补丁运行过程剖析。最新更新在线查看调试工具，可实时动态查看ram，7楼，超值推荐

JunFeng · 发表于 2006-2-15 14:21:08

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有帐号？注册会员

x

征用1、2楼作日志，原1、2楼帖已移至3楼

1.在浏览器中打开txt文件时，将当前文件名写入A:\temp.txt

  org 0B00000h
#define strlen 0C78536h
#define fileopen 0DBAF5Ch
#define FileWrite 0DBB91Ch
#define fileclose 0DBCD8Eh
MOV [-R0],R9                ;当前文件名pag
MOV [-R0],R8                ;当前文件名pof
MOV [-R0],R6
MOV R12,#POF(temp)    ;临时文件名
MOV R13,#PAG(temp) ;临时文件名
MOV R14,#0102h          ;文件打开方式，102=rewrite？
MOV R15,#0100h          ;100
CALLS fileopen
MOV R6,R4                   ;r4=filehandle，if success；fail=ffff
add    r4, #1
JMPR cc_Z,_35
MOV R12,R8
MOV R13,R9
ADD R12,#0B2h
CALLS strlen                ;取得文件名长度,结果返回在r4
MOV R15,R4                ;r15=写文件长度=文件名长度
MOV R12,R6                ;r6=filehandle
MOV R13,R8                ;point to buffer
MOV R14,R9                ;point to buffer
ADD R13,#0B2h
CALLS FileWrite
MOV R12,R6
CALLS FileClose
_35:
MOV R6,[R0+]
MOV R8,[R0+]
MOV R9,[R0+]
RETS
temp:
db 41h,3Ah,5Ch,74h,65h,6Dh,70h,2Eh,74h,78h,74h ;临时文件名A:\temp.txt

2.寻找查看短信时号码所在ram.

goto_D569CC, "Save No. into $" 保存号码到通讯录
》》》
seg0D5:69CC INBoxOption:                         ; DATA XREF: seg0D4:FC78o
seg0D5:69CC                                        ; seg0D4:FC7Co
seg0D5:69CC                mov    [-r0], r9
seg0D5:69CE                mov    [-r0], r8
seg0D5:69D0                sub    r0, #8
seg0D5:69D4                mov    [-r0], r12
seg0D5:69D6                mov    [-r0], r13
seg0D5:69D8                mov    [-r0], r14
seg0D5:69DA                mov    [-r0], r15
seg0D5:69DC                calls 0E5h, GetSelectMenuItem
seg0D5:69E0                mov    r8, r4
seg0D5:69E2                mov    r9, r5
seg0D5:69E4                mov    r15, [r0+]
seg0D5:69E6                mov    r14, [r0+]
seg0D5:69E8                mov    r13, [r0+]
seg0D5:69EA                mov    r12, [r0+]
seg0D5:69EC                mov    r1, r8
seg0D5:69EE                cmp    r9, #0
seg0D5:69F0                jmpr cc_NZ, loc_D569F6
seg0D5:6A36                cmp    r8, #6
seg0D5:6A38                jmpa cc_Z, loc_D56B1E 根据菜单序号，应该是6

》》》

seg0D5:6B1E loc_D56B1E:                            ; CODE XREF: seg0D5:6A38j
seg0D5:6B1E                mov    r12, #35E8h                   消息地址
seg0D5:6B22                mov    r13, #0Eh
seg0D5:6B26                mov    r14, #0B4h ; '?
seg0D5:6B2A                mov    r15, #0Bh
seg0D5:6B2C                calls 0B4h, pSendMessage?
seg0D5:6B30                jmpa cc_UC, loc_D56BBA

》》》消息结构

pag00E:35E8 pid_MMI:       dw 3062h, 11h          >>>>>
pag00E:35E8
pag00E:35EC                dw 3FF4h, 34Bh       》》》D2FFF4 在这里处理
pag00E:35F0                dw 0, 0
pag00E:35F4                dw 0C7Ch, 2D2h       》》》B48C7C

》》》

seg0D2:FFD8                dw 0FFF5h
seg0D2:FFDA                dw 434Eh             ; MsgHandleOff          这里 D3434E
seg0D2:FFDA                dw 0D3h                ; MsgHandlePage
seg0D2:FFDA                dw 436Ah             ; OnInit_Off
seg0D2:FFDA                dw 0D3h                ; OnInit_Page
seg0D2:FFDA                dw 43FAh             ; OnCancle_Off
seg0D2:FFDA                dw 0D3h                ; OnCanlce_Page
seg0D2:FFDA                dw 1EEh                ; MemCount
seg0D2:FFDA                dw 1                   ; field_E
seg0D2:FFDA                dw 3FD8h             ; Offset
seg0D2:FFDA                dw 34Bh                ; Page
seg0D2:FFEE                dw 5Ch
seg0D2:FFF0                dw 3A41h
seg0D2:FFF2                dw 5Ch
seg0D2:FFF4 word_D2FFF4: dw 7E8Ah             ; DATA XREF: InitMainFrame+8o
seg0D2:FFF6                dw 0D3h
seg0D2:FFF8                dw 4Dh
seg0D2:FFFA                dw 96h

>>>
顺D3434E找到
eg0D3:3D1E loc_D33D1E:
seg0D3:3D1E                mov    r12, #8
seg0D3:3D20                mov    [-r0], r12
seg0D3:3D22                mov    r12, #2
seg0D3:3D24                add    r12, r0       copy length  = 8+2=10
seg0D3:3D26                and    r12, #3FFFh
seg0D3:3D2A                mov    r13, DPP1
seg0D3:3D2E                extp r7, #2
seg0D3:3D30                mov    r15, [r6+2] r15= number pof？
seg0D3:3D34                mov    r14, [r6]    r14= number pag？
seg0D3:3D36                calls 0C7h, memcpy_NoOverlap ; copy memory from r14:r15 to r12:r13 lenght [r0]

[ 本帖最后由 JunFeng 于 2007-5-6 02:45 编辑 ]

JunFeng · 发表于 2006-2-15 14:28:14

在Patch中，一般的困惑就是，看到一段Flash，都是静态的内容，但如果做过Crack的都知道，需要加以动态调试才能深入了解软体的运行过程，可是西门子不会大方的送给我们开发板，那么只能自己想一些办法来。在Flash中，一般的如果是全局数据的话，我们可以看代码段或用AT指令看数据段。但如果是栈区的内容不同方法就无能为力了，此外还有函数的调用栈，这是使用的是系统栈。针对这个我写了两个小程序，一个是Dump一段连续内存，另一个是打印当前的调用栈，大家感兴趣的可以看一下！

;DumpMemory.asm

$Segmented
$Mod167

;Memory Function
Memchr EQU 0C78360h ;Finds characters in a buffer. R12 = Offset R13 = Page R14 = Char R15 = Size
Memcmp EQU 0C78388h ;[R0] = Size.
Memcpy_Src_LT_Dst EQU 0C77430h ;Memory copy. R4 = SrcOff R5 = SrcPag R10 = DstOff R11 = DstPag R3 = Size
Memcpy EQU 0C783DCh ;[r0] = size r12 = Dstoff  r13 = Dstpag r14 = Srcoff r15 = Srcpag
;String Function
Strcat EQU 0C784A6h ;Append a string. r12 = Dstoff  r13 = Dstpag r14 = Srcoff r15 = Srcpag
Strchr EQU 0C784CCh ;Find a character in a string. R12 = Offset R13 = Page R14 = Char
Strrchr EQU 0C785CCh ;Scan a string for the last occurrence of a character.
Strcmp EQU 0C784EEh ;Compare strings. r12 = Dstoff  r13 = Dstpag r14 = Srcoff r15 = Srcpag
Strcmp_Size EQU 0C78578h ;Compare strings. [R0] = Size
Strcpy EQU 0C78516h ;Copy a string. r12 = Dstoff  r13 = Dstpag r14 = Srcoff r15 = Srcpag
Strcpy_FillSize  EQU 0C7859Eh ;Copy a string,Fill #FF1Ch. [R0] = Size
Strcspn EQU 0C785F0h ;Find a substring in a string.r12 = Setoff  r13 = Setpag r14 = SubSrcoff r15 = SubSrcpag
Strset EQU 0C78416h ;Set characters of a string to a character.R12 = Offset R13 = Page R14 = Char R15 = Size
GetLength EQU 0C78536h ;R12 = Offset R13 = Page R4 = Length

;AT Function
SendATCommand  EQU 0CC9DCCh ;Send reply string.

;Address for Patch Data

Patch_Address EQU 1F8000h ;Free Space in Flash (CHANGE THIS)

Patch Section Code Word At Patch_address ; Start Patch at Patch_Address
;-------------------------------------------------------------------------------;
main proc far  ; start main of patch
;///////////////////////////////////////
;ToDo,补充被修改的位置的指令
;///////////////////////////////////////
MOV  [-R0],R12
MOV  [-R0],R13
MOV  [-R0],R14
MOV  [-R0],R15
MOV    R14,R12       ;需要Dump内存的offset
MOV    R15,R13       ;需要Dump内存的Page
MOV  R12,#400H       ;Dump的内存数量
MOV  [-R0],R12
MOV  R12,#1000H    ;Dump到0c:1000，有大段空间（约A00），如果是多次Dump，需递增地址
MOV  R13,#0CH
CALLS SEG(Memcpy),SOF(Memcpy)
ADD  R0,#2
MOV  R15,[R0+]
MOV  R14,[R0+]
MOV  R13,[R0+]
MOV  R12,[R0+]
;///////////////////////////////////////
;ToDo,补充被修改的位置的指令
;///////////////////////////////////////
  RETS
main endp
;-------------------------------------------------------------------------------;
Patch EndS

CHANGEBYTE Section Code Word At 0x35622A ; Start Patch at Patch_Address
CHANGE PROC FAR
CALLS  SEG(Patch_address+0xA00000),SOF(Patch_address+0xA00000)
CHANGE ENDP
CHANGEBYTE ENDS
END

;***************************************************************************************************

;DumpCS.asm

$Segmented
$Mod167

;Address for Patch Data
Patch_Address EQU 1F8000h ;Free Space in Flash (CHANGE THIS)

Patch Section Code Word At Patch_address ; Start Patch at Patch_Address
main proc far  ; start main of patch
mov  [-r0],r12
mov  [-r0],r13
mov  [-r0],r14
mov  [-r0],r15
mov  r4,#8    ;Dump栈的深度

; cmp  r12, #243h       ;可能满足某种条件才Dump
; jmp  CC_NZ, ProcEnd

mov  r15, r4
mov  r14, #1000h       ;Dump到C:1000
PopProc:
pop  r12
pop  r13
extp #0Ch, #1
mov  [r14],r12
add  r14,#2
extp #0Ch, #1
mov  [r14],r13
add  r14,#2
mov  [-r0],r12
mov  [-r0],r13
sub  r15,#1
jmp  CC_NZ,PopProc

mov  r15,r4
PushProc:
mov  r13,[r0+]
mov  r12,[r0+]
push r13
push r12
sub  r15,#1
jmp  CC_NZ,PushProc

ProcEnd:
mov  r15,[r0+]
mov  r14,[r0+]
mov  r13,[r0+]
mov  r12,[r0+]
; TODO
cmp    r12, #1388h
rets
main endp
Patch EndS

END

此外，还可以Dump所有的寄存器的值，这个Riza曾经写过一个Dump寄存器，和上面的类似，但是很简单，我也写过一个，这个找不到了，关键是要能Dump多次的信息，就是在Ram中增加一个计数，然后滚动的向前Dump。

?动态的寻找数据或转跳点真的是太需要了，大概看了一下dump程序，好像是把给定地址的数据复制400h字节到0c:000处，如何使用呢，是不是将需要的地址参数刷入，然后通过at调用查看呢？

对，是这样的。般的程序都只用R12，R13，R14，R15作参数。如果是键盘处理程序，会把按键的相关信息放在R15：R14里，而把主程序传入的参数放在R13：R12里，这样你可以在常用的mov r8,r12 mov r9,r13的地方hook，dumpR13：R12的内容，就可以看到很多感兴趣的东西，比如短消息列表V2的信息就是如此。

而DumpCS的用处也很大，比如你只知道某个地方显示了一个信息，那么你可以找到语言文件中信息的ID，然后Hook函数GetUStringByID，根据调用栈找到你感兴趣的地方。

Dump的调用栈在内存中显示从1000开始，是从栈顶到栈底，一般情况如果是键盘处理，很容易看到后面是系统的中断函数了。需要注意Jmps并不会把调用地址压入系统栈。

哦？这样子的啊。
狼大的意思是说，将程序挂载到某一函数后，还能发现是哪里的程序调用它了吗，那就太有用了。
不知道c167种调用时压入的顺序是什么，先是segment，然后是offset？如果是中断flag等是否也压入保存呢？盼狼大指点。

关于追踪jmps转跳地址，pinky在x86上一般用回调的方法，不知道在c167中是否仍然可用的说~

在X86中，系统栈和用户栈是通用的，而在C166中，一般是Push和Pop操作系统栈，主要存放系统信息，比如指令地址，它是先压Seg，后压Off。而用户栈一般是用[R0]作为栈顶来使用。

这样子啊~Pinky有些明白了
还有一点，在c166中如果用户程序碰到ret指令，是从[r0]栈中弹出返回地址，还是从系统栈呢？
系统栈里的内容有没有办法像x86那样通过指针寄存器来操作修改呢？

遇到rets才是从系统栈返回，ret并不存取系统栈。你可以用push在pop的办法修改。

比如常用的用函数指针调用一个函数的办法

push r5

push r4

rets

附上一个不错的在线调试查看工具，可实时动态查看ram并修改数据。。。
推荐，人手必备

需要刷这个补丁

;open bfb for 5508

12BC4A: 60 00

[ 本帖最后由 JunFeng 于 2006-2-20 22:56 编辑 ]

JunFeng · 发表于 2006-2-15 14:21:57

日志预留

[ 本帖最后由 JunFeng 于 2007-5-6 02:47 编辑 ]

JunFeng · 发表于 2006-2-15 14:23:33

由于我所知有限，实质也是不懂编程的菜鸟 ^&^
权充抛砖引玉，期待大师们的指点

补丁很难？？
nonono
简单的很
下面就以自动超频补丁为例，讲解补丁运行原理

先了解子程序的概念，比如我们6688的整个flash中的程序就是由许许多多的子程序组合而成，各个子程序实现不同的功用。。比如调用亮灯子程序灯就亮了，调用灭灯子程序灯就灭了。。。

实际子程序表现就是
比如汇编指令calls AABBCC，在补丁中就是DAAACCBB，意思是把当前地址压栈保存然后转到AABBCC这里执行，当执行到AACCBB这里的rets指令（补丁数据就是DB00），就从栈中取出DAXXXXX时保存的地址并继续执行此地址指令。

子程序一个简单例子，说说超频补丁用到的绿茶的待机patch表

待机patch表原理：
由于天线图标总是显示的，也就是说显示天线图标的子程序一直都运行的，那么加到这里的子程序也是会一直运行的。
这是绿茶的待机patch补丁

0x3637FA: DAB304DF DABF6000       DABF6000也就是呼叫子程序，地址为BF0060（补丁地址就是BF0060-A00000=1F0060）
0x1F0060: FFFFFFFF DAB304DF       上面的DABF6000就是转到这里来处理，DAB304DF就是原来上面对天线图标显示子程序，现在要还原，否则就没天线显示了。。。
0x1F0064: FFFFFFFF CC00CC00       cc00转为汇编就是nop，意为空，不做动作
0x1F0068: FFFFFFFF CC00CC00
0x1F006C: FFFFFFFF CC00CC00
0x1F0070: FFFFFFFF CC00CC00
0x1F0074: FFFFFFFF CC00CC00
0x1F0078: FFFFFFFF CC00CC00
0x1F007C: FFFFFFFF CC00CC00
0x1F0080: FFFFFFFF CC00CC00
0x1F0084: FFFFFFFF CC00CC00
0x1F0088: FFFFFFFF CC00CC00
0x1F008C: FFFFFFFF CC00CC00
0x1F0090: FFFFFFFF DB00FFFF       这里DB00就表示rets（返回），也就是说，BF0060这个子程序结束并返回到3637fa的下一条指令继续处理

地址冲突！！如何转移此补丁地址？
那么先来一个补丁地址在具体补丁数据中的表现方式
比如这里新补丁数据地址0x1F0060，要从补丁中转移到这个地址是直接用吗？比如DA1F0060？NO，这是我们对flash实体操作的物理地址，而在补丁数据中用的是cpu用的虚拟地址，在6688中物理地址和虚拟地址的转换有公式：

物理地址=虚拟地址+A00000

那么在补丁中调用0x1F0060是这样写DABF0060？NO，还是错误，这里BF0060中的BF表示这里是BF段，0060是偏移量，而在16进制中偏移量要颠倒，高位在后，低位在前，也就是6000，段是不变的，所以呢还是DABF6000

