Foreword
Following up on the BLH protocol I covered earlier: my decompiling skills have improved lately, so I can try reverse-engineering the ESC configurator itself and pull the real protocol out of it for calibration, instead of calibrating against fixed strings.
http://elmagnifico.tech/2020/06/03/BLHeli-Uart-Usb-Protocol/
Identifying the packer
The first step is to check for a packer and find out what BLH was actually written in.
A question mark shows up in the result, which means it may not be accurate and needs a second check.
Checking with DIE (Detect It Easy) shows that the BLH exe was written in Delphi. I have never worked with Delphi; I had only heard that many old programs, and plenty of viruses and trojans, were written in it.
The next step is to find out which tools can decompile Delphi.
Decompilers
I found a few tools for decompiling Delphi and tried them one by one.
DarkDe4
DarkDe4 crashed on the spot; once it finished processing, none of the forms or events could be viewed, so I had to try another one.
DelphiDecompiler
DelphiDecompiler was the same: it crashed immediately.
IDR
Interactive Delphi Reconstructor is the real deal: no errors during decompilation, and every form can be viewed normally.
Decompiling
With a working tool, decompilation can start. I skip the serial-port connection code and go straight to the main point, Read Setup, to see how it actually reads the configuration.
Since this is tied to the protocol implementation, it is best to re-read the earlier protocol analysis first; the concrete communication flow described there helps with the decompilation here.
Read Setup
Note the button's name: actReadSetup, a TBitBtn.
Then jump to the corresponding event and see what it executes.
_Unit141.TfrmBLHeliSuiteMain.actReadSetupExecute
0081C404 push ebp
0081C405 mov ebp,esp
0081C407 push ecx
0081C408 mov dword ptr [ebp-4],eax
0081C40B xor edx,edx
0081C40D mov eax,dword ptr [ebp-4]
# This should be some UI setup
0081C410 call 00821718
0081C415 xor eax,eax
0081C417 push ebp
0081C418 push 81C449
0081C41D push dword ptr fs:[eax]
0081C420 mov dword ptr fs:[eax],esp
0081C423 mov eax,dword ptr [ebp-4]
0081C426 mov eax,dword ptr [eax+63C];TfrmBLHeliSuiteMain.Fifm:TBLHeliInterfaceManager
## Basically just look here: it directly calls the function below, jump there to see it
0081C42C call TBLHeliInterfaceManager.DoBtnReadSetup
0081C431 xor eax,eax
0081C433 pop edx
0081C434 pop ecx
0081C435 pop ecx
0081C436 mov dword ptr fs:[eax],edx
0081C439 push 81C450
0081C43E mov dl,1
0081C440 mov eax,dword ptr [ebp-4]
0081C443 call 00821718
0081C448 ret
0081C449> jmp @HandleFinally
0081C44E> jmp 0081C43E
0081C450 pop ecx
0081C451 pop ebp
0081C452 ret
A few things to note:
Delphi follows the _fastcall calling convention, but it differs slightly from the Windows _fastcall: eax carries the first parameter, edx the second and ecx the third; parameters beyond three are passed on the stack, pushed left to right, and the stack is cleaned up by the callee.
Delphi binds button event addresses by button name: each button name maps to one event-handler address. The button names can be found in the Delphi RCDATA resources: open the RC data resources with PE Explorer, find the Form for the window in question, and look up the string value of the button name.
Keep following
_Unit139.TBLHeliInterfaceManager.DoBtnReadSetup
007CA1F8 push ebx
007CA1F9 mov ebx,eax
007CA1FB mov dl,1
007CA1FD mov eax,ebx
# Connecting starts here
007CA1FF call TBLHeliInterfaceManager.DoConnectInterface
007CA204 test al,al
007CA206> je 007CA250
007CA208 mov eax,ebx
007CA20A call TBLHeliInterfaceManager.InterfaceMultiESCEnabled
007CA20F test al,al
007CA211> je 007CA236
007CA213 mov eax,ebx
007CA215 call TBLHeliInterfaceManager.GetESCTargetsCount
007CA21A test al,al
007CA21C> je 007CA22B
007CA21E mov dl,1
007CA220 mov eax,ebx
# This checks whether the device is connected, and keeps the connection alive
007CA222 call TBLHeliInterfaceManager.DoCheckDeviceIsPresent
007CA227 test al,al
007CA229> jne 007CA236
007CA22B mov dl,1
007CA22D mov eax,ebx
007CA22F call TBLHeliInterfaceManager.DoBtnCheckMultiESC
007CA234> jmp 007CA249
007CA236 call TStringComparer.Ordinal
007CA23B call TFirmwareHexFiles.ClearServerTimoutList
007CA240 mov dl,1
007CA242 mov eax,ebx
# The key part is here
007CA244 call TBLHeliInterfaceManager.ReadSetupAll
007CA249 mov eax,ebx
007CA24B call TBLHeliInterfaceManager.UpdateInterfaceConnectionState
007CA250 pop ebx
007CA251 ret
The call chain is fairly clear: first connect the interface (serial port, USB, etc.), then set up multi-ESC mode, get the number of connected ESCs, check whether the ESCs are online, clear the timeout list (probably a timer started by the online check), then read all the setup information, and finally update the connection state in the UI.
