reverse engineering dsp code
play

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code - PowerPoint PPT Presentation

Aug 27, 2022 •663 likes •856 views

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

  1. Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013

  2. Context Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Core developer of the Dolphin Emulator GameCube DSP (GameCube / Wii) Analyzing GCN DSP code Recently working mainly on sound processing Conclusion emulation Had to understand how it worked and reverse engineer the code running on it to reimplement it

  3. What is a DSP? Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Digital Signal Processor GameCube DSP Analyzing GCN Highly specialized CPUs with several ways to make DSP code signal processing fast Conclusion Applications: sound mixing, sound e ff ects processing, signal demodulation, etc.

  4. Sound processing Reverse Engineering DSP Code Pierre Bourdon Introduction Mixing sounds together: s = a + b DSP GameCube DSP Setting a volume: s = v × i (0 < = v < = 1) Analyzing GCN You can only mix together sounds at the same DSP code Conclusion sample rate, so resampling might be needed (linear, cubic, FIR) Sound delaying to simulate precise 3D positioning Filters: LPF, FIR, etc.

  5. Tricks Reverse Engineering DSP Code Unless you need to cover a large range of values, Pierre Bourdon floating point numbers are bad compared to fixed Introduction point numbers DSP Sound samples are in [ − 1 . 0 , 1 . 0] GameCube DSP Analyzing GCN Volume is in [0 . 0 , 1 . 0] DSP code Conclusion Each sound sample can be represented as a 16 bit number in [ − 32768 , 32767] Volume can be represented as a value in [0 , 32767] Big optimization: ALU computations are a lot faster than FPU Need to be careful with overflows in intermediate computations

  6. Communication with other components Reverse Engineering DSP Code Pierre Bourdon Introduction DSP The DSP also needs to communicate with several GameCube DSP external components: CPU, RAM, hardware Analyzing GCN decoder, ... DSP code Often has interrupts and in / out ports support to get Conclusion events from the CPU Data from RAM is fetched and written using DMA to an internal, smaller RAM

  7. Specs Reverse Engineering DSP Code Pierre Bourdon Introduction Custom Macronix DSP design DSP Runs at 81MHz (fast!) GameCube DSP Hardware 32 bit multiplier with overflow handling Analyzing GCN DSP code 4K IRAM, 4K DRAM Conclusion 4K IROM, 8K DROM DMA access to the GameCube RAM and ARAM Hardware PCM8, PCM16 and ADPCM decoding from ARAM

  8. Registers Reverse Engineering DSP Code Pierre Bourdon Introduction DSP 4 Address Registers: $AR0, $AR1, $AR2, $AR3 GameCube DSP 4 Index Registers: $IX0, $IX1, $IX2, $IX3 Analyzing GCN DSP code 4 Wrapping Registers: $WR0, $WR1, $WR2, $WR3 Conclusion 2 32 bit "general" registers: $AX0, $AX1 2 40 bit accumulators: $ACC0, $ACC1 1 40 bit multiplication result register: $PROD

  9. Subregisters Reverse Engineering DSP Code Pierre Bourdon Introduction DSP GameCube DSP $AX0.H, $AX0.L (16 bit) Analyzing GCN DSP code $ACC0.H (8 bit), $ACC0.M, $ACC0.L (16 bit) Conclusion Access to $ACC0.H can be either zero-extended or sign-extended

  10. More peculiarities Reverse Engineering DSP Code Pierre Bourdon 16 bit bytes: addresses index 16 bit values Introduction Instructions can be either 16 or 32 bits long (usually DSP with a 16 bit immediate) GameCube DSP Some instructions can be merged with an "extended Analyzing GCN DSP code operation" to perform 2 operations at once Conclusion Strange control flow instructions using an internal loop register stack: LOOP, BLOOP, IFC, ... CLR $ACC0 // ACC0 = 0; LOOP $ACC1.M // while (ACC1.M--) SRRI @$AR0, $ACC0.M // *AR0++ = ACC0.M;