什么是段？什么是偏移量？
简单理解
由于6688 6m  的fullflash过于庞大，所以就分为一段段便于寻找，故我们可以理解为文件夹的意思
至于偏移量就可以理解为文件所在位置，只不过由于是16进制，所以在补丁中的时候要高低位对调。。

罗嗦了一大堆，那么说说如果绿茶的待机patch表和某个补丁冲突如何转移地址

其过程是非常简单的，如下

找个空白地址比如 0x123456
0x3637FA: DAB304DF DAB25634
0x123456: FFFFFFFF DAB304DF
0x123466: FFFFFFFF CC00CC00
0x123476: FFFFFFFF CC00CC00
0x123486: FFFFFFFF CC00CC00
0x123496: FFFFFFFF CC00CC00
0x1234a6: FFFFFFFF CC00CC00
0x1234b6: FFFFFFFF CC00CC00
0x1234C6: FFFFFFFF CC00CC00
0x1234D6: FFFFFFFF CC00CC00
0x1234E6: FFFFFFFF CC00CC00
0x1234F6: FFFFFFFF CC00CC00
0x123506: FFFFFFFF CC00CC00
0x123516: FFFFFFFF DB00FFFF

搞定，除了地址什么都不用改。。keke

然后看超频补丁：

53ED36: DACF4C36 DAE41E4A ;ExitProcess减速，中断系统exitprocess函数，转到E44A1E处理
5336B6: F07DF06C DAE4004A ;CreateProcess加速，中断系统create process，转到E44A00处理

444A00: F0 7D    : mov    r7, r13                         补原指令
444A02: F0 6C    : mov    r6, r12                         补原指令
444A04: DA E4 30 4A : calls 0E4h, loc_E44A30       保护寄存器子程序
444A08: DA B4 72 9B : calls 0B4h, loc_B49B72       加速程序
444A0C: DA E4 3E 4A : calls 0E4h, loc_E44A3E       还原寄存器子程序
444A10: DB 00    : rets                                                 返回
;------------------------------------------------------------
444A12: D7 40 34 00 : extp #34h, #1                            切换到34h
444A16: F3 F8 2B 3E : movb rl4, 0D3E2Bh ; (0034:3E2B)    34,3E2B处数据字节传送到r4低位（rl4）
444A1A: 49 81    : cmpb rl4, #1                                     比较rl4是否为1（1为待机）
444A1C: 3D 08    : jmpr cc_NZ, loc_444A2E                      不是待机就跳了
444A1E: DA E4 30 4A : calls 0E4h, loc_E44A30                      否则保护寄存器
444A22: DA B4 5E 9B : calls 0B4h, loc_B49B5E                      减速
444A26: DA E4 3E 4A : calls 0E4h, loc_E44A3E                      恢复寄存器
444A2A: DA CF 4C 36 : calls 0CFh, loc_CF364C                   补原指令
444A2E: DB 00    : loc_444A2E:
444A2E: DB 00    : rets                                                          返回
;------------------------------------------------------------
444A30: 88 80    : mov    [-r0], r8                                        保护寄存器子程序
444A32: 88 90    : mov    [-r0], r9
444A34: 88 C0    : mov    [-r0], r12
444A36: 88 D0    : mov    [-r0], r13
444A38: 88 E0    : mov    [-r0], r14
444A3A: 88 F0    : mov    [-r0], r15
444A3C: DB 00    : rets
;------------------------------------------------------------
444A3E: 98 F0    : mov    r15, [r0+]                                  恢复寄存器子程序
444A40: 98 E0    : mov    r14, [r0+]
444A42: 98 D0    : mov    r13, [r0+]
444A44: 98 C0    : mov    r12, [r0+]
444A46: 98 90    : mov    r9, [r0+]
444A48: 98 80    : mov    r8, [r0+]
444A4A: DB 00    : rets                         返回

解释一下，怎么知道待机标志位？这个是多看用ida反汇编后的6688全部程序所推断出来的，因为有待机idle状态，找到idle函数（也就是子程序），发现它向34，3e2b这里写入了数据，而在其他地方读取了34，3e2b的数据并根据数据来做不同的处理。。。

cpu功耗控制子程序，如下，可在补丁任意地方调用，需要保护积存器
26m hz
calls 0B4h, loc_B49B72 全速26m hz运行
13m hz
calls 0B4h, loc_B49B5E 半速13m hz运行

剖析可选补丁的原理
可选补丁一般都包含这样的数据
D7403600F2F4760D9AF409E0
红颜色的0d76就是ram地址，由这里判断是处于第几大项，36h，0d74是第二大项，36h，0d76是第三大项，第一大项可自行看看用到了的补丁。。。

蓝颜色的E0就是大项中的具体第几项，从00到F0一共16个选项，一般就是修改这里

如何做可选？先看汇编原理

      extp       #36h, #1          切换到ram中的36h
      mov       r4, 0D76h          取得应用程序3的数据
      jnb       r4.14, loc_1F6622       看第14项选择了没有，jnb是没有就跳
一般的是修改没有选择就跳到返回处了
如果用jb       r4.14, loc_1F6622       的话就是选择了才跳，也就是选择了才跳到相应的地方处理

再来个xinshou 发的如何转移冲突补丁地址：
原贴在这里http://mobile.0110.cn/viewthread.php?tid=194044&fpage=1&highlight=
冲突补丁可以非常容易地把地址改移好！

sfe的汇编/反汇编功能是非常好用的，可以很简单地翻过来/反过去。
本来就很简单，只要

sfe d patch.vkp,4f0000,300 a00000,p  >patch.asm

sfe 后面，d就是反汇编，patch.vkp是补丁，4f0000是补丁中新数据开始的地址，300是反汇编数量，A00000是基址（所有补丁基址都是A00000），p是输出为完全asm源码格式，>patch.asm 表示将结果写入patch.asm

可以对比一下这样和上面的区别
sfe d patch.vkp,4f0000,300
这里就是带补丁数据的源码格式了，不能用sfe编译的

用文本编辑软件打开patch.asm，开头有org 0EF0000字样，这里的EF0000就是上面的4F0000
把这个修改为你的空白地址
如：
替换为
org 0Fca050h  （也就是说补丁的新地址是0x5CA050,改成我们的空白地址）

再用 sfe a patch.asm p,10,a00000  >mypatch.vkp
就得到patch的补丁vkp了。
sfe后面的 a是表示编译，patch.asm是补丁的汇编源代码，p是表示输出patch补丁格式，a00000是基址, >mypatch.vkp表示将编译结果写入mypatch.vkp

如果是小补丁，下面这步可省略
最后将新旧两个补丁都反汇编成带补丁数据格式，也就是
sfe d patch.vkp,4f0000,300 >patch1.txt
sfe d mypatch.vkp,5CA050,300 >mypatch1.txt
一步步的看两个txt中calls，jmps，jmpr到的地方是否一致
如果确认无误，刷入测试。。。

如果补丁能正常工作

那么，恭喜，你大可以去试着移植补丁了。。。。

然后看看寒山转移某个补丁的实例集
（寒山兄，借你帖了，呵呵，大家看完了要支持啊。。）

如果你转移某个补丁不能成功，那么到这里看看实际过程及大家的讨论和云河的指点。。

http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD

继续寒山同学的成长帖，看完记得顶啊（这个是反映优先级的）

http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD

还来寒山同学的转移较大补丁实例（精华帖）

http://mobile.0110.cn/viewthread.ph ... %BA%AE%C9%BD&page=1

继续一个寒山同学转移一个补丁（涉及数据存储方式及补丁中如何调用，补丁中如果含数据地址的话，则转移补丁后数据地址也发生了相应变化，需调整，此贴有实际过程及解释，有xhjjxm大大指点）
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD

还有寒山同学的小修改（呵呵，改了mp3和一些其他补丁的数据了）
http://mobile.0110.cn/viewthread.ph ... ght=%2B%BA%AE%C9%BD

[ 本帖最后由 JunFeng 于 2007-5-6 02:47 编辑 ]

JunFeng · 发表于 2006-2-15 14:24:49

来个补丁转移的过程几注释
27D410: E6 F1 10 00 : mov    r1, #10h                ；把立即数10写入r1
27D414: 88 10    : mov    [-r0], r1                      ；r1入栈
27D416: E6 FC 40 3D : mov    r12, #3D40h          ；向r12写入立即数3d40
27D41A: E6 FD 11 00 : mov    r13, #11h             ；向r13写入立即数11
27D41E: E6 FE 5E 14 : mov    r14, #145Eh             ；向r14写入立即数145e
27D422: E6 FF 1F 03 : mov    r15, #31Fh                ；向r15写入立即数31f
27D426: DA C7 9E 85 : calls 0C7h, loc_C7859E    ；系统库函数strncpy，Copy string ended by 0 from r15:r14 to r13:r12

27D42A: 08 02    : add    r0, #2                            ；栈加2，也就是栈顶上移2
27D42C: D7 40 36 00 : extp #36h, #1                   ；切换到36页，有效指令一条
27D430: C2 F1 62 03 : movbz r1, 0D8362h             ; (0036:0362) 把0036:0362处的数据移动到r1
27D434: E6 FD 11 00 : mov    r13, #11h                   ；向r13写入立即数11
27D438: 46 F1 2A 00 : cmp    r1, #2Ah                      ；用r1的值减2a，且不修改r1数据，我们可以理解为判断r1是否为2a
27D43C: 2D 03    : jmpr cc_Z, loc_27D444                ；2d03 意为如果相等则跳转

ok，再看系统库函数strncpy：Copy string ended by 0 from r15:r14 to r13:r12
也就是说把31f，145e处的数据复制到11，34d0，于0结束
31f，145e怎么找？
根据狼大的教导，c166是采用段页式存储，代码用段寻址，数据用页寻址
转换成file address先
公式： file address= pag*4000+pof

这里是    31f*4000+145e=C7D45E

然后转为补丁地址
C7D45E-A00000=27D45E

为什么？公式： FILE ADDRESS=FLASH ADDRESS+A00000

地址的解释告一段落，用sfe反汇编并对比一下，你就知道为什么了
玫瑰的补丁是要把27d45e处的数据613A2F6A6176612F732F782E6A616400
复制到11，34d0，看看寒山的补丁复制的是什么。。。

原贴出处：
http://mobile.0110.cn/viewthread ... ght=%2B%BA%AE%C9%BD

通俗的地址的解释
寒山：
我是求学的好学生，谁进来帮解释一下
DAC7A0E1 是执行到：27E1A0
DAC780D0 是执行到：27D080
DAE4105F 是执行到：445F10
现在我明白地址的低位是高低换位得来的，A0E1->E1A0;80D0->D080;105F->5F10

我的问题是
但地址得高位是怎么转换得，C7->27;E4->44

wwssff (天上云河) ：
6688启动时的FLASH是加载到地址A00000那儿，所以在文件中0000000对应A00000，100000对应B00000，2对C，3对D，4对E，5对F。看狼大的FLASH修改入门。

好了
到了这里就可以看狼大的入门了

[ 本帖最后由 JunFeng 于 2006-2-17 14:54 编辑 ]

JunFeng · 发表于 2006-2-15 14:26:23

来点儿6688的硬件资料，摘自www.konca.com，康大网站
http://www.konca.com/mobile/index.html
http://www.konca.com/mobile/6688i/index.html 6688专版
有反汇编fullflash的  ida 和康大的idb文件下载
我传了些小工具和开发补丁必备资料的网盘
http://patchtools.ys168.com

C166的寻址空间是16M，它对指令和数据的寻址有点不同：共分256个指令段，每个段64K，最大段偏移是0xFFFF；共1024个数据段，每个段16K，最大段偏移是0x3FFF。
　　6688i有两块共6M(2+4)的Flash芯片用于保存程序，这6M内容被映射到0xA00000开始的连续空间上（即16M寻址空间的最后的6M）。下表更详细地阐述了空间的分配：

FF0000 - FFFFFF EEPROM
C00000 - FEFFFF 第二块Flash(4M bytes)
BF0000 - BFFFFF 第一块EEPROM(6688未使用)
A00000 - BEFFFF 第一块Flash(2M bytes)
800000 - 9FFFFF C00000-DFFFFF的映射(2M bytes)
400000 - 7FFFFF C00000-FFFFFF的映射(4M bytes)
100000 - 3FFFFF D00000-FFFFFF的映射(3M bytes)
0E0000 - 0FFFFF 空地址，用0填充(128K bytes)
080000 - 0DFFFF RAM (384K bytes, 3M bits)
050000 - 07FFFF C50000-C7FFFF的映射(192K bytes)
018000 - 04FFFF RAM (224K bytes)
010800 - 017FFF 字对齐可写内存(30K bytes)
010000 - 0107FF CPU内部ROM(2K bytes)
00F000 - 00FFFF CPU寄存器内存块
000200 - 00EFFF CPU内部RAM
000000 - 0001FF 中断向量表

　　CPU加电时，0x10000-0x107FF的CPU内部ROM被映射到0地址，且CPU从0地址开始执行代码。这些在CPU内部ROM的程序做完一些初始化和检测后会跳到Flash中的程序中。

　　我利用AT+CGSN的补丁把16M的Memory Dump了出来，用IDA进行反汇编，并对照Mamaich提供的v56lg8的IDB文件找出相应的函数，这里提供下载：6688 IDA反汇编文件 (9M, Version B)

接着上云河的帖：
原帖http://mobile.0110.cn/viewthread ... highlight=%2Bwwssff

C166处理器汇编指令

这是我整理的指令, 有些地方我也搞不懂, 请知道的朋友加上:

ADD       加
ADDB       字节加
ADDC       加带进位
ADDCB       字节加带进位
SUB       减
SUBB       字节减
SUBC       减带进位
SUBCB       字节减带进位
MUL       带符号乘
MULU       无符号乘
DIV       带符号除
DIVL       带符号长除
DIVLU       无符号长除
DIVU       无符号除
CPL       置入正号
CPLB       字节置入正号
NEG       置负
NEGB       字节置负
AND       与
ANDB       字节与
OR       或
ORB       字节或
XOR       与非
XORB       字节与非
BCLR       内存清零
BSET       内存置数
BMOV       内存导入
BMOVN       内存负导入
BAND       内存与
BOR       内存或
BXOR       内存与非
BCMP       内存比较
BFLDH
BFLDL
CMP       比较
CMPB       字节比较
CMPD1
CMPD2
CMPL1
CMPL2
PRIOR       测定循环次数
SHL       左移
SHR       右移
ROL       反转左边字节
ROR       反转右边字节
ASHR
MOV       取值
MOVB       字节取值
MOVBS       取字节值
MOVBZ       同时置零
JMPA       跳绝对地址
JMPI       回跳
JMPR       跳相对地址
JMPS       跳段地址JB       有值相对跳
JBC       跳后内存值清零
JNB       无值相对跳
JNBS       无值相对跳并入值
CALLA       绝对地址调用
CALLI       回调
CALLR       相对地址调用
CALLS       段地址调用
PCALL       调用并压栈
TRAP       调用交互值
POP       出栈
PUSH       压栈
SCXT       压栈并置入新值
RET       返回调用
RETS       返回调用
RETP       返回调用并出栈
RETI       返回最上层
SRST       重置系统
IDLE       进入空闲状态
PWRDN       进入最小活动
SRVWDT       监视时钟
DISWDT       取消监视时钟
EINIT       完成标志
ATOMIC       原子次序
EXTR       开始扩展寄存器
EXTP       开始扩展页
EXTPR       开始扩展页及寄存器
EXTS       开始扩展段
EXTSR       开始扩展段及寄存器
NOP       无操作

条件判断
cc_UC       无条件
cc_Z       零
cc_NZ       非零
cc_V       溢出
cc_NV       非溢出
cc_N       负
cc_NN       非负
cc_C       进位
cc_NC       非进位
cc_EQ       相等
cc_NE       不等
cc_ULT       无符号小于
cc_ULE       无符号小于等于
cc_UGE       无符号大于等于
cc_UGT       无符号大于
cc_SLE       小于等于
cc_SGE       大于等于
cc_SGT       大于
cc_NET       不等并且不是最后
以下是引自狼大的修改入门：

在我们的修改中，见到的大多数指令都很简单，不外乎CALL，MOV，JPR，ADD，SUB等，只需注意一下段内跳转和段间跳转即可。还有EXTP等系列指令，在修改中经常见到。他是临时更换页地址的指令，比如D7 40 34 00，为EXTP #32 #1。#32（临时页地址），#1（有效指令数）。表示下面的1条指令的页地址为32H。还需要注意的是乘和除使用乘法寄存器MD进行操作。比如Mul op1，op2执行的操作时MD=op1*op2。32位寄存器MD的地址是FF0C。MDL是FF0C，而MDH是FF0E。除法时则是先把被除数放入MD。DIV op执行的是(MDL)=(MD)/(op1)，(MDH)=(MD)mod(op1。