Next, look at TBLHeliInterfaceManager.ReadSetupAll.
ReadSetupAll
_Unit139.TBLHeliInterfaceManager.ReadSetupAll
007D5A2C push ebp
007D5A2D mov ebp,esp
007D5A2F xor ecx,ecx
007D5A31 push ecx
007D5A32 push ecx
007D5A33 push ecx
007D5A34 push ecx
007D5A35 push ecx
007D5A36 push ecx
007D5A37 push ecx
007D5A38 push ebx
007D5A39 mov byte ptr [ebp-5],dl
007D5A3C mov dword ptr [ebp-4],eax
007D5A3F xor eax,eax
007D5A41 push ebp
007D5A42 push 7D5C9E
007D5A47 push dword ptr fs:[eax]
007D5A4A mov dword ptr fs:[eax],esp
007D5A4D mov byte ptr [ebp-6],0
007D5A51 mov dl,1
007D5A53 mov eax,dword ptr [ebp-4]
007D5A56 call TBLHeliInterfaceManager.DoConnectInterface
007D5A5B test al,al
007D5A5D> je 007D5C83
007D5A63 call 006DB734
007D5A68 test al,al
007D5A6A> je 007D5A80
# This is building the string shown in the log
007D5A6C mov eax,7D5CBC;'Reading Setup for'
007D5A71 call 006DC004
007D5A76 mov eax,1
007D5A7B call 006DBF4C
007D5A80 xor edx,edx
007D5A82 mov eax,dword ptr [ebp-4]
007D5A85 call TBLHeliInterfaceManager.SetLastResultMsg
007D5A8A xor eax,eax
007D5A8C push ebp
007D5A8D push 7D5C79
007D5A92 push dword ptr fs:[eax]
007D5A95 mov dword ptr fs:[eax],esp
007D5A98 mov eax,dword ptr [ebp-4]
007D5A9B call TBLHeliInterfaceManager.GetESCSelectedMasterOrFirstTarget
007D5AA0 mov edx,eax
007D5AA2 xor ecx,ecx
007D5AA4 mov eax,dword ptr [ebp-4]
007D5AA7 call TBLHeliInterfaceManager.SetCurrentESCNum
007D5AAC mov eax,dword ptr [ebp-4]
007D5AAF call TBLHeliInterfaceManager.BLHeliStored
007D5AB4 call TBLHeli.Init
007D5AB9 call 006DB734
007D5ABE test al,al
007D5AC0> je 007D5AE4
007D5AC2 lea edx,[ebp-0C]
007D5AC5 mov eax,dword ptr [ebp-4]
007D5AC8 call TBLHeliInterfaceManager.GetESCNumStr
007D5ACD mov eax,dword ptr [ebp-0C]
007D5AD0 push eax
007D5AD1 call 006DBF04
007D5AD6 mov ecx,eax
007D5AD8 dec ecx
007D5AD9 mov edx,0FF0000
007D5ADE pop eax
007D5ADF call 006DBD18
007D5AE4 xor ebx,ebx
007D5AE6 xor ecx,ecx
007D5AE8 mov dl,1
007D5AEA mov eax,dword ptr [ebp-4]
# Everything above just fetches existing information or parameters; the connection starts here
007D5AED call TBLHeliInterfaceManager.DoConnectDevice
007D5AF2 test al,al
007D5AF4> je 007D5B04
007D5AF6 mov dl,1
007D5AF8 mov eax,dword ptr [ebp-4]
007D5AFB call TBLHeliInterfaceManager.DoCheckDeviceIsPresent
007D5B00 test al,al
# 1. This jumps down; everything before it runs sequentially
007D5B02> jne 007D5B31
007D5B04 mov eax,dword ptr [ebp-4]
007D5B07 movzx eax,byte ptr [eax+54];TBLHeliInterfaceManager.FCurrentESCNum:byte
007D5B0B mov ecx,eax
007D5B0D mov edx,eax
007D5B0F mov eax,dword ptr [ebp-4]
007D5B12 call TBLHeliInterfaceManager.ClearMultiESC
007D5B17 mov eax,dword ptr [ebp-4]
007D5B1A call TBLHeliInterfaceManager.UpdateMultiESCInfo
007D5B1F mov eax,dword ptr [ebp-4]
007D5B22 call TBLHeliInterfaceManager.SetupToControls
007D5B27 call @TryFinallyExit
007D5B2C> jmp 007D5C83
# 1. Jumped here from above, keep going
007D5B31 movzx edx,byte ptr [ebp-5]
007D5B35 mov eax,dword ptr [ebp-4]
# Reads the setup information; the 256 bytes have been read at this point
007D5B38 call TBLHeliInterfaceManager.ReadDeviceSetupSection
007D5B3D mov byte ptr [ebp-7],al
007D5B40 mov eax,dword ptr [ebp-4]
# Stores the information; unclear what this means, may need to be followed up
007D5B43 call TBLHeliInterfaceManager.BLHeliStored
