lwz %r9 0x2A(%r3)

Thomas Ptacek | December 22nd, 2005 | Filed Under: Uncategorized

A confession: despite being a Mac person for going on 5 years now, I’ve yet to write more than 4 lines of PowerPC assembly code. No shell code, unlike Dino, who, for reasons passing understanding, is taking the Amtrak train from NYC to New Mexico, and had a convenient stop-over today; in exchange for lunch, I got 5 minutes of PowerPC help, which was pretty much all I needed.

Two great things about PowerPC assembly that I learned today:

  1. Apple documents it, and Apple’s documentation rocks. Long story short: return values come back in %r3, integer arguments go in %r3 through %r10 (anything past the eighth spills to the stack), and the compiler’s test-for-zero idiom is a record-form move, mr. %rX, %rY ; bne address: the trailing dot makes the move update CR0 from the result, and a bne with no explicit CR field tests CR0.

  2. PPCExplain ships with the developer tools; from the command line, given an instruction mnemonic, it gives the description.

PowerPC is, of course, a load-store architecture, which I think makes the assembly much easier to read than x86: memory is only ever touched through an “l…” instruction (lwz, lhz, lbz and friends) or an “s…” instruction (stw, sth, stb); everything else works on registers. IDA feature request that won’t get read because I’m too lazy to write it up and send it: a mode that highlights every instruction in the same class as the one the cursor is on, rather than just literal occurrences of the same instruction. Highlight all branches, or all stores, or whatever.

Finally, a stocking stuffer for our network-programmer audience: I got tired of translating C header files into TCP/IP field offsets. I almost wrote an “offsetexplain” function, but came up with something simpler: Matasano’s Periodic Table Of The Offsets, which gives each field’s offset from the base of the Ethernet header, the IP header, or the UDP/TCP header.
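For anyone who would rather have the function than the table, here is an “offsetexplain” in C, as an added example (my code, not from the original post or from Matasano). It builds the same offset table with offsetof over hand-written header structs and maps a byte offset from a chosen header base to a field name; the struct definitions, the field names (borrowed from the BSD headers) and the explain_offset/explain function names are my own choices. Like the table, it assumes no 802.1Q tag, no IP options and no TCP options; under those assumptions, the instruction in the title, lwz %r9 0x2A(%r3), with %r3 pointing at the Ethernet header, loads the TCP acknowledgment number, or the first word of UDP payload if the packet is UDP.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layouts, spelled out here instead of pulled from <netinet/*.h> so the
 * example builds anywhere. Natural alignment yields the wire layout exactly
 * (no padding); the static asserts check that for the compiler in use. */
struct ether_hdr { uint8_t dst[6]; uint8_t src[6]; uint16_t type; };
struct ip_hdr    { uint8_t vhl; uint8_t tos; uint16_t len; uint16_t id;
                   uint16_t off; uint8_t ttl; uint8_t p; uint16_t sum;
                   uint32_t src; uint32_t dst; };
struct tcp_hdr   { uint16_t sport; uint16_t dport; uint32_t seq; uint32_t ack;
                   uint8_t off_x2; uint8_t flags; uint16_t win; uint16_t sum;
                   uint16_t urp; };
struct udp_hdr   { uint16_t sport; uint16_t dport; uint16_t len; uint16_t sum; };
_Static_assert(sizeof(struct ether_hdr) == 14, "ether_hdr padded");
_Static_assert(sizeof(struct ip_hdr)    == 20, "ip_hdr padded");
_Static_assert(sizeof(struct tcp_hdr)   == 20, "tcp_hdr padded");
_Static_assert(sizeof(struct udp_hdr)   ==  8, "udp_hdr padded");

struct field { const char *name; size_t off, size; };
struct layer { const char *name; const struct field *fields; size_t nfields, size; };

/* FIELD records a member's offset and width; LAYER wraps a header's field list. */
#define FIELD(st, m)    { #m, offsetof(struct st, m), sizeof(((struct st *)0)->m) }
#define LAYER(n, st, f) { n, f, sizeof(f) / sizeof((f)[0]), sizeof(struct st) }

static const struct field ether_fields[] = {
    FIELD(ether_hdr, dst), FIELD(ether_hdr, src), FIELD(ether_hdr, type) };
static const struct field ip_fields[] = {
    FIELD(ip_hdr, vhl), FIELD(ip_hdr, tos), FIELD(ip_hdr, len), FIELD(ip_hdr, id),
    FIELD(ip_hdr, off), FIELD(ip_hdr, ttl), FIELD(ip_hdr, p),   FIELD(ip_hdr, sum),
    FIELD(ip_hdr, src), FIELD(ip_hdr, dst) };
static const struct field tcp_fields[] = {
    FIELD(tcp_hdr, sport), FIELD(tcp_hdr, dport),  FIELD(tcp_hdr, seq),
    FIELD(tcp_hdr, ack),   FIELD(tcp_hdr, off_x2), FIELD(tcp_hdr, flags),
    FIELD(tcp_hdr, win),   FIELD(tcp_hdr, sum),    FIELD(tcp_hdr, urp) };
static const struct field udp_fields[] = {
    FIELD(udp_hdr, sport), FIELD(udp_hdr, dport), FIELD(udp_hdr, len), FIELD(udp_hdr, sum) };

static const struct layer ether_layer = LAYER("ether", ether_hdr, ether_fields);
static const struct layer ip_layer    = LAYER("ip",    ip_hdr,    ip_fields);
static const struct layer tcp_layer   = LAYER("tcp",   tcp_hdr,   tcp_fields);
static const struct layer udp_layer   = LAYER("udp",   udp_hdr,   udp_fields);

/* Name the field that byte offset `off` from the start of header `base`
 * ("ether", "ip", or the transport's own name) lands on, for a packet that
 * carries `transport` ("tcp" or "udp"). Assumes, like the table, no 802.1Q
 * tag, no IP options and no TCP options. Writes "layer.field" (with "+n"
 * when the offset falls inside a field, e.g. the low byte of a port) or
 * "<transport> payload+n" into buf. Returns buf, or NULL for a bad base. */
const char *explain_offset(const char *base, const char *transport, size_t off,
                           char *buf, size_t buflen)
{
    const struct layer *stack[3] = { &ether_layer, &ip_layer,
        strcmp(transport, "udp") == 0 ? &udp_layer : &tcp_layer };
    size_t start;
    if (strcmp(base, "ether") == 0)             start = 0;
    else if (strcmp(base, "ip") == 0)           start = 1;
    else if (strcmp(base, stack[2]->name) == 0) start = 2;
    else return NULL;

    for (size_t i = start; i < 3; i++) {
        const struct layer *l = stack[i];
        if (off >= l->size) { off -= l->size; continue; }   /* skip a whole header */
        for (size_t j = 0; j < l->nfields; j++) {
            const struct field *f = &l->fields[j];
            if (off < f->off || off >= f->off + f->size) continue;
            if (off == f->off) snprintf(buf, buflen, "%s.%s", l->name, f->name);
            else snprintf(buf, buflen, "%s.%s+%zu", l->name, f->name, off - f->off);
            return buf;
        }
    }
    snprintf(buf, buflen, "%s payload+%zu", stack[2]->name, off);
    return buf;
}

/* Convenience wrapper with a static buffer, for one-off lookups at a prompt. */
const char *explain(const char *base, const char *transport, size_t off)
{
    static char buf[64];
    return explain_offset(base, transport, off, buf, sizeof buf);
}

int main(void)
{
    /* Print the Ethernet-base column of the table for a TCP packet. */
    for (size_t off = 0; off < 14 + 20 + 20 + 4; off++)
        printf("0x%02zX  %s\n", off, explain("ether", "tcp", off));
    return 0;
}
```

The lookup is keyed on the base the pointer register actually holds, because that is what matters when reading the disassembly: an offset of 9 means ip.p when %r3 points at the IP header but ether.src+3 when it points at the frame. If the code under analysis handles VLAN-tagged frames or IP options, add 4 to the Ethernet layer size or read the IHL nibble before trusting the TCP column.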

5 Comments so far

  • Ryan Russell

    December 22nd, 2005 6:55 pm

    Re: periodic table

    Not bad! Needs color, and cute abbreviations for each field.

  • Mark Grimes

    December 22nd, 2005 7:19 pm

    Thomas,

    Here’s an alternate layout for you that for me is a bit easier on screen real estate when developing from my powerbook. [packet.txt]

  • Mark Grimes

    December 22nd, 2005 7:36 pm

    I forgot to mention that although I have no idea who originally generated the 70 column version, I got this from Jeff Nathan several years ago when I was working on Nemesis. I believe it was conceived during Snort development. Anyhow, if you need an active reference on the same screen as your development, it’s probably handy.

  • tqbf

    December 23rd, 2005 10:43 am

    Mark: your Snort table is indeed easier to fit on a screen. I did a version in this format (redundant offsets, single field names), but realized that my goal was to minimize thought while reading code, and I really just needed to jump to the row with the hexadecimal load offset I saw in IDA and read across to see what field it was.

    Still, it’s uncanny how close your table is to mine, and I’m glad I know about it. Thanks!

  • Matt Beaumont

    June 21st, 2006 7:13 pm

    Hi Thomas,

    Reading through the archives, quite entertained so far. This post is fantastic — the PPC assembly and offset table links are definite keepers, PPCExplain is infinitely preferable to paging through IBM’s ISA documentation. Thanks!

    Cheers,
    Matt