[ 本帖最后由 JunFeng 于 2006-2-16 18:09 编辑 ]

JunFeng · 发表于 2006-2-15 14:27:11

文件存取系统函数5601
> 0xDFA73E: open (r13:r12 -> filename, r14 - flags, r15 - mode;
> return r4
> = fd, -1 on error)
> 0xDFF6AA: fstat (r12 - fd, r14:r13 -> buffer; return r4=0 - success)
> 0xDFABAE: read (r12 - fd, r14:r13 -> buffer, r15 - size; return r4 =
> Nbytes read)
> 0xDFB868: lseek (r12 - fd, r14:r13 - offset, r15 - whence)
> 0xDFC570: close (r12 - fd)

org       0E45AC0h

loc_EBIN:
      mov       r4, #0
      jmpr       cc_UC, loc_447350

      mov       r4, #1
      jmpr       cc_UC, loc_447350

      mov       r4, #2
      jmpr       cc_UC, loc_447350

      mov       r4, #3
      jmpr       cc_UC, loc_447350

      mov       r4, #4
      jmpr       cc_UC, loc_447350

      mov       r4, #5
      jmpr       cc_UC, loc_447350

      mov       r4, #6
      jmpr       cc_UC, loc_447350

      mov       r4, #7
      jmpr       cc_UC, loc_447350

      mov       r4, #8
      jmpr       cc_UC, loc_447350

      mov       r4, #9
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ah
      jmpr       cc_UC, loc_447350

      mov       r4, #0Bh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ch
      jmpr       cc_UC, loc_447350

      mov       r4, #0Dh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Eh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Fh
      jmpr       cc_UC, loc_447350
loc_447350:
      mov       [-r0], r4
      mov r12, #10h
      mov       [-r0], r12
      mov       r12, #0000h
      mov       r13, #23h
      mov       r14, #pof(ebindw)
      mov       r15, #pag(ebindw)
      calls       0C7h, 83DCh
      add r0, #2
      mov       r4, [r0+]
      add       r4, #6161h
      mov       r13, #23h
      mov       r12, #0000h
      extp       r13, #2
      movb       [r12+#9], rh4
      movb       [r12+#0Ah], rl4
      mov       r14, r12
      mov       r15, r13
      callr loc_readbin
      rets
loc_FAM33:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_pFAM32
      mov       r12, #1
      calls       0C5h, 0BECAh
      cmp       r4, #3
      jmpr       cc_Z, loc_callin
      mov       r12, #sof(playmp3)
      mov       r13, #seg(playmp3)
      push       r13
      push       r12
loc_callin:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
loc_445AF0:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_NZ, loc_445AF0
loc_pFAM32:
      cmp       r8, #40h
      jmpr       cc_Z, loc_445B06
      cmp       r8, #22h
      jmps       0DCh, 1EDEh

loc_445B06:
      mov       r4, [r0+#0Ah]
      mov       r5, [r0+#0Ch]
      mov       r12, [r0+#0Eh]
      mov       r13, [r0+#10h]
      calls       0C7h, 0EE88h
      jmps       0DCh, 2B60h

loc_FAM32:
      mov       [-r0], r15
      mov       [-r0], r14
      mov       [-r0], r13
      mov       [-r0], r12
      mov       r12, #3870h
      mov       r13, #0Eh
      mov       r14, #40h
      mov       r15, #0
      calls       0B4h, 724Ch
      add       r0, #8
      rets
playmp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
loc_445B30:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_445B30
      rets

loc_exttable:
      cmpb       rl6, #06h
      jmpr       cc_Z, loc_BFA
      cmpb       rl6, #14h
      jmpr       cc_Z, loc_TXT
loc_expret:
      jmps       0D3h, 2B0h

loc_BFA:
      callr       loc_pBFA
      jmpr       cc_UC, loc_expret

loc_TXT:
      callr       loc_pTXT
      jmpr       cc_UC, loc_expret

loc_pBFA:
      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h
loc_readbin:
      mov       r12, #sof(pBFAROUTIME)
      mov       r13, #seg(pBFAROUTIME)
      calls       0E5h, 0FFF2h
      ret
loc_pTXT:
      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h
      mov       r14, [r0+]
      mov       r15, [r0+]
      calls loc_copyname
      mov       r12, #0000h
      extp    #37h, #1
      mov       3FF2h, r12
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r12, #sof(TXTROUTIME)
      mov       r13, #seg(TXTROUTIME)
      calls       0E5h, 0FFF2h
      ret
loc_copyname:

      mov       r12, #30h
      mov       [-r0], r12
      mov       r12, #3F00h
      mov       r13, #33h
      calls       0C7h, 83DCh
      rets

pBFAROUTIME:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      mov       r8, r4
      cmp       r8, #0FFFFh
      jmpa       cc_NZ, loc_445BC0
      mov       r12, #1
      mov       r13, #04B3h
      calls       0E6h, 00538h
      rets
loc_445BC0:
      mov       r12, r8
      mov       r9, #20h
loc_445B9A:
      mov       r14, r9
      mov       r13, #0
      mov       r15, #4000h
      calls       0DBh, 0B3CCh
      mov       r12, r8
      cmp       r4, #4000h
      jmpr       cc_C, loc_445BB8
      cmp       r9, #23h
      jmpr       cc_Z, loc_445BB8
      add       r9, #1
      jmpr       cc_UC, loc_445B9A

loc_445BB8:
      calls       0DBh, 0CD8Eh
      calls       8, 0
      rets


loc_IDLE:
      calls       loc_IDLESUB
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      calls       0C8h, 0C3EEh
      rets

loc_memadd:
      mov       r8, r4
      mov       r9, r5
      jmpr       cc_UC, loc_445C00

loc_bh_imeadd:
      mov r6, r4
      mov r7, r5
      jmpr       cc_UC, loc_445C00

loc_IDLESUB:
      extp       #34h, #1
      movb       rl4, 3E2Bh
      cmpb       rl4, #1
      jmpr       cc_Z, loc_445C0E
      rets

loc_Creatprocessadd:
      mov       r7, r13
      mov       r6, r12
loc_445C00:
      callr       loc_445C18
      calls       0B4h, 9B72h
      callr       loc_445C26
      rets

loc_exitprocesssub:
      calls       0CFh, 364Ch
loc_445C0E:
      callr       loc_445C18
      calls       0B4h, 9B5Eh
      callr       loc_445C26
      rets

loc_445C18:
      mov       [-r0], r8
      mov       [-r0], r9
      mov       [-r0], r12
      mov       [-r0], r13
      mov       [-r0], r14
      mov       [-r0], r15
      ret

loc_445C26:
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r13, [r0+]
      mov       r12, [r0+]
      mov       r9, [r0+]
      mov       r8, [r0+]
      ret

TXTROUTIME:
      calls loc_readdata
      calls 0E4h, 6300h
      rets

loc_readdata:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      cmp       r4, #0FFFFh
      jmpr       cc_Z, loc_445CBE
      mov r8, r4
      extp       #37h, #1
      mov       3FF0h, r8
      calls       loc_txtread
      extp #37h, #1
      mov r15, 3FF2h
loc_loop:
      extp #37h, #1
      mov r4, 3FF4h
      cmp r4, #4000h
      jmpr cc_C, loc_closefile
      cmp r15, #0
      jmpr       cc_Z, loc_closefile
      mov    [-r0], r15
      calls       loc_txtread
      mov    r15, [r0+]
      sub r15, #1
      jmpr cc_UC, loc_loop

loc_closefile:
      extp       #37h, #1
      mov       r12, 3FF0h
      calls       0DBh, 0CD8Eh
loc_445CBE:
      rets

loc_txtread:
      extp       #37h, #1
      mov       r12, 3FF0h
      mov       r13, #100h
      mov       r9, #20h
      mov       r15, #3F00h
loc_445CD4:
      mov       r14, r9
      calls       0DBh, 0B3CCh
      extp       #37h, #2
      mov       3FF0h, r8
      mov 3FF4h, r4
      mov       r12, r8
      cmp       r4, #3F00h
      jmpr       cc_C, loc_445CFA
      cmp       r9, #26h
      jmpr       cc_Z, loc_445CFA
      add       r9, #1
      mov       r13, #0
      mov       r15, #4000h
      jmpr       cc_UC, loc_445CD4

loc_445CFA:
      mov       r2, r4
      cmp       r4, #4000h
      jmpr       cc_NZ, loc_445D08
      sub       r4, #4000h
      add       r9, #1
loc_445D08:
      cmp       r9, #20h
      jmpr       cc_NZ, loc_445D12
      add       r4, #100h
loc_445D12:
      mov       r12, #0
      extp       r9, #1
      mov       [r4], r12
      mov       r9, #0
      mov       r13, #20h
      mov       r14, #0FFh
      mov       r15, #100h
      calls       0C7h, 8416h
      rets
loc_loopread:
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      extp #37h, #1
      mov r12, 3FF2h
      add r12, #1
      extp #37h, #1
      mov 3FF2h, r12
      mov       r12, #sof(loc_readdata)
      mov       r13, #seg(loc_readdata)
      mov       r14, #3F00h
      mov       r15, #33h
      calls       0E5h, 0FFF2h
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      rets

loc_smsmp3:
      mov    r9, r13
      mov    r8, r12
      mov    [-r0], r4
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      calls       loc_ispause
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      mov    r4, [r0+]
      rets
loc_ispause:
      extp #32h, #1
      movb       rl4, 2F7Ch
      cmpb       rl4, #4
      jmpr       cc_Z, loc_smsplaymp3
      cmpb       rl4, #1
      jmpr       cc_Z, loc_smspausemp3
      rets
loc_smspausemp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
      rets
loc_smsplaymp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
      rets


ebindw:
      db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h




jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd

calls loc_loopread
calls loc_smsmp3
calls loc_bh_imeadd
end

下面是我改的txt关联的主程序
可以直接在ram阅读中切换到进入时的栈顶，然后calls 0E4h, 627Eh，就可以读下一部分数据，不过我找不到需要的栈顶。。。

org 0E46212h

calls 0E4h, 621Ah
jmps 0D3h, 2B0h                退出mmc浏览器

mov r14, r8                      r8，r9  point to file name  ascⅡ
mov r15, r9
add r14, #0B2h
mov r12, #6230h
mov r13, #0E4h
calls 0E4h, 484Ch                calls fam3.2，传送文件名到r12，r13并执行r到14，r15所在
rets

mov r14, #0                      r14，r15指向这里
mov r15, #0
calls 0DBh, 0AF5Ch          open file，-1=faild，if open，r4=filehandle
mov r8, r4
cmp r8, #0FFFFh             打开失败？
jmpr cc_Z, loc_44626C       失败就出去返回
extp #37h, #1
mov 3FFEh, r8                   将filehandle保存到37h，3ffe
calls 0E4h, 627Eh                自己写的ram阅读专用读文件子程序
extp #36h, #1                   取得应用程序菜单第2大项
mov r4, 0D74h
jb r4.14, loc_44625C       第二大项14处，没选跳
calls 0E4h, 627Eh                ram读文件
extp #36h, #1                      取得应用程序菜单
mov r4, 0D74h
jb r4.14, loc_44625C       没选跳
calls 0E4h, 627Eh                ram读文件

loc_44625C:
calls 0E4h, 6300h                   到ram阅读器
extp #37h, #1                      取得filehandle
mov r12, 3FFEh
calls 0DBh, 0CD8Eh                close file
loc_44626C:
rets

这里是ram阅读专用读文件子程序
extp #37h, #1
mov r12, 3FFEh             取得filehandle
mov r13, #100h             读文件的buffer pof
mov r9, #20h                                  buffer pag
mov r15, #3F00h                            size
loc_446282:
mov r14, r9
calls 0DBh, 0B3CCh readfile，r12=f hle，r13=b pof，r14=b pag，r15=size，读取完成后，r8=filehandle，r4=N bytes read

extp #37h, #1                   保存读文件后的filehandle
mov 3FFEh, r8
mov r12, r8                         filehandle到r12，为继续读做准备
cmp r4, #3F00h                   是否读了16k
jmpr cc_C, loc_4462A8          小于16k就说明文件本身小于16k，跳出
cmp r9, #2Ah                      比较b buffer pag是否为2A,限制最大为2A
jmpr cc_Z, loc_4462A8          是2a就出去
add r9, #1                            否则buffer page  +1
mov r13, #0                                  buffer pof
mov r15, #4000h                            size
jmpr cc_UC, loc_446282                循环

loc_4462A8:
cmp r4, #4000h                               是否读了16k
jmpr cc_NZ, loc_4462B4                   不是就跳
sub r4, #4000h                               否则将r4清零
add r9, #1                                        buffer page+1
loc_4462B4:
cmp r9, #20h                                  比较buffer pag是否是20
jmpr cc_NZ, loc_4462BE                   不是就跳
add r4, #100h                                  否则 r4+100=buffer pof
loc_4462BE:
mov r12, #0
extp r9, #1
mov [r4], r12                                     0写入buffer pof，即文本结束位置
mov r9, #0                                     r9清空
mov r13, #20h                               pag
mov r14, #0FFh                               用FF填充
mov r15, #100h                               size
calls 0C7h, 8416h                            内存快速填充函数，r13=pag，r12=pof，r14=填充数据，r15=数量
rets

end

; *** FTA v2.1. No Case Sensitive ***
; *** File Type Association v2.0 ***
; Copiright(C)2005 by Rst7/CBSIE
;
; Need FAM3.2 & ESI patch. Undo all FAM2 stuff
; and patches, used FAM2 (JSTV and other)
;
; Patch use text file A:\execute.ext as
;
; ...
; file_extention:full_path_and_name_of_binfile
; ...
;
; One line - one extention. Without spaces!
; If extention not found, run
; last binfile defined in execute.ext
;
; For coders: full path and name of openfile
; passed to binfile trows R12/R13 as far pointer
; to ASCIIZ string
;
; Check R13 (_pof(commandline)) for 0x35 - if equ
; then run from FTA, else run from BFA
;
; Version 2.1->Use any case of chars in file extention and record in execute.ext
;
; Необходим FAM3.2 и ESI, откатить все барахло
; FAM2 и кто его пользует (JSTV и остальное).
;
; Использует текстовый файл A:\execute.ext в виде
;
; ...
; расширение:полный_путь_и_имя_бинарника
; ...
;
; Одна строка - одно расширение. Без пробелов!
; Для неизвестных расширений - запуск
; бинарника в последней записи
;
; Для кодеров: полный путь и имя открываемого
; файла передается в бинарник через R12/R13 как
; far-указатель на ASCIIZ строку.
;
; Сравнить R13 (_pof(commandline)) с 0x35 - если равно,
; то запущен через FTA, иначе через BFA.
;
; Версия 2.1->Не зависима от регистра символов расширения и записи в execute.ext
;使用方式，在mmc根目录新建文本文件execute.ext，内容格式如下
;org:A:/bin/fileorg.bin >>意为关联org文件到A:\fileorg.bin
;txt:A:/bin/ted.bin       >>关联txt文件到A:\bin\ted.bin
;sie:A:/bin/null.bin
;注意！！！sie:A:/bin/null.bin必须在最后（该文件只需要4个16进制的字符就行db00）
;否则它会将未知文件关联到定义的最后一个bin上