007D5B48 mov edx,dword ptr [ebp-4]
007D5B4B mov edx,dword ptr [edx+44];TBLHeliInterfaceManager.FBLHeliWork:TBLHeli
007D5B4E movzx ecx,byte ptr ds:[7D5CE0];0x3 gvar_007D5CE0
# What is this CopyTo? It may also be where the data is processed
007D5B55 call TBLHeli.CopyTo
007D5B5A mov eax,dword ptr [ebp-4]
# Show the information in the controls
# Debugging in OllyDbg (OD) shows that once the data is in, the UI updates right after TBLHeliInterfaceManager.SetupToControls runs, so the data parsing happens inside it
007D5B5D call TBLHeliInterfaceManager.SetupToControls
007D5B62 mov eax,dword ptr [ebp-4]
# Check the flash state inside the ESC
007D5B65 call TBLHeliInterfaceManager.CheckInTargetFlashState
007D5B6A test al,al
# 2. This jumps, i.e. no prompt to flash is needed
007D5B6C> je 007D5B94
007D5B6E mov eax,dword ptr [ebp-4]
007D5B71 call TBLHeliInterfaceManager.CheckOnFlashStateAndAsk
007D5B76 test al,al
007D5B78> je 007D5B90
007D5B7A mov eax,dword ptr [ebp-4]
007D5B7D call TBLHeliInterfaceManager.FlashESC
007D5B82 test eax,eax
007D5B84> jle 007D5B8A
007D5B86 mov bl,1
007D5B88> jmp 007D5B94
007D5B8A mov byte ptr [ebp-5],0
007D5B8E> jmp 007D5B94
007D5B90 mov byte ptr [ebp-5],0
# 2. Jump target, continue sequentially
007D5B94 test bl,bl
007D5B96> jne 007D5AE4
007D5B9C cmp byte ptr [ebp-7],0
007D5BA0> je 007D5BA6
007D5BA2 mov byte ptr [ebp-6],1
007D5BA6 xor eax,eax
007D5BA8 pop edx
007D5BA9 pop ecx
007D5BAA pop ecx
007D5BAB mov dword ptr fs:[eax],edx
007D5BAE push 7D5C83
007D5BB3 call 006DB734
007D5BB8 test al,al
007D5BBA> je 007D5BCF
007D5BBC mov eax,1
007D5BC1 call 006DBF64
007D5BC6 movzx eax,byte ptr [ebp-6]
007D5BCA call 006DBE1C
007D5BCF cmp byte ptr [ebp-6],0
007D5BD3> je 007D5C05
007D5BD5 lea edx,[ebp-14]
007D5BD8 mov eax,dword ptr [ebp-4]
# Get the ESC number string again and report a successful read
007D5BDB call TBLHeliInterfaceManager.GetESCNumStr
007D5BE0 lea eax,[ebp-14]
007D5BE3 mov edx,7D5CF0;' setup read successfully'
007D5BE8 call @UStrCat
007D5BED mov eax,dword ptr [ebp-14]
007D5BF0 lea edx,[ebp-10]
007D5BF3 call 006D5894
007D5BF8 mov edx,dword ptr [ebp-10]
007D5BFB mov eax,dword ptr [ebp-4]
# Set the success status message
007D5BFE call TBLHeliInterfaceManager.SetLastResultMsg
# 3. This jumps; it decides success or failure from the read status, matching where the prompt is shown
007D5C03> jmp 007D5C33
007D5C05 lea edx,[ebp-1C]
007D5C08 mov eax,dword ptr [ebp-4]
007D5C0B call TBLHeliInterfaceManager.GetESCNumStr
007D5C10 lea eax,[ebp-1C]
007D5C13 mov edx,7D5D30;' setup read failed'
007D5C18 call @UStrCat
007D5C1D mov eax,dword ptr [ebp-1C]
007D5C20 lea edx,[ebp-18]
007D5C23 call 006D5894
007D5C28 mov edx,dword ptr [ebp-18]
007D5C2B mov eax,dword ptr [ebp-4]
007D5C2E call TBLHeliInterfaceManager.SetLastResultMsg
# 3. Jump target; what follows is the "read succeeded" pop-up, basically nothing more to see
007D5C33 mov eax,dword ptr [ebp-4]
007D5C36 movzx eax,byte ptr [eax+54];TBLHeliInterfaceManager.FCurrentESCNum:byte
007D5C3A lea eax,[eax+eax*8]
007D5C3D mov edx,dword ptr [ebp-4]
007D5C40 lea eax,[edx+eax*4+4C]
007D5C44 mov edx,dword ptr [ebp-4]
007D5C47 mov edx,dword ptr [edx+320];TBLHeliInterfaceManager.FLastResultMsg:string