  11. Extended operations Reverse Engineering DSP Code Pierre Bourdon Explicit parallelization of some operations that can Introduction be performed at the same time DSP For example, "load from memory" and "multiply two GameCube DSP numbers" Analyzing GCN DSP code Used a lot to make loops faster: load and store data Conclusion at the same time you perform operations More than memory access: moving data from a register to another, adding an index register to an address register, etc. Uses parts of the CPU not used by the main instruction

  12. Example Reverse Engineering DSP Code Pierre Bourdon Introduction DSP opcode: bcf0 disasm: GameCube DSP MULAX’LD $AX0.H, $AX1.H, $ACC0 : $AX0.H, $AX1.H, @$AR0 Analyzing GCN DSP code Conclusion pseudocode: ACC0 += PROD; PROD = AX0.H * AX1.H; AX0.H = *AR0++; AX1.H = *AR3++;

  13. Example 2 Reverse Engineering DSP Code Pierre Bourdon Introduction DSP opcode: f2e7 disasm: GameCube DSP MADD’LDN $AX0.L, $AX0.H : $AX0.H, $AX1.L, @$AR3 Analyzing GCN DSP code Conclusion pseudocode: $PROD += AX0.L * AX0.H; AX0.H = *AR0++; AX1.H = *AR3; AR3 += IX3;

  14. Tools Reverse Engineering DSP Code Pierre Bourdon Only one disassembler available, no real static Introduction analysis tool DSP GameCube DSP Wrote an IDA plugin for the GCN DSP in November Analyzing GCN 2011 DSP code IDA handles surprisingly well most of the strange Conclusion features of this DSP (including 16 bit bytes) Made it a lot easier to do cross-references, renaming symbols, etc. Writing IDA plugins will make you hate it, but it’s worth the trouble in the end

  15. IDA Reverse Engineering DSP Code Pierre Bourdon Introduction DSP GameCube DSP Analyzing GCN DSP code Conclusion

  16. Confusing idioms Reverse Engineering DSP Code Pierre Bourdon Introduction All of the code is written directly in assembly, DSP GameCube DSP without respect for any kind of calling convention Analyzing GCN Branching has an impact on speed, so loops are DSP code sometimes manually unrolled Conclusion Wrapping registers used to implement circular bu ff ers Automatic multiply by 2 for volume mixing

  17. Pipelining Reverse Engineering DSP Code Pierre Bourdon Used to increase the throughput of a loop by taking Introduction advantage of the explicit parallelization. DSP LRRI $AX0.H, @$AR3 GameCube DSP LRRI $AX0.L, @$AR3 Analyzing GCN MULX $AX0.L, $AX1.L DSP code MULXMV $AX0.H, $AX1.L, $ACC0 Conclusion BLOOPI 0x30, 0x0655 ASR16’L $ACC0 : $AC1.M, @$AR1 ADDP’LN $ACC0 : $AC1.L, @$AR1 LRRI $AX0.H, @$AR3 ADD’L $ACC1, $ACC0 : $AX0.L, @$AR3 MULX’S $AX0.L, $AX1.L : @$AR1, $AC1.M MULXMV’S $AX0.H, $AX1.L, $ACC0 : @$AR1, $AC1.L

  18. Questions? Reverse Engineering DSP Code Pierre Bourdon Introduction DSP GameCube DSP Analyzing GCN @delroth_ DSP code Conclusion http://dolphin-emu.org/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Software Maintenance Overview Legacy code Reverse-engineering Re-engineering

Software Maintenance Overview Legacy code Reverse-engineering Re-engineering

Software Maintenance Overview Legacy code Reverse-engineering Re-engineering Preventative Maintenance Michal Young / Stuart Faulk 05/16/99 1 Post-Deployment Evolution a.k.a. maintenance General definition:

238 views • 10 slides
Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

381 views • 20 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the

Building Custom Disassemblers Instruction Set Reverse Engineering Agenda Motivation Introduction to the playing field How to obtain byte code Recognizing basic properties of the byte code Implementing an IDA Pro processor

663 views • 52 slides
Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and Documentation Engineering Virus Analysis Malware Virus Needs a vector for propagation Worm No vector needed Can spread by

320 views • 21 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Assembly code and binary formats (ELF)

630 views • 23 slides
CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Reverse Engineering Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python: hex(int('00111000', 2))

696 views • 54 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python:

710 views • 49 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India

Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India

Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India Research Lab (with G. Ramalingam, J. Field, et al) 1 / 51 Understanding legacy software Common scenario huge existing legacy code base

652 views • 46 slides
TELECOMMUNICATION (DECT) ETI 2506 Monday, 21 November 2016 LOOK AT THE SYLLABUS 2 REVISITED

TELECOMMUNICATION (DECT) ETI 2506 Monday, 21 November 2016 LOOK AT THE SYLLABUS 2 REVISITED

DIGITAL ENHANCED CORDELESS TELECOMMUNICATION (DECT) ETI 2506 Monday, 21 November 2016 LOOK AT THE SYLLABUS 2 REVISITED CORDLESS TELEPHONE GENERATION ONE (CT CT1) 1. CT1 were developed at around 1980 to provide for limited mobility of

515 views • 26 slides
Quality of service CSCI 466: Networks Keith Vertanen

Quality of service CSCI 466: Networks Keith Vertanen

Quality of service CSCI 466: Networks Keith Vertanen Fall 2011 Overview Conges5on control and avoidance Prevent collapse of network

497 views • 30 slides
Design Space Explorer for FPGAs Dong Liu 1 , Benjamin Carrion Schafer 2 Department of Electronic

Design Space Explorer for FPGAs Dong Liu 1 , Benjamin Carrion Schafer 2 Department of Electronic

Efficient and Reliable High-Level Synthesis Design Space Explorer for FPGAs Dong Liu 1 , Benjamin Carrion Schafer 2 Department of Electronic and Information Engineering The Hong Kong Polytechnic University adam.d.liu@connect.polyu.hk 1 ,

423 views • 27 slides
Dynamic Zero Compression for Cache Energy Reduction

Dynamic Zero Compression for Cache Energy Reduction

Dynamic Zero Compression for Cache Energy Reduction

255 views • 10 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
INTEGRATED WCET ESTIMATION OF MULTICORE APPLICATIONS Dumitru Potop-Butucaru, Isabelle Puaut

INTEGRATED WCET ESTIMATION OF MULTICORE APPLICATIONS Dumitru Potop-Butucaru, Isabelle Puaut

1 INTEGRATED WCET ESTIMATION OF MULTICORE APPLICATIONS Dumitru Potop-Butucaru, Isabelle Puaut Motivation: Scalable timing analysis 2 Real-time systems: complexity steadily increases Hardware: Multi-core, networks-on-chips Software:

546 views • 28 slides
Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a Fast Instruction Cache Optimizer The problem is even more important for 1-level direct mapped caches Author: Marco Garatti On Lx ST210 the icache

477 views • 4 slides
VideoLAN VLC 3.0.0 Jean-Baptiste Kempf samedi 30 janvier 2016 Ecole Centrale Paris The Cone

VideoLAN VLC 3.0.0 Jean-Baptiste Kempf samedi 30 janvier 2016 Ecole Centrale Paris The Cone

VideoLAN VLC 3.0.0 Jean-Baptiste Kempf samedi 30 janvier 2016 Ecole Centrale Paris The Cone VLC 1M per day More than 2B over VLC lifetime 1 every 6 Mac Top 15 Windows Most used French software VLC 2.2.0 8 VLC 2.2.0 VLC 2.2.0

635 views • 27 slides

More recommend