003874CE: EAE01876 FAE4304F
0x445BE0: FAD3B002 FAE4304F
00444F20: 2A2A2A204654412076322E31202A2A2AFAE4384FFAD3B002F0E8F0F906FEB200
00444F40: E6FCBA51E6FDE400DAE5F2FFFAD3B002F04CF05DFAE4C07E
00444F58: 413A5C657865637574652E657874000000000000000000000000000000000000
00444F78: 071291032E1291031E129103
00444F84: 889088808870886026F00801F07DF06CE009E00CE00DC4C00201C4D00401F0C6
00444FA4: F0D7DAC73685F084EA20A85146F87F00EAE0A851F0C6F0D7DAC736850064F0C6
00444FC4: F0D70D0828813D05E6F60612E6F791030D072861DC47F426FFFF47F22E003DF2
00444FE4: E6FC580FE6FD9103E00EE00FDADB5CAFC440000146F4FFFFEA209E51F0C4F0D0
00445004: 66FDFF3FF2FE02FEE6FF8000DADBCCB3F084E6FC8000C4C0060146F880009D17
00445024: E1020080B9280D2CE6F880008880E02C00C066FCFF3FF2FD02FEE6FE820000E0
00445044: 66FEFF3FF2FF02FEDAC7B4830802D4C00001E6FD800000D066FDFF3FF2FE02FE
00445064: E6FF8000DADBCCB3F08446F880009D08E1020080E4288000E6F80001C4800601
00445084: E008D4C00601408C2DCFF0D8088100D0A92DEA20205146F9FFFF2D0446F9FEFF
004450A4: 2D0F0D1647F23A003D0BF0C066FCFF3FF2FD02FE00C8C4C00201C4D004012891
004450C4: 47F20D002D0347F20A003DDBE0090DD947F20D002D0347F20A003D02E0090DD1
004450E4: 47F23A003D06F0C6F0D700C9DC4DA94C2D21F011C02CDADBA6D88840F0C6F0D7
00445104: 00C9DC4DA92CC02CDADBA6D8981041283D0208910DB6E6F9FFFF0DB3D4800201
00445124: D490040170893D10E01CE6FD290EDAE638050D38F09066F9FF3FF2F602FE0098
00445144: C4900201C4600401D4C00001DADB8ECDE0080D010881D4C00201D4D0040100C8
00445164: DC4DA9CC47FC1F00EDF5E10CDC4DB9CCD4C00201D4D00401E00EE00FDADB5CAF
00445184: C440000146F4FFFF3D05E01CE6FD280EDAE63805D44000010D07E01CE6FD270E
004451A4: DAE63805E6F4FFFF06F008019860987098809890DB00889088808860F06DF09C
004451C4: E6FC780FE6FD9103DAE4504FF0C9F0D6DAE4844FF08446F8FFFF2D0FF0C8E00D
004451E4: E6FE2000E6FF0040DADBCCB3F0C8DADB8ECDF0C9F0D6DA080000986098809890
00445204: DB00
00445206: 00455845435554452E4558540D6E6F7420666F756E6421004E6F7468696E6720
00445226: 746F2072756E210042696E2066696C650D6E6F7420666F756E642

org       0E45AC0h

loc_EBIN:
      mov       r4, #0
      jmpr       cc_UC, loc_447350

      mov       r4, #1
      jmpr       cc_UC, loc_447350

      mov       r4, #2
      jmpr       cc_UC, loc_447350

      mov       r4, #3
      jmpr       cc_UC, loc_447350

      mov       r4, #4
      jmpr       cc_UC, loc_447350

      mov       r4, #5
      jmpr       cc_UC, loc_447350

      mov       r4, #6
      jmpr       cc_UC, loc_447350

      mov       r4, #7
      jmpr       cc_UC, loc_447350

      mov       r4, #8
      jmpr       cc_UC, loc_447350

      mov       r4, #9
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ah
      jmpr       cc_UC, loc_447350

      mov       r4, #0Bh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ch
      jmpr       cc_UC, loc_447350

      mov       r4, #0Dh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Eh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Fh
      jmpr       cc_UC, loc_447350
loc_447350:
      mov       [-r0], r4
      mov r12, #10h
      mov       [-r0], r12
      mov       r12, #0000h
      mov       r13, #23h
      mov       r14, #pof(ebindw)
      mov       r15, #pag(ebindw)
      calls       0C7h, 83DCh
      add r0, #2
      mov       r4, [r0+]
      add       r4, #6161h
      mov       r13, #23h
      mov       r12, #0000h
      extp       r13, #2
      movb       [r12+#9], rh4
      movb       [r12+#0Ah], rl4
      mov       r14, r12
      mov       r15, r13
      callr loc_readbin
      rets
loc_FAM33:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_pFAM32
      mov       r12, #1
      calls       0C5h, 0BECAh
      cmp       r4, #3
      jmpr       cc_Z, loc_callin
      mov       r12, #sof(playmp3)
      mov       r13, #seg(playmp3)
      push       r13
      push       r12
loc_callin:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
loc_445AF0:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_NZ, loc_445AF0
loc_pFAM32:
      cmp       r8, #40h
      jmpr       cc_Z, loc_445B06
      cmp       r8, #22h
      jmps       0DCh, 1EDEh

loc_445B06:
      mov       r4, [r0+#0Ah]
      mov       r5, [r0+#0Ch]
      mov       r12, [r0+#0Eh]
      mov       r13, [r0+#10h]
      calls       0C7h, 0EE88h
      jmps       0DCh, 2B60h

loc_FAM32:
      mov       [-r0], r15
      mov       [-r0], r14
      mov       [-r0], r13
      mov       [-r0], r12
      mov       r12, #3870h
      mov       r13, #0Eh
      mov       r14, #40h
      mov       r15, #0
      calls       0B4h, 724Ch
      add       r0, #8
      rets
playmp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
loc_445B30:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_445B30
      rets

loc_exttable:
      cmpb       rl6, #6h
      jmpr       cc_Z, loc_BFA
      cmpb       rl6, #14
      jmpr       cc_Z, loc_TXT
loc_expret:
      jmps       0D3h, 2B0h

loc_BFA:
      callr       loc_pBFA
      jmpr       cc_UC, loc_expret

loc_TXT:
      callr       loc_pTXT
      jmpr       cc_UC, loc_expret

loc_pBFA:
      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h
loc_readbin:
      mov       r12, #sof(pBFAROUTIME)
      mov       r13, #seg(pBFAROUTIME)
      calls       0E5h, 0FFF2h
      ret
loc_pTXT:

      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h
      mov       r14, [r0+]
      mov       r15, [r0+]
      calls loc_copyname
      mov       r12, #0000h
      extp    #37h, #1
      mov       3FF2h, r12
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r12, #sof(ptxtread)
      mov       r13, #seg(ptxtread)
      calls       0E5h, 0FFF2h
      ret

pBFAROUTIME:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      mov       r8, r4
      cmp       r8, #0FFFFh
      jmpa       cc_NZ, loc_445BC0
      mov       r12, #1
      mov       r13, #04B3h
      calls       0E6h, 00538h
      rets
loc_445BC0:
      mov       r12, r8
      mov       r9, #20h
loc_445B9A:
      mov       r14, r9
      mov       r13, #0
      mov       r15, #4000h
      calls       0DBh, 0B3CCh
      mov       r12, r8
      cmp       r4, #4000h
      jmpr       cc_C, loc_445BB8
      cmp       r9, #23h
      jmpr       cc_Z, loc_445BB8
      add       r9, #1
      jmpr       cc_UC, loc_445B9A

loc_445BB8:
      calls       0DBh, 0CD8Eh
      calls       8, 0
      rets


loc_IDLE:
      calls       loc_IDLESUB
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      calls       0C8h, 0C3EEh
      rets

loc_memadd:
      mov       r8, r4
      mov       r9, r5
      jmpr       cc_UC, loc_445C00

loc_IDLESUB:
      extp       #34h, #1
      movb       rl4, 3E2Bh
      cmpb       rl4, #1
      jmpr       cc_Z, loc_445C0E
      rets

loc_Creatprocessadd:
      mov       r7, r13
      mov       r6, r12
loc_445C00:
      callr       loc_445C18
      calls       0B4h, 9B72h
      callr       loc_445C26
      rets

loc_exitprocesssub:
      calls       0CFh, 364Ch
loc_445C0E:
      callr       loc_445C18
      calls       0B4h, 9B5Eh
      callr       loc_445C26
      rets

loc_445C18:
      mov       [-r0], r8
      mov       [-r0], r9
      mov       [-r0], r12
      mov       [-r0], r13
      mov       [-r0], r14
      mov       [-r0], r15
      ret

loc_445C26:
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r13, [r0+]
      mov       r12, [r0+]
      mov       r9, [r0+]
      mov       r8, [r0+]
      ret

ptxtread:

      calls loc_readdata
      calls 0E4h, 6300h
      RETS
loc_readdata:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      cmp       r4, #0FFFFh
      jmpr       cc_Z, loc_445CBE
      mov r8, r4
      extp       #37h, #1
      mov       3FF0h, r8
      calls       loc_txtread
      extp #37h, #1
      mov r15, 3FF2h

loc_loop:
      extp #37h, #1
      mov r4, 3FF4h
      cmp r4, #4000h
      jmpr cc_C, loc_closefile
      cmp r15, #0
      jmpr       cc_Z, loc_closefile
      mov       [-r0], r15
      calls       loc_txtread
      mov    r15, [r0+]
      sub    r15, #1
      jmpr cc_UC, loc_loop


loc_closefile:
      extp       #37h, #1
      mov       r12, 3FF0h
      calls       0DBh, 0CD8Eh
loc_445CBE:
      rets

loc_txtread:
      extp       #37h, #1
      mov       r12, 3FF0h
      mov       r13, #100h
      mov       r9, #20h
      mov       r15, #3F00h
loc_445CD4:
      mov       r14, r9
      calls       0DBh, 0B3CCh
      extp       #37h, #2
      mov       3FF0h, r8
      mov 3FF4h, r4
      mov       r12, r8
      cmp       r4, #3F00h
      jmpr       cc_C, loc_445CFA
      cmp       r9, #26h
      jmpr       cc_Z, loc_445CFA
      add       r9, #1
      mov       r13, #0
      mov       r15, #4000h
      jmpr       cc_UC, loc_445CD4

loc_445CFA:
      cmp       r4, #4000h
      jmpr       cc_NZ, loc_445D08
      sub       r4, #4000h
      add       r9, #1
loc_445D08:
      cmp       r9, #20h
      jmpr       cc_NZ, loc_445D12
      add       r4, #100h
loc_445D12:
      mov       r12, #0
      extp       r9, #1
      mov       [r4], r12
      mov       r9, #0
      mov       r13, #20h
      mov       r14, #0FFh
      mov       r15, #100h
      calls       0C7h, 8416h
      rets
loc_loopread:
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      extp #37h, #1
      mov r12, 3FF2h
      add r12, #1
      extp #37h, #1
      mov 3FF2h, r12
      mov       r12, #sof(loc_readdata)
      mov       r13, #seg(loc_readdata)
      mov       r14, #3F00h
      mov       r15, #33h
      calls       0E5h, 0FFF2h
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      rets

loc_smsmp3:
      mov    r9, r13
      mov    r8, r12
      mov    [-r0], r4
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      calls       loc_ispause
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      mov    r4, [r0+]
      rets
loc_ispause:
      extp #32h, #1
      movb       rl4, 2F7Ch
      cmpb       rl4, #4
      jmpr       cc_Z, loc_smsplaymp3
      cmpb       rl4, #1
      jmpr       cc_Z, loc_smspausemp3
      rets
loc_smspausemp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
      rets
loc_smsplaymp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
      rets

loc_copyname:

      mov       r12, #30h
      mov       [-r0], r12
      mov       r12, #3F00h
      mov       r13, #33h
      calls       0C7h, 83DCh
      rets

ebindw:
      db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h




jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end

[ 本帖最后由 JunFeng 于 2006-4-22 05:00 编辑 ]

JunFeng · 发表于 2006-2-15 14:28:45

这里由于直接用的memcpy函数复制文件名,不知是否完整复制了文件名,连续读也许会有问题,但是mmc exp里开txt文件该不死机了(原来的的确是出错了,把文件名弄丢了^}^.
很久想弄个复制文件名的小函数,能够返回文件名的长度,在设想的一些补丁中较多处需要调用...(比如增加历史记录就需要)

txt读取大小改到了安全范围.改成调用输入法加速(减少死机)

读ansi格式txt死机记得在用b大的文件关联1.2的时候就有读某些ansi格式txt死机的情况(用的fam0.9),而且我曾经试过,对于ansi的txt,在读数据的时候就已经死机了...未知原因,可能难以解决

;UNI 0.2b
;改为真正的连续读,按2直接读下一部分,需要测试,我无数据线
;忘了很多东西,也许会有些许小错误,呵呵,请再测试
;如果有时间就完善之,看看filewrite函数也许还会加入历史记录,如同microreader,就算重启也可回到最后读到的部分

;BFA 2.2 FINAL
0x32cc34: 6C6462 747874
0032cbf2: 6C6462 747874
;txt文件关联到ram阅读
0x32cca4: 6C6E67 62696E
0x32ccba: 6C6E67 62696E

0x3C1EDA: 46F82200 FAE43E5B ;FAM 3.31
0x45FFF2: FFFFFFFF FAE49C5B ;FAM 3.2
0x330184: EA00B002 FAE4D65B ;系统扩展文件关联表
0x3CF78E: DAC8EEC3 DAE4905C ;IDLE表

;0x5336B6: F07DF06C DAE4D05C ;创建应用程序立即加速,默认未启用
;0x53ED36: DACF4C36 DAE4DE5C ;退出应用程序立即减速
;0x3389AA: F084F095 DAE4B65C ;有动作就全速，功耗较高，不推荐

446696: DAE47A68 DAE4D25D ;开启ram连续读功能
;34441C: F09DF08C DAE40A5E ;查看短消息暂停mp3
;34437E: F09DF08C DAE40A5E ;查看短消息暂停mp3
2E94AC: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2E965A: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2EECCC: F09DF08C DAE40A5E ;访问通讯录暂停mp3
2EED5A: F09DF08C DAE40A5E ;访问通讯录暂停mp3

0x43F224: F064F075 DAE4BC5C ;笔画加速
0x43C7B2: F084F095 DAE4B65C ;拼音加速

0x445AC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0040D1EE0140D1CE0240D1AE0340D18
0x445AD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0440D16E0540D14E0640D12E0740D10
0x445AE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0840D0EE0940D0CE0A40D0AE0B40D08
0x445AF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0C40D06E0D40D04E0E40D02E0F40D00
0x445B00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 8840E6FC100088C0E6FC0000E6FD2300
0x445B10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FE621EE6FF9103DAC7DC8308029840
0x445B20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 06F46161E6FD2300E6FC0000DC5DE49C
0x445B30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0900E48C0A00F0ECF0FDBB5CDB00DACA
0x445B40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF C01D48402D18E01CDAC5CABE48432D06
0x445B50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FCBA5BE6FDE400ECFDECFCE6FCE835
0x445B60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E0EDE6FEAC00E6FF2400DAB44C72DACA
0x445B70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF C01D48403DFC46F840002D0446F82200
0x445B80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FADCDE1ED4400A00D4500C00D4C00E00
0x445B90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF D4D01000DAC788EEFADC602B88F088E0
0x445BA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88D088C0E6FC7038E0EDE6FE4000E00F
0x445BB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAB44C7206F00800DB00E6FCE835E0ED
0x445BC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FEAC00E6FF2600DAB44C72DACAC01D
0x445BD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 48402DFCDB0049C62D0547FC14002D04
0x445BE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FAD3B002BB030DFCBB0C0DFAF0E8F0F9
0x445BF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 06FEB200E6FC445CE6FDE400DAE5F2FF
0x445C00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CB00F0E8F0F906FEB20098E098F0DAE4
0x445C10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 305CE6FC0000D7403700F6FCF23F98F0
0x445C20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98E0E6FC085DE6FDE400DAE5F2FFCB00
0x445C30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FC300088C0E6FC003FE6FD3300DAC7
0x445C40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DC83DB00E00EE00FDADB5CAFF08446F8
0x445C50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFFFEA30625CE01CE6FDB304DAE63805
0x445C60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00F0C8E6F92000F0E9E00DE6FF0040
0x445C70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DADBCCB3F0C846F400408D0546F92300
0x445C80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2D0208910DF1DADB8ECDDA080000DB00
0x445C90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAE4C25CCC00CC00CC00CC00CC00CC00
0x445CA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF CC00CC00CC00CC00CC00CC00CC00CC00
0x445CB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DAC8EEC3DB00F084F0950D0CF064F075
0x445CC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0D09D7403400F3F82B3E49812D0ADB00
0x445CD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F07DF06CBB0BDAB4729BBB0FDB00DACF
0x445CE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 4C36BB04DAB45E9BBB08DB0088808890
0x445CF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88C088D088E088F0CB0098F098E098D0
0x445D00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98C098909880CB00DAE4125DDAE40063
0x445D10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00E00EE00FDADB5CAF46F4FFFF2D20
0x445D20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F084D7403700F6F8F03FDAE4625DD740
0x445D30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 3700F2FFF23FD7403700F2F4F43F46F4
0x445D40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 00408D0848F02D0688F0DAE4625D98F0
0x445D50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 28F10DF1D7403700F2FCF03FDADB8ECD
0x445D60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00D7403700F2FCF03FE6FD0001E6F9
0x445D70: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2000E6FF003FF0E9DADBCCB3D7503700
0x445D80: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F6F8F03FF6F4F43FF0C846F4003F8D08
0x445D90: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 46F926002D050891E00DE6FF00400DEB
0x445DA0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F02446F400403D0326F40040089146F9
0x445DB0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 20003D0206F40001E00CDC49B8C4E009
0x445DC0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FD2000E6FEFF00E6FF0001DAC71684
0x445DD0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB0088C088D088E088F0D7403700F2FC
0x445DE0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF F23F08C1D7403700F6FCF23FE6FC125D
0x445DF0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FDE400E6FE003FE6FF3300DAE5F2FF
0x445E00: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98F098E098D098C0DB00F09DF08C8840
0x445E10: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 88C088D088E088F0DAE4285E98F098E0
0x445E20: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 98D098C09840DB00D7403200F3F87C2F
0x445E30: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 49842D0D49812D01DB00E6FCE835E0ED
0x445E40: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E6FEAC00E6FF2400DAB44C72DB00E6FC
0x445E50: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E835E0EDE6FEAC00E6FF2600DAB44C72
0x445E60: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DB00613A5C7A62696E5C7A61612E6269
0x445E70: FFFF 6E00