007D5C4D call @UStrAsg
007D5C52 cmp byte ptr [ebp-5],0
007D5C56> je 007D5C78
007D5C58 cmp byte ptr [ebp-6],0
007D5C5C> je 007D5C78
007D5C5E mov eax,dword ptr [ebp-4]
007D5C61 cmp byte ptr [eax+338],0;TBLHeliInterfaceManager.FShowSuccessMsg:Boolean
007D5C68> je 007D5C78
007D5C6A mov eax,dword ptr [ebp-4]
007D5C6D mov eax,dword ptr [eax+320];TBLHeliInterfaceManager.FLastResultMsg:string
007D5C73 call 006DF698
007D5C78 ret
007D5C79> jmp @HandleFinally
007D5C7E> jmp 007D5BB3
007D5C83 xor eax,eax
007D5C85 pop edx
007D5C86 pop ecx
007D5C87 pop ecx
007D5C88 mov dword ptr fs:[eax],edx
007D5C8B push 7D5CA5
007D5C90 lea eax,[ebp-1C]
007D5C93 mov edx,5
007D5C98 call @UStrArrayClr
007D5C9D ret
007D5C9E> jmp @HandleFinally
007D5CA3> jmp 007D5C90
007D5CA5 movzx eax,byte ptr [ebp-6]
007D5CA9 pop ebx
007D5CAA mov esp,ebp
007D5CAC pop ebp
007D5CAD ret
ReadDeviceSetupSection
Keep following TBLHeliInterfaceManager.ReadDeviceSetupSection to see what it actually does.
_Unit139.TBLHeliInterfaceManager.ReadDeviceSetupSection
007D8560 push ebp
007D8561 mov ebp,esp
007D8563 add esp,0FFFFFFF0
007D8566 push ebx
007D8567 xor ecx,ecx
007D8569 mov dword ptr [ebp-10],ecx
007D856C mov dword ptr [ebp-4],ecx
007D856F mov ebx,edx
007D8571 mov dword ptr [ebp-8],eax
007D8574 xor eax,eax
007D8576 push ebp
007D8577 push 7D8804
007D857C push dword ptr fs:[eax]
007D857F mov dword ptr fs:[eax],esp
007D8582 mov byte ptr [ebp-9],0
007D8586 mov eax,dword ptr [ebp-8]
007D8589 add eax,32C;TBLHeliInterfaceManager.FLastReadSetupMem:TArray<System.Byte>
007D858E mov edx,dword ptr ds:[404B48];TArray<System.Byte>
# This clears the memory from the previous read
007D8594 call @DynArrayClear
007D8599 call 006DB734
007D859E test al,al
007D85A0> je 007D85B6
# This matches what the log shows
007D85A2 mov eax,7D8820;'DeviceReadSetup:'
007D85A7 call 006DBF8C
007D85AC mov eax,1
007D85B1 call 006DBF4C
007D85B6 xor edx,edx
007D85B8 push ebp
007D85B9 push 7D87D7
007D85BE push dword ptr fs:[edx]
007D85C1 mov dword ptr fs:[edx],esp
007D85C4 xor ecx,ecx
007D85C6 mov dl,1
007D85C8 mov eax,dword ptr [ebp-8]
# Check the connection again
007D85CB call TBLHeliInterfaceManager.DoConnectDevice
007D85D0 test al,al
007D85D2> je 007D8632
007D85D4 mov eax,dword ptr [ebp-8]
007D85D7 movzx eax,byte ptr [eax+55];TBLHeliInterfaceManager.FESCInterfaceType:TESCInterfaceType
007D85DB sub al,0C
007D85DD> je 007D85E9
007D85DF dec al
007D85E1> je 007D8602
007D85E3 dec al
007D85E5> je 007D861B
007D85E7> jmp 007D8632
007D85E9 mov eax,dword ptr [ebp-8]
# The actual memory read
007D85EC lea edx,[eax+32C];TBLHeliInterfaceManager.FLastReadSetupMem:TArray<System.Byte>
007D85F2 mov eax,dword ptr [ebp-8]
007D85F5 mov eax,dword ptr [eax+50];TBLHeliInterfaceManager.FUniSerialInterf:TUniSerialInterface
# Not sure what port this is, possibly 4way-if
007D85F8 call TUniSerialInterface.Send_cmd_DeviceReadBLHeliSetupSection
007D85FD mov byte ptr [ebp-9],al
007D8600> jmp 007D8632
# Dynamic debugging in OllyDbg shows execution reaches here, i.e. the read goes through the BLB type
007D8602 mov eax,dword ptr [ebp-8]
007D8605 lea edx,[eax+32C];TBLHeliInterfaceManager.FLastReadSetupMem:TArray<System.Byte>
007D860B mov eax,dword ptr [ebp-8]
