far-указатель на ASCIIZ строку.
;
; Сравнить R13 (_pof(commandline)) с 0x35 - если равно,
; то запущен через FTA, иначе через BFA.
;
; Версия 2.1->Не зависима от регистра символов расширения и записи в execute.ext
;使用方式,在mmc根目录新建文本文件execute.ext,内容格式如下
;org:A:/bin/fileorg.bin >>意为关联org文件到A:\fileorg.bin
;txt:A:/bin/ted.bin >>关联txt文件到A:\bin\ted.bin
;sie:A:/bin/null.bin
;注意!!!sie:A:/bin/null.bin必须在最后(该文件只需要4个16进制的字符就行db00)
;否则它会将未知文件关联到定义的最后一个bin上
003874CE: EAE01876 FAE4304F
0x445BE0: FAD3B002 FAE4304F
00444F20: 2A2A2A204654412076322E31202A2A2AFAE4384FFAD3B002F0E8F0F906FEB200
00444F40: E6FCBA51E6FDE400DAE5F2FFFAD3B002F04CF05DFAE4C07E
00444F58: 413A5C657865637574652E657874000000000000000000000000000000000000
00444F78: 071291032E1291031E129103
00444F84: 889088808870886026F00801F07DF06CE009E00CE00DC4C00201C4D00401F0C6
00444FA4: F0D7DAC73685F084EA20A85146F87F00EAE0A851F0C6F0D7DAC736850064F0C6
00444FC4: F0D70D0828813D05E6F60612E6F791030D072861DC47F426FFFF47F22E003DF2
00444FE4: E6FC580FE6FD9103E00EE00FDADB5CAFC440000146F4FFFFEA209E51F0C4F0D0
00445004: 66FDFF3FF2FE02FEE6FF8000DADBCCB3F084E6FC8000C4C0060146F880009D17
00445024: E1020080B9280D2CE6F880008880E02C00C066FCFF3FF2FD02FEE6FE820000E0
00445044: 66FEFF3FF2FF02FEDAC7B4830802D4C00001E6FD800000D066FDFF3FF2FE02FE
00445064: E6FF8000DADBCCB3F08446F880009D08E1020080E4288000E6F80001C4800601
00445084: E008D4C00601408C2DCFF0D8088100D0A92DEA20205146F9FFFF2D0446F9FEFF
004450A4: 2D0F0D1647F23A003D0BF0C066FCFF3FF2FD02FE00C8C4C00201C4D004012891
004450C4: 47F20D002D0347F20A003DDBE0090DD947F20D002D0347F20A003D02E0090DD1
004450E4: 47F23A003D06F0C6F0D700C9DC4DA94C2D21F011C02CDADBA6D88840F0C6F0D7
00445104: 00C9DC4DA92CC02CDADBA6D8981041283D0208910DB6E6F9FFFF0DB3D4800201
00445124: D490040170893D10E01CE6FD290EDAE638050D38F09066F9FF3FF2F602FE0098
00445144: C4900201C4600401D4C00001DADB8ECDE0080D010881D4C00201D4D0040100C8
00445164: DC4DA9CC47FC1F00EDF5E10CDC4DB9CCD4C00201D4D00401E00EE00FDADB5CAF
00445184: C440000146F4FFFF3D05E01CE6FD280EDAE63805D44000010D07E01CE6FD270E
004451A4: DAE63805E6F4FFFF06F008019860987098809890DB00889088808860F06DF09C
004451C4: E6FC780FE6FD9103DAE4504FF0C9F0D6DAE4844FF08446F8FFFF2D0FF0C8E00D
004451E4: E6FE2000E6FF0040DADBCCB3F0C8DADB8ECDF0C9F0D6DA080000986098809890
00445204: DB00
00445206: 00455845435554452E4558540D6E6F7420666F756E6421004E6F7468696E6720
00445226: 746F2072756E210042696E2066696C650D6E6F7420666F756E642
org 0E45AC0h
; loc_EBIN (second copy of the patch): 16-entry dispatch table. Each entry
; loads the key index (0..0Fh) into r4 and jumps to loc_447350, which builds a
; bin-file name from the index and runs it through loc_readbin. The hook that
; enters the table is not shown.
loc_EBIN:
mov r4, #0
jmpr cc_UC, loc_447350
mov r4, #1
jmpr cc_UC, loc_447350
mov r4, #2
jmpr cc_UC, loc_447350
mov r4, #3
jmpr cc_UC, loc_447350
mov r4, #4
jmpr cc_UC, loc_447350
mov r4, #5
jmpr cc_UC, loc_447350
mov r4, #6
jmpr cc_UC, loc_447350
mov r4, #7
jmpr cc_UC, loc_447350
mov r4, #8
jmpr cc_UC, loc_447350
mov r4, #9
jmpr cc_UC, loc_447350
mov r4, #0Ah
jmpr cc_UC, loc_447350
mov r4, #0Bh
jmpr cc_UC, loc_447350
mov r4, #0Ch
jmpr cc_UC, loc_447350
mov r4, #0Dh
jmpr cc_UC, loc_447350
mov r4, #0Eh
jmpr cc_UC, loc_447350
mov r4, #0Fh
jmpr cc_UC, loc_447350
; Shared tail: copy ebindw ("a:\zbin\zaa.bin" + NUL, 16 bytes) to 23:0000 and
; overwrite two bytes of it from r4 + 6161h (rh4 = 'a', rl4 = 'a' + index).
; The store operands were lost in the paste, so the byte positions are unknown.
loc_447350:
mov [-r0], r4 ; keep the index across the copy
mov r12, #10h
mov [-r0], r12 ; Memcpy (0C7:83DC) takes its size on the user stack
mov r12, #0000h ; destination 23:0000
mov r13, #23h
mov r14, #pof(ebindw) ; source
mov r15, #pag(ebindw)
calls 0C7h, 83DCh ; Memcpy
add r0, #2 ; drop the size word
mov r4, ; NOTE(review): operand lost in paste, presumably [r0+]
add r4, #6161h
mov r13, #23h
mov r12, #0000h
extp r13, #2 ; the next two stores address page r13
movb , rh4 ; NOTE(review): destination operand lost in paste
movb , rl4
mov r14, r12 ; r14:r15 -> the name just built
mov r15, r13
callr loc_readbin
rets
; loc_FAM33: FAM 3.2 entry hook (jmps stub target). 0CA:1DC0 is a status poll
; not documented on this page (the play/pause messages around it suggest a
; player-state query). If it is non-zero, message 24h is sent to pid_MMI
; (0E:35E8) and the poll is spun until it returns 0 before continuing into the
; FAM code at 0DC:1EDE / 0DC:2B60. Unless 0C5:BECA(r12=1) returns 3, playmp3's
; far address is pushed first so a later rets in FAM code lands in playmp3
; (push/push/rets idiom) — inferred from the code shape only.
loc_FAM33:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_pFAM32 ; nothing to stop
mov r12, #1
calls 0C5h, 0BECAh ; semantics not given on this page
cmp r4, #3
jmpr cc_Z, loc_callin
mov r12, #sof(playmp3)
mov r13, #seg(playmp3)
push r13 ; segment first, then offset
push r12
loc_callin:
mov r12, #35E8h ; message target pid_MMI (0E:35E8)
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h ; message id 24h
calls 0B4h, 724Ch ; send-message call
loc_445AF0:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_NZ, loc_445AF0 ; spin until the poll reports 0
loc_pFAM32:
cmp r8, #40h ; r8 comes from the hooked code
jmpr cc_Z, loc_445B06
cmp r8, #22h ; flags handed to the FAM code
jmps 0DCh, 1EDEh
loc_445B06:
mov r4, ; NOTE(review): pop operands lost in paste, presumably [r0+]
mov r5,
mov r12,
mov r13,
calls 0C7h, 0EE88h ; ROM call, not documented on this page
jmps 0DCh, 2B60h
; loc_FAM32: FAM 3.2 hook (jmps stub). Sends message 40h / 0 to 0E:3870 and
; returns. r12-r15 are pushed but then discarded with add r0,#8 rather than
; restored — verify the hook site tolerates that.
loc_FAM32:
mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov r12, #3870h ; message target 0E:3870
mov r13, #0Eh
mov r14, #40h
mov r15, #0
calls 0B4h, 724Ch ; send-message call
add r0, #8 ; drops the saved words without restoring them
rets
; playmp3: send message 26h to pid_MMI (0E:35E8), wait until the 0CA:1DC0 poll
; becomes non-zero, then rets. Reached through the address loc_FAM33 pushes.
playmp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h ; message id 26h
calls 0B4h, 724Ch ; send-message call
loc_445B30:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_445B30 ; spin while the poll reports 0
rets
; loc_exttable: file-type dispatch (jmps stub target). rl6 = type code from the
; hooked code: 6h -> bin file (BFA), 14 -> text file (TXT); anything else
; leaves through 0D3:2B0 ("exit the MMC browser" per the main program's notes).
; NOTE(review): `#14` here is decimal 14 (0Eh); the first copy of this listing
; compares against #14h. One of the two is wrong — check which code means .txt.
loc_exttable:
cmpb rl6, #6h
jmpr cc_Z, loc_BFA
cmpb rl6, #14
jmpr cc_Z, loc_TXT
loc_expret:
jmps 0D3h, 2B0h ; common exit for all paths
loc_BFA:
callr loc_pBFA
jmpr cc_UC, loc_expret
loc_TXT:
callr loc_pTXT
jmpr cc_UC, loc_expret
; loc_pBFA: r8:r9 -> file record, ASCIIZ name at +0B2h -> r14:r15, then falls
; into loc_readbin, which runs pBFAROUTIME through 0E5:FFF2 (dispatches the
; routine at r12:r13 with r14:r15 as argument, as used throughout this patch).
; Both entries are reached with callr, hence ret.
loc_pBFA:
mov r14, r8
mov r15, r9
add r14, #0B2h ; r14:r15 -> file name
loc_readbin:
mov r12, #sof(pBFAROUTIME)
mov r13, #seg(pBFAROUTIME)
calls 0E5h, 0FFF2h
ret
; loc_pTXT: text-file association path (callr from loc_TXT, ends in ret).
; r8:r9 -> file record, name at +0B2h. Saves the name at 33:3F00 (loc_copyname),
; zeroes the chunk index 37:3FF2 and runs ptxtread through 0E5:FFF2 with
; r14:r15 -> the name.
; NOTE(review): the operands of the four bare "mov r14," / "mov r15," lines were
; lost in the paste; loc_copyname also leaves one word on the user stack, so
; check the stack balance against the original file.
loc_pTXT:
mov r14, r8
mov r15, r9
add r14, #0B2h ; r14:r15 -> file name
mov r14,
mov r15,
calls loc_copyname ; name -> 33:3F00
mov r12, #0000h
extp #37h, #1
mov 3FF2h, r12 ; 37:3FF2 = chunk index = 0
mov r15,
mov r14,
mov r12, #sof(ptxtread)
mov r13, #seg(ptxtread)
calls 0E5h, 0FFF2h ; run ptxtread with r14:r15 as argument
ret
; pBFAROUTIME: bin-file loader. Entered (via 0E5:FFF2) with r12:r13 -> file
; name. Opens it, reads up to four pages (20h..23h, 64K) into RAM at 20:0000
; (= 080000h, RAM per the memory map quoted in this thread), closes the file
; and executes the loaded bytes with `calls 8, 0`. Nothing in the file is
; validated beyond the 64K cap. On open failure 0E6:0538 is called with
; r12=1, r13=04B3h (presumably an error text; not documented here).
; Register use: r8 = handle, r9 = buffer page.
pBFAROUTIME:
mov r14, #0 ; open flags
mov r15, #0 ; open mode
calls 0DBh, 0AF5Ch ; fileopen -> r4 = handle, 0FFFFh on failure
mov r8, r4
cmp r8, #0FFFFh
jmpa cc_NZ, loc_445BC0
mov r12, #1
mov r13, #04B3h
calls 0E6h, 00538h ; open failed
rets
loc_445BC0:
mov r12, r8 ; r12 = handle
mov r9, #20h ; first buffer page
loc_445B9A:
mov r14, r9 ; buffer page
mov r13, #0 ; buffer offset
mov r15, #4000h ; one full page per read
calls 0DBh, 0B3CCh ; fileread -> r4 = bytes read, r8 = handle
mov r12, r8
cmp r4, #4000h
jmpr cc_C, loc_445BB8 ; short read: end of file
cmp r9, #23h
jmpr cc_Z, loc_445BB8 ; four pages read: stop
add r9, #1
jmpr cc_UC, loc_445B9A
loc_445BB8:
calls 0DBh, 0CD8Eh ; fileclose(r12)
calls 8, 0 ; run the loaded file at 08:0000
rets
; loc_IDLE: idle-hook body. loc_IDLESUB drops to half speed in standby; the
; 14 nops reserve space (purpose not stated); 0C8:C3EE is not documented here —
; presumably the call displaced from the hook site.
loc_IDLE:
calls loc_IDLESUB
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
calls 0C8h, 0C3EEh
rets
; loc_memadd: hook entry (calls stub). Repeats the register moves displaced at
; its hook site, then joins loc_445C00 (full speed, rets).
loc_memadd:
mov r8, r4
mov r9, r5
jmpr cc_UC, loc_445C00
; loc_IDLESUB: if the standby flag byte 34:3E2B equals 1, continue at
; loc_445C0E (half speed, ends in rets); otherwise return. Clobbers rl4.
loc_IDLESUB:
extp #34h, #1
movb rl4, 3E2Bh
cmpb rl4, #1
jmpr cc_Z, loc_445C0E
rets
; loc_Creatprocessadd: CreateProcess hook. Repeats the displaced
; `mov r7,r13 / mov r6,r12`; loc_445C00 then saves r8,r9,r12-r15, switches to
; full speed (0B4:9B72), restores them and returns.
loc_Creatprocessadd:
mov r7, r13
mov r6, r12
loc_445C00:
callr loc_445C18 ; save registers
calls 0B4h, 9B72h ; full speed
callr loc_445C26 ; restore registers
rets
; loc_exitprocesssub: ExitProcess hook. Repeats the displaced `calls 0CFh,364Ch`;
; loc_445C0E (also loc_IDLESUB's standby path) saves r8,r9,r12-r15, switches
; to half speed (0B4:9B5E), restores them and returns.
loc_exitprocesssub:
calls 0CFh, 364Ch ; original instruction from the hook site
loc_445C0E:
callr loc_445C18 ; save registers
calls 0B4h, 9B5Eh ; half speed
callr loc_445C26 ; restore registers
rets
; loc_445C18: push r8, r9, r12-r15 on the user stack. Near helper (callr/ret);
; paired with loc_445C26.
loc_445C18:
mov [-r0], r8
mov [-r0], r9
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
ret
; loc_445C26: pop r15, r14, r13, r12, r9, r8 (reverse of loc_445C18).
; NOTE(review): the "[r0+]" source operands were lost in the paste.
loc_445C26:
mov r15,
mov r14,
mov r13,
mov r12,
mov r9,
mov r8,
ret
; ptxtread: run through 0E5:FFF2 with r12:r13 -> file name. Loads the selected
; chunk (loc_readdata) and enters the RAM reader at 0E4:6300.
ptxtread:
calls loc_readdata
calls 0E4h, 6300h
RETS
; loc_readdata: open the file named by r12:r13 (flags/mode 0), read the first
; chunk with loc_txtread, then skip [37:3FF2] further chunks so the buffer holds
; chunk number [37:3FF2]. Stops early when the last fileread returned fewer
; than 4000h bytes ([37:3FF4]). Handle kept in 37:3FF0 and closed before rets.
loc_readdata:
mov r14, #0 ; open flags
mov r15, #0 ; open mode
calls 0DBh, 0AF5Ch ; fileopen -> r4 = handle, 0FFFFh on failure
cmp r4, #0FFFFh
jmpr cc_Z, loc_445CBE ; open failed
mov r8, r4
extp #37h, #1
mov 3FF0h, r8 ; 37:3FF0 = file handle
calls loc_txtread ; first chunk
extp #37h, #1
mov r15, 3FF2h ; chunks still to skip
loc_loop:
extp #37h, #1
mov r4, 3FF4h ; bytes returned by the last fileread call
cmp r4, #4000h
jmpr cc_C, loc_closefile ; short read: end of file
cmp r15, #0
jmpr cc_Z, loc_closefile ; wanted chunk is in the buffer
mov [-r0], r15 ; loc_txtread clobbers r15
calls loc_txtread
mov r15, ; NOTE(review): operand lost in paste, presumably [r0+]
sub r15, #1
jmpr cc_UC, loc_loop
loc_closefile:
extp #37h, #1
mov r12, 3FF0h
calls 0DBh, 0CD8Eh ; fileclose(handle)
loc_445CBE:
rets
;-----------------------------------------------------------------------
; loc_txtread: read one part of the text into RAM pages 20h..26h.
; In:  37h:3FF0h and r8 = file handle
; Out: 37h:3FF4h = bytes returned by the last fileread (4000h = page full,
;      less = end of file); a zero word is stored right after the data.
; Layout: first read fills 20h:0100h..20h:3FFFh (3F00h bytes), pages
; 21h..26h take 4000h each -> at most 1BF00h bytes per part.
; Stops on a short read or after page 26h.
; Note: if the part ended exactly at the end of page 26h, the terminator
; word lands at 27h:0000h, one word past the buffer.
;-----------------------------------------------------------------------
loc_txtread:
extp #37h, #1
mov r12, 3FF0h                        ; r12 = handle
mov r13, #100h                        ; first dest offset (leaves 100h bytes free)
mov r9, #20h                          ; r9 = dest page
mov r15, #3F00h                       ; first read: rest of page 20h
loc_445CD4:
mov r14, r9                           ; dest page
calls 0DBh, 0B3CCh                    ; fileread -> r4 = bytes read
extp #37h, #2
mov 3FF0h, r8                         ; handle back to 37h:3FF0h
mov 3FF4h, r4                         ; 37h:3FF4h = last length
mov r12, r8                           ; reload handle for the next read
cmp r4, #3F00h
jmpr cc_C, loc_445CFA                 ; short read: done
cmp r9, #26h
jmpr cc_Z, loc_445CFA                 ; last page done
add r9, #1
mov r13, #0                           ; following pages start at offset 0
mov r15, #4000h                       ; and take a full page
jmpr cc_UC, loc_445CD4
loc_445CFA:
cmp r4, #4000h
jmpr cc_NZ, loc_445D08
sub r4, #4000h                        ; page full: terminator goes to start
add r9, #1                            ; of the next page
loc_445D08:
cmp r9, #20h
jmpr cc_NZ, loc_445D12
add r4, #100h                         ; page 20h data started at 100h
loc_445D12:
mov r12, #0
extp r9, #1
mov , r12                             ; zero word at r9:r4 (dest operand lost; presumably [r4])
mov r9, #0
mov r13, #20h                         ; 0C7h:8416h(20h:0000h, 0FFh, 100h):
mov r14, #0FFh                        ; presumably fills the 100h-byte header
mov r15, #100h                        ; area with 0FFh (memset?) -- confirm
calls 0C7h, 8416h
rets
;-----------------------------------------------------------------------
; loc_loopread: key "2" in the RAM reader -> load the next part.
; Increments the part counter at 37h:3FF2h and re-runs loc_readdata via
; FAM3.2 with the file name saved earlier at 33h:3F00h (loc_copyname).
; Saves/restores r12..r15 only; r8/r9/r4 are clobbered by loc_readdata.
;-----------------------------------------------------------------------
loc_loopread:
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
extp #37h, #1
mov r12, 3FF2h                        ; r12 = current part
add r12, #1                           ; next part
extp #37h, #1
mov 3FF2h, r12
mov r12, #sof(loc_readdata)           ; r12:r13 = routine
mov r13, #seg(loc_readdata)
mov r14, #3F00h                       ; r14:r15 -> saved file name
mov r15, #33h
calls 0E5h, 0FFF2h                    ; FAM3.2
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r13,
mov r12,
rets
;-----------------------------------------------------------------------
; loc_smsmp3: hook used by the "pause mp3 while viewing SMS / phonebook"
; patch lines (2E94AC etc.).  "mov r9, r13 / mov r8, r12" are the two
; original instructions the hook overwrote (bytes F0 9D F0 8C).
; Saves r4, r12..r15 around loc_ispause so the caller sees no change.
;-----------------------------------------------------------------------
loc_smsmp3:
mov r9, r13                           ; original instruction 1
mov r8, r12                           ; original instruction 2
mov [-r0], r4
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls loc_ispause
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r13,
mov r12,
mov r4,
rets
; loc_ispause: toggle mp3 playback based on the state byte at 32h:2F7Ch
; (4 = paused -> resume, 1 = playing -> pause; anything else: no-op).
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch                       ; rl4 = mp3 state
cmpb rl4, #4
jmpr cc_Z, loc_smsplaymp3             ; paused -> play
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3            ; playing -> pause
rets
; loc_smspausemp3: send message 24h (pause) to the mp3 process (id 0ACh)
; through the MMI message block at 0Eh:35E8h; 0B4h:724Ch = send message.
loc_smspausemp3:
mov r12, #35E8h                       ; r12:r13 = message block
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #24h                         ; 24h = pause
calls 0B4h, 724Ch
rets
; loc_smsplaymp3: send message 26h (play) to the mp3 process (id 0ACh)
; through the MMI message block at 0Eh:35E8h.
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #26h                         ; 26h = play
calls 0B4h, 724Ch
rets
;-----------------------------------------------------------------------
; loc_copyname: memcpy(33h:3F00h <- r14:r15, 30h bytes) via 0C7h:83DCh;
; the byte count is passed on the r0 stack.
; Always copies 30h bytes regardless of the real name length, so a name
; shorter than 30h bytes drags whatever follows it in the record along
; (the post text below acknowledges this).
; NOTE(review): the other two callers of 0C7h:83DCh on this page follow it
;   with "add r0, #2" to drop the pushed count; this routine does not.
;   Unless memcpy pops its own argument, the caller's r0 stack is left
;   2 bytes off and the pops in loc_pTXT pick up 30h instead of the saved
;   name pointer.  If confirmed, add "add r0, #2" after the call.
;-----------------------------------------------------------------------
loc_copyname:
mov r12, #30h                         ; byte count
mov [-r0], r12                        ; pushed for memcpy
mov r12, #3F00h                       ; r12:r13 = destination 33h:3F00h
mov r13, #33h
calls 0C7h, 83DCh                     ; memcpy
rets
; ebindw: template name "a:\zbin\zaa.bin",0 (16 bytes) used by loc_EBIN.
ebindw:
db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h
; Reference stubs: one far jump/call per patch entry point.  They are not
; executed; presumably they exist so the assembled bytes can be read off
; for the hook lines (the "FAE4..." / "DAE4..." values below) -- confirm.
jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end
[ 本帖最后由 JunFeng 于 2006-4-22 05:00 编辑 ] 这里由于直接用的memcpy函数复制文件名,不知是否完整复制了文件名,连续读也许会有问题,但是mmc exp里开txt文件该不死机了(原来的的确是出错了,把文件名弄丢了^}^.
很久想弄个复制文件名的小函数,能够返回文件名的长度,在设想的一些补丁中较多处需要调用...(比如增加历史记录就需要)
txt读取大小改到了安全范围.改成调用输入法加速(减少死机)
读ansi格式txt死机记得在用b大的文件关联1.2的时候就有读某些ansi格式txt死机的情况(用的fam0.9),而且我曾经试过,对于ansi的txt,在读数据的时候就已经死机了...未知原因,可能难以解决
;UNI 0.2b
;改为真正的连续读,按2直接读下一部分,需要测试,我无数据线
;忘了很多东西,也许会有些许小错误,呵呵,请再测试
;如果有时间就完善之,看看filewrite函数也许还会加入历史记录,如同microreader,就算重启也可回到最后读到的部分
;BFA 2.2 FINAL
0x32cc34: 6C6462 747874
0032cbf2: 6C6462 747874
;txt文件关联到ram阅读
0x32cca4: 6C6E67 62696E
0x32ccba: 6C6E67 62696E
0x3C1EDA: 46F82200 FAE43E5B ;FAM 3.31
0x45FFF2: FFFFFFFF FAE49C5B ;FAM 3.2
0x330184: EA00B002 FAE4D65B ;系统扩展文件关联表
0x3CF78E: DAC8EEC3 DAE4905C ;IDLE表
;0x5336B6: F07DF06C DAE4D05C ;创建应用程序立即加速,默认未启用
;0x53ED36: DACF4C36 DAE4DE5C ;退出应用程序立即减速
;0x3389AA: F084F095 DAE4B65C ;有动作就全速,功耗较高,不推荐
446696: DAE47A68 DAE4D25D ;开启ram连续读功能
;34441C: F09DF08C DAE40A5E ;查看短消息暂停mp3
;34437E: F09DF08C DAE40A5E ;查看短消息暂停mp3
2E94AC: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2E965A: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2EECCC: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2EED5A: F09DF08C DAE40A5E ;访问通讯录暂停mp3
0x43F224: F064F075 DAE4BC5C ;笔画加速
0x43C7B2: F084F095 DAE4B65C ;拼音加速
0x445AC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0040D1EE0140D1CE0240D1AE0340D18
0x445AD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0440D16E0540D14E0640D12E0740D10
0x445AE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0840D0EE0940D0CE0A40D0AE0B40D08
0x445AF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0C40D06E0D40D04E0E40D02E0F40D00
0x445B00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 8840E6FC100088C0E6FC0000E6FD2300
0x445B10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FE621EE6FF9103DAC7DC8308029840
0x445B20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 06F46161E6FD2300E6FC0000DC5DE49C
0x445B30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0900E48C0A00F0ECF0FDBB5CDB00DACA
0x445B40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF C01D48402D18E01CDAC5CABE48432D06
0x445B50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FCBA5BE6FDE400ECFDECFCE6FCE835
0x445B60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0EDE6FEAC00E6FF2400DAB44C72DACA
0x445B70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF C01D48403DFC46F840002D0446F82200
0x445B80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FADCDE1ED4400A00D4500C00D4C00E00
0x445B90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF D4D01000DAC788EEFADC602B88F088E0
0x445BA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88D088C0E6FC7038E0EDE6FE4000E00F
0x445BB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAB44C7206F00800DB00E6FCE835E0ED
0x445BC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FEAC00E6FF2600DAB44C72DACAC01D
0x445BD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 48402DFCDB0049C62D0547FC14002D04
0x445BE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FAD3B002BB030DFCBB0C0DFAF0E8F0F9
0x445BF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 06FEB200E6FC445CE6FDE400DAE5F2FF
0x445C00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CB00F0E8F0F906FEB20098E098F0DAE4
0x445C10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 305CE6FC0000D7403700F6FCF23F98F0
0x445C20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98E0E6FC085DE6FDE400DAE5F2FFCB00
0x445C30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FC300088C0E6FC003FE6FD3300DAC7
0x445C40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DC83DB00E00EE00FDADB5CAFF08446F8
0x445C50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFEA30625CE01CE6FDB304DAE63805
0x445C60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00F0C8E6F92000F0E9E00DE6FF0040
0x445C70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DADBCCB3F0C846F400408D0546F92300
0x445C80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2D0208910DF1DADB8ECDDA080000DB00
0x445C90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAE4C25CCC00CC00CC00CC00CC00CC00
0x445CA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CC00CC00CC00CC00CC00CC00CC00CC00
0x445CB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAC8EEC3DB00F084F0950D0CF064F075
0x445CC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0D09D7403400F3F82B3E49812D0ADB00
0x445CD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F07DF06CBB0BDAB4729BBB0FDB00DACF
0x445CE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 4C36BB04DAB45E9BBB08DB0088808890
0x445CF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88C088D088E088F0CB0098F098E098D0
0x445D00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98C098909880CB00DAE4125DDAE40063
0x445D10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00E00EE00FDADB5CAF46F4FFFF2D20
0x445D20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F084D7403700F6F8F03FDAE4625DD740
0x445D30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 3700F2FFF23FD7403700F2F4F43F46F4
0x445D40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 00408D0848F02D0688F0DAE4625D98F0
0x445D50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 28F10DF1D7403700F2FCF03FDADB8ECD
0x445D60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00D7403700F2FCF03FE6FD0001E6F9
0x445D70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2000E6FF003FF0E9DADBCCB3D7503700
0x445D80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F6F8F03FF6F4F43FF0C846F4003F8D08
0x445D90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 46F926002D050891E00DE6FF00400DEB
0x445DA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F02446F400403D0326F40040089146F9
0x445DB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20003D0206F40001E00CDC49B8C4E009
0x445DC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FD2000E6FEFF00E6FF0001DAC71684
0x445DD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB0088C088D088E088F0D7403700F2FC
0x445DE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F23F08C1D7403700F6FCF23FE6FC125D
0x445DF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FDE400E6FE003FE6FF3300DAE5F2FF
0x445E00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98F098E098D098C0DB00F09DF08C8840
0x445E10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88C088D088E088F0DAE4285E98F098E0
0x445E20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98D098C09840DB00D7403200F3F87C2F
0x445E30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 49842D0D49812D01DB00E6FCE835E0ED
0x445E40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FEAC00E6FF2400DAB44C72DB00E6FC
0x445E50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E835E0EDE6FEAC00E6FF2600DAB44C72
0x445E60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00613A5C7A62696E5C7A61612E6269
0x445E70: FFFF 6E00
org 0E45AC0h
;-----------------------------------------------------------------------
; loc_EBIN: 16-entry jump table (4 bytes each).  Entry n loads r4 = n and
; joins loc_447350, which builds the name "a:\zbin\z?a.bin"-style from
; the ebindw template and runs that file through loc_readbin.
;-----------------------------------------------------------------------
loc_EBIN:
mov r4, #0
jmpr cc_UC, loc_447350
mov r4, #1
jmpr cc_UC, loc_447350
mov r4, #2
jmpr cc_UC, loc_447350
mov r4, #3
jmpr cc_UC, loc_447350
mov r4, #4
jmpr cc_UC, loc_447350
mov r4, #5
jmpr cc_UC, loc_447350
mov r4, #6
jmpr cc_UC, loc_447350
mov r4, #7
jmpr cc_UC, loc_447350
mov r4, #8
jmpr cc_UC, loc_447350
mov r4, #9
jmpr cc_UC, loc_447350
mov r4, #0Ah
jmpr cc_UC, loc_447350
mov r4, #0Bh
jmpr cc_UC, loc_447350
mov r4, #0Ch
jmpr cc_UC, loc_447350
mov r4, #0Dh
jmpr cc_UC, loc_447350
mov r4, #0Eh
jmpr cc_UC, loc_447350
mov r4, #0Fh
jmpr cc_UC, loc_447350
;-----------------------------------------------------------------------
; loc_447350: In: r4 = 0..0Fh (entry index).
; memcpy(23h:0000h <- ebindw, 10h) with the count pushed on the r0 stack
; and dropped again with "add r0, #2"; then r4 += 6161h so rh4 = 'a' and
; rl4 = 'a'+n, and the two letters are stored into the copied name
; (destination operands lost in rendering).  The resulting name at
; 23h:0000h is passed to loc_readbin, i.e. loaded and executed without
; further checks.
;-----------------------------------------------------------------------
loc_447350:
mov [-r0], r4                         ; keep the index
mov r12, #10h
mov [-r0], r12                        ; byte count for memcpy
mov r12, #0000h                       ; r12:r13 = dest 23h:0000h
mov r13, #23h
mov r14, #pof(ebindw)                 ; r14:r15 = template
mov r15, #pag(ebindw)
calls 0C7h, 83DCh                     ; memcpy
add r0, #2                            ; drop the count
mov r4,                               ; pop index (operand lost; presumably [r0+])
add r4, #6161h                        ; rh4 = 'a', rl4 = 'a' + n
mov r13, #23h
mov r12, #0000h
extp r13, #2
movb , rh4                            ; patch letters into the name (operands lost)
movb , rl4
mov r14, r12                          ; r14:r15 -> built name
mov r15, r13
callr loc_readbin                     ; load and run it
rets
;-----------------------------------------------------------------------
; loc_FAM33: FAM 3.31 hook (hook line 0x3C1EDA; its original bytes
; 46 F8 22 00 are the "cmp r8, #22h" re-issued at loc_pFAM32).
; If mp3 is playing (0CAh:1DC0h -> r4 != 0) and no call is active
; (0C5h:0BECAh -> r4 != 3), pushes seg:off of playmp3 onto the system
; stack so the hooked routine's final return resumes playback; then sends
; "pause" (24h) to the mp3 process and spins until it reports stopped.
; loc_pFAM32 re-executes the overwritten original code and returns to
; 0DCh:1EDEh / 0DCh:2B60h.
;-----------------------------------------------------------------------
loc_FAM33:
calls 0CAh, 1DC0h                     ; r4 = mp3 playing?
cmp r4, #0
jmpr cc_Z, loc_pFAM32                 ; not playing: nothing to do
mov r12, #1
calls 0C5h, 0BECAh                    ; r4 = call state
cmp r4, #3
jmpr cc_Z, loc_callin                 ; 3 = in a call: do not schedule resume
mov r12, #sof(playmp3)
mov r13, #seg(playmp3)
push r13                              ; system-stack return target = playmp3
push r12
loc_callin:
mov r12, #35E8h                       ; message block 0Eh:35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #24h                         ; 24h = pause
calls 0B4h, 724Ch                     ; send message
loc_445AF0:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_NZ, loc_445AF0                ; wait until playback has stopped
loc_pFAM32:
cmp r8, #40h
jmpr cc_Z, loc_445B06
cmp r8, #22h                          ; original instruction
jmps 0DCh, 1EDEh                      ; back to the original code
loc_445B06:
mov r4,                               ; pops (operands lost; presumably [r0+])
mov r5,
mov r12,
mov r13,
calls 0C7h, 0EE88h
jmps 0DCh, 2B60h
;-----------------------------------------------------------------------
; loc_FAM32: FAM 3.2 entry (hook line 0x45FFF2 -> the "calls 0E5h, 0FFF2h"
; used all over this file).  In: r12:r13 = routine, r14:r15 = file name.
; Pushes the four argument words on the r0 stack, posts message 40h to
; the process described at 0Eh:3870h, then drops the four words.  How the
; receiving process obtains the arguments is not visible on the page.
;-----------------------------------------------------------------------
loc_FAM32:
mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov r12, #3870h                       ; r12:r13 = message block
mov r13, #0Eh
mov r14, #40h                         ; target process id (assumed)
mov r15, #0                           ; message 0
calls 0B4h, 724Ch                     ; send message
add r0, #8                            ; drop the four saved words
rets
; playmp3: resume mp3 (message 26h to process 0ACh) and spin until
; 0CAh:1DC0h reports playing.  Reached via the return address pushed in
; loc_FAM33.
playmp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #26h                         ; 26h = play
calls 0B4h, 724Ch
loc_445B30:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_445B30                 ; wait until playing
rets
;-----------------------------------------------------------------------
; loc_exttable: file-extension dispatch hooked into the MMC explorer
; (hook line 0x330184).  In: rl6 = extension type, r8:r9 = file record.
; 14h -> binary loader, 6 -> text reader; all paths leave through
; loc_expret to the original code at 0D3h:02B0h.
;-----------------------------------------------------------------------
loc_exttable:
cmpb rl6, #14h                        ; .bin
jmpr cc_Z, loc_BFA
cmpb rl6, #6                          ; .txt
jmpr cc_Z, loc_TXT
loc_expret:
jmps 0D3h, 2B0h                       ; back into the explorer
loc_BFA:
callr loc_pBFA
jmpr cc_UC, loc_expret
loc_TXT:
callr loc_pTXT
jmpr cc_UC, loc_expret
; loc_pBFA: r14:r15 -> file name in the explorer record (+0B2h), then
; loc_readbin (also callr'd from loc_EBIN): run pBFAROUTIME via FAM3.2.
loc_pBFA:
mov r14, r8
mov r15, r9
add r14, #0B2h                        ; name field
loc_readbin:
mov r12, #sof(pBFAROUTIME)            ; routine for FAM3.2
mov r13, #seg(pBFAROUTIME)
calls 0E5h, 0FFF2h
ret
; loc_pTXT: r14:r15 -> file name in the explorer record (+0B2h), then run
; TXTROUTIME via FAM3.2.  This revision keeps no copy of the name.
loc_pTXT:
mov r14, r8
mov r15, r9
add r14, #0B2h
mov r12, #sof(TXTROUTIME)
mov r13, #seg(TXTROUTIME)
calls 0E5h, 0FFF2h
ret
;-----------------------------------------------------------------------
; pBFAROUTIME: load a .bin file into pages 20h..23h (64 KiB at 80000h)
; and execute it with "calls 8, 0".  In: r12:r13 = file name (FAM3.2).
; fileopen 0DBh:0AF5Ch, fileread 0DBh:0B3CCh (r12 handle, r13:r14 dest,
; r15 count -> r4 read; clobbers r12), fileclose 0DBh:0CD8Eh.
; The image is not validated; longer files are truncated at page 23h.
; On open failure a message (0E6h:00538h, id 04B3h) is shown instead.
;-----------------------------------------------------------------------
pBFAROUTIME:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch                    ; fileopen -> r4
mov r8, r4                            ; r8 = handle
cmp r8, #0FFFFh
jmpa cc_NZ, loc_445BC0
mov r12, #1
mov r13, #04B3h                       ; message id (assumed)
calls 0E6h, 00538h
rets
loc_445BC0:
mov r12, r8
mov r9, #20h                          ; first dest page
loc_445B9A:
mov r14, r9
mov r13, #0
mov r15, #4000h                       ; a full page per read
calls 0DBh, 0B3CCh                    ; fileread -> r4
mov r12, r8                           ; reload handle
cmp r4, #4000h
jmpr cc_C, loc_445BB8                 ; short read: EOF
cmp r9, #23h
jmpr cc_Z, loc_445BB8                 ; buffer full
add r9, #1
jmpr cc_UC, loc_445B9A
loc_445BB8:
calls 0DBh, 0CD8Eh                    ; fileclose
calls 8, 0                            ; run code at 80000h
rets
; loc_IDLE: IDLE-table hook (0x3CF78E).  Runs loc_IDLESUB, then the
; original "calls 0C8h, 0C3EEh" (bytes DA C8 EE C3 in the hook line).
; The nops carry no function; presumably padding -- confirm.
loc_IDLE:
calls loc_IDLESUB
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
calls 0C8h, 0C3EEh                    ; original IDLE entry
rets
; loc_memadd: r8:r9 = r4:r5, then the "speed up" path at loc_445C00.
loc_memadd:
mov r8, r4
mov r9, r5
jmpr cc_UC, loc_445C00
; loc_IDLESUB: if byte 34h:3E2Bh == 1 take the "slow down" path
; (loc_445C0E, ends in rets); otherwise return.
loc_IDLESUB:
extp #34h, #1
movb rl4, 3E2Bh
cmpb rl4, #1
jmpr cc_Z, loc_445C0E
rets
; loc_Creatprocessadd: process-creation hook (0x5336B6, off by default).
; The two movs are the overwritten original instructions (F0 7D F0 6C).
; loc_445C00: save r8,r9,r12..r15; calls 0B4h:9B72h ("speed up"); restore.
loc_Creatprocessadd:
mov r7, r13                           ; original
mov r6, r12                           ; original
loc_445C00:
callr loc_445C18
calls 0B4h, 9B72h                     ; speed up (per hook comment)
callr loc_445C26
rets
; loc_exitprocesssub: process-exit hook (0x53ED36, off by default).
; "calls 0CFh, 364Ch" is the overwritten original call (DA CF 4C 36).
; loc_445C0E: save regs; calls 0B4h:9B5Eh ("slow down"); restore.
loc_exitprocesssub:
calls 0CFh, 364Ch                     ; original
loc_445C0E:
callr loc_445C18
calls 0B4h, 9B5Eh                     ; slow down (per hook comment)
callr loc_445C26
rets
; loc_445C18: push r8, r9, r12..r15 on the r0 user stack; near ret.
loc_445C18:
mov [-r0], r8
mov [-r0], r9
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
ret
; loc_445C26: pop r15..r8 (reverse of loc_445C18).  Source operands lost
; in rendering; presumably "[r0+]" on every line.
loc_445C26:
mov r15,
mov r14,
mov r13,
mov r12,
mov r9,
mov r8,
ret
;-----------------------------------------------------------------------
; TXTROUTIME: FAM3.2 routine for .txt -- read the selected part and show
; it in the RAM reader (0E4h:6300h).  In: r12:r13 = file name.
; Uses 37h:3FF0h = handle, 37h:3FF2h = part counter, 37h:3FF4h = length
; of the last read (set by loc_txtread).
; After the first part, the word at 20h:0100h is compared with 0FEFFh
; (UTF-16LE byte-order mark).  A non-Unicode file is rejected with
; message 09E5h, its first word cleared, and the file closed without
; viewing (the post text mentions crashes on ANSI files).
; The skip loop: while the last read filled its page and the counter is
; non-zero, decrement the counter (by 4 when it is above 4 -- the reason
; is not stated), write it back, and read the next part over the buffer.
;-----------------------------------------------------------------------
TXTROUTIME:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch                    ; fileopen -> r4
cmp r4, #0FFFFh
jmpr cc_Z, loc_445CBE                 ; failed: just return
mov r8, r4                            ; r8 = handle
extp #37h, #1
mov 3FF0h, r8
calls loc_txtread                     ; first part
extp #20h,#1
mov r12, 0100h                        ; first word of the text
cmp r12, #0FEFFh                      ; BOM?
jmpr cc_Z, loc_loop
mov r12, #1
mov r13, #09E5h                       ; message id (assumed)
calls 0E6h, 00538h                    ; "not Unicode" message
mov r12, #0h
mov r13, #0100h
extp #20h, #1
mov , r12                             ; clear 20h:0100h (dest operand lost; presumably [r13])
jmps loc_closefile                    ; skip the viewer
loc_loop:
extp #37h, #1
mov r4, 3FF4h                         ; r4 = last read length
cmp r4, #4000h
jmpr cc_C, loc_view                   ; short read: end of file, show it
extp #37h, #1
mov r15, 3FF2h                        ; r15 = parts to skip
cmp r15, #0
jmpr cc_Z, loc_view
cmp r15, #4
jmpr cc_SLE, loc_1                    ; signed compare
sub r15, #3                           ; above 4: drop by 4 in total
loc_1:
sub r15, #1
extp #37h, #1
mov 3FF2h, r15                        ; write the counter back
calls loc_txtread                     ; next part over the buffer
jmpr cc_UC, loc_loop
loc_view:
calls 0E4h, 6300h                     ; RAM reader
loc_closefile:
extp #37h, #1
mov r12, 3FF0h
calls 0DBh, 0CD8Eh                    ; fileclose
loc_445CBE:
rets
;-----------------------------------------------------------------------
; loc_txtread: read one part of the text into RAM pages 20h..29h.
; In:  37h:3FF0h and r8 = file handle
; Out: 37h:3FF4h = bytes returned by the last read (4000h = page full),
;      zero word stored right after the data.
; First read: 20h:0100h, 3F00h bytes; then pages 21h..29h with 4000h each
; (at most 27F00h bytes per part).  Stops on a short read or after 29h.
; "mov r2, r4" at loc_445CFA has no visible consumer -- purpose unclear.
; If the part ends exactly at the end of page 29h the terminator lands in
; page 2Ah.
;-----------------------------------------------------------------------
loc_txtread:
extp #37h, #1
mov r12, 3FF0h                        ; r12 = handle
mov r13, #100h                        ; first dest offset
mov r9, #20h                          ; dest page
mov r15, #3F00h                       ; first read length
loc_445CD4:
mov r14, r9
calls 0DBh, 0B3CCh                    ; fileread -> r4
extp #37h, #2
mov 3FF0h, r8
mov 3FF4h, r4                         ; last length
mov r12, r8                           ; reload handle
cmp r4, #3F00h
jmpr cc_C, loc_445CFA                 ; short read
cmp r9, #29h
jmpr cc_Z, loc_445CFA                 ; last page
add r9, #1
mov r13, #0
mov r15, #4000h
jmpr cc_UC, loc_445CD4
loc_445CFA:
mov r2, r4                            ; unused copy (see header)
cmp r4, #4000h
jmpr cc_NZ, loc_445D08
sub r4, #4000h                        ; page full: terminator at next page start
add r9, #1
loc_445D08:
cmp r9, #20h
jmpr cc_NZ, loc_445D12
add r4, #100h                         ; page 20h data started at 100h
loc_445D12:
mov r12, #0
extp r9, #1
mov , r12                             ; zero word at r9:r4 (dest operand lost; presumably [r4])
mov r9, #0
mov r13, #20h                         ; 0C7h:8416h(20h:0000h, 0FFh, 100h):
mov r14, #0FFh                        ; presumably fill the header area
mov r15, #100h                        ; with 0FFh -- confirm
calls 0C7h, 8416h
rets
; loc_loopread (this revision): key "2" -> advance the part counter at
; 37h:3FF2h and show message 05CAh; the re-read itself happens on the
; next TXTROUTIME run.  Saves/restores r12, r13.
loc_loopread:
mov [-r0], r12
mov [-r0], r13
extp #37h, #1
mov r12, 3FF2h
add r12, #1                           ; next part
extp #37h, #1
mov 3FF2h, r12
mov r12, #1
mov r13, #05CAh                       ; message id (assumed)
calls 0E6h, 00538h
mov r13,                              ; pops (operands lost; presumably [r0+])
mov r12,
rets
; loc_smsmp3: SMS/phonebook hook; the two movs are the overwritten
; original instructions (F0 9D F0 8C).  Saves r4, r12..r15 around
; loc_ispause.
loc_smsmp3:
mov r9, r13                           ; original
mov r8, r12                           ; original
mov [-r0], r4
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls loc_ispause
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r13,
mov r12,
mov r4,
rets
; loc_ispause: mp3 state byte 32h:2F7Ch: 4 (paused) -> play, 1 (playing)
; -> pause, else nothing.
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch
cmpb rl4, #4
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
; loc_smspausemp3: message 24h (pause) to mp3 process 0ACh via 0B4h:724Ch.
loc_smspausemp3:
mov r12, #35E8h                       ; message block 0Eh:35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #24h                         ; pause
calls 0B4h, 724Ch
rets
; loc_smsplaymp3: message 26h (play) to mp3 process 0ACh via 0B4h:724Ch.
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #26h                         ; play
calls 0B4h, 724Ch
rets
; ebindw: template "a:\zbin\zaa.bin",0 (16 bytes) for loc_EBIN.
ebindw:
db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h
; Reference stubs (not executed): one far jump/call per entry point,
; presumably used to read off the encoded bytes for the hook lines.
jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end
;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>
;File arc.txt (pos=0x0,sz=0x552,rd=0x552) buffered
;Disassembly: offset=0x0, size=0x552, baseAddr=0xA00000
;35B474:F0C8F0D9 DAF700E0
;0334F2:DAE1D0FC DAF764E0
;2F66E2:
org 0F7E000h
;-----------------------------------------------------------------------
; Entry at 0F7h:E000h, hook line "35B474: F0C8F0D9 -> DAF700E0": the
; overwritten "mov r12, r8 / mov r13, r9" are re-issued at loc_40D298.
; If the flag byte 37h:3FB0h is 0, or bit 2 of word 0Eh:3A42h is set,
; nothing happens.  Otherwise: call 0B5h:146Ch, build the file name
; "A:\voice notice\answer00.vmo" at 33h:3F00h (memcpy of 1Ch bytes from
; "auto", then the two digits patched from r4), call 0CFh:0AC98h with it,
; and set 37h:3FB0h = 0, 37h:3FB2h = 1.
; NOTE(review): "jmpr , cc_Z, loc_40D298" has a stray comma before cc_Z
;   and will not assemble as written.
; NOTE(review): the 1Ch bytes copied contain no terminator; the name's
;   end depends on what already sits at 33h:3F1Ch.
;-----------------------------------------------------------------------
extp #37h, #1
movb rl4, 3FB0h                       ; rl4 = flag
cmpb rl4, #0h
jmpr , cc_Z, loc_40D298               ; flag clear: skip (stray comma, see note)
extp #0Eh, #1
mov r12, 3A42h
jb r12.2, loc_40D298                  ; bit 2 set: skip
mov [-r0], r8                         ; save r8, r9, r4
mov [-r0], r9
mov [-r0], r4
calls 0B5h, 146Ch
mov r12, #1Ch                         ; byte count for memcpy
mov [-r0], r12
mov r12, #3F00h                       ; dest 33h:3F00h
mov r13, #33h
mov r14, #pof(auto)                   ; source template
mov r15, #pag(auto)
calls 0C7h, 83DCh                     ; memcpy
add r0, #2                            ; drop the count
mov r4,                               ; pop r4 (operand lost; presumably [r0+])
add r4, #302Fh                        ; rh4 = '0', rl4 = '/' + r4
mov r13, #33h
mov r12, #3F00h
extp r13, #2
movb , rh4                            ; patch the two digits (operands lost)
movb , rl4
calls 0CFh, 0AC98h                    ; act on the built name (function not identified)
mov r12, #0
mov r13, #1
extp #37h, #2
mov 3FB0h, r12                        ; flag = 0
mov 3FB2h, r13                        ; 37h:3FB2h = 1 (checked by loc_clearanm)
loc_40D294:
mov r9,                               ; restore r9, r8 (operands lost)
mov r8,
loc_40D298:
mov r12, r8                           ; original instruction 1
mov r13, r9                           ; original instruction 2
rets
;-----------------------------------------------------------------------
; loc_clearanm: hook line "0334F2: DAE1D0FC -> DAF764E0".  If 37h:3FB2h
; is 1, call 0B5h:147Ch; then clear 37h:3FB0h/3FB2h, clear bit 0 of the
; words 0Ch:2574h, 0Ch:2576h, 0Ch:2578h and 36h:0D84h, set r12 = r8 and
; tail-jump to the original call target 0E1h:0FCD0h.
; Saves r4 around the 0B5h:147Ch call only.
;-----------------------------------------------------------------------
loc_clearanm:
mov [-r0], r4
extp #37h, #1
movb rl4, 3FB2h
cmpb rl4, #1
jmpr cc_NZ, loc_jmpenablemic
calls 0B5h, 147Ch
loc_jmpenablemic:
mov r4,                               ; pop r4 (operand lost; presumably [r0+])
mov r12, #0
extp #37h, #2
mov 3FB0h, r12                        ; both flags = 0
mov 3FB2h, r12
extp #0Ch, #1
mov r12, 2574h
bclr r12.0                            ; clear bit 0 of 0Ch:2574h
extp #0Ch, #1
mov 2574h, r12
extp #0Ch, #1
mov r12, 2576h
bclr r12.0                            ; ... 0Ch:2576h
extp #0Ch, #1
mov 2576h, r12
extp #0Ch, #1
mov r12, 2578h
bclr r12.0                            ; ... 0Ch:2578h
extp #0Ch, #1
mov 2578h, r12
extp #36h, #1
mov r12, 0D84h
bclr r12.0                            ; ... 36h:0D84h
extp #36h, #1
mov 0D84h, r12
mov r12, r8
jmps 0E1h, 0FCD0h                     ; original call target (tail jump)
; auto: "A:\voice notice\answer00.vmo" (1Ch = 28 bytes, no terminator).
auto:
db 041h,03Ah,05Ch,76h,6Fh,69h,63h,65h,20h,6Eh,6Fh,74h,69h,63h,65h,5Ch,61h,6Eh,73h,77h,65h,72h,30h,30h,2Eh,76h,6Dh,6Fh
end
;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>
;File fam3.31.vkp (pos=0x0,sz=0x289,rd=0x289) buffered
;Disassembly: offset=0x0, size=0x289, baseAddr=0xA00000
org 0E44A50h
;-----------------------------------------------------------------------
; FAM 3.31 (this file's layout): pause mp3 before the hooked file
; operation and resume afterwards.  If mp3 is playing and no call is
; active, the far address 0E4h:484Ch (FAM3.2 in this build) is pushed on
; the system stack so the hooked routine's return lands there; then
; "pause" is sent and the code spins until playback has stopped.
; loc_444888 jumps back to the original code at 0E4h:4800h.
;-----------------------------------------------------------------------
calls 0CAh, 1DC0h ;is mp3 playing?
cmp r4, #0
jmpr cc_Z, loc_444888 ;0=N,1=Y
mov r12, #1 ;is calling?
calls 0C5h, 0BECAh ;is calling?
cmp r4, #3
jmpr cc_Z, loc_44486E ;3= calling
mov r12, #484Ch ;goto FAM3.2
mov r13, #0E4h;goto FAM3.2
push r13                              ; system-stack return target
push r12
loc_44486E:
mov r12, #35E8h                       ; message block 0Eh:35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #24h ;message number, 24h = pause mp3
calls 0B4h, 724Ch                     ; send message
loc_444880:
calls 0CAh, 1DC0h ;is mp3 playing?
cmp r4, #0
jmpr cc_NZ, loc_444880                ; wait until stopped
loc_444888:
jmps 0E4h, 4800h                      ; back to the original code
; (unlabelled) resume routine: send "play" (26h) to the mp3 process and
; spin until 0CAh:1DC0h reports playing.
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh ;mp3 process id
mov r15, #26h ;message number, 26h = play mp3
calls 0B4h, 724Ch ;sendmessage
loc_44489E:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_44489E                 ; wait until playing
rets
; loc_smsmp3: SMS/phonebook hook; the two movs re-issue the overwritten
; original instructions.  Registers are saved around loc_ispause.
loc_smsmp3:
mov r9, r13                           ; original
mov r8, r12                           ; original
mov [-r0], r4 ;save register
mov [-r0], r12 ;save register
mov [-r0], r13 ;save register
mov [-r0], r14 ;save register
mov [-r0], r15 ;save register
calls loc_ispause
mov r15, ;restore register (source operand lost; presumably [r0+])
mov r14, ;restore register
mov r13, ;restore register
mov r12, ;restore register
mov r4, ;restore register
rets
; loc_ispause: toggle mp3 according to the state byte at 32h:2F7Ch.
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch ;mp3 playback state at 32h:2F7Ch
cmpb rl4, #4 ;4 = paused, 1 = playing
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
; loc_smspausemp3: message 24h (pause) to mp3 process 0ACh.
loc_smspausemp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch
rets
; loc_smsplaymp3: message 26h (play) to mp3 process 0ACh.
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch
rets
calls loc_smsmp3                      ; reference stub (not executed)
end
org 0E448D0h
;-----------------------------------------------------------------------
; .bin association in this build.  0E4h:48D0h: run the routine at 48D8h,
; then return into the explorer at 0D3h:02B0h.
; 48D8h: r14:r15 -> file name in the explorer record (r8:r9 + 0B2h),
; r12:r13 = loader at 0E4h:48EEh, hand both to FAM3.2 (0E4h:484Ch here).
; 48EEh (loader): fileopen, read up to 4 pages (20h..23h, 4000h each,
; 64 KiB at 80000h), fileclose, then "calls 8, 0" executes the image.
; No validation of the image; on open failure it just returns.
;-----------------------------------------------------------------------
calls 0E4h, 48D8h
jmps 0D3h, 2B0h                       ; back into the explorer
mov r14, r8
mov r15, r9
add r14, #0B2h                        ; name field
mov r12, #48EEh                       ; routine = loader below
mov r13, #0E4h
calls 0E4h, 484Ch                     ; FAM3.2
rets
mov r14, #0                           ; loader entry (0E4h:48EEh), r12:r13 = name
mov r15, #0
calls 0DBh, 0AF5Ch                    ; fileopen -> r4
mov r8, r4                            ; r8 = handle
cmp r8, #0FFFFh
jmpa cc_Z, loc_44492C                 ; failed: return
mov r12, r8
mov r9, #20h                          ; first dest page
loc_444906:
mov r14, r9
mov r13, #0
mov r15, #4000h                       ; full page
calls 0DBh, 0B3CCh                    ; fileread -> r4
mov r12, r8                           ; reload handle
cmp r4, #4000h
jmpr cc_C, loc_444924                 ; short read: EOF
cmp r9, #23h
jmpr cc_Z, loc_444924                 ; buffer full
add r9, #1
jmpr cc_UC, loc_444906
loc_444924:
calls 0DBh, 0CD8Eh                    ; fileclose
calls 8, 0                            ; run code at 80000h
loc_44492C:
rets
end
;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>
;File v5.txt (pos=0x0,sz=0x2CF,rd=0x2CF) buffered
;Disassembly: offset=0x0, size=0x2CF, baseAddr=0xA00000
org 0C7E9D0h
;-----------------------------------------------------------------------
; "v5" key-mapping hook at 0C7h:E9D0h.  Reads r2 = 0Ch:326Ch and
; r1 = 0Ch:2E94h (mov sets Z; r1 == 0 -> pass straight to the original
; code at 0E2h:3796h).  Also passes through when r13 > 29h.
; rl2 (a character) selects the action:
;   'X' (58h) -> 0A3h:0C9Ch   'A' (41h) -> 0A3h:0C78h
;   'D' (44h) -> 0A3h:0CF8h   'W' (57h) -> 0A3h:0DB0h
;   '0'..'8'  -> store rl2-2Fh at 37h:3FB0h, then 0A3h:0C78h
; Each action first runs loc_27EA42 (r13 = 6, original routine, push r4).
; Other characters: rh2 -= 30h; if rl2 > 60h, r13 = rh2; else look rl2 up
; in the table at 31Fh:2A6Ah (low byte match, high byte added to rh2).
; NOTE(review): '9' (39h) is excluded from the digit path because the
;   upper test is "cmpb rl2, #39h / jmpr cc_NC" (rl2 >= 39h leaves).  If
;   0..9 are all meant, the compare should be against 3Ah -- confirm.
;-----------------------------------------------------------------------
extp #0Ch, #2
mov r2, 326Ch                         ; r2 = character (low byte used)
mov r1, 2E94h                         ; r1 = 0Ch:2E94h; Z set if zero
jmpr cc_Z, loc_27EA1A                 ; zero: original code
cmp r13, #29h
jmpr cc_UGT, loc_27EA1A               ; r13 > 29h: original code
cmpb rl2, #58h                        ; 'X'
jmpr cc_Z, loc_27EA1E
cmpb rl2, #41h                        ; 'A'
jmpr cc_Z, loc_27EA2E
cmpb rl2, #44h                        ; 'D'
jmpr cc_Z, loc_27EA36
cmpb rl2, #57h                        ; 'W'
jmpr cc_Z, loc_27EA26
cmpb rl2, #30h
jmpr cc_C, loc_27EA20                 ; below '0'
cmpb rl2, #39h
jmpr cc_NC, loc_27EA20                ; '9' and above (see note)
subb rl2, #2Fh                        ; '0'..'8' -> 1..9
extp #37h, #1
movb 3FB0h, rl2                       ; 37h:3FB0h = digit
callr loc_27EA42
calls 0A3h, 0C78h
jmpr cc_UC, loc_27EA3E
loc_27EA20:
subb rh2, #30h
cmpb rl2, #60h
jmpr cc_UGT, loc_27EA18               ; above 60h: no table lookup
mov r1, #2A6Ah                        ; table at 31Fh:2A6Ah
loc_27EA0A:
extp #31Fh, #1
mov r3,                               ; r3 = next table word (source operand lost; presumably [r1+])
jmpr cc_Z, loc_27EA1A                 ; end of table (zero word)
cmpb rl2, rl3
jmpr cc_NZ, loc_27EA0A
addb rh2, rh3                         ; matched: add the table's high byte
loc_27EA18:
movbz r13, rh2                        ; r13 = result
loc_27EA1A:
jmps 0E2h, 3796h                      ; original code
loc_27EA1E:
callr loc_27EA42
calls 0A3h, 0C9Ch                     ; 'X'
jmpr cc_UC, loc_27EA3E
loc_27EA26:
callr loc_27EA42
calls 0A3h, 0DB0h                     ; 'W'
jmpr cc_UC, loc_27EA3E
loc_27EA2E:
callr loc_27EA42
calls 0A3h, 0C78h                     ; 'A'
jmpr cc_UC, loc_27EA3E
loc_27EA36:
callr loc_27EA42
calls 0A3h, 0CF8h                     ; 'D'
jmpr cc_UC, loc_27EA3E
loc_27EA3E:
mov r4,                               ; pop r4 saved by loc_27EA42 (operand lost)
rets
loc_27EA42:
mov r13, #6
calls 0E2h, 3796h                     ; original routine with r13 = 6
mov [-r0], r4                         ; keep its result
ret
end
[ 本帖最后由 JunFeng 于 2006-4-22 04:54 编辑 ] rizaasm
\
; Fragment (its org line is not on the page): set 0Ch:326Ch = 44h ('D' --
; the value the v5 hook below dispatches on), show message 038h via
; 0E6h:00538h, return.
mov r12, #44h
extp #0Ch, #1
mov 326Ch, r12                        ; 0Ch:326Ch = 'D'
mov r12, #1
mov r13, #038h                        ; message id (assumed)
calls 0E6h, 00538h
rets
end
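org 0C7E9D0h
;-----------------------------------------------------------------------
; Entry at 0C7h:E9D0h: if bit 14 of 36h:0D76h is clear, behave as the
; plain v5 hook (loc_v5); otherwise read the list file "listtxt" into RAM
; and return.
; loc_readautoendlist: saves r4, r8, r9; runs pautoendROUTIME through
; FAM3.2 (0E5h:0FFF2h) with r14:r15 = listtxt; restores and returns.
; Fixes relative to the posted text:
;   * the three pops restore r9, r8, r4 in reverse push order (the post
;     popped r9 twice and never restored r8);
;   * the routine called is labelled loc_readlist (the post defined it as
;     "readlist" while calling "loc_readlist");
;   * "calls 0C7h, 8388h" takes a plain address (the post had "#8388h");
;   * pautoendROUTIME ends with rets instead of falling into the read
;     routine a second time with r12:r13 possibly clobbered.
;-----------------------------------------------------------------------
extp #36h, #1
mov r4, 0D76h
jnb r4.14, loc_v5                     ; feature bit clear: plain v5
loc_readautoendlist:
mov [-r0], r4
mov [-r0], r8
mov [-r0], r9
mov r14, #pof(listtxt)                ; r14:r15 -> list file name
mov r15, #pag(listtxt)
mov r12, #sof(pautoendROUTIME)        ; r12:r13 = routine
mov r13, #seg(pautoendROUTIME)
calls 0E5h, 0FFF2h                    ; FAM3.2
mov r9, [r0+]                         ; pops in reverse push order
mov r8, [r0+]
mov r4, [r0+]
rets
;-----------------------------------------------------------------------
; pautoendROUTIME: FAM3.2 routine, r12:r13 = list file name.
; Reads the list into 22h:0000h, then calls 0C7h:8388h (not identified on
; the page) and returns.
;-----------------------------------------------------------------------
pautoendROUTIME:
calls loc_readlist
calls 0C7h, 8388h
rets
;-----------------------------------------------------------------------
; loc_readlist: fileopen(r12:r13); on success read up to 4000h bytes into
; 22h:0000h and close.  A failed open (r4 = 0FFFFh) just returns.
; fileread 0DBh:0B3CCh: r12 handle, r13:r14 dest offset:page, r15 count.
;-----------------------------------------------------------------------
loc_readlist:
mov r14, #0                           ; open mode / flags = 0
mov r15, #0
calls 0DBh, 0AF5Ch                    ; fileopen -> r4
mov r8, r4                            ; r8 = handle
cmp r8, #0FFFFh
jmpa cc_Z, loc_ret
mov r12, r8
mov r13, #0                           ; dest 22h:0000h
mov r14, #22
mov r15, #4000h                       ; at most one page
calls 0DBh, 0B3CCh                    ; fileread
mov r12, r8                           ; reload handle (read clobbers r12)
calls 0DBh, 0CD8Eh                    ; fileclose
rets
loc_ret:
rets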
;-----------------------------------------------------------------------
; loc_v5: the v5 key-mapping hook (same code as the stand-alone v5 patch
; above).  r2 = 0Ch:326Ch (character in rl2), r1 = 0Ch:2E94h; r1 == 0 or
; r13 > 29h -> straight to the original code at 0E2h:3796h.
;   'X' -> 0A3h:0C9Ch, 'A' -> 0A3h:0C78h, 'D' -> 0A3h:0CF8h,
;   'W' -> 0A3h:0DB0h, '0'..'8' -> 37h:3FB0h = rl2-2Fh, then 0A3h:0C78h.
; Other characters are mapped through the table at 31Fh:2A6Ah.
; NOTE(review): '9' (39h) goes to the non-digit path ("jmpr cc_NC" after
;   "cmpb rl2, #39h"); compare against 3Ah if 0..9 are all meant.
;-----------------------------------------------------------------------
loc_v5:
extp #0Ch, #2
mov r2, 326Ch                         ; character
mov r1, 2E94h                         ; Z set if zero
jmpr cc_Z, loc_27EA1A
cmp r13, #29h
jmpr cc_UGT, loc_27EA1A
cmpb rl2, #58h                        ; 'X'
jmpr cc_Z, loc_27EA1E
cmpb rl2, #41h                        ; 'A'
jmpr cc_Z, loc_27EA2E
cmpb rl2, #44h                        ; 'D'
jmpr cc_Z, loc_27EA36
cmpb rl2, #57h                        ; 'W'
jmpr cc_Z, loc_27EA26
cmpb rl2, #30h
jmpr cc_C, loc_27EA20                 ; below '0'
cmpb rl2, #39h
jmpr cc_NC, loc_27EA20                ; '9' and above (see note)
subb rl2, #2Fh                        ; digit -> 1..9
extp #37h, #1
movb 3FB0h, rl2
callr loc_27EA42
calls 0A3h, 0C78h
jmpr cc_UC, loc_27EA3E
loc_27EA20:
subb rh2, #30h
cmpb rl2, #60h
jmpr cc_UGT, loc_27EA18
mov r1, #2A6Ah                        ; table 31Fh:2A6Ah
loc_27EA0A:
extp #31Fh, #1
mov r3,                               ; next table word (operand lost; presumably [r1+])
jmpr cc_Z, loc_27EA1A                 ; zero word ends the table
cmpb rl2, rl3
jmpr cc_NZ, loc_27EA0A
addb rh2, rh3
loc_27EA18:
movbz r13, rh2                        ; r13 = mapped value
loc_27EA1A:
jmps 0E2h, 3796h                      ; original code
loc_27EA1E:
callr loc_27EA42
calls 0A3h, 0C9Ch                     ; 'X'
jmpr cc_UC, loc_27EA3E
loc_27EA26:
callr loc_27EA42
calls 0A3h, 0DB0h                     ; 'W'
jmpr cc_UC, loc_27EA3E
loc_27EA2E:
callr loc_27EA42
calls 0A3h, 0C78h                     ; 'A'
jmpr cc_UC, loc_27EA3E
loc_27EA36:
callr loc_27EA42
calls 0A3h, 0CF8h                     ; 'D'
jmpr cc_UC, loc_27EA3E
loc_27EA3E:
mov r4,                               ; pop r4 from loc_27EA42 (operand lost)
rets
loc_27EA42:
mov r13, #6
calls 0E2h, 3796h                     ; original routine with r13 = 6
mov [-r0], r4
ret
end
org 0E45AC0h
;-----------------------------------------------------------------------
; loc_EBIN: 16-entry jump table; entry n sets r4 = n and joins
; loc_447350, which derives a file name from the ebindw template and runs
; that file through loc_readbin.
;-----------------------------------------------------------------------
loc_EBIN:
mov r4, #0
jmpr cc_UC, loc_447350
mov r4, #1
jmpr cc_UC, loc_447350
mov r4, #2
jmpr cc_UC, loc_447350
mov r4, #3
jmpr cc_UC, loc_447350
mov r4, #4
jmpr cc_UC, loc_447350
mov r4, #5
jmpr cc_UC, loc_447350
mov r4, #6
jmpr cc_UC, loc_447350
mov r4, #7
jmpr cc_UC, loc_447350
mov r4, #8
jmpr cc_UC, loc_447350
mov r4, #9
jmpr cc_UC, loc_447350
mov r4, #0Ah
jmpr cc_UC, loc_447350
mov r4, #0Bh
jmpr cc_UC, loc_447350
mov r4, #0Ch
jmpr cc_UC, loc_447350
mov r4, #0Dh
jmpr cc_UC, loc_447350
mov r4, #0Eh
jmpr cc_UC, loc_447350
mov r4, #0Fh
jmpr cc_UC, loc_447350
;-----------------------------------------------------------------------
; loc_447350: In: r4 = 0..0Fh.  memcpy(23h:0000h <- ebindw, 10h), count
; pushed and dropped with "add r0, #2"; r4 += 6161h -> rh4 'a', rl4 'a'+n
; are stored into the copied name (destination operands lost in the
; rendering); the name is then loaded and executed via loc_readbin.
;-----------------------------------------------------------------------
loc_447350:
mov [-r0], r4                         ; keep index
mov r12, #10h
mov [-r0], r12                        ; byte count
mov r12, #0000h                       ; dest 23h:0000h
mov r13, #23h
mov r14, #pof(ebindw)                 ; source template
mov r15, #pag(ebindw)
calls 0C7h, 83DCh                     ; memcpy
add r0, #2                            ; drop count
mov r4,                               ; pop index (operand lost; presumably [r0+])
add r4, #6161h                        ; rh4 = 'a', rl4 = 'a'+n
mov r13, #23h
mov r12, #0000h
extp r13, #2
movb , rh4                            ; patch letters (operands lost)
movb , rl4
mov r14, r12                          ; r14:r15 -> name
mov r15, r13
callr loc_readbin
rets
;-----------------------------------------------------------------------
; loc_FAM33: FAM 3.31 hook (0x3C1EDA).  If mp3 plays and no call is
; active, push playmp3's far address so the hooked routine's return
; resumes playback; send "pause" and wait until stopped.  loc_pFAM32
; re-issues the overwritten "cmp r8, #22h" and returns to 0DCh:1EDEh or
; 0DCh:2B60h.
;-----------------------------------------------------------------------
loc_FAM33:
calls 0CAh, 1DC0h                     ; r4 = mp3 playing?
cmp r4, #0
jmpr cc_Z, loc_pFAM32
mov r12, #1
calls 0C5h, 0BECAh                    ; r4 = call state
cmp r4, #3
jmpr cc_Z, loc_callin                 ; in a call: no resume scheduled
mov r12, #sof(playmp3)
mov r13, #seg(playmp3)
push r13                              ; system-stack return target
push r12
loc_callin:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #24h                         ; pause
calls 0B4h, 724Ch
loc_445AF0:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_NZ, loc_445AF0                ; wait until stopped
loc_pFAM32:
cmp r8, #40h
jmpr cc_Z, loc_445B06
cmp r8, #22h                          ; original instruction
jmps 0DCh, 1EDEh
loc_445B06:
mov r4,                               ; pops (operands lost; presumably [r0+])
mov r5,
mov r12,
mov r13,
calls 0C7h, 0EE88h
jmps 0DCh, 2B60h
; loc_FAM32: FAM 3.2 entry (0x45FFF2).  In: r12:r13 routine, r14:r15
; file name.  Pushes the four words, posts message 40h to the process
; block at 0Eh:3870h, drops the words.
loc_FAM32:
mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov r12, #3870h
mov r13, #0Eh
mov r14, #40h
mov r15, #0
calls 0B4h, 724Ch                     ; send message
add r0, #8                            ; drop the four words
rets
; playmp3: resume mp3 (26h) and wait until 0CAh:1DC0h reports playing.
playmp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh                        ; mp3 process id
mov r15, #26h                         ; play
calls 0B4h, 724Ch
loc_445B30:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_445B30
rets
; loc_exttable: extension dispatch in the MMC explorer (hook 0x330184).
; In: rl6 = extension type, r8:r9 = file record.
loc_exttable:
cmpb rl6, #14h
jmpr cc_Z, loc_BFA;bin
cmpb rl6, #6h
jmpr cc_Z, loc_TXT;txt
loc_expret:
jmps 0D3h, 2B0h ;exit mmc exp (original code)
loc_BFA:
callr loc_pBFA
jmpr cc_UC, loc_expret
loc_TXT:
callr loc_pTXT
jmpr cc_UC, loc_expret
; loc_pBFA: r14:r15 -> file name (record + 0B2h), then loc_readbin:
; run pBFAROUTIME through FAM3.2.  loc_readbin is also callr'd by loc_EBIN.
loc_pBFA:
mov r14, r8
mov r15, r9
add r14, #0B2h
loc_readbin:
;readbinfile
mov r12, #sof(pBFAROUTIME) ;bfaroutime sof
mov r13, #seg(pBFAROUTIME) ;bfaroutime seg
calls 0E5h, 0FFF2h                    ; FAM3.2
ret
;-----------------------------------------------------------------------
; loc_pTXT: .txt association.  Saves the name pointer, copies the name
; to 33h:3F00h for later re-reads, zeroes the part counter 37h:3FF2h,
; and runs ptxtread through FAM3.2.
; NOTE(review): loc_copyname leaves its pushed byte count on the r0 stack
;   (no "add r0, #2" after memcpy, unlike loc_447350), so the two pops
;   below would receive 30h and the saved r15 -- unless memcpy pops its
;   own argument.  Check which convention the firmware's memcpy uses.
;-----------------------------------------------------------------------
loc_pTXT:
mov r14, r8
mov r15, r9
add r14, #0B2h ;r14.r15=point to filename
mov [-r0], r14 ;point to filename
mov [-r0], r15 ;pointer to filename
calls loc_copyname ;copy filename to 33,3f00h [*.txt]
mov r12, #0000h
extp #37h, #1
mov 3FF2h, r12 ;clear the continuous-read part counter
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r12, #sof(ptxtread) ;same as above (routine sof)
mov r13, #seg(ptxtread) ;same as above (routine seg)
calls 0E5h, 0FFF2h ; ;FAM3.2 -- reading or writing a file goes through FAM3.2
ret
;FAM3.2 usage: r12,r13 = routine, r14,r15 = pointer to the file name; it then jumps to the routine and passes the file name from r14,r15 in r12,r13
;-----------------------------------------------------------------------
; pBFAROUTIME: load a .bin file into pages 20h..23h (64 KiB at 80000h)
; and execute it with "calls 8, 0".  In: r12:r13 = file name.
; fileopen 0DBh:0AF5Ch -> r4 handle (0FFFFh = failed); fileread
; 0DBh:0B3CCh (r12 handle, r13:r14 dest, r15 count -> r4; clobbers r12);
; fileclose 0DBh:0CD8Eh.  The image is not validated; longer files are
; truncated.  Open failure shows message 04B3h via 0E6h:00538h.
;-----------------------------------------------------------------------
pBFAROUTIME:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch                    ; fileopen
mov r8, r4                            ; handle
cmp r8, #0FFFFh
jmpa cc_NZ, loc_445BC0
mov r12, #1
mov r13, #04B3h                       ; message id (assumed)
calls 0E6h, 00538h
rets
loc_445BC0:
mov r12, r8
mov r9, #20h                          ; first dest page
loc_445B9A:
mov r14, r9
mov r13, #0
mov r15, #4000h
calls 0DBh, 0B3CCh                    ; fileread
mov r12, r8                           ; reload handle
cmp r4, #4000h
jmpr cc_C, loc_445BB8                 ; EOF
cmp r9, #23h
jmpr cc_Z, loc_445BB8                 ; buffer full
add r9, #1
jmpr cc_UC, loc_445B9A
loc_445BB8:
calls 0DBh, 0CD8Eh                    ; fileclose
calls 8, 0                            ; run loaded code at 80000h
rets
; loc_IDLE: IDLE-table hook (0x3CF78E): loc_IDLESUB, then the original
; "calls 0C8h, 0C3EEh".  The nops are presumably padding -- confirm.
loc_IDLE:
calls loc_IDLESUB
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
calls 0C8h, 0C3EEh                    ; original
rets
; loc_memadd: r8:r9 = r4:r5, then the "speed up" path at loc_445C00.
loc_memadd:
mov r8, r4
mov r9, r5
jmpr cc_UC, loc_445C00
; loc_IDLESUB: byte 34h:3E2Bh == 1 -> "slow down" path (loc_445C0E).
loc_IDLESUB:
extp #34h, #1
movb rl4, 3E2Bh
cmpb rl4, #1
jmpr cc_Z, loc_445C0E
rets
; loc_Creatprocessadd: process-creation hook (0x5336B6).  The two movs are
; the overwritten originals (F0 7D F0 6C); loc_445C00 wraps 0B4h:9B72h
; ("speed up") in a register save/restore.
loc_Creatprocessadd:
mov r7, r13                           ; original
mov r6, r12                           ; original
loc_445C00:
callr loc_445C18
calls 0B4h, 9B72h                     ; speed up (per hook comment)
callr loc_445C26
rets
; loc_exitprocesssub: process-exit hook (0x53ED36).  "calls 0CFh, 364Ch"
; is the overwritten original; loc_445C0E wraps 0B4h:9B5Eh ("slow down").
loc_exitprocesssub:
calls 0CFh, 364Ch                     ; original
loc_445C0E:
callr loc_445C18
calls 0B4h, 9B5Eh                     ; slow down (per hook comment)
callr loc_445C26
rets
; loc_445C18: push r8, r9, r12..r15 on the r0 user stack.
loc_445C18:
mov [-r0], r8
mov [-r0], r9
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
ret
; loc_445C26: pop r15..r8 (source operands lost; presumably [r0+]).
loc_445C26:
mov r15,
mov r14,
mov r13,
mov r12,
mov r9,
mov r8,
ret
; ptxtread: FAM3.2 routine -- read the selected part (loc_readdata, name
; in r12:r13) and start the RAM reader.
ptxtread:
;txtread routine
calls loc_readdata
calls 0E4h, 6300h ;RAM reader
RETS
;-----------------------------------------------------------------------
; loc_readdata: open the text file, read part 0, then re-read over the
; buffer 37h:3FF2h more times (stopping on a short read) so the selected
; part is what remains in RAM; close the file.
; 37h:3FF0h = handle, 37h:3FF2h = part counter (not written back here),
; 37h:3FF4h = last read length (set by loc_txtread).
;-----------------------------------------------------------------------
loc_readdata:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch ;open file
cmp r4, #0FFFFh ;if failed = -1, otherwise r4 = file handle
jmpr cc_Z, loc_445CBE
mov r8, r4
extp #37h, #1
mov 3FF0h, r8 ;save filehandle
calls loc_txtread ;data-read routine dedicated to the RAM reader
extp #37h, #1
mov r15, 3FF2h ;get the continuous-read counter
loc_loop:
extp #37h, #1
mov r4, 3FF4h                         ; last read length
cmp r4, #4000h
jmpr cc_C, loc_closefile              ; short read: EOF
cmp r15, #0
jmpr cc_Z, loc_closefile              ; done skipping
mov [-r0], r15                        ; loc_txtread clobbers r15
calls loc_txtread
mov r15,                              ; pop (operand lost; presumably [r0+])
sub r15, #1
jmpr cc_UC, loc_loop
loc_closefile:
extp #37h, #1
mov r12, 3FF0h
calls 0DBh, 0CD8Eh                    ; fileclose
loc_445CBE:
rets
;-----------------------------------------------------------------------
; loc_txtread: read one part into pages 20h..26h (20h:0100h first, 3F00h
; bytes; then 4000h per page up to 26h).  In: 37h:3FF0h and r8 = handle.
; Out: 37h:3FF4h = last read length; zero word stored after the data
; (lands in page 27h if page 26h was filled completely).
;-----------------------------------------------------------------------
loc_txtread:
extp #37h, #1
mov r12, 3FF0h                        ; handle
mov r13, #100h                        ; first dest offset
mov r9, #20h                          ; dest page
mov r15, #3F00h                       ; first read length
loc_445CD4:
mov r14, r9
calls 0DBh, 0B3CCh                    ; fileread -> r4
extp #37h, #2
mov 3FF0h, r8
mov 3FF4h, r4                         ; last length
mov r12, r8                           ; reload handle
cmp r4, #3F00h
jmpr cc_C, loc_445CFA                 ; short read
cmp r9, #26h
jmpr cc_Z, loc_445CFA                 ; last page
add r9, #1
mov r13, #0
mov r15, #4000h
jmpr cc_UC, loc_445CD4
loc_445CFA:
cmp r4, #4000h
jmpr cc_NZ, loc_445D08
sub r4, #4000h                        ; page full: terminator at next page start
add r9, #1
loc_445D08:
cmp r9, #20h
jmpr cc_NZ, loc_445D12
add r4, #100h                         ; page 20h data began at 100h
loc_445D12:
mov r12, #0
extp r9, #1
mov , r12                             ; zero word at r9:r4 (dest operand lost; presumably [r4])
mov r9, #0
mov r13, #20h                         ; 0C7h:8416h(20h:0000h, 0FFh, 100h):
mov r14, #0FFh                        ; presumably fills the header area
mov r15, #100h                        ; with 0FFh -- confirm
calls 0C7h, 8416h
rets
; loc_loopread: key "2" in the reader -> part counter++ and re-run
; loc_readdata via FAM3.2 using the file name saved at 33h:3F00h by
; loc_copyname.  Saves r12..r15 only.
loc_loopread:
;file-read routine for pressing key 2
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
extp #37h, #1 ;
mov r12, 3FF2h ;get which part we are at
add r12, #1 ;+1
extp #37h, #1
mov 3FF2h, r12
mov r12, #sof(loc_readdata) ;routine sof
mov r13, #seg(loc_readdata) ;routine seg
mov r14, #3F00h ;point to file name
mov r15, #33h ;pointer to file name
calls 0E5h, 0FFF2h ;FAM3.2
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r13,
mov r12,
rets
; loc_smsmp3: SMS/phonebook hook; the two movs re-issue the overwritten
; originals (F0 9D F0 8C).  Registers saved around loc_ispause.
loc_smsmp3:
mov r9, r13                           ; original
mov r8, r12                           ; original
mov [-r0], r4
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
calls loc_ispause
mov r15,                              ; pops (operands lost; presumably [r0+])
mov r14,
mov r13,
mov r12,
mov r4,
rets
; loc_ispause: mp3 state byte 32h:2F7Ch: 4 -> play, 1 -> pause.
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch
cmpb rl4, #4
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
; loc_smspausemp3: message 24h (pause) to mp3 process 0ACh.
loc_smspausemp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch
rets
; loc_smsplaymp3: message 26h (play) to mp3 process 0ACh.
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch
rets
;-----------------------------------------------------------------------
; loc_copyname: memcpy(33h:3F00h <- r14:r15, 30h) via 0C7h:83DCh, byte
; count passed on the r0 stack.  Always 30h bytes, whatever the real
; name length (acknowledged in the post text).
; NOTE(review): the other callers of 0C7h:83DCh on this page follow it
;   with "add r0, #2"; this one does not, so unless memcpy pops its own
;   argument the caller's r0 stack is left 2 bytes off.  If confirmed,
;   add "add r0, #2" after the call.
;-----------------------------------------------------------------------
loc_copyname:
mov r12, #30h ;number of bytes to copy
mov [-r0], r12
mov r12, #3F00h ;pof
mov r13, #33h ;pag
calls 0C7h, 83DCh ;memcpy
rets
; ebindw: template "a:\zbin\zaa.bin",0 (16 bytes) for loc_EBIN.
ebindw:
db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h
; Reference stubs (not executed), one per entry point; presumably used to
; read off the encoded bytes for the hook lines.
jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end
[ 本帖最后由 JunFeng 于 2006-4-21 19:10 编辑 ] These two bytes lie among others — this is the jump table indexed by the contents of a register, with its base at address off_A9BDBA. The table looks like this:
Code:
seg2A6:3DBA 82 36 off_A9BDBA:dw loc_C13682 ; DATA XREF: sub_C130E0+6Ao
seg2A6:3DBC 56 31 dw loc_C13156
seg2A6:3DBE 94 31 dw loc_C13194
seg2A6:3DC0 A4 31 dw loc_C131A4
seg2A6:3DC2 C0 31 dw loc_C131C0
seg2A6:3DC4 90 32 dw loc_C13290
seg2A6:3DC6 A4 31 dw loc_C131A4
seg2A6:3DC8 BC 36 dw loc_C136BC
seg2A6:3DCA BC 36 dw loc_C136BC
seg2A6:3DCC F2 32 dw loc_C132F2
seg2A6:3DCE 42 33 dw loc_C13342
seg2A6:3DD0 74 33 dw loc_C13374
seg2A6:3DD2 B0 33 dw loc_C133B0
seg2A6:3DD4 BC 33 dw loc_C133BC !!!!!!!!!!!!!!
seg2A6:3DD6 C8 33 dw loc_C133C8
seg2A6:3DD8 46 34 dw loc_C13446
seg2A6:3DDA C6 34 dw loc_C134C6
seg2A6:3DDC 46 35 dw loc_C13546
seg2A6:3DDE CE 35 dw loc_C135CE
seg2A6:3DE0 54 36 dw loc_C13654
And here is the piece of code that uses this table:
Code:
csegC1:3138 loc_C13138: ; CODE XREF: sub_C130E0+24j
csegC1:3138 DC 49 extp r9, #1
csegC1:313A A9 28 movb rl1,
csegC1:313C 29 21 subb rl1, #1
csegC1:313E 47 F2 13 00 cmpb rl1, #13h
csegC1:3142 EA E0 BC 36 jmpa cc_UGT, loc_C136BC
csegC1:3146 C0 2C movbz r12, rl1
csegC1:3148 5C 1C shl r12, #1
csegC1:314A 06 FC BA 3D add r12, #off_A9BDBA
csegC1:314E D7 40 A6 02 extp #2A6h, #1
csegC1:3152 A8 CC mov r12,
csegC1:3154 9C 0C jmpi cc_UC, !!! This is principal here instruction!!!
csegC1:3156 ; ---------------------------------------------------------------------------
Then follow all the loc_... entries from the table — i.e. the branches to which control passes depending on the contents of r12. As a rule, all branches then converge at one place: restoring the registers from the stack and returning from the subroutine. So in such cases you simply search for the jmpi instruction. Questions?
Here I dug out another pair of functions, or rather found out what they do; add them to the databases:
C7:8032 longtohexstr - Convert a HEX number of length [ r0 ] bytes from pag-r15 pof-r14 to a HEX string at pag-r13 pof-r12
and
C7:7430 cpyBufferToStack - Copy buffer from pag-r5 pof-r4?? stack r3-bytes
By the way, everyone who is digging should post what they found here as well; it will be simpler that way.
csegDB:8738 ; PlayMP3MPL (char far* folder, char far* filename);
r13:r12 folder
r15:r14 filename
A question for the diggers: has anyone tried to work out how the file functions operate? More precisely, how to determine whether a file was loaded or not. Yesterday I ran into the following paradox:
For example, we have two regions, Filebuff and Membuff; the first is filled with 00, the second with FF. On the MMS we also have a file with characters in the standard encoding. We then make a program of the following type:
calls loadfile
copy mem from filebuff to membuff
rets
loadfile: fileopen
fileread to filebuff
fileclose
rets
In this case we get zeros in Membuff, although the file does load into Filebuff. But if we do it this way instead:
calls loadfile
rets
loadfile: fileopen
fileread to filebuff
fileclose
copy mem from filebuff to membuff
rets
The watchdog, it seems, was disabled in Mamaich's on-line flashing patch.
Regarding your old idea of a clock on the switched-off phone: try this
225461: 25 da
or this
225461: 25 c2 ; ce or e0 are also possible — this is a rather strange variant,
and on the switched-off phone press the red key briefly.
Also on the topic of loaded ringtones:
; on input: r12 = 1,2,3 — number of the individual melody
CsegDC:12DC SelectAndLoadIndividualMelody:
selection from the list and loading of individual melody 1..3; admittedly you have to pick it with the keys, but somewhere in there must be a MIDI-to-bin converter!
;
; Open file
;
;-----------------------------------------------------------------------
; Dialog1_proc3: key "1" handler of the test dialog -- open FileName
; through GBSS_po_open (two words pushed on the r0 stack, mode 102h /
; 100h in r14/r15), store the returned handle in FileHandle, print it as
; hex into text3 and draw the line.
; The post below reports that this path prints nothing and powers the
; phone off; the author's own conclusion is that the file functions must
; be called from the MMC filesystem thread.
; Names like "r4_.to_.hex" / "cc_.UC" carry stray "_." from the page
; rendering.
;-----------------------------------------------------------------------
Dialog1_proc3:
mov r12,#pof(GBSS_buf)
mov r13,#pag(GBSS_buf)
mov [-r0],r13                         ; push GBSS_buf far pointer
mov [-r0],r12
mov r12,#pof(FileName)                ; r12:r13 -> name
mov r13,#pag(FileName)
mov r14,#102h                         ; open mode
mov r15,#100h
calls GBSS_po_open                    ; -> r4 handle
add r0,#4                             ; drop the two pushed words
extp #pag(FileHandle),#1
mov pof(FileHandle),r4                ; remember the handle
mov r12,#pof(text3)
mov r13,#pag(text3)
calls r4_.to_.hex; This is printing r4 into the line
mov r14,#y2*2
jmpa cc_.UC,drawtxt; Printing line on the screen
text3:
db '0000 - Open',0                    ; the "0000" is overwritten with the handle
FileName:
db 'A:\upor',0
FileHandle:
dw 0
GBSS_buf:
dw 0
On pressing 1 it must print "FHND - Open", where FHND is the handle returned by GBSS_po_open. By the way, before control reaches this code, the key code is printed on another line.
As a result: we start the binary (by the way, the dialog handling was borrowed from vibra.bin), the dialog appears, we press 2, 3, 4 — all normal, 32, 33, 34 are printed; we press 1 — nothing is printed (this is where I was stunned: DrawString does run — that is a different task!), and the phone switches off.
How should this be dealt with?
PS: I don't feel like tracing the functions fileopen etc.; judging by everything, they must be called only from the MMC_FILESYSTEM_proc thread.
While I sat investigating, a thought came to mind: maybe the binary is executed in the wrong thread. I made it print PidAct at the start of the binary (more precisely, it is only stored at start and printed in onCreate) and in the dialog's onCreate function; as a result the following became clear:
1. On the first start (Menu + #, select the file, Open), control is transferred to address 80000 from the MMC_FILE_SYSTEM thread, then
/* Dialog callback table as the firmware expects it: six huge (far code)
   pointers.  This program fills onKeyPress, onCreate and onRun; the three
   onDummy slots get locret(). */
struct DIALOG
{
void huge *onKeyPress;
void huge *onDummy1;
void huge *onDummy2;
void huge *onDummy3;
void huge *onCreate;
void huge *onRun;
};
/* Firmware entry points and variables, provided by the phone firmware. */
extern void pShowDialog(const struct DIALOG far *,char far *);
extern void pDialogOnRun(void);
extern void doBack0A(void);
extern void DrawString(int x,int y,int w,int h,const char far *str,int font);
extern void FillRect(int x,int y,int w,int h,int color);
extern char keybQueneIdx;   /* key queue index; md_onkey acts only when bit 0 is set */
extern char keybQueneBuf[]; /* key queue buffer holding key codes */
extern int GbsLock_ifNZ;
extern int GbsLock_ifZ;
typedef char far * STR;     /* far character pointer used for all string output */
/*
 * Write one upper-case hexadecimal digit for the low 4 bits of b at *s.
 *   s: output position (far pointer); exactly one character is stored.
 *   b: value to encode; bits above the low nibble are ignored.
 * Returns s advanced by one so calls can be chained.
 */
STR nibble(STR s, char b)
{
char digit = (char)(b & 0x0F);
/* 0..9 -> '0'..'9', 10..15 -> 'A'..'F' */
*s = (digit > 9) ? (char)(digit - 10 + 'A') : (char)(digit + '0');
return s + 1;
}
/* Write b as two upper-case hex digits at s[0] and s[1]; nothing is returned. */
void hexbyte(STR s, char b)
{
STR next = nibble(s, (char)(b >> 4));   /* high nibble first */
nibble(next, b);                        /* low nibble */
}
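/* Write b as four upper-case hex digits at s[0..3], most significant first.
   The second line originally read "s=nibble(s,b>>;" on the page -- the shift
   amount was missing; 8 is the only value that fits the 12/8/4/0 sequence. */
void hexint(STR s, int b)
{
s=nibble(s,b>>12);
s=nibble(s,b>>8);
s=nibble(s,b>>4);
s=nibble(s,b);
}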
/* Empty callback used to fill the unused onDummy slots of struct DIALOG. */
void locret(void)
{}
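/* Snapshot of GbsLock_ifZ / GbsLock_ifNZ taken in main() and shown by
   md_oncreate().  Declared mutable: main() assigns to them (the posted
   version declared them const and wrote through a cast, which is undefined
   behaviour and may target read-only memory on this platform). */
static int L1;
static int L2;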
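/* Draw the two GbsLock values as hex on rows y=24 and y=36.
 *   l1: value printed after "GbsLock_ifZ: "
 *   l2: value printed after "GbsLock_ifNZ: "
 * The buffers are mutable statics: hexint() overwrites the "????" in place
 * (the posted version declared them const, which makes that write
 * undefined behaviour). */
void DrawGBSLocks(int l1, int l2)
{
static char s1[]="GbsLock_ifZ: ????";
static char s2[]="GbsLock_ifNZ: ????";
hexint((STR)(s1+13),l1);   /* "GbsLock_ifZ: " is 13 characters */
hexint((STR)(s2+14),l2);   /* "GbsLock_ifNZ: " is 14 characters */
DrawString(0,24,101,80,s1,3);
DrawString(0,36,101,80,s2,3);
}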
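/* onKeyPress handler of the main dialog.
 * Acts only when bit 0 of keybQueneIdx is set; reads the pending key code,
 * returns to the previous screen on 0x0c, otherwise prints the code as
 * "Key code: XX" and, on '1', redraws the GbsLock values.
 * s1 is a mutable static: hexbyte() overwrites its "??" in place (the posted
 * version declared it const, an undefined-behaviour write). */
void md_onkey(void)
{
char c=keybQueneIdx;
static char s1[]="Key code: ??";
if (!(c&1)) return;                 /* nothing queued for us */
c=keybQueneBuf;                     /* NOTE(review): the array index was lost in the page rendering; restore it from the original source */
if (c==0x0c) {doBack0A(); return;}  /* 0x0c: back (per the handler's name) */
hexbyte((far char *)(s1+10),c);     /* "Key code: " is 10 characters */
DrawString(0,12,101,80,s1,3);
if (c=='1')
{
DrawGBSLocks(GbsLock_ifZ,GbsLock_ifNZ);
}
}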
void md_oncreate(void);   /* forward declaration: maindialog below references it */
/* Slot order follows struct DIALOG: onKeyPress, onDummy1..3 (no-ops), onCreate, onRun. */
static const struct DIALOG maindialog={md_onkey,locret,locret,locret,md_oncreate,pDialogOnRun};
/* onCreate slot of maindialog: clears the 101x80 area, greets, and shows the
   lock words captured by main(). */
void md_oncreate(void)
{
    const int area_w = 101;
    const int area_h = 80;
    FillRect(0, 0, area_w, area_h, 0);
    DrawString(0, 0, area_w, area_h, "Hello!", 3);
    DrawGBSLocks(L1, L2);
}
/* Entry point of the binary: snapshot the two lock words, then show the dialog. */
void main(void)
{
char db;   /* NOTE(review): passed to pShowDialog as a plain char although the prototype takes char far *; probably "&db" (a data area) was lost in the extract - confirm */
*(int *)&L1=GbsLock_ifZ;    /* deliberate write through the const objects; they are displayed later by md_oncreate() */
*(int *)&L2=GbsLock_ifNZ;
pShowDialog(&maindialog,db);
}
AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"FOOPATCH"//But this name, on which is carried out the search for the already created buffers
};
IMHO the way is:
0. Find a place for the CopyFlag variable. Don't use Java memory! Best of all is to use the PMM patch, but you must relocate it.
1. Add menu option "Copy" and code:
CopyFlag=1;
jmp 0D8786Ah
2. Change this:
csegE4:A9D2 DA DF 40 E0 calls 0DFh, rename
to call MyRename
3. Do: (source R12:R13, dest R14:R15)
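/* Replacement for the stock rename call at csegE4:A9D2 (source R12:R13 = s,
   destination R14:R15 = d). Returns 0 on success, 1 on error. */
int MyRename(char far *s, char far *d)
{
    if (CopyFlag)
    {
        /* ... copy the file from s to d here, calling FileOpen/FileWrite/FileClose
           (and the matching read call) directly: this runs in the
           MMC_FILE_SYSTEM_proc context, the only place those calls are allowed
           from. Take the copy buffer from the phone's own heap, never from Java
           memory (see the MMCEXPL_HeapMalloc note below). ... */
        return(0); //Success, or return(1) on error (the extract spelt it "rerurn")
    }
    else
    {
        return(rename(s,d));
    }
}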
4. Change
seg2E2:2446 F2 B3 dw loc_D8B3F2 ; Finishing move
seg2E2:2448 D8 00 dw 0D8h
dw sof(MyFinish)                 ; replaces the two words above (offset, then segment)
dw seg(MyFinish)
MyFinish:
EXTP #pag(CopyFlag),#1           ; page override for the next instruction only
mov pof(CopyFlag),ZEROS          ; CopyFlag=0 - the copy mode must not survive this operation
jmp 0D8B3F2h                     ; continue into the original finishing routine
While copying the file, use MMCEXPL_HeapMalloc (D7D374) and EX_heap_free_with_lock (D7D3B0) to allocate and free the file buffer. Don't use Java or other unknown memory - that is the way to make an unstable patch!
AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"FOOPATCH"//But this name, on which is carried out the search for the already created buffers
};
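/* Descriptor handed to GetVars()/FreeVars(): which heap to reserve the shared
   variables from, how many bytes, and the name the block is looked up by. */
static const struct PVARD
{
struct _heap_ far ** pp_heap;   /* slot of the AllHeapsPointers table to allocate from */
unsigned int siz;               /* bytes to reserve */
char name;                      /* NOTE(review): a single char cannot hold "FOOPATCH"; the original almost certainly declared a char array whose dimension was lost in the extract - confirm (the asm variant stores the name with an 8-byte DB) */
} VARD=
{
AllHeapsPointers+6, //pointer to the heap the variables live in; I use FarHeap8 => +6 (the reference is in the AllHeapsPointers table, also extern in my sl45.h)
sizeof(struct VARS), //total size of all our variables (the extract had "Sizeof(.struct VARS)")
"FOOPATCH" //the name by which already created buffers are looked up, so every call gets the same block
};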
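//Procedures provided by the PMM patch
//Returns a pointer to the variable block; if it is not reserved yet, reserves it
//(*p->pp_heap, p->siz bytes, keyed by p->name) and zero-fills it
extern struct VARS far * GetVars(const struct PVARD far * p);
//Frees the variable block described by p
extern void FreeVars(const struct PVARD far * p);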
//Now our programpatch - for example, it consists of the pair of the functions caused from the different places
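/* Example producer: counts calls in var1 and, at the 100th, stores a pointer
   to a ROM string in var2 for foo2 to print. */
void foo1(void)
{
    struct VARS far *VP=GetVars(&VARD); //Pointer to the variables obtained (reserved and zeroed on first use)
    /* ... */
    VP->var1++; //For example....
    if (VP->var1==100) VP->var2="Upor";   /* var2 keeps a pointer to the literal, which lives in ROM */
    /* ... */
}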
/* Example consumer: once var2 has been set by foo1, prints it and releases
   the shared variables. */
void foo2(void)
{
    struct VARS far *VP=GetVars(&VARD);
    if (!VP->var2) return;
    DrawString(0,0,101,80,VP->var2);   /* NOTE(review): 5 arguments, while the DrawString prototype earlier on this page takes 6 (font) - confirm */
    FreeVars(&VARD);
}
The example is, of course, contrived.
Say procedure foo1 is called. On the first call the variables are reserved, and all following calls use exactly those; accordingly var1 increases by 1 with each call, and when it reaches 100, a pointer to the string (which lives in ROM) is written into var2.
Now when we call foo2 and there is a pointer to the string, it is printed and the variables are freed. If we free them ourselves, it is still desirable to organize critical sections via AcquireGbsLock() and FreeGbsLock().
For example, in this light the CDR patch should properly look like this:
Code:
//Our variables - for the program they will be global, but where it is convenient
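//Our variables - global for the program, kept wherever is convenient
struct VARS
{
char str_to_write;   /* line written by WriteToLogFile; NOTE(review): a single char as extracted, but it is filled by sprintf and read with strlen - the original was a char array whose dimension was lost; size it for the longest formatted line plus NUL */
}; //Note, this is only a description, no code is generated for it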
//Description of data, note const - it is stored in PZU, some or are more to patch/program - here this already generitsya in the stage of the compilation
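//Data description - note const: it is stored in ROM, one or more per patch/program; this one is generated at compile time
static const struct PVARD
{
struct _heap_ far ** pp_heap;   /* slot of the AllHeapsPointers table to allocate from */
unsigned int siz;               /* bytes to reserve */
char name;                      /* NOTE(review): a single char cannot hold "CDR vX.X"; the original almost certainly declared a char array whose dimension was lost in the extract - confirm */
} VARD=
{
AllHeapsPointers+6, //pointer to the heap the variables live in; I use FarHeap8 => +6 (the reference is in the AllHeapsPointers table, also extern in my sl45.h)
sizeof(struct VARS), //total size of all our variables (the extract had "Sizeof(.struct VARS)")
"CDR vX.X" //the name by which already created buffers are looked up
};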
//Procedures in patche PMM
//To obtain indicator to the variables, if yet not zarezervirovanno, we reserve and clear 0
extern struct VARS far * GetVars(.const struct PVARD far * p);
//To free the variables
Void FreeVars(.const Struct PVARD Far * p);
/* Runs in the file-system context (reached via FilesysICall): appends
   VP->str_to_write to A:\cdr.log and releases the shared variables, whether
   or not the open succeeded. */
void WriteToLogFile(void)
{
    struct VARS far *VP=GetVars(&VARD);
    int fh=FileOpen("A:\\cdr.log",_O_CREAT+_O_RDWR+_O_APPEND,_S_IREAD);
    if (fh==-1)
    {
        FreeVars(&VARD);
        return;
    }
    FileWrite(fh,VP->str_to_write,strlen(VP->str_to_write));   /* str_to_write must be NUL-terminated */
    FileClose(fh);
    FreeVars(&VARD);
}
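/* Formats the log line for an incoming call and hands the actual file write
   to the file-system context. */
void IncomingCall(void)
{
    struct VARS far *VP=GetVars(&VARD); //Pointer to the variables obtained
    /* ... */
    /* fixed-format line; str_to_write must be sized for it plus the NUL */
    sprintf(VP->str_to_write,"Incoming at %02d:%02d",_hour,_minute);   /* the extract had "sprinf" */
    FilesysICall(WriteToLogFile);   /* the write itself must run in the file-system context */
}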
void IncomingSMS(void)
{
_ VARD LABEL WORD
DPPTR (_ AllHeapsPointers+24); This is indicator to that, what heap will use, in particular FarHeap8
DW 106; How many bytes of the brain to us are must
DB "PatchNam '; Unique name
...It is analogous...
}
There are no critical sections here, since FILE_SYSTEM_PROC is itself quite a critical section already....
In general, I went off to cook up the PMM patch; I have laid out the whole thing, but the patch itself does not exist yet - more precisely, it is fixed in the binary and needs to be moved into ROM. In a couple of hours I will knock it together.
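#define _AllHeapsPointers 039DCEh
_VARD LABEL WORD                      ; descriptor passed to GetVars/FreeVars (R12:R13 = POF:PAG of this label)
DPPTR (_AllHeapsPointers+24)          ; which heap to use, here FarHeap8: +24 bytes = 6 far pointers of 4 bytes, the slot the C version reaches as AllHeapsPointers+6 - confirm
DW 106                                ; bytes to reserve = Var1 (2) + Var2 (100) + Var3 (4)
DB "PatchNam"                         ; unique name the block is looked up by (the extract had a stray quote here)
; Offsets of the variables from the start of the buffer
Var1 equ 0                            ; variable 1 - 2 bytes
Var2 equ 2                            ; variable 2 - 100 bytes (receives the string copied by Foo1)
Var3 equ 102                          ; variable 3 - 4 bytes
my_str: db ' Upor!',0                 ; ROM string copied into Var2 (leading space as in the extract)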
......
Now the function itself:
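Foo1:
; Sets Var1=1, copies my_str into Var2, then runs DoFileWrite in the file-system context.
; R8/R9 are live across the calls below, so they are saved and restored the way
; DoFileWrite does it (the extract did not save them).
MOV [-R0],R9
MOV [-R0],R8
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _GetVars,_GetVars
MOV R8,R4
MOV R9,R5
; R8/R9 now hold a far pointer to our storage; on the first call it has been zero-filled.
EXTP R9,#1                            ; page override for the next instruction only (operand order: Rw,#count; the extract had "# 1,R9")
MOV [R8+#Var1],#1                     ; Var1=1 (immediate reconstructed from the original comment - confirm; C166 has no MOV [Rw+#d16],#data form, so the assembler may need a register temporary)
MOV R14,#POF(my_str)
MOV R15,#PAG(my_str)                  ; R14/R15 - source
MOV R12,R8
ADD R12,#Var2
MOV R13,R9                            ; R12/R13 - destination
CALLS strcpy                          ; copy the string from ROM into our storage; no length check, my_str must fit the 100 bytes of Var2
; Now call the writer in the file-system context
MOV R12,#SOF(DoFileWrite)
MOV R13,#SEG(DoFileWrite)
CALLS FilesysICall
MOV R8,[R0+]
MOV R9,[R0+]
RETS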
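filename: db 'A:\file.file',0          ; log file path, NUL-terminated
DoFileWrite:
; Runs in the file-system context (entered via FilesysICall): appends Var2 to
; 'filename', then frees the shared variables even when the open failed.
MOV [-R0],R9
MOV [-R0],R8
MOV [-R0],R6
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _GetVars,_GetVars            ; R4:R5 = far pointer to our storage
MOV R8,R4
MOV R9,R5
MOV R12,#POF filename
MOV R13,#PAG filename
MOV R14,#010Ah                         ; open mode; presumably the same bits the C example spells _O_CREAT+_O_RDWR+_O_APPEND - confirm
MOV R15,#0100h
CALLS SEG _FileOpen,_FileOpen          ; open the file for appending
MOV R6,R4                              ; R6 = handle, 0FFFFh on failure
CMP R6,#0FFFFh
JMPR cc_EQ,_35                         ; could not open: skip the write but still free the variables
MOV R12,R8
MOV R13,R9
ADD R12,#Var2                          ; R12:R13 -> Var2
CALLS SEG _strlen,_strlen              ; R4 = length of the string (Var2 must be NUL-terminated within its 100 bytes)
MOV R15,R4
MOV R12,R6                             ; handle
MOV R13,R8
MOV R14,R9
ADD R13,#Var2                          ; R13:R14 -> buffer, R15 = length
CALLS SEG _FileWrite,_FileWrite        ; write Var2 to the file
MOV R12,R6
CALLS SEG _FileClose,_FileClose
_35:
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _FreeVars,_FreeVars          ; release the variables (for the example)
MOV R6,[R0+]                           ; restore in reverse push order (the extract had lost the [R0+] operands)
MOV R8,[R0+]
MOV R9,[R0+]
RETS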
For those who want to print on the screen:
Code:
//In asm the file of the address of the functions
@EQUP(_STRtoWSTRP,0F19EA0h)           ; ROM addresses of the three drawing helpers declared extern in the C part below
@EQUP(_DrawObject,0C1400Ah)
@EQUP(_PrepDrawObj_type01,0C14A4Ch)
//В си
/* Rectangle given by two corners (X1,Y1)-(X2,Y2), not by width and height;
   passed to PrepDrawObj_type01. */
struct rectXYXY
{
unsigned int X1;
unsigned int Y1;
unsigned int X2;
unsigned int Y2;
};
typedef char far * STR;            /* far pointer to an 8-bit string */
typedef unsigned int far * WSTR;   /* far pointer to a unicode string; per the VARS comment below its first word is the length */
/* ROM addresses of these three are given by the @EQUP lines above; the
   declarations use the old implicit-int return type. */
extern STRtoWSTRP(WSTR *,STR);     /* converts an 8-bit string into the unicode buffer *WSTR points at */
extern DrawObject(void far *);     /* draws an object prepared by PrepDrawObj_type01 */
extern PrepDrawObj_type01(
void far *drwobj,                  /* 0x1A-byte object buffer (VARS.dobj) */
struct rectXYXY far *,
unsigned int flag1,                /* see the flag notes in the drawing fragment below */
WSTR *,
unsigned int font,
unsigned int flag2);
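/* Shared variables of the drawing example (the extract had a duplicated "{"
   and no closing ";"). */
struct VARS
{
WSTR up;              //Pointer to the unicode string
unsigned int us;      //The unicode string itself, first word = length; NOTE(review): a single word as extracted, but it is assigned to up and filled by STRtoWSTRP below - the original was an array whose dimension was lost, confirm
char dobj[0x1A];      //Drawing object passed to PrepDrawObj_type01/DrawObject
};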
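//The drawing itself. Fragment: the enclosing function header was lost in the extract;
//VP is taken to be a struct VARS far * obtained from GetVars(), as in the other examples.
{
struct rectXYXY rc;
rc.X1=0; //Rectangle given by its corners: X2/Y2 are the far edge, not width and height
rc.Y1=40;
rc.X2=100;
rc.Y2=48;
VP->up=VP->us;   //point the string pointer at the in-block buffer
STRtoWSTRP(&VP->up,(STR)"Upor"); //Instead of (STR)"Upor" there can be your own string or pointer
//Flag 1 - apparently relates to the rectangle the text is drawn in
//0x20 - inversion
//0x?0 - erase everything          (value garbled in the extract: "0khya0")
//Flag 2 - relates to the text output itself
//0 - do not centre
//1 - centre
//2 - align to the right edge
//4 - underline
//8 - ????
//0x?0 - font inversion            (garbled in the extract: "0khy0")
//0x20 - ?????
//0x?0 - odd behaviour             (garbled in the extract: "0khya0")
//0x80 - do not format the text
//0x?00 - inversion again          (garbled in the extract: "0khy00")
//NOTE(review): flag1/flag2 are not members of the struct VARS shown above - confirm where they live
PrepDrawObj_type01(VP->dobj,&rc,VP->flag1,&VP->up, 0,VP->flag2); //0 - type number, 0...11 (the extract had "&rch" for &rc)
DrawObject(VP->dobj);
}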
csegD6:31D2 ShowEggDialog:
seg2E1:1B6C 08 31 D6 00 eggDialog:dw 3108h, 0D6h ; CODE XREF: eggDialog_OnKeyP
seg2E1:1B6C ; DATA XREF: ShowEggDialog+4o
seg2E1:1B70 28 31 D6 00 dword_B85B70:dw 3128h, 0D6h ; CODE XREF: eggDialog_RunP
seg2E1:1B74 7E 31 D6 00 dword_B85B74:dw 317Eh, 0D6h ; CODE XREF: eggDialog_rets1?P
seg2E1:1B78 80 31 D6 00 dword_B85B78:dw 3180h, 0D6h ; CODE XREF: eggDialog_rets2?P
seg2E1:1B7C 82 31 D6 00 dword_B85B7C:dw 3182h, 0D6h ; CODE XREF: eggDialog_InitP
cabbage soup question.
There is this function - CreateDialogWithSoftKeys(DIALOG_WSK *, data_area *, int flag), where:
/* Dialog descriptor for CreateDialogWithSoftKeys(); such a dialog is closed
   with CloseDialogWithSoftKeys() (see md_onKey below). */
struct DIALOG_WSK
{
void huge *onKeyPress; //Message handler (receives the MSG structure, see md_onKey)
void huge *onCreate; //as is
void huge *onClose; //as is
unsigned int datasize; //Min 0x2C
unsigned int tablesize; //Usialy 1
const unsigned int far *table; //&(0xFFF5)
};
Another thing: a menu invoked from the onKey procedure does not kill my dialog; in general everything is very civilized. But there is one catch: suggest an analog of doBack0A for this dialog, since so far I can only shoot it down with a long press of the red button.
Also, another useful thing: approximately every second this dialog receives a message with Msg==0xB8, which will do nicely instead of a timer.
/* onKeyPress handler for a DIALOG_WSK dialog: a RED_BUTTON key-down closes
   the dialog; every message is answered with 1. */
int md_onKey(void *data, struct MSG far *Msg)
{
    if (Msg->Msg==KEY_DOWN && Msg->Param==RED_BUTTON)
        CloseDialogWithSoftKeys((int far *)data); //0EE13D0h
    return(1);
}
/* Filled by GetFileStat()/FileStat() below; field meanings as observed so far. */
struct StatOfFile
{
unsigned int flag1;//=8081 - file, =8041 - folder
unsigned int Zero;
unsigned long filesize;
char Unk; // Dates? (meaning and size not confirmed)
};
/* Both fill a StatOfFile; GetFileStat takes a path, FileStat an open handle. */
extern int GetFileStat(char far* fname, struct StatOfFile far*); //0DFF720h //from MMC_FILE_SYSTEM_proc - call only in that context, like the other file functions
extern int FileStat(int file_hndl, struct StatOfFile far*); //0DFF6AAh
java.log:
22779ms: Warning: natasync.c: Unknown event received: 13
38489ms: Warning: natasync.c: Unknown event received: 13
57761ms: Warning: natasync.c: Unknown event received: 13
Code:
java_net.log:
20414364ms: Info: Networking initalized
470ms: Info: Networking initalized
17947ms: Info: Shutting down network
18012ms: Info: Networking disabled
151219ms: Info: Freeing application.
151219ms: Info: Application freed.
151219ms: Info: Shutting down network
151219ms: Info: JAM terminated
20414364ms: Info: Networking initalized
419ms: Info: Networking initalized
22507ms: Info: socket_Protocol_open0
22571ms: Info: Activating profile number 2
22636ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
22710ms: Info: jnfnet_doDial: dialing
30588ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
30685ms: Info: JavaNetMessageHandler: start PPP stack
32997ms: Info: JavaNetMessageHandler: M_DIALER_DOWN received, state = e_jnfnet_going_up
33075ms: Info: JavaNetMessageHandler: remaining retries: 3
33158ms: Info: JavaNetMessageHandler: M_NET_DOWN received, state = e_jnfnet_going_up
38156ms: Info: JavaNetMessageHandler: JAVA_TIMER_EXPIRED, state = e_jnfnet_going_up
38221ms: Info: JavaNetMessageHandler: redialing
38309ms: Info: Activating profile number 2
38382ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
46182ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
46279ms: Info: JavaNetMessageHandler: start PPP stack
52274ms: Info: JavaNetMessageHandler: M_DIALER_DOWN received, state = e_jnfnet_going_up
52361ms: Info: JavaNetMessageHandler: remaining retries: 2
52440ms: Info: JavaNetMessageHandler: M_NET_DOWN received, state = e_jnfnet_going_up
57438ms: Info: JavaNetMessageHandler: JAVA_TIMER_EXPIRED, state = e_jnfnet_going_up
57502ms: Info: JavaNetMessageHandler: redialing
57576ms: Info: Activating profile number 2
57650ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
66142ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
66234ms: Info: JavaNetMessageHandler: start PPP stack
68218ms: Info: JavaNetMessageHandler: M_NET_UP received, state = e_jnfnet_going_up
68311ms: Info: JavaNetMessageHandler: PPP is up. Connecting
68398ms: Info: socket_open_callback: socket = 4, succeeded
68481ms: Info: jnfnet_socketCreate succeeded, returning 1
68574ms: Info: createTCPsocket - hostname:port == pop3.rambler.ru:110
69511ms: Info: connectSocket - hostname:port == pop3.rambler.ru(81.19.66.20):110, return = 0(0)
69603ms: Info: createTCPSocket: socket = 1 succeded. Waiting for connect.
70304ms: Info: createTCPSocket_callback: socket = 1, succeeded
70420ms: Info: available0: 0
70507ms: Info: available0: 0
70609ms: Info: available0: 0
70701ms: Info: available0: 0
70798ms: Info: available0: 0
70895ms: Info: available0: 0
70992ms: Info: available0: 0
71094ms: Info: available0: 0
71181ms: Info: available0: 0
71278ms: Info: Data received from socket 1
71380ms: Info: available0: 70
71467ms: Info: available0: 70
71578ms: Info: read0(1, 70) = 70: +OK mail.rambler.ru pop3 ready <47177c46.1137350009@mail.rambler.ru>
Code:
rms.log:
369ms: Info: JNF_FileSystem_Init()
8297ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
8376ms: Info: Response for AsyncGetFirst(). Found
8496ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
8602ms: Info: Response for AsyncOpen, result = 4
8690ms: Info: AsyncRead(4, 4). Waiting for response
8782ms: Info: Response for AsyncRead(4), result = 4, errno = 0
8874ms: Info: AsyncLength(4), result = 0errno = 0
8962ms: Info: AsyncSeek(4, 4). Waiting for response
9059ms: Info: Response for AsyncSeek(4), result = 4
9151ms: Info: AsyncRead(4, 66). Waiting for response
9234ms: Info: Response for AsyncRead(4), result = 66, errno = 0
9336ms: Info: AsyncSeek(4, 0). Waiting for response
9419ms: Info: Response for AsyncSeek(4), result = 0
9534ms: Info: AsyncWrite(4, 4). Waiting for response
9663ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
9746ms: Info: SyncClose(4), result = 0errno = 0
9880ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
10005ms: Info: Response for AsyncGetFirst(). Found
10134ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
10249ms: Info: Response for AsyncOpen, result = 4
10328ms: Info: AsyncRead(4, 4). Waiting for response
10411ms: Info: Response for AsyncRead(4), result = 4, errno = 0
10503ms: Info: AsyncLength(4), result = 0errno = 0
10591ms: Info: AsyncSeek(4, 70). Waiting for response
10669ms: Info: Response for AsyncSeek(4), result = 70
10776ms: Info: AsyncRead(4, 66). Waiting for response
10863ms: Info: Response for AsyncRead(4), result = 66, errno = 0
10951ms: Info: AsyncSeek(4, 0). Waiting for response
11029ms: Info: Response for AsyncSeek(4), result = 0
11126ms: Info: AsyncWrite(4, 4). Waiting for response
11255ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
11334ms: Info: SyncClose(4), result = 0errno = 0
11417ms: Info: AsyncSpaceAvailable(). Waiting for response
11500ms: Info: Response for AsyncFree(), result = 161644544
11648ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
11763ms: Info: Response for AsyncGetFirst(). Found
11883ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
11994ms: Info: Response for AsyncOpen, result = 4
12077ms: Info: AsyncRead(4, 4). Waiting for response
12160ms: Info: Response for AsyncRead(4), result = 4, errno = 0
12252ms: Info: AsyncLength(4), result = 0errno = 0
12363ms: Info: AsyncSeek(4, 4). Waiting for response
12446ms: Info: Response for AsyncSeek(4), result = 4
12543ms: Info: AsyncRead(4, 66). Waiting for response
12622ms: Info: Response for AsyncRead(4), result = 66, errno = 0
12751ms: Info: AsyncSeek(4, 0). Waiting for response
12834ms: Info: Response for AsyncSeek(4), result = 0
12926ms: Info: AsyncWrite(4, 4). Waiting for response
13060ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
13143ms: Info: SyncClose(4), result = 0errno = 0
13258ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RS@1.db). Waiting for response
13388ms: Info: Response for AsyncGetFirst(). Found
13531ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RS@1.db). Wait for response
13637ms: Info: Response for AsyncOpen, result = 4
13725ms: Info: AsyncSeek(4, 0). Waiting for response
13808ms: Info: Response for AsyncSeek(4), result = 0
13891ms: Info: AsyncRead(4, 40). Waiting for response
13983ms: Info: Response for AsyncRead(4), result = 40, errno = 0
17767ms: Info: SyncClose(4), result = 0errno = 0
17855ms: Info: Java_FileSystem_Exit()
373ms: Info: JNF_FileSystem_Init()
8265ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
8343ms: Info: Response for AsyncGetFirst(). Found
8463ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
8574ms: Info: Response for AsyncOpen, result = 4
8657ms: Info: AsyncRead(4, 4). Waiting for response
8745ms: Info: Response for AsyncRead(4), result = 4, errno = 0
8833ms: Info: AsyncLength(4), result = 0errno = 0
8930ms: Info: AsyncSeek(4, 4). Waiting for response
9022ms: Info: Response for AsyncSeek(4), result = 4
9114ms: Info: AsyncRead(4, 66). Waiting for response
9193ms: Info: Response for AsyncRead(4), result = 66, errno = 0
9299ms: Info: AsyncSeek(4, 0). Waiting for response
9377ms: Info: Response for AsyncSeek(4), result = 0
9465ms: Info: AsyncWrite(4, 4). Waiting for response
9599ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
9682ms: Info: SyncClose(4), result = 0errno = 0
9797ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
9926ms: Info: Response for AsyncGetFirst(). Found
10065ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
10171ms: Info: Response for AsyncOpen, result = 4
10249ms: Info: AsyncRead(4, 4). Waiting for response
10332ms: Info: Response for AsyncRead(4), result = 4, errno = 0
10420ms: Info: AsyncLength(4), result = 0errno = 0
10508ms: Info: AsyncSeek(4, 70). Waiting for response
10586ms: Info: Response for AsyncSeek(4), result = 70
10692ms: Info: AsyncRead(4, 66). Waiting for response
10771ms: Info: Response for AsyncRead(4), result = 66, errno = 0
10859ms: Info: AsyncSeek(4, 0). Waiting for response
10937ms: Info: Response for AsyncSeek(4), result = 0
11029ms: Info: AsyncWrite(4, 4). Waiting for response
11163ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
11251ms: Info: SyncClose(4), result = 0errno = 0
11334ms: Info: AsyncSpaceAvailable(). Waiting for response
11408ms: Info: Response for AsyncFree(), result = 161644544
11560ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
11675ms: Info: Response for AsyncGetFirst(). Found
11795ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
11911ms: Info: Response for AsyncOpen, result = 4
11989ms: Info: AsyncRead(4, 4). Waiting for response
12072ms: Info: Response for AsyncRead(4), result = 4, errno = 0
12165ms: Info: AsyncLength(4), result = 0errno = 0
12275ms: Info: AsyncSeek(4, 4). Waiting for response
12368ms: Info: Response for AsyncSeek(4), result = 4
12455ms: Info: AsyncRead(4, 66). Waiting for response
12538ms: Info: Response for AsyncRead(4), result = 66, errno = 0
12672ms: Info: AsyncSeek(4, 0). Waiting for response
12755ms: Info: Response for AsyncSeek(4), result = 0
12848ms: Info: AsyncWrite(4, 4). Waiting for response
12981ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
13060ms: Info: SyncClose(4), result = 0errno = 0
13180ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RS@1.db). Waiting for response
13295ms: Info: Response for AsyncGetFirst(). Found
13425ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RS@1.db). Wait for response
13545ms: Info: Response for AsyncOpen, result = 4
13637ms: Info: AsyncSeek(4, 0). Waiting for response
13715ms: Info: Response for AsyncSeek(4), result = 0
13808ms: Info: AsyncRead(4, 40). Waiting for response
13900ms: Info: Response for AsyncRead(4), result = 40, errno = 0
15437ms: Info: AsyncSeek(4, 486). Waiting for response
15534ms: Info: Response for AsyncSeek(4), result = 486
15631ms: Info: AsyncRead(4, 28). Waiting for response
15723ms: Info: Response for AsyncRead(4), result = 28, errno = 0
15815ms: Info: AsyncSeek(4, 40). Waiting for response
15894ms: Info: Response for AsyncSeek(4), result = 40
15990ms: Info: AsyncRead(4, 28). Waiting for response
16078ms: Info: Response for AsyncRead(4), result = 28, errno = 0
16175ms: Info: AsyncSeek(4, 486). Waiting for response
16258ms: Info: Response for AsyncSeek(4), result = 486
16346ms: Info: AsyncRead(4, 28). Waiting for response
16401ms: Info: Response for AsyncRead(4), result = 28, errno = 0
16512ms: Info: AsyncSeek(4, 514). Waiting for response
16604ms: Info: Response for AsyncSeek(4), result = 514
16692ms: Info: AsyncRead(4, 129). Waiting for response
16780ms: Info: Response for AsyncRead(4), result = 129, errno = 0
16872ms: Info: AsyncSeek(4, 486). Waiting for response
16960ms: Info: Response for AsyncSeek(4), result = 486
17047ms: Info: AsyncRead(4, 28). Waiting for response
17440ms: Info: Response for AsyncRead(4), result = 28, errno = 0
17532ms: Info: AsyncSeek(4, 40). Waiting for response
17615ms: Info: Response for AsyncSeek(4), result = 40
17698ms: Info: AsyncRead(4, 28). Waiting for response
17800ms: Info: Response for AsyncRead(4), result = 28, errno = 0
17901ms: Info: AsyncSeek(4, 68). Waiting for response
17980ms: Info: Response for AsyncSeek(4), result = 68
18063ms: Info: AsyncRead(4, 308). Waiting for response
18178ms: Info: Response for AsyncRead(4), result = 308, errno = 0
20610ms: Info: AsyncSeek(4, 486). Waiting for response
20689ms: Info: Response for AsyncSeek(4), result = 486
20776ms: Info: AsyncRead(4, 28). Waiting for response
20864ms: Info: Response for AsyncRead(4), result = 28, errno = 0
20970ms: Info: AsyncSeek(4, 40). Waiting for response
21053ms: Info: Response for AsyncSeek(4), result = 40
21141ms: Info: AsyncRead(4, 28). Waiting for response
21242ms: Info: Response for AsyncRead(4), result = 28, errno = 0
21404ms: Info: AsyncSeek(4, 514). Waiting for response
21501ms: Info: Response for AsyncSeek(4), result = 514
21588ms: Info: AsyncRead(4, 129). Waiting for response
21681ms: Info: Response for AsyncRead(4), result = 129, errno = 0
21939ms: Info: AsyncSeek(4, 68). Waiting for response
22027ms: Info: Response for AsyncSeek(4), result = 68
22115ms: Info: AsyncRead(4, 308). Waiting for response
22211ms: Info: Response for AsyncRead(4), result = 308, errno = 0
99859ms: Info: AsyncSpaceAvailable(). Waiting for response
99947ms: Info: Response for AsyncFree(), result = 161619968
140706ms: Info: SyncClose(4), result = 0errno = 0
140785ms: Info: Java_FileSystem_Exit()
[ 本帖最后由 JunFeng 于 2006-2-27 10:55 编辑 ] 跟,想学习 先顶后看!!!!! “……发现它向34,3e2b这里写入了数据,……”
这个地方#34h (具体34,3e2b)是在eep那里吗? 流名学习
。 这个要看~~~~~~~~~~~~~ zh站着听...................... 好好好好好好好好好好好。。。贴!!!
通俗易懂!!收藏受教!! 搬张凳子排排坐!!!
回复 #13 Xinshou 的帖子
ram看5楼 好教程,我顶!