org 0E45AC0h

loc_EBIN:
mov r4, #0
jmpr cc_UC, loc_447350

mov r4, #1
jmpr cc_UC, loc_447350

mov r4, #2
jmpr cc_UC, loc_447350

mov r4, #3
jmpr cc_UC, loc_447350

mov r4, #4
jmpr cc_UC, loc_447350

mov r4, #5
jmpr cc_UC, loc_447350

mov r4, #6
jmpr cc_UC, loc_447350

mov r4, #7
jmpr cc_UC, loc_447350

mov r4, #8
jmpr cc_UC, loc_447350

mov r4, #9
jmpr cc_UC, loc_447350

mov r4, #0Ah
jmpr cc_UC, loc_447350

mov r4, #0Bh
jmpr cc_UC, loc_447350

mov r4, #0Ch
jmpr cc_UC, loc_447350

mov r4, #0Dh
jmpr cc_UC, loc_447350

mov r4, #0Eh
jmpr cc_UC, loc_447350

mov r4, #0Fh
jmpr cc_UC, loc_447350
loc_447350:
mov [-r0], r4
mov r12, #10h
mov [-r0], r12
mov r12, #0000h
mov r13, #23h
mov r14, #pof(ebindw)
mov r15, #pag(ebindw)
calls 0C7h, 83DCh
add r0, #2
mov r4, [r0+]
add r4, #6161h
mov r13, #23h
mov r12, #0000h
extp r13, #2
movb [r12+#9], rh4
movb [r12+#0Ah], rl4
mov r14, r12
mov r15, r13
callr loc_readbin
rets
loc_FAM33:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_pFAM32
mov r12, #1
calls 0C5h, 0BECAh
cmp r4, #3
jmpr cc_Z, loc_callin
mov r12, #sof(playmp3)
mov r13, #seg(playmp3)
push r13
push r12
loc_callin:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch
loc_445AF0:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_NZ, loc_445AF0
loc_pFAM32:
cmp r8, #40h
jmpr cc_Z, loc_445B06
cmp r8, #22h
jmps 0DCh, 1EDEh

loc_445B06:
mov r4, [r0+#0Ah]
mov r5, [r0+#0Ch]
mov r12, [r0+#0Eh]
mov r13, [r0+#10h]
calls 0C7h, 0EE88h
jmps 0DCh, 2B60h

loc_FAM32:
mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov r12, #3870h
mov r13, #0Eh
mov r14, #40h
mov r15, #0
calls 0B4h, 724Ch
add r0, #8
rets
playmp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch
loc_445B30:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_445B30
rets

loc_exttable:
cmpb rl6, #14h
jmpr cc_Z, loc_BFA
cmpb rl6, #6
jmpr cc_Z, loc_TXT
loc_expret:
jmps 0D3h, 2B0h

loc_BFA:
callr loc_pBFA
jmpr cc_UC, loc_expret

loc_TXT:
callr loc_pTXT
jmpr cc_UC, loc_expret

loc_pBFA:
mov r14, r8
mov r15, r9
add r14, #0B2h
loc_readbin:
mov r12, #sof(pBFAROUTIME)
mov r13, #seg(pBFAROUTIME)
calls 0E5h, 0FFF2h
ret
loc_pTXT:
mov r14, r8
mov r15, r9
add r14, #0B2h
mov r12, #sof(TXTROUTIME)
mov r13, #seg(TXTROUTIME)
calls 0E5h, 0FFF2h
ret

pBFAROUTIME:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch
mov r8, r4
cmp r8, #0FFFFh
jmpa cc_NZ, loc_445BC0
mov r12, #1
mov r13, #04B3h
calls 0E6h, 00538h
rets
loc_445BC0:
mov r12, r8
mov r9, #20h
loc_445B9A:
mov r14, r9
mov r13, #0
mov r15, #4000h
calls 0DBh, 0B3CCh
mov r12, r8
cmp r4, #4000h
jmpr cc_C, loc_445BB8
cmp r9, #23h
jmpr cc_Z, loc_445BB8
add r9, #1
jmpr cc_UC, loc_445B9A

loc_445BB8:
calls 0DBh, 0CD8Eh
calls 8, 0
rets

loc_IDLE:
calls loc_IDLESUB
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
calls 0C8h, 0C3EEh
rets

loc_memadd:
mov r8, r4
mov r9, r5
jmpr cc_UC, loc_445C00

loc_IDLESUB:
extp #34h, #1
movb rl4, 3E2Bh
cmpb rl4, #1
jmpr cc_Z, loc_445C0E
rets

loc_Creatprocessadd:
mov r7, r13
mov r6, r12
loc_445C00:
callr loc_445C18
calls 0B4h, 9B72h
callr loc_445C26
rets

loc_exitprocesssub:
calls 0CFh, 364Ch
loc_445C0E:
callr loc_445C18
calls 0B4h, 9B5Eh
callr loc_445C26
rets

loc_445C18:
mov [-r0], r8
mov [-r0], r9
mov [-r0], r12
mov [-r0], r13
mov [-r0], r14
mov [-r0], r15
ret

loc_445C26:
mov r15, [r0+]
mov r14, [r0+]
mov r13, [r0+]
mov r12, [r0+]
mov r9, [r0+]
mov r8, [r0+]
ret

TXTROUTIME:
mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch
cmp r4, #0FFFFh
jmpr cc_Z, loc_445CBE
mov r8, r4
extp #37h, #1
mov 3FF0h, r8
calls loc_txtread
extp #20h,#1
mov r12, 0100h
cmp r12, #0FEFFh
jmpr cc_Z, loc_loop
mov r12, #1
mov r13, #09E5h
calls 0E6h, 00538h
mov r12, #0h
mov r13, #0100h
extp #20h, #1
mov [r13], r12
jmps loc_closefile

loc_loop:
extp #37h, #1
mov r4, 3FF4h
cmp r4, #4000h
jmpr cc_C, loc_view
extp #37h, #1
mov r15, 3FF2h
cmp r15, #0
jmpr cc_Z, loc_view
cmp r15, #4
jmpr cc_SLE, loc_1
sub r15, #3
loc_1:
sub r15, #1
extp #37h, #1
mov 3FF2h, r15
calls loc_txtread
jmpr cc_UC, loc_loop
loc_view:
calls 0E4h, 6300h
loc_closefile:
extp #37h, #1
mov r12, 3FF0h
calls 0DBh, 0CD8Eh
loc_445CBE:
rets

loc_txtread:
extp #37h, #1
mov r12, 3FF0h
mov r13, #100h
mov r9, #20h
mov r15, #3F00h
loc_445CD4:
mov r14, r9
calls 0DBh, 0B3CCh
extp #37h, #2
mov 3FF0h, r8
mov 3FF4h, r4
mov r12, r8
cmp r4, #3F00h
jmpr cc_C, loc_445CFA
cmp r9, #29h
jmpr cc_Z, loc_445CFA
add r9, #1
mov r13, #0
mov r15, #4000h
jmpr cc_UC, loc_445CD4

loc_445CFA:
mov r2, r4
cmp r4, #4000h
jmpr cc_NZ, loc_445D08
sub r4, #4000h
add r9, #1
loc_445D08:
cmp r9, #20h
jmpr cc_NZ, loc_445D12
add r4, #100h
loc_445D12:
mov r12, #0
extp r9, #1
mov [r4], r12
mov r9, #0
mov r13, #20h
mov r14, #0FFh
mov r15, #100h
calls 0C7h, 8416h
rets
loc_loopread:
mov    [-r0], r12
mov    [-r0], r13
extp #37h, #1
mov r12, 3FF2h
add r12, #1
extp #37h, #1
mov 3FF2h, r12
mov r12, #1
mov r13, #05CAh
calls 0E6h, 00538h
mov    r13, [r0+]
mov    r12, [r0+]
rets

loc_smsmp3:
mov    r9, r13
mov    r8, r12
mov    [-r0], r4
mov    [-r0], r12
mov    [-r0], r13
mov    [-r0], r14
mov    [-r0], r15
calls loc_ispause
mov    r15, [r0+]
mov    r14, [r0+]
mov    r13, [r0+]
mov    r12, [r0+]
mov    r4, [r0+]
rets
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch
cmpb rl4, #4
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
loc_smspausemp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch
rets
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch
rets

ebindw:
db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h

jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end

;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>

;File arc.txt (pos=0x0,sz=0x552,rd=0x552) buffered
;Disassembly: offset=0x0, size=0x552, baseAddr=0xA00000
;35B474:F0C8F0D9 DAF700E0
;0334F2:DAE1D0FC DAF764E0
;2F66E2:
org 0F7E000h

extp #37h, #1
movb rl4, 3FB0h
cmpb rl4, #0h
jmpr , cc_Z, loc_40D298
extp #0Eh, #1
mov r12, 3A42h
jb r12.2, loc_40D298
mov [-r0], r8
mov [-r0], r9
mov [-r0], r4
calls 0B5h, 146Ch
mov r12, #1Ch
mov [-r0], r12
mov r12, #3F00h
mov r13, #33h
mov r14, #pof(auto)
mov r15, #pag(auto)
calls 0C7h, 83DCh
add r0, #2
mov r4, [r0+]
add r4, #302Fh
mov r13, #33h
mov r12, #3F00h
extp r13, #2
movb [r12+#16h], rh4
movb [r12+#17h], rl4
calls 0CFh, 0AC98h
mov r12, #0
mov r13, #1
extp #37h, #2
mov 3FB0h, r12
mov 3FB2h, r13
loc_40D294:
mov r9, [r0+]
mov r8, [r0+]
loc_40D298:
mov r12, r8
mov r13, r9
rets

loc_clearanm:
mov [-r0], r4
extp #37h, #1
movb rl4, 3FB2h
cmpb rl4, #1
jmpr cc_NZ, loc_jmpenablemic
calls 0B5h, 147Ch
loc_jmpenablemic:
mov r4, [r0+]
mov r12, #0
extp #37h, #2
mov 3FB0h, r12
mov 3FB2h, r12
extp #0Ch, #1
mov r12, 2574h
bclr r12.0
extp #0Ch, #1
mov 2574h, r12
extp #0Ch, #1
mov r12, 2576h
bclr r12.0
extp #0Ch, #1
mov 2576h, r12
extp #0Ch, #1
mov r12, 2578h
bclr r12.0
extp #0Ch, #1
mov 2578h, r12
extp #36h, #1
mov r12, 0D84h
bclr r12.0
extp #36h, #1
mov 0D84h, r12
mov r12, r8
jmps 0E1h, 0FCD0h

auto:
db 041h,03Ah,05Ch,76h,6Fh,69h,63h,65h,20h,6Eh,6Fh,74h,69h,63h,65h,5Ch,61h,6Eh,73h,77h,65h,72h,30h,30h,2Eh,76h,6Dh,6Fh

end

;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>

;File fam3.31.vkp (pos=0x0,sz=0x289,rd=0x289) buffered
;Disassembly: offset=0x0, size=0x289, baseAddr=0xA00000

org 0E44A50h

calls 0CAh, 1DC0h       ;is mp3 playing?
cmp r4, #0
jmpr cc_Z, loc_444888 ;0=N,1=Y
mov r12, #1             ;is calling?
calls 0C5h, 0BECAh    ;is calling?
cmp r4, #3
jmpr cc_Z, loc_44486E ;3= calling
mov r12, #484Ch ;goto FAM3.2
mov r13, #0E4h  ;goto FAM3.2
push r13
push r12
loc_44486E:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h       ;消息号，24为暂停mp3
calls 0B4h, 724Ch
loc_444880:
calls 0CAh, 1DC0h    ;is mp3 playing?
cmp r4, #0
jmpr cc_NZ, loc_444880
loc_444888:
jmps 0E4h, 4800h

mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh       ;mp3进程 id
mov r15, #26h       ;消息号，26为播放mp3
calls 0B4h, 724Ch ;sendmessage
loc_44489E:
calls 0CAh, 1DC0h
cmp r4, #0
jmpr cc_Z, loc_44489E
rets
loc_smsmp3:
mov    r9, r13
mov    r8, r12
mov    [-r0], r4          ;保护寄存器
mov    [-r0], r12       ;保护寄存器
mov    [-r0], r13       ;保护寄存器
mov    [-r0], r14       ;保护寄存器
mov    [-r0], r15       ;保护寄存器
calls loc_ispause
mov    r15, [r0+]       ;恢复寄存器
mov    r14, [r0+]       ;恢复寄存器
mov    r13, [r0+]       ;恢复寄存器
mov    r12, [r0+]       ;恢复寄存器
mov    r4, [r0+]          ;恢复寄存器
rets
loc_ispause:
extp #32h, #1
movb rl4, 2F7Ch       ;mp3播放状态，32h，2F7C
cmpb rl4, #4          ;4=暂停，1=播放
jmpr cc_Z, loc_smsplaymp3
cmpb rl4, #1
jmpr cc_Z, loc_smspausemp3
rets
loc_smspausemp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #24h
calls 0B4h, 724Ch
rets
loc_smsplaymp3:
mov r12, #35E8h
mov r13, #0Eh
mov r14, #0ACh
mov r15, #26h
calls 0B4h, 724Ch
rets
calls loc_smsmp3

end

org 0E448D0h

calls 0E4h, 48D8h
jmps 0D3h, 2B0h

mov r14, r8
mov r15, r9
add r14, #0B2h
mov r12, #48EEh
mov r13, #0E4h
calls 0E4h, 484Ch
rets

mov r14, #0
mov r15, #0
calls 0DBh, 0AF5Ch
mov r8, r4
cmp r8, #0FFFFh
jmpa cc_Z, loc_44492C
mov r12, r8
mov r9, #20h
loc_444906:
mov r14, r9
mov r13, #0
mov r15, #4000h
calls 0DBh, 0B3CCh
mov r12, r8
cmp r4, #4000h
jmpr cc_C, loc_444924
cmp r9, #23h
jmpr cc_Z, loc_444924
add r9, #1
jmpr cc_UC, loc_444906

loc_444924:
calls 0DBh, 0CD8Eh
calls 8, 0
loc_44492C:
rets

end

;Siemens Flash Explorer v2.51c (c)Dec.03 by RizaPN <rizapn@yahoo.com>

;File v5.txt (pos=0x0,sz=0x2CF,rd=0x2CF) buffered
;Disassembly: offset=0x0, size=0x2CF, baseAddr=0xA00000

org 0C7E9D0h

extp #0Ch, #2
mov r2, 326Ch
mov r1, 2E94h
jmpr cc_Z, loc_27EA1A
cmp r13, #29h
jmpr cc_UGT, loc_27EA1A
cmpb rl2, #58h
jmpr cc_Z, loc_27EA1E
cmpb rl2, #41h
jmpr cc_Z, loc_27EA2E
cmpb rl2, #44h
jmpr cc_Z, loc_27EA36
cmpb rl2, #57h
jmpr cc_Z, loc_27EA26
cmpb rl2, #30h
jmpr cc_C, loc_27EA20
cmpb rl2, #39h
jmpr cc_NC, loc_27EA20
subb rl2, #2Fh
extp #37h, #1
movb 3FB0h, rl2
callr loc_27EA42
calls 0A3h, 0C78h
jmpr cc_UC, loc_27EA3E
loc_27EA20:
subb rh2, #30h
cmpb rl2, #60h
jmpr cc_UGT, loc_27EA18
mov r1, #2A6Ah
loc_27EA0A:
extp #31Fh, #1
mov r3, [r1+]
jmpr cc_Z, loc_27EA1A
cmpb rl2, rl3
jmpr cc_NZ, loc_27EA0A
addb rh2, rh3
loc_27EA18:
movbz r13, rh2
loc_27EA1A:
jmps 0E2h, 3796h

loc_27EA1E:
callr loc_27EA42
calls 0A3h, 0C9Ch
jmpr cc_UC, loc_27EA3E

loc_27EA26:
callr loc_27EA42
calls 0A3h, 0DB0h
jmpr cc_UC, loc_27EA3E

loc_27EA2E:
callr loc_27EA42
calls 0A3h, 0C78h
jmpr cc_UC, loc_27EA3E

loc_27EA36:
callr loc_27EA42
calls 0A3h, 0CF8h
jmpr cc_UC, loc_27EA3E

loc_27EA3E:
mov r4, [r0+]
rets

loc_27EA42:
mov r13, #6
calls 0E2h, 3796h
mov [-r0], r4
ret

end

[ 本帖最后由 JunFeng 于 2006-4-22 04:54 编辑 ]