007D860E mov eax,dword ptr [eax+48];TBLHeliInterfaceManager.FBLBInterf:TBLBInterface
# Since the log shows my ESC as "BLB Connect to ESC", the call below should be the one taken
# BLB here really just refers to the ESC type, corresponding to the BetaFlight/CleanFlight style of implementation; this is in fact the usual way
007D8611 call TBLBInterface.Send_cmd_DeviceReadBLHeliSetupSection
# OllyDbg shows that once Send_cmd_DeviceReadBLHeliSetupSection finishes, the 256 bytes have been read, so that is what to follow
007D8616 mov byte ptr [ebp-9],al
# 1. Jump
007D8619> jmp 007D8632
007D861B mov eax,dword ptr [ebp-8]
007D861E lea edx,[eax+32C];TBLHeliInterfaceManager.FLastReadSetupMem:TArray<System.Byte>
007D8624 mov eax,dword ptr [ebp-8]
007D8627 mov eax,dword ptr [eax+4C];TBLHeliInterfaceManager.FCfIntf:TFlightCtrlIntf
# This last one, FlightCtrl, is probably the interface that controls the ESC directly
007D862A call TFlightCtrlIntf.Send_cmd_DeviceReadBLHeliSetupSection
007D862F mov byte ptr [ebp-9],al
# 1. Continue
007D8632 cmp byte ptr [ebp-9],0
007D8636> je 007D878B
007D863C mov eax,dword ptr [ebp-8]
# Get the bootloader revision
007D863F call TBLHeliInterfaceManager.DeviceBootloaderRev
007D8644 push eax
007D8645 mov eax,dword ptr [ebp-8]
007D8648 call TBLHeliInterfaceManager.BLHeliStored
007D864D pop edx
007D864E mov byte ptr [eax+0D3],dl;TBLHeli.FBootloaderRev:byte
007D8654 mov eax,dword ptr [ebp-8]
007D8657 call TBLHeliInterfaceManager.BLHeliStored
007D865C mov edx,dword ptr [ebp-8]
# Reads the configuration memory directly here
007D865F mov edx,dword ptr [edx+32C];TBLHeliInterfaceManager.FLastReadSetupMem:TArray<System.Byte>
007D8665 mov ecx,ebx
# Key
007D8667 call TBLHeli.ReadSetupFromBinString
007D866C cmp al,4
007D866E> jae 007D87AD
007D8674 mov eax,dword ptr [ebp-8]
007D8677 call TBLHeliInterfaceManager.BLHeliStored
007D867C call 006E7228
007D8681 test al,al
007D8683> jne 007D86C6
007D8685 mov eax,dword ptr [ebp-8]
007D8688 call TBLHeliInterfaceManager.BLHeliStored
007D868D call 006E7280
007D8692 test al,al
007D8694> jne 007D86C6
007D8696 mov eax,dword ptr [ebp-8]
007D8699 call TBLHeliInterfaceManager.BLHeliStored
007D869E mov edx,eax
007D86A0 mov eax,dword ptr [ebp-8]
# Read the device activation status
007D86A3 call TBLHeliInterfaceManager.ReadDeviceActivationStatus
007D86A8 lea edx,[ebp-4]
007D86AB mov eax,dword ptr [ebp-8]
# Get the device UUID
007D86AE call TBLHeliInterfaceManager.ReadDeviceUUID_Str
007D86B3 mov byte ptr [ebp-9],al
007D86B6 mov eax,dword ptr [ebp-8]
007D86B9 call TBLHeliInterfaceManager.BLHeliStored
007D86BE mov edx,dword ptr [ebp-4]
007D86C1 call 006E5974
007D86C6 call 006DB734
007D86CB test al,al
007D86CD> je 007D870C
007D86CF mov eax,dword ptr [ebp-8]
007D86D2 call TBLHeliInterfaceManager.BLHeliStored
# Whether current protection is enabled
007D86D7 call TBLHeli.IsCurrentProtectionFalselyHardEnabled
007D86DC test al,al
# 2. Jump
007D86DE> je 007D870C
007D86E0 mov eax,7D8850;'ESC '
007D86E5 call 006DBFA0
007D86EA mov eax,dword ptr [ebp-8]
007D86ED call TBLHeliInterfaceManager.BLHeliStored
007D86F2 lea edx,[ebp-10]
007D86F5 call 006E64CC
007D86FA mov eax,dword ptr [ebp-10]
007D86FD call 006DBFF0
007D8702 mov eax,7D8868;' with falsely indicating current sensor firmware.'