JunFeng · 发表于 2006-2-15 14:30:01

rizaasm
\

mov       r12, #44h
extp       #0Ch, #1
mov       326Ch, r12
mov       r12, #1
mov       r13, #038h
calls       0E6h, 00538h
rets

end

org       0C7E9D0h

      extp       #36h, #1
      mov       r4, 0D76h
      jnb       r4.14, loc_v5
loc_readautoendlist:
      mov       [-r0], r4
      mov       [-r0], r8
      mov       [-r0], r9
      mov    r14, #pof(listtxt)
      mov    r15, #pag(listtxt)
      mov       r12, #sof(pautoendROUTIME)
      mov       r13, #seg(pautoendROUTIME)
      calls       0E5h, 0FFF2h
      mov       r9, [r0+]
      mov       r9, [r0+]
      mov       r4, [r0+]
      rets
pautoendROUTIME:
calls       loc_readlist

calls       0C7h, #8388h
readlist:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      mov       r8, r4
      cmp       r8, #0FFFFh
      jmpa       cc_Z, loc_ret
      mov       r12, r8
      mov       r13, #0
      mov       r14, #22
      mov       r15, #4000h
      calls       0DBh, 0B3CCh
      mov       r12, r8
      calls       0DBh, 0CD8Eh
      rets
loc_ret:
      rets

loc_v5:
      extp       #0Ch, #2
      mov       r2, 326Ch
      mov       r1, 2E94h
      jmpr       cc_Z, loc_27EA1A
      cmp       r13, #29h
      jmpr       cc_UGT, loc_27EA1A
      cmpb       rl2, #58h
      jmpr       cc_Z, loc_27EA1E
      cmpb       rl2, #41h
      jmpr       cc_Z, loc_27EA2E
      cmpb       rl2, #44h
      jmpr       cc_Z, loc_27EA36
      cmpb       rl2, #57h
      jmpr       cc_Z, loc_27EA26
      cmpb       rl2, #30h
      jmpr       cc_C, loc_27EA20
      cmpb       rl2, #39h
      jmpr       cc_NC, loc_27EA20
      subb       rl2, #2Fh
      extp       #37h, #1
      movb 3FB0h, rl2
      callr       loc_27EA42
      calls       0A3h, 0C78h
      jmpr       cc_UC, loc_27EA3E
loc_27EA20:
      subb       rh2, #30h
      cmpb       rl2, #60h
      jmpr       cc_UGT, loc_27EA18
      mov       r1, #2A6Ah
loc_27EA0A:
      extp       #31Fh, #1
      mov       r3, [r1+]
      jmpr       cc_Z, loc_27EA1A
      cmpb       rl2, rl3
      jmpr       cc_NZ, loc_27EA0A
      addb       rh2, rh3
loc_27EA18:
      movbz       r13, rh2
loc_27EA1A:
      jmps       0E2h, 3796h

loc_27EA1E:
      callr       loc_27EA42
      calls       0A3h, 0C9Ch
      jmpr       cc_UC, loc_27EA3E

loc_27EA26:
      callr       loc_27EA42
      calls       0A3h, 0DB0h
      jmpr       cc_UC, loc_27EA3E

loc_27EA2E:
      callr       loc_27EA42
      calls       0A3h, 0C78h
      jmpr       cc_UC, loc_27EA3E

loc_27EA36:
      callr       loc_27EA42
      calls       0A3h, 0CF8h
      jmpr       cc_UC, loc_27EA3E

loc_27EA3E:
      mov       r4, [r0+]
      rets

loc_27EA42:
      mov       r13, #6
      calls       0E2h, 3796h
      mov       [-r0], r4
      ret

end

org       0E45AC0h

loc_EBIN:
      mov       r4, #0
      jmpr       cc_UC, loc_447350

      mov       r4, #1
      jmpr       cc_UC, loc_447350

      mov       r4, #2
      jmpr       cc_UC, loc_447350

      mov       r4, #3
      jmpr       cc_UC, loc_447350

      mov       r4, #4
      jmpr       cc_UC, loc_447350

      mov       r4, #5
      jmpr       cc_UC, loc_447350

      mov       r4, #6
      jmpr       cc_UC, loc_447350

      mov       r4, #7
      jmpr       cc_UC, loc_447350

      mov       r4, #8
      jmpr       cc_UC, loc_447350

      mov       r4, #9
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ah
      jmpr       cc_UC, loc_447350

      mov       r4, #0Bh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Ch
      jmpr       cc_UC, loc_447350

      mov       r4, #0Dh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Eh
      jmpr       cc_UC, loc_447350

      mov       r4, #0Fh
      jmpr       cc_UC, loc_447350
loc_447350:
      mov       [-r0], r4
      mov r12, #10h
      mov       [-r0], r12
      mov       r12, #0000h
      mov       r13, #23h
      mov       r14, #pof(ebindw)
      mov       r15, #pag(ebindw)
      calls       0C7h, 83DCh
      add r0, #2
      mov       r4, [r0+]
      add       r4, #6161h
      mov       r13, #23h
      mov       r12, #0000h
      extp       r13, #2
      movb       [r12+#9], rh4
      movb       [r12+#0Ah], rl4
      mov       r14, r12
      mov       r15, r13
      callr loc_readbin
      rets
loc_FAM33:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_pFAM32
      mov       r12, #1
      calls       0C5h, 0BECAh
      cmp       r4, #3
      jmpr       cc_Z, loc_callin
      mov       r12, #sof(playmp3)
      mov       r13, #seg(playmp3)
      push       r13
      push       r12
loc_callin:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
loc_445AF0:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_NZ, loc_445AF0
loc_pFAM32:
      cmp       r8, #40h
      jmpr       cc_Z, loc_445B06
      cmp       r8, #22h
      jmps       0DCh, 1EDEh

loc_445B06:
      mov       r4, [r0+#0Ah]
      mov       r5, [r0+#0Ch]
      mov       r12, [r0+#0Eh]
      mov       r13, [r0+#10h]
      calls       0C7h, 0EE88h
      jmps       0DCh, 2B60h

loc_FAM32:
      mov       [-r0], r15
      mov       [-r0], r14
      mov       [-r0], r13
      mov       [-r0], r12
      mov       r12, #3870h
      mov       r13, #0Eh
      mov       r14, #40h
      mov       r15, #0
      calls       0B4h, 724Ch
      add       r0, #8
      rets
playmp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
loc_445B30:
      calls       0CAh, 1DC0h
      cmp       r4, #0
      jmpr       cc_Z, loc_445B30
      rets

loc_exttable:
      cmpb       rl6, #14h
      jmpr       cc_Z, loc_BFA  ;bin
      cmpb       rl6, #6h
      jmpr       cc_Z, loc_TXT  ;txt
loc_expret:
      jmps       0D3h, 2B0h    ;exit mmc exp

loc_BFA:
      callr       loc_pBFA
      jmpr       cc_UC, loc_expret

loc_TXT:
      callr       loc_pTXT
      jmpr       cc_UC, loc_expret

loc_pBFA:
      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h
loc_readbin:
;readbinfile
      mov       r12, #sof(pBFAROUTIME)    ;bfaroutime sof
      mov       r13, #seg(pBFAROUTIME)    ;bfaroutime seg
      calls       0E5h, 0FFF2h
      ret
loc_pTXT:

      mov       r14, r8
      mov       r15, r9
      add       r14, #0B2h          ;r14.r15=point to filename
      mov       [-r0], r14          ;point to filename [pof]
      mov       [-r0], r15          ;poing to filename [pag]
      calls loc_copyname             ;copy filename to 33,3f00h [*.txt]
      mov       r12, #0000h
      extp    #37h, #1
      mov       3FF2h, r12          ;连续读记录部分清0
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r12, #sof(ptxtread) ;同上
      mov       r13, #seg(ptxtread) ;同上
      calls       0E5h, 0FFF2h       ;             ;fam3.2,要读文件或写文件就用到了fam3.2
      ret
      ;fam3.2具体用法r12,r13=routime, r14,r15=point to filename,然后它转到routime处执行，并把r14，r15的文件名传送到r12，r13

pBFAROUTIME:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch
      mov       r8, r4
      cmp       r8, #0FFFFh
      jmpa       cc_NZ, loc_445BC0
      mov       r12, #1
      mov       r13, #04B3h
      calls       0E6h, 00538h
      rets
loc_445BC0:
      mov       r12, r8
      mov       r9, #20h
loc_445B9A:
      mov       r14, r9
      mov       r13, #0
      mov       r15, #4000h
      calls       0DBh, 0B3CCh
      mov       r12, r8
      cmp       r4, #4000h
      jmpr       cc_C, loc_445BB8
      cmp       r9, #23h
      jmpr       cc_Z, loc_445BB8
      add       r9, #1
      jmpr       cc_UC, loc_445B9A

loc_445BB8:
      calls       0DBh, 0CD8Eh
      calls       8, 0
      rets


loc_IDLE:
      calls       loc_IDLESUB
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      calls       0C8h, 0C3EEh
      rets

loc_memadd:
      mov       r8, r4
      mov       r9, r5
      jmpr       cc_UC, loc_445C00

loc_IDLESUB:
      extp       #34h, #1
      movb       rl4, 3E2Bh
      cmpb       rl4, #1
      jmpr       cc_Z, loc_445C0E
      rets

loc_Creatprocessadd:
      mov       r7, r13
      mov       r6, r12
loc_445C00:
      callr       loc_445C18
      calls       0B4h, 9B72h
      callr       loc_445C26
      rets

loc_exitprocesssub:
      calls       0CFh, 364Ch
loc_445C0E:
      callr       loc_445C18
      calls       0B4h, 9B5Eh
      callr       loc_445C26
      rets

loc_445C18:
      mov       [-r0], r8
      mov       [-r0], r9
      mov       [-r0], r12
      mov       [-r0], r13
      mov       [-r0], r14
      mov       [-r0], r15
      ret

loc_445C26:
      mov       r15, [r0+]
      mov       r14, [r0+]
      mov       r13, [r0+]
      mov       r12, [r0+]
      mov       r9, [r0+]
      mov       r8, [r0+]
      ret

ptxtread:
;txtread routime
      calls loc_readdata
      calls 0E4h, 6300h    ;ram阅读
      RETS
loc_readdata:
      mov       r14, #0
      mov       r15, #0
      calls       0DBh, 0AF5Ch          ;open file
      cmp       r4, #0FFFFh             ;if failed= -1 ,other r4= file handle
      jmpr       cc_Z, loc_445CBE
      mov r8, r4
      extp       #37h, #1
      mov       3FF0h, r8                ;保存filehandle
      calls       loc_txtread          ;ram专用读数据程序
      extp #37h, #1
      mov r15, 3FF2h                      ;取得连续读数据

loc_loop:
      extp #37h, #1
      mov r4, 3FF4h
      cmp r4, #4000h
      jmpr cc_C, loc_closefile
      cmp r15, #0
      jmpr       cc_Z, loc_closefile
      mov       [-r0], r15
      calls       loc_txtread
      mov    r15, [r0+]
      sub    r15, #1
      jmpr cc_UC, loc_loop


loc_closefile:
      extp       #37h, #1
      mov       r12, 3FF0h
      calls       0DBh, 0CD8Eh
loc_445CBE:
      rets

loc_txtread:
      extp       #37h, #1
      mov       r12, 3FF0h
      mov       r13, #100h
      mov       r9, #20h
      mov       r15, #3F00h
loc_445CD4:
      mov       r14, r9
      calls       0DBh, 0B3CCh
      extp       #37h, #2
      mov       3FF0h, r8
      mov 3FF4h, r4
      mov       r12, r8
      cmp       r4, #3F00h
      jmpr       cc_C, loc_445CFA
      cmp       r9, #26h
      jmpr       cc_Z, loc_445CFA
      add       r9, #1
      mov       r13, #0
      mov       r15, #4000h
      jmpr       cc_UC, loc_445CD4

loc_445CFA:
      cmp       r4, #4000h
      jmpr       cc_NZ, loc_445D08
      sub       r4, #4000h
      add       r9, #1
loc_445D08:
      cmp       r9, #20h
      jmpr       cc_NZ, loc_445D12
      add       r4, #100h
loc_445D12:
      mov       r12, #0
      extp       r9, #1
      mov       [r4], r12
      mov       r9, #0
      mov       r13, #20h
      mov       r14, #0FFh
      mov       r15, #100h
      calls       0C7h, 8416h
      rets
loc_loopread:
;按2的读文件程序
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      extp #37h, #1       ;
      mov r12, 3FF2h       ;取得第几部分
      add r12, #1          ;+1
      extp #37h, #1
      mov 3FF2h, r12
      mov       r12, #sof(loc_readdata) ;routime sof
      mov       r13, #seg(loc_readdata) ;routime seg
      mov       r14, #3F00h          ;point to file name
      mov       r15, #33h             ;poing to file name
      calls       0E5h, 0FFF2h       ;fam3.2
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      rets

loc_smsmp3:
      mov    r9, r13
      mov    r8, r12
      mov    [-r0], r4
      mov    [-r0], r12
      mov    [-r0], r13
      mov    [-r0], r14
      mov    [-r0], r15
      calls       loc_ispause
      mov    r15, [r0+]
      mov    r14, [r0+]
      mov    r13, [r0+]
      mov    r12, [r0+]
      mov    r4, [r0+]
      rets
loc_ispause:
      extp #32h, #1
      movb       rl4, 2F7Ch
      cmpb       rl4, #4
      jmpr       cc_Z, loc_smsplaymp3
      cmpb       rl4, #1
      jmpr       cc_Z, loc_smspausemp3
      rets
loc_smspausemp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #24h
      calls       0B4h, 724Ch
      rets
loc_smsplaymp3:
      mov       r12, #35E8h
      mov       r13, #0Eh
      mov       r14, #0ACh
      mov       r15, #26h
      calls       0B4h, 724Ch
      rets

loc_copyname:

      mov       r12, #30h       ;拷贝字节数
      mov       [-r0], r12
      mov       r12, #3F00h    ;pof
      mov       r13, #33h       ;pag
      calls       0C7h, 83DCh ;memcpy
      rets

ebindw:
      db 61h,3Ah,5Ch,7Ah,62h,69h,6Eh,5Ch,7Ah,61h,61h,2Eh,62h,69h,6Eh,00h




jmps loc_FAM33
jmps loc_FAM32
jmps loc_exttable
calls loc_IDLE
calls loc_Creatprocessadd
calls loc_exitprocesssub
calls loc_memadd
calls loc_loopread
calls loc_smsmp3
end

[ 本帖最后由 JunFeng 于 2006-4-21 19:10 编辑 ]

JunFeng · 发表于 2006-2-15 14:31:27

These two bytes lie among other - this is the table of passages on the contents of register with the base for address off_.A9BDBA. The table thus appears:
Code:

seg2A6:3DBA 82 36          off_A9BDBA:dw loc_C13682             ; DATA XREF: sub_C130E0+6Ao
seg2A6:3DBC 56 31                dw loc_C13156
seg2A6:3DBE 94 31                dw loc_C13194
seg2A6:3DC0 A4 31                dw loc_C131A4
seg2A6:3DC2 C0 31                dw loc_C131C0
seg2A6:3DC4 90 32                dw loc_C13290
seg2A6:3DC6 A4 31                dw loc_C131A4
seg2A6:3DC8 BC 36                dw loc_C136BC
seg2A6:3DCA BC 36                dw loc_C136BC
seg2A6:3DCC F2 32                dw loc_C132F2
seg2A6:3DCE 42 33                dw loc_C13342
seg2A6:3DD0 74 33                dw loc_C13374
seg2A6:3DD2 B0 33                dw loc_C133B0
seg2A6:3DD4 BC 33                dw loc_C133BC !!!!!!!!!!!!!!
seg2A6:3DD6 C8 33                dw loc_C133C8
seg2A6:3DD8 46 34                dw loc_C13446
seg2A6:3DDA C6 34                dw loc_C134C6
seg2A6:3DDC 46 35                dw loc_C13546
seg2A6:3DDE CE 35                dw loc_C135CE
seg2A6:3DE0 54 36                dw loc_C13654

But here is the piece of the code, using this table:
Code:

csegC1:3138                loc_C13138:                            ; CODE XREF: sub_C130E0+24j
csegC1:3138 DC 49                extp r9, #1
csegC1:313A A9 28                movb rl1, [r8]
csegC1:313C 29 21                subb rl1, #1
csegC1:313E 47 F2 13 00          cmpb rl1, #13h
csegC1:3142 EA E0 BC 36          jmpa cc_UGT, loc_C136BC
csegC1:3146 C0 2C                movbz r12, rl1
csegC1:3148 5C 1C                shl r12, #1
csegC1:314A 06 FC BA 3D          add r12, #off_A9BDBA
csegC1:314E D7 40 A6 02          extp #2A6h, #1
csegC1:3152 A8 CC                mov r12, [r12]
csegC1:3154 9C 0C                jmpi cc_UC, [r12] !!! This is principal here instruction!!!

csegC1:3156                ; ---------------------------------------------------------------------------

Further go all these loc _... from the table - i.e., branch, where is accomplished passage in the dependence on the contents r12. As a rule, all branches converge then in one place - restoration of registers of the stack and reset from p \p. T.e., in such cases simply you search for instruction jmpi. Questions?[/code

here nakovyryal another pair of functions more exactly found che they make, clog into the bases
C7:8032 longtohexstr - Convert HEX number lenght [ r0 ] bytes from pag-r15 pof-r14 to HEX String to pag-r13 pof-r12
and
C7:7430 cpyBufferToStack - Copy buffer from pag-r5 pof-r4?? stack r3-bytes

by the way by all who digs lay out syubda also that they found simpler will be

csegDB:8738 ; PlayMP3MPL (char far* folder, char far* filename);

r13:r12 folder
r15:r14 filename

a question to the diggers: to ktonit' did attempt to vkurit' as they do work file functions? more accurate as to determine loaded file or not, and the yesterday stalknulsya with this paradox that
for example we have two regions Filebuff and Membuff the first is filled 00 second FF, on MMS we also have a file with the symbols in the standard coding we further make progu of the type

calls loadfile
copy mem from filebuff to membuff
rets

loadfile: fileopen
fileread to filebuff
fileclose
rets

in this by the case into Membuff we will obtain zero, although the file will load in Filebuff, yeslizhe to make thus

calls loadfile
rets

loadfile: fileopen
fileread to filebuff
fileclose
copy mem from filebuff to membuff
rets

Vatchdog like in Mamaicha in patche to the on-line- piercing was disconnected.