007D8707 call 006DC004
# 2. Continue
007D870C mov eax,dword ptr [ebp-8]
007D870F call TBLHeliInterfaceManager.BLHeliStored
007D8714 call 006E7280
007D8719 test al,al
007D871B> jne 007D87AD
007D8721 mov eax,dword ptr [ebp-8]
007D8724 call TBLHeliInterfaceManager.BLHeliStored
007D8729 call 006E71A8
007D872E test al,al
007D8730> jne 007D87AD
007D8732 mov eax,dword ptr [ebp-8]
007D8735 call TBLHeliInterfaceManager.BLHeliStored
007D873A call 006E724C
007D873F test al,al
007D8741> jne 007D87AD
007D8743 mov eax,dword ptr [ebp-8]
007D8746 call TBLHeliInterfaceManager.BLHeliStored
007D874B call 006E7228
007D8750 test al,al
007D8752> jne 007D87AD
007D8754 mov eax,dword ptr [ebp-8]
007D8757 call TBLHeliInterfaceManager.BLHeliStored
007D875C call 006E9304
007D8761 test al,al
007D8763> jne 007D87AD
007D8765 mov eax,dword ptr [ebp-8]
# Analyze the ESC master/slave data
007D8768 call TBLHeliInterfaceManager.AnalyzeESCMasterSlaveData
007D876D mov eax,dword ptr [ebp-8]
007D8770 movzx eax,byte ptr [eax+54];TBLHeliInterfaceManager.FCurrentESCNum:byte
007D8774 lea eax,[eax+eax*8]
007D8777 mov edx,dword ptr [ebp-8]
007D877A cmp byte ptr [edx+eax*4+44],0
007D877F> jne 007D87AD
007D8781 mov edx,dword ptr [ebp-8]
007D8784 mov byte ptr [edx+eax*4+48],1
# 3. Jump
007D8789> jmp 007D87AD
007D878B mov byte ptr [ebp-9],0
007D878F mov eax,dword ptr [ebp-8]
007D8792 call TBLHeliInterfaceManager.BLHeliStored
007D8797 call TBLHeli.Invalidate
007D879C mov eax,dword ptr [ebp-8]
007D879F call TBLHeliInterfaceManager.BLHeliStored
007D87A4 xor ecx,ecx
007D87A6 xor edx,edx
007D87A8 call TBLHeli.ReadSetupFromBinString
# 3. Continue
007D87AD xor eax,eax
007D87AF pop edx
007D87B0 pop ecx
007D87B1 pop ecx
007D87B2 mov dword ptr fs:[eax],edx
007D87B5 push 7D87DE
007D87BA call 006DB734
007D87BF test al,al
007D87C1> je 007D87D6
007D87C3 mov eax,1
007D87C8 call 006DBF64
007D87CD movzx eax,byte ptr [ebp-9]
007D87D1 call 006DBE1C
007D87D6 ret
007D87D7> jmp @HandleFinally
007D87DC> jmp 007D87BA
007D87DE mov eax,dword ptr [ebp-8]
007D87E1 call TBLHeliInterfaceManager.UpdateMultiESCInfo
007D87E6 xor eax,eax
007D87E8 pop edx
007D87E9 pop ecx
007D87EA pop ecx
007D87EB mov dword ptr fs:[eax],edx
007D87EE push 7D880B
007D87F3 lea eax,[ebp-10]
007D87F6 call @UStrClr
007D87FB lea eax,[ebp-4]
007D87FE call @UStrClr
007D8803 ret
007D8804> jmp @HandleFinally
007D8809> jmp 007D87F3
007D880B movzx eax,byte ptr [ebp-9]
007D880F pop ebx
007D8810 mov esp,ebp
007D8812 pop ebp
007D8813 ret
Send_cmd_DeviceReadBLHeliSetupSection
_Unit108.TBLBInterface.Send_cmd_DeviceReadBLHeliSetupSection
00708184 push ebx
00708185 push esi
00708186 mov esi,edx
00708188 mov ebx,eax
0070818A push 100
0070818F mov eax,ebx
00708191 call 00709B08
00708196 call 006D7C34
0070819B mov ecx,eax
0070819D mov edx,esi
0070819F mov eax,ebx
# So keep following its TBLBInterface.Send_cmd_DeviceReadFlash
007081A1 call TBLBInterface.Send_cmd_DeviceReadFlash
007081A6 pop esi
007081A7 pop ebx
007081A8 ret
Send_cmd_DeviceReadFlash
Follow the BLB flash read operation.