On the motive of your old idea of hours on the turned-off tele-: try this
225461: 25 da
or this
225461: 25 c2; is still possible ce, e0 - this quite strange version,
and on off. by tele- press red briefly.

Even on the theme of loaded ringtonov:

; at the input: r12=1,2,3 - number indiv. the melody
CsegDC:12DC SelectAndLoadIndividualMelody:
selection from the list and loading indiv.melody 1..3, truth to select necessary by knobs, but somewhere there converter midi- Bean must be!

;
; Open file
;
Dialog1_proc3:
mov r12,#pof(GBSS_buf)
mov r13,#pag(GBSS_buf)
mov [-r0],r13
mov [-r0],r12
mov r12,#pof(FileName)
mov r13,#pag(FileName)
mov r14,#102h
mov r15,#100h
calls GBSS_po_open
add r0,#4
extp #pag(FileHandle),#1
mov pof(FileHandle),r4
mov r12,#pof(text3)
mov r13,#pag(text3)
calls r4_.to_.hex; This is printing r4 into the line
mov r14,#y2*2
jmpa cc_.UC,drawtxt; Printing line on the screen

text3:
db '0000 - Open',0
FileName:
db 'A:\upor',0
FileHandle:
dw 0
GBSS_buf:
dw 0

With the pressure on 1 must print "FHND - Open", FHND - khandler, which returned GBSS_.po_.open. By the way, before the passage to this code stands printing the code of symbol in another line.

As a result we have - we start binarnik (by the way, work with the dialogue of podsmotrenna in vibra.bin), dialogue comes, we press 2,3,4 - it is normal, we print 32,33,34, we press 1 - nothing is printed (here here 4 and ofigel, occurs drawString - this is another task!), telephone is turned off.

How to be butted?

PS Funkitsii fileopen and t.d. to treat not hunting, judging by everything, they must be caused only in flow MMC_.FILESYSTEM_.proc

Thus far it sat it was investigated, what thought into the head arrived: can binarnik it is executed in some flow not such, made printing PidAct with the start of binarnika (more exact, only it is memorized with the start, it is printed in onCreate) and in function onCreate of dialogue, as a result it was explained this is what:

1. With the first starting (menyu+ #, the selection of file, to open) control to address 80000 is transmitted from flow MMC_.FILE_.SYSTEM, up
struct DIALOG
{
void huge *onKeyPress;
void huge *onDummy1;
void huge *onDummy2;
void huge *onDummy3;
void huge *onCreate;
void huge *onRun;
};

extern void pShowDialog(const struct DIALOG far *,char far *);
extern void pDialogOnRun(void);
extern void doBack0A(void);
extern void DrawString(int x,int y,int w,int h,const char far *str,int font);
extern void FillRect(int x,int y,int w,int h,int color);
extern char keybQueneIdx;
extern char keybQueneBuf[];
extern int GbsLock_ifNZ;
extern int GbsLock_ifZ;
typedef char far * STR;

STR nibble(STR s, char b)
{
b&=0x0F;
if (b>9) b+='A'-10-'0';
b+='0';
*s++=b;
return(s);
}

void hexbyte(STR s, char b)
{
s=nibble(s,b>>4);
s=nibble(s,b);
}

void hexint(STR s, int b)
{
s=nibble(s,b>>12);
s=nibble(s,b>>;
s=nibble(s,b>>4);
s=nibble(s,b);
}

void locret(void)
{}

static const int L1;
static const int L2;

void DrawGBSLocks(int l1, int l2)
{
static const char s1[]="GbsLock_ifZ: ????";
static const char s2[]="GbsLock_ifNZ: ????";
hexint((STR)(s1+13),l1);
hexint((STR)(s2+14),l2);
DrawString(0,24,101,80,s1,3);
DrawString(0,36,101,80,s2,3);
}

void md_onkey(void)
{
char c=keybQueneIdx;
static const char s1[]="Key code: ??";
if (!(c&1)) return;
c=keybQueneBuf[c];
if (c==0x0c) {doBack0A(); return;}
hexbyte((far char *)(s1+10),c);
DrawString(0,12,101,80,s1,3);
if (c=='1')
{
DrawGBSLocks(GbsLock_ifZ,GbsLock_ifNZ);
}
}

void md_oncreate(void);
static const struct DIALOG maindialog={md_onkey,locret,locret,locret,md_oncreate,pDialogOnRun};

void md_oncreate(void)
{
FillRect(0,0,101,80,0);
DrawString(0,0,101,80,"Hello!",3);
DrawGBSLocks(L1,L2);
}

void main(void)
{
char db[16];
*(int *)&L1=GbsLock_ifZ;
*(int *)&L2=GbsLock_ifNZ;
pShowDialog(&maindialog,db);
}

AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"FOOPATCH"//But this name, on which is carried out the search for the already created buffers
};

IMHO the way is:

0. Find place for variable CopyFlag. Don't use Java memory! Better of all is using PMM patch, but u must relocate it.

1. Add menu option "Copy" and code:

CopyFlag=1;
jmp 0D8786Ah

2. Change this:
csegE4:A9D2 DA DF 40 E0 calls 0DFh, rename
to call MyRename

3. Do: (source R12:R13, dest R14:R15)

int MyRename(char far *s, char far *d)
{
if (CopyFlag)
{
....
copy file from s to d, use direct call to FileOpen etc, coz there r
context of MMC_FILE_SYSTEM_proc
....
return(0); //Success or
rerurn(1); //Error
}
else
{
return(rename(s,d));
}
}

4. Change
seg2E2:2446 F2 B3 dw loc_D8B3F2 ; Finishing move
seg2E2:2448 D8 00 dw 0D8h

dw sof(MyFinish)
dw seg(MyFinish)

MyFinish:
EXTP #pag(CopyFlag),#1
mov pof(CopyFlag),ZEROS ; CopyFlag=0
jmp 0D8B3F2h

While you copy file, use MMCEXPL_HeapMalloc (D7D374) and EX_heap_free_with_lock (D7D3B0) for allocate and free memory for file buffer. Don't use Java or other unknown memory - it's a way to make unstable patch!!!!

AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"FOOPATCH"//But this name, on which is carried out the search for the already created buffers
};

static const struct PVARD
{
struct _heap_ far ** pp_heap;
unsigned int siz;
char name[8];
} VARD=
{
AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"FOOPATCH"//But this name, on which is carried out the search for the already created buffers
};

//Procedures in patche PMM
//To obtain indicator to the variables, if yet not zarezervirovanno, we reserve and clear 0
extern struct VARS far * GetVars(.const struct PVARD far * p);
//To free the variables
Void FreeVars(.const Struct PVARD Far * p);

//Now our programpatch - for example, it consists of the pair of the functions caused from the different places

void foo1(void)
{
  struct VARS far *VP=GetVars(&VARD); //Indicator to the variables was obtained

....
VP->var1++; ///For example....
if (VP->var1==100) VP->var2="Upor";
....
}

void foo2(void)
{
  struct VARS far *VP=GetVars(&VARD); //Indicator to the variables was obtained
  if (VP->var2)
  {
DrawString(0,0,101,80,VP->var2);
FreeVars(&VARD);
  }
}

Example, it is certainly sucked out of x$я.
For example is caused procedure foo1. For the first time variables are reserved also with all following calls are used precisely they, respectively var1 increases by 1 with each call, when it became 100, in var2 is written the indicator to the line (it also in ROM).

Now when we cause foo2 and to eat an indicator to the line, it is printed, and variables are freed. Only if we use ourselves release, is desirable still critical sections to organize through AcquireGbsLock() and FreeGbsLock().

For example, patch CDR in connection with this competently must appear thus:

Code:

//Our variables - for the program they will be global, but where it is convenient
Struct VARS
{
char str_.to_.write[100 ];
}; //Note, this is only description, the code not it generitsya

//Description of data, note const - it is stored in PZU, some or are more to patch/program - here this already generitsya in the stage of the compilation
static const struct PVARD
{
struct _heap_ far ** pp_heap;
unsigned int siz;
char name[8];
} VARD=
{
AllHeapsPointers+6, //This is indicator to the heap, in which we will reserve variables, I use FarHeap8 = > +6 there is a reference to it in file AllHeapsPointers - it also extern cm. sl45.h (my)
Sizeof(.struct VARS), //The overall size of all our variables
"CDR vX.X"//But this name, on which is carried out the search for the already created buffers
};

//Procedures in patche PMM
//To obtain indicator to the variables, if yet not zarezervirovanno, we reserve and clear 0
extern struct VARS far * GetVars(.const struct PVARD far * p);
//To free the variables
Void FreeVars(.const Struct PVARD Far * p);

void WriteToLogFile(void)
{
int f;
struct VARS far *VP=GetVars(&VARD);
f=FileOpen("A:\\cdr.log",_O_CREAT+_O_RDWR+_O_APPEND,_S_IREAD);
if (f!=-1)
{
  FileWrite(f,VP->str_to_write,strlen(VP->str_to_write));
  FileClose(f);
}
FreeVars(&VARD);
}

void IncomingCall(void)
{
  struct VARS far *VP=GetVars(&VARD); //Indicator to the variables was obtained

  .....
  sprinf(VP->str_to_write,"Incoming at %02d:%02d",_hour,_minute);
  FilesysICall(WriteToLogFile);
}

void IncomingSMS(void)
{
_ VARD LABEL WORD
DPPTR (_ AllHeapsPointers+24); This is indicator to that, what heap will use, in particular FarHeap8
DW 106; How many bytes of the brain to us are must
DB "PatchNam '; Unique name

...It is analogous...
}

There are no here critical sections, t.k. by itself FILE_.SYSTEM_.PROC - this critical section is still that....

Voobshchem, went 4 patch PMM to bodyazhit', and the entire raspal'tseval, and there is no patcha itself, more exact it is fixed in binarnike, it is necessary it to alter in ROM. Through the pair of hours to zababakhayu.

#define _AllHeapsPointers 039DCEh

_ VARD LABEL WORD
DPPTR (_ AllHeapsPointers+24); This is indicator to that, what heap will use, in particular FarHeap8
DW 106; How many bytes of the brain to us are must
DB "PatchNam '; Unique name

;Displacement of variables from the beginning of the buffer
Var1 equ 0; Variable 1 - 2 bytes
Var2 equ 2; Variable 2 - 100 bytes
Var3 equ 102; Variable 3 - 4 bytes

my_.str: db ' Upor!',0

......
Now the function
Foo1:
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _GetVars,_GetVars
MOV R8,R4
MOV R9,R5
; Now in R8/R9 - indicator to our storage, after the first rotation it will be cleared by zero.
EXTP # 1,R9
MOV [ R8+#.Var1 ],#y2eya; Now the variable Var1=1
MOV R14,# POF(.my_.str)
MOV R15,# PAG(.my_.str); R14/R15 - from where
MOV R12,R8
ADD R12,# Var2
MOV R13,R9; R12/R13 - where
CALLS strcpy; We copy line from ROM into our storage
; But now we cause procedure in the context of the file system
mov R12,SOF(DoFileWrite)
mov R13,SEG(DoFileWrite)
calls FilesysICall
rets

filename: db 'A:\file.file',0

DoFileWrite:
MOV [-R0],R9
MOV [-R0],R8
MOV [-R0],R6
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _GetVars,_GetVars ; Is discovered file for final writing
MOV R8,R4
MOV R9,R5
MOV R12,#POF filename
MOV R13,#PAG filename
MOV R14,#010Ah
MOV R15,#0100h
CALLS SEG _FileOpen,_FileOpen ; Открываем файл для дописывания
MOV R6,R4
CMP R6,#0FFFFh
JMPR cc_EQ,_35 ; If it did not grow together itself with the file - nakhuy
MOV R12,R8
MOV R13,R9
ADD R12,#Var2 ; Это наша переменная Var2
CALLS SEG _strlen,_strlen ; We obtain the length of the line
MOV R15,R4
MOV R12,R6
MOV R13,R8
MOV R14,R9
ADD R13,#Var2
CALLS SEG _FileWrite,_FileWrite ; And we write in file Var2
MOV R12,R6
CALLS SEG _FileClose,_FileClose ; We shut
_35:
MOV R12,#POF _VARD
MOV R13,#PAG _VARD
CALLS SEG _FreeVars,_FreeVars ; For example, we free the variables
MOV R6,[R0+]
MOV R8,[R0+]
MOV R9,[R0+]
RETS

For those, who wants to popechatat' on the screen

Code:

//In asm the file of the address of the functions
@EQUP(_STRtoWSTRP,0F19EA0h)
@EQUP(_DrawObject,0C1400Ah)
@EQUP(_PrepDrawObj_type01,0C14A4Ch)

//В си
struct rectXYXY
{
unsigned int X1;
unsigned int Y1;
unsigned int X2;
unsigned int Y2;
};
typedef char far * STR;
typedef unsigned int far * WSTR;

extern STRtoWSTRP(WSTR *,STR);
extern DrawObject(void far *);

extern PrepDrawObj_type01(
void far *drwobj,
struct rectXYXY far *,
unsigned int flag1,
WSTR *,
unsigned int font,
unsigned int flag2);

struct VARS
{
{
WSTR up; //Indicator on unicode the line
unsigned int us[40 ]; //Line itself in unicode, the first word - it is long
char dobj[.0x1A ]; //Object for the drawing
}

//Strictly the printing
{
  struct rectXYXY rc;
  rc.X1=0; //Rectangle, note, X2 Y2 And not height and the width
  rc.Y1=40;
  rc.X2=100;
  rc.Y2=48;
  VP->.up=.VP->.us;
  STRtoWSTRP(&.VP->.up,(STR)".Upor"); //Instead of (STR)".Upor" - there can be your line or indicator
  //Flag 1 - to pozhozhe, it relates to the rectangle, in which it is sketched
  //.0kh20 - inversion
  //.0khya0 - to erase everything
  //Flag 2 - relates already to the output of the text
  //0 - not to center
  //1 - to center
  //2 - to even on the right edge
  //4 - underlining
  //8 -????
  //.0khy0 - inversion of fonta
  //.0kh20:?????
  //.0khya0 - strange zhopa
  //.0kh80 - not to formatirovat' the text
  //.0khy00 - again the inversion
  PrepDrawObj_.type01(.VP->.dobj,&.rch,VP->.flag1,&.VP->.up, 0,VP->.flag2); //0 - number of type 0... 11
  DrawObject(.VP->.dobj);
}
}

csegD6:31D2                ShowEggDialog:

seg2E1:1B6C 08 31 D6 00    eggDialog:dw 3108h, 0D6h             ; CODE XREF: eggDialog_OnKeyP
seg2E1:1B6C                                                          ; DATA XREF: ShowEggDialog+4o
seg2E1:1B70 28 31 D6 00    dword_B85B70:dw 3128h, 0D6h          ; CODE XREF: eggDialog_RunP
seg2E1:1B74 7E 31 D6 00    dword_B85B74:dw 317Eh, 0D6h          ; CODE XREF: eggDialog_rets1?P
seg2E1:1B78 80 31 D6 00    dword_B85B78:dw 3180h, 0D6h          ; CODE XREF: eggDialog_rets2?P
seg2E1:1B7C 82 31 D6 00    dword_B85B7C:dw 3182h, 0D6h          ; CODE XREF: eggDialog_InitP

cabbage soup question.