_Unit108.TBLBInterface.Send_cmd_DeviceReadFlash
007081AC push ebp
007081AD mov ebp,esp
007081AF push ecx
007081B0 mov ecx,4
007081B5 push 0
007081B7 push 0
007081B9 dec ecx
007081BA> jne 007081B5
007081BC xchg ecx,dword ptr [ebp-4]
007081BF push ebx
007081C0 push esi
007081C1 mov esi,ecx
007081C3 mov dword ptr [ebp-8],edx
007081C6 mov dword ptr [ebp-4],eax
007081C9 mov ebx,dword ptr [ebp+8]
007081CC xor eax,eax
007081CE push ebp
007081CF push 708383
007081D4 push dword ptr fs:[eax]
007081D7 mov dword ptr fs:[eax],esp
007081DA mov eax,dword ptr [ebp-8]
007081DD mov edx,dword ptr ds:[404B48];TArray<System.Byte>
007081E3 call @DynArrayClear
007081E8 mov byte ptr [ebp-9],0
007081EC mov eax,dword ptr [ebp-4]
007081EF call 00709B68
007081F4 test al,al
007081F6> je 00708345
007081FC call 006DB734
00708201 test al,al
00708203> je 00708219
# Still matches what the log shows
00708205 mov eax,7083A4;'cmd_DeviceReadFlash:'
0070820A call 006DBF8C
0070820F mov eax,1
00708214 call 006DBF4C
00708219 xor edx,edx
0070821B push ebp
0070821C push 70833B
00708221 push dword ptr fs:[edx]
00708224 mov dword ptr fs:[edx],esp
00708227 mov eax,dword ptr [ebp-4]
0070822A call 00709C84
0070822F lea eax,[ebp-10]
00708232 push eax
00708233 mov eax,dword ptr [ebp-4]
00708236 mov eax,dword ptr [eax+40];TBLBInterface.FBootloader:TBootloader
00708239 mov ecx,ebx
0070823B mov edx,esi
# The flash read mainly happens here
0070823D call TBootloader.ReadFlash
00708242 mov edx,dword ptr [ebp-10]
00708245 mov eax,dword ptr [ebp-8]
00708248 mov ecx,dword ptr ds:[404B48];TArray<System.Byte>
0070824E call @DynArrayAsg
00708253 mov eax,dword ptr [ebp-4]
00708256 call 00709C6C
0070825B mov eax,dword ptr [ebp-8]
0070825E mov eax,dword ptr [eax]
00708260 test eax,eax
00708262> je 00708269
00708264 sub eax,4
00708267 mov eax,dword ptr [eax]
00708269 movzx edx,bx
0070826C cmp eax,edx
0070826E sete byte ptr [ebp-9]
00708272 xor eax,eax
00708274 pop edx
00708275 pop ecx
00708276 pop ecx
00708277 mov dword ptr fs:[eax],edx
0070827A push 70835A
0070827F call 006DB734
00708284 test al,al
00708286> je 0070833A
0070828C mov eax,[0084158C];^gvar_0085C668
00708291 cmp dword ptr [eax],1
# 1. Jump here
00708294> jle 007082E5
00708296 mov eax,dword ptr [ebp-4]
00708299 mov eax,dword ptr [eax+40];TBLBInterface.FBootloader:TBootloader
0070829C call TBootloader.AllowLog
007082A1 test al,al
007082A3> je 007082E5
007082A5 push 7083DC;'"'
007082AA lea edx,[ebp-18]
007082AD mov eax,dword ptr [ebp-8]
007082B0 mov eax,dword ptr [eax]
007082B2 call 006D5B9C
007082B7 push dword ptr [ebp-18]
007082BA push 7083DC;'"'
007082BF lea eax,[ebp-14]
007082C2 mov edx,3
007082C7 call @UStrCatN
007082CC mov eax,dword ptr [ebp-14]
007082CF call 006DBFDC
007082D4 mov eax,dword ptr [ebp-8]
007082D7 mov eax,dword ptr [eax]
007082D9 mov ecx,800
007082DE mov dl,1
007082E0 call 006DC174
# 1. Continue here
007082E5 mov eax,1
007082EA call 006DBF64
007082EF mov ebx,dword ptr [ebp-8]
007082F2 mov ebx,dword ptr [ebx]
007082F4 test ebx,ebx
007082F6> je 007082FD
007082F8 sub ebx,4
007082FB mov ebx,dword ptr [ebx]
007082FD push 7083EC;'('
00708302 lea edx,[ebp-20]
00708305 mov eax,ebx
00708307 call IntToStr
0070830C push dword ptr [ebp-20]
0070830F push 7083FC;' Bytes)'
00708314 lea eax,[ebp-1C]
00708317 mov edx,3
0070831C call @UStrCatN
00708321 mov eax,dword ptr [ebp-1C]
00708324 or ecx,0FFFFFFFF
00708327 mov edx,0FF0000
0070832C call 006DBD18
00708331 movzx eax,byte ptr [ebp-9]
00708335 call 006DBE1C
0070833A ret
0070833B> jmp @HandleFinally
00708340> jmp 0070827F
00708345 lea edx,[ebp-24]
00708348 mov eax,708418;'Bootloader version does not support reading of flash memory!'