There is this function - CreateDialogWithSoftKeys(.DIALOG_.WSK *, data_.area *,int flag), where E

struct DIALOG_WSK
{
void huge *onKeyPress; //Message handler
void huge *onCreate; //as is
void huge *onClose; //as is
unsigned int datasize; //Min 0x2C
unsigned int tablesize; //Usialy 1
const unsigned int far *table; //&(0xFFF5)
};

Different thing, the caused menu from procedure onKey does not kill my dialogue, voobshchem all very in a cultured way. But there is one but: prompt analog doBack0A for this dialogue. Therefore as I can thus far only by long red button shoot down it.

Yes, another usefulness, approximately each second this dialogue obtains communication Msg==.0xB8, it will go well instead of the timer

int md_onKey(void *data, struct MSG far *Msg)
{
if ((Msg->Msg==KEY_DOWN))
{
switch(Msg->Param[0])
{
case RED_BUTTON:
CloseDialogWithSoftKeys(((int far *)data)[6]); //0EE13D0h
break;
}
}
return(1);
}

struct StatOfFile
{
unsigned int flag1;//=8081 - file, =8041 - folder
unsigned int Zero;
unsigned long filesize;
char Unk[20]; // Dates?
};

extern int GetFileStat(char far* fname, struct StatOfFile far*); //0DFF720h //from MMC_FILE_SYSTEM_proc
extern int FileStat(int file_hndl, struct StatOfFile far*); //0DFF6AAh

java.log:
22779ms: Warning: natasync.c: Unknown event received: 13
38489ms: Warning: natasync.c: Unknown event received: 13
57761ms: Warning: natasync.c: Unknown event received: 13

Code:

java_net.log:
20414364ms: Info: Networking initalized
470ms: Info: Networking initalized
17947ms: Info: Shutting down network
18012ms: Info: Networking disabled
151219ms: Info: Freeing application.
151219ms: Info: Application freed.
151219ms: Info: Shutting down network
151219ms: Info: JAM terminated
20414364ms: Info: Networking initalized
419ms: Info: Networking initalized
22507ms: Info: socket_Protocol_open0
22571ms: Info: Activating profile number 2
22636ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
22710ms: Info: jnfnet_doDial: dialing
30588ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
30685ms: Info: JavaNetMessageHandler: start PPP stack
32997ms: Info: JavaNetMessageHandler: M_DIALER_DOWN received, state = e_jnfnet_going_up
33075ms: Info: JavaNetMessageHandler: remaining retries: 3
33158ms: Info: JavaNetMessageHandler: M_NET_DOWN received, state = e_jnfnet_going_up
38156ms: Info: JavaNetMessageHandler: JAVA_TIMER_EXPIRED, state = e_jnfnet_going_up
38221ms: Info: JavaNetMessageHandler: redialing
38309ms: Info: Activating profile number 2
38382ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
46182ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
46279ms: Info: JavaNetMessageHandler: start PPP stack
52274ms: Info: JavaNetMessageHandler: M_DIALER_DOWN received, state = e_jnfnet_going_up
52361ms: Info: JavaNetMessageHandler: remaining retries: 2
52440ms: Info: JavaNetMessageHandler: M_NET_DOWN received, state = e_jnfnet_going_up
57438ms: Info: JavaNetMessageHandler: JAVA_TIMER_EXPIRED, state = e_jnfnet_going_up
57502ms: Info: JavaNetMessageHandler: redialing
57576ms: Info: Activating profile number 2
57650ms: Info: Active profile data: 2, addr:port: 192.168.10.10:9201
66142ms: Info: JavaNetMessageHandler: M_DIALER_UP received, state = e_jnfnet_going_up
66234ms: Info: JavaNetMessageHandler: start PPP stack
68218ms: Info: JavaNetMessageHandler: M_NET_UP received, state = e_jnfnet_going_up
68311ms: Info: JavaNetMessageHandler: PPP is up. Connecting
68398ms: Info: socket_open_callback: socket = 4, succeeded
68481ms: Info: jnfnet_socketCreate succeeded, returning 1
68574ms: Info: createTCPsocket - hostname:port == pop3.rambler.ru:110
69511ms: Info: connectSocket - hostname:port == pop3.rambler.ru(81.19.66.20):110, return = 0(0)
69603ms: Info: createTCPSocket: socket = 1 succeded. Waiting for connect.
70304ms: Info: createTCPSocket_callback: socket = 1, succeeded
70420ms: Info: available0: 0
70507ms: Info: available0: 0
70609ms: Info: available0: 0
70701ms: Info: available0: 0
70798ms: Info: available0: 0
70895ms: Info: available0: 0
70992ms: Info: available0: 0
71094ms: Info: available0: 0
71181ms: Info: available0: 0
71278ms: Info: Data received from socket 1
71380ms: Info: available0: 70
71467ms: Info: available0: 70
71578ms: Info: read0(1, 70) = 70: +OK mail.rambler.ru pop3 ready <47177c46.1137350009@mail.rambler.ru>

Code:

rms.log:
369ms: Info: JNF_FileSystem_Init()
8297ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
8376ms: Info: Response for AsyncGetFirst(). Found
8496ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
8602ms: Info: Response for AsyncOpen, result = 4
8690ms: Info: AsyncRead(4, 4). Waiting for response
8782ms: Info: Response for AsyncRead(4), result = 4, errno = 0
8874ms: Info: AsyncLength(4), result = 0  errno = 0
8962ms: Info: AsyncSeek(4, 4). Waiting for response
9059ms: Info: Response for AsyncSeek(4), result = 4
9151ms: Info: AsyncRead(4, 66). Waiting for response
9234ms: Info: Response for AsyncRead(4), result = 66, errno = 0
9336ms: Info: AsyncSeek(4, 0). Waiting for response
9419ms: Info: Response for AsyncSeek(4), result = 0
9534ms: Info: AsyncWrite(4, 4). Waiting for response
9663ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
9746ms: Info: SyncClose(4), result = 0  errno = 0
9880ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
10005ms: Info: Response for AsyncGetFirst(). Found
10134ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
10249ms: Info: Response for AsyncOpen, result = 4
10328ms: Info: AsyncRead(4, 4). Waiting for response
10411ms: Info: Response for AsyncRead(4), result = 4, errno = 0
10503ms: Info: AsyncLength(4), result = 0  errno = 0
10591ms: Info: AsyncSeek(4, 70). Waiting for response
10669ms: Info: Response for AsyncSeek(4), result = 70
10776ms: Info: AsyncRead(4, 66). Waiting for response
10863ms: Info: Response for AsyncRead(4), result = 66, errno = 0
10951ms: Info: AsyncSeek(4, 0). Waiting for response
11029ms: Info: Response for AsyncSeek(4), result = 0
11126ms: Info: AsyncWrite(4, 4). Waiting for response
11255ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
11334ms: Info: SyncClose(4), result = 0  errno = 0
11417ms: Info: AsyncSpaceAvailable(). Waiting for response
11500ms: Info: Response for AsyncFree(), result = 161644544
11648ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
11763ms: Info: Response for AsyncGetFirst(). Found
11883ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
11994ms: Info: Response for AsyncOpen, result = 4
12077ms: Info: AsyncRead(4, 4). Waiting for response
12160ms: Info: Response for AsyncRead(4), result = 4, errno = 0
12252ms: Info: AsyncLength(4), result = 0  errno = 0
12363ms: Info: AsyncSeek(4, 4). Waiting for response
12446ms: Info: Response for AsyncSeek(4), result = 4
12543ms: Info: AsyncRead(4, 66). Waiting for response
12622ms: Info: Response for AsyncRead(4), result = 66, errno = 0
12751ms: Info: AsyncSeek(4, 0). Waiting for response
12834ms: Info: Response for AsyncSeek(4), result = 0
12926ms: Info: AsyncWrite(4, 4). Waiting for response
13060ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
13143ms: Info: SyncClose(4), result = 0  errno = 0
13258ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RS@1.db). Waiting for response
13388ms: Info: Response for AsyncGetFirst(). Found
13531ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RS@1.db). Wait for response
13637ms: Info: Response for AsyncOpen, result = 4
13725ms: Info: AsyncSeek(4, 0). Waiting for response
13808ms: Info: Response for AsyncSeek(4), result = 0
13891ms: Info: AsyncRead(4, 40). Waiting for response
13983ms: Info: Response for AsyncRead(4), result = 40, errno = 0
17767ms: Info: SyncClose(4), result = 0  errno = 0
17855ms: Info: Java_FileSystem_Exit()
373ms: Info: JNF_FileSystem_Init()
8265ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
8343ms: Info: Response for AsyncGetFirst(). Found
8463ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
8574ms: Info: Response for AsyncOpen, result = 4
8657ms: Info: AsyncRead(4, 4). Waiting for response
8745ms: Info: Response for AsyncRead(4), result = 4, errno = 0
8833ms: Info: AsyncLength(4), result = 0  errno = 0
8930ms: Info: AsyncSeek(4, 4). Waiting for response
9022ms: Info: Response for AsyncSeek(4), result = 4
9114ms: Info: AsyncRead(4, 66). Waiting for response
9193ms: Info: Response for AsyncRead(4), result = 66, errno = 0
9299ms: Info: AsyncSeek(4, 0). Waiting for response
9377ms: Info: Response for AsyncSeek(4), result = 0
9465ms: Info: AsyncWrite(4, 4). Waiting for response
9599ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
9682ms: Info: SyncClose(4), result = 0  errno = 0
9797ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
9926ms: Info: Response for AsyncGetFirst(). Found
10065ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
10171ms: Info: Response for AsyncOpen, result = 4
10249ms: Info: AsyncRead(4, 4). Waiting for response
10332ms: Info: Response for AsyncRead(4), result = 4, errno = 0
10420ms: Info: AsyncLength(4), result = 0  errno = 0
10508ms: Info: AsyncSeek(4, 70). Waiting for response
10586ms: Info: Response for AsyncSeek(4), result = 70
10692ms: Info: AsyncRead(4, 66). Waiting for response
10771ms: Info: Response for AsyncRead(4), result = 66, errno = 0
10859ms: Info: AsyncSeek(4, 0). Waiting for response
10937ms: Info: Response for AsyncSeek(4), result = 0
11029ms: Info: AsyncWrite(4, 4). Waiting for response
11163ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
11251ms: Info: SyncClose(4), result = 0  errno = 0
11334ms: Info: AsyncSpaceAvailable(). Waiting for response
11408ms: Info: Response for AsyncFree(), result = 161644544
11560ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RMS_RC.db). Waiting for response
11675ms: Info: Response for AsyncGetFirst(). Found
11795ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RMS_RC.db). Wait for response
11911ms: Info: Response for AsyncOpen, result = 4
11989ms: Info: AsyncRead(4, 4). Waiting for response
12072ms: Info: Response for AsyncRead(4), result = 4, errno = 0
12165ms: Info: AsyncLength(4), result = 0  errno = 0
12275ms: Info: AsyncSeek(4, 4). Waiting for response
12368ms: Info: Response for AsyncSeek(4), result = 4
12455ms: Info: AsyncRead(4, 66). Waiting for response
12538ms: Info: Response for AsyncRead(4), result = 66, errno = 0
12672ms: Info: AsyncSeek(4, 0). Waiting for response
12755ms: Info: Response for AsyncSeek(4), result = 0
12848ms: Info: AsyncWrite(4, 4). Waiting for response
12981ms: Info: Response for AsyncWrite(4), result = 4, errno = 0
13060ms: Info: SyncClose(4), result = 0  errno = 0
13180ms: Info: AsyncFileExist(A:\java\jam\Outlook ME\storage\RS@1.db). Waiting for response
13295ms: Info: Response for AsyncGetFirst(). Found
13425ms: Info: AsyncFileOpen(A:\java\jam\Outlook ME\storage\RS@1.db). Wait for response
13545ms: Info: Response for AsyncOpen, result = 4
13637ms: Info: AsyncSeek(4, 0). Waiting for response
13715ms: Info: Response for AsyncSeek(4), result = 0
13808ms: Info: AsyncRead(4, 40). Waiting for response
13900ms: Info: Response for AsyncRead(4), result = 40, errno = 0
15437ms: Info: AsyncSeek(4, 486). Waiting for response
15534ms: Info: Response for AsyncSeek(4), result = 486
15631ms: Info: AsyncRead(4, 28). Waiting for response
15723ms: Info: Response for AsyncRead(4), result = 28, errno = 0
15815ms: Info: AsyncSeek(4, 40). Waiting for response
15894ms: Info: Response for AsyncSeek(4), result = 40
15990ms: Info: AsyncRead(4, 28). Waiting for response
16078ms: Info: Response for AsyncRead(4), result = 28, errno = 0
16175ms: Info: AsyncSeek(4, 486). Waiting for response
16258ms: Info: Response for AsyncSeek(4), result = 486
16346ms: Info: AsyncRead(4, 28). Waiting for response
16401ms: Info: Response for AsyncRead(4), result = 28, errno = 0
16512ms: Info: AsyncSeek(4, 514). Waiting for response
16604ms: Info: Response for AsyncSeek(4), result = 514
16692ms: Info: AsyncRead(4, 129). Waiting for response
16780ms: Info: Response for AsyncRead(4), result = 129, errno = 0
16872ms: Info: AsyncSeek(4, 486). Waiting for response
16960ms: Info: Response for AsyncSeek(4), result = 486
17047ms: Info: AsyncRead(4, 28). Waiting for response
17440ms: Info: Response for AsyncRead(4), result = 28, errno = 0
17532ms: Info: AsyncSeek(4, 40). Waiting for response
17615ms: Info: Response for AsyncSeek(4), result = 40
17698ms: Info: AsyncRead(4, 28). Waiting for response
17800ms: Info: Response for AsyncRead(4), result = 28, errno = 0
17901ms: Info: AsyncSeek(4, 68). Waiting for response
17980ms: Info: Response for AsyncSeek(4), result = 68
18063ms: Info: AsyncRead(4, 308). Waiting for response
18178ms: Info: Response for AsyncRead(4), result = 308, errno = 0
20610ms: Info: AsyncSeek(4, 486). Waiting for response
20689ms: Info: Response for AsyncSeek(4), result = 486
20776ms: Info: AsyncRead(4, 28). Waiting for response
20864ms: Info: Response for AsyncRead(4), result = 28, errno = 0
20970ms: Info: AsyncSeek(4, 40). Waiting for response
21053ms: Info: Response for AsyncSeek(4), result = 40
21141ms: Info: AsyncRead(4, 28). Waiting for response
21242ms: Info: Response for AsyncRead(4), result = 28, errno = 0
21404ms: Info: AsyncSeek(4, 514). Waiting for response
21501ms: Info: Response for AsyncSeek(4), result = 514
21588ms: Info: AsyncRead(4, 129). Waiting for response
21681ms: Info: Response for AsyncRead(4), result = 129, errno = 0
21939ms: Info: AsyncSeek(4, 68). Waiting for response
22027ms: Info: Response for AsyncSeek(4), result = 68
22115ms: Info: AsyncRead(4, 308). Waiting for response
22211ms: Info: Response for AsyncRead(4), result = 308, errno = 0
99859ms: Info: AsyncSpaceAvailable(). Waiting for response
99947ms: Info: Response for AsyncFree(), result = 161619968
140706ms: Info: SyncClose(4), result = 0  errno = 0
140785ms: Info: Java_FileSystem_Exit()

[ 本帖最后由 JunFeng 于 2006-2-27 10:55 编辑 ]

mygod999 · 发表于 2006-2-15 14:39:28

跟，想学习

yusongchina · 发表于 2006-2-15 15:07:19

先顶后看！！！！！

Xinshou · 发表于 2006-2-15 15:25:35

“……发现它向34，3e2b这里写入了数据，……”
这个地方#34h （具体34，3e2b）是在eep那里吗？

xp0080 · 发表于 2006-2-15 15:35:01

流名学习
。

songfoming · 发表于 2006-2-15 15:40:25

这个要看～～～～～～～～～～～～～

05220621 · 发表于 2006-2-15 16:18:08

zh站着听......................

SZH_523 · 发表于 2006-2-15 17:20:51

好好好好好好好好好好好。。。贴！！！
通俗易懂！！收藏受教！！

seacore · 发表于 2006-2-15 17:59:02

搬张凳子排排坐！！！

JunFeng · 发表于 2006-2-15 18:26:30

ram

看5楼

czad · 发表于 2006-2-15 19:24:48

好教程，我顶！

帐号		自动登录	找回密码
密码			注册会员

补丁运行过程剖析。最新更新在线查看调试工具，可实时动态查看ram，7楼，超值推荐

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

评分

回复 #13 Xinshou 的帖子