0070834D call 006D5894
00708352 mov eax,dword ptr [ebp-24]
00708355 call 006DF5E4
0070835A xor eax,eax
0070835C pop edx
0070835D pop ecx
0070835E pop ecx
0070835F mov dword ptr fs:[eax],edx
00708362 push 70838A
00708367 lea eax,[ebp-24]
0070836A mov edx,5
0070836F call @UStrArrayClr
00708374 lea eax,[ebp-10]
00708377 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
0070837D call @DynArrayClear
00708382 ret
00708383> jmp @HandleFinally
00708388> jmp 00708367
0070838A movzx eax,byte ptr [ebp-9]
0070838E pop esi
0070838F pop ebx
00708390 mov esp,ebp
00708392 pop ebp
00708393 ret 4
ReadFlash
TBootloader.ReadFlash: next comes the actual flash read operation.
_Unit108.TBootloader.ReadFlash
00702C04 push ebp
00702C05 mov ebp,esp
00702C07 add esp,0FFFFFFC4
00702C0A push ebx
00702C0B push esi
00702C0C push edi
00702C0D xor ebx,ebx
00702C0F mov dword ptr [ebp-30],ebx
00702C12 mov dword ptr [ebp-3C],ebx
00702C15 mov dword ptr [ebp-2C],ebx
00702C18 mov dword ptr [ebp-24],ebx
00702C1B mov dword ptr [ebp-28],ebx
00702C1E mov dword ptr [ebp-20],ebx
00702C21 mov dword ptr [ebp-4],ebx
00702C24 mov esi,ecx
00702C26 mov ebx,edx
00702C28 mov dword ptr [ebp-8],eax
00702C2B xor eax,eax
00702C2D push ebp
00702C2E push 702EB0
00702C33 push dword ptr fs:[eax]
00702C36 mov dword ptr fs:[eax],esp
00702C39 mov eax,dword ptr [ebp+8]
00702C3C mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00702C42 call @DynArrayClear
00702C47 mov eax,dword ptr [ebp-8]
00702C4A call 00703D94
00702C4F test al,al
00702C51> je 00702E69
00702C57 mov dword ptr [ebp-14],100
00702C5E mov eax,dword ptr [ebp-8]
00702C61 call 007040E8
00702C66 movzx eax,si
00702C69 mov dword ptr [ebp-10],eax
00702C6C cmp dword ptr [ebp-10],0
00702C70> jne 00702C7B
00702C72 mov eax,dword ptr [ebp-8]
00702C75 mov eax,dword ptr [eax+70];TBootloader.FDeviceInfo:TDeviceInfo
00702C78 mov dword ptr [ebp-10],eax
00702C7B push 0
00702C7D push 0
00702C7F push 1
00702C81 cmp dword ptr [ebp-10],100
00702C88 setg dl
00702C8B xor ecx,ecx
00702C8D mov eax,dword ptr [ebp-10]
00702C90 call 006F5090
00702C95 mov byte ptr [ebp-15],al
00702C98 xor eax,eax
00702C9A mov dword ptr [ebp-0C],eax
00702C9D xor eax,eax
00702C9F push ebp
00702CA0 push 702E62
00702CA5 push dword ptr fs:[eax]
00702CA8 mov dword ptr fs:[eax],esp
00702CAB lea edx,[ebp-20]
00702CAE mov eax,702ECC;'Reading Flash...'
00702CB3 call 006D5894
00702CB8 mov eax,dword ptr [ebp-20]
00702CBB call 006F5154
00702CC0 mov word ptr [ebp-18],bx
00702CC4 mov edi,dword ptr [ebp-10]
00702CC7 cmp edi,dword ptr [ebp-14]
00702CCA> jle 00702CCF
00702CCC mov edi,dword ptr [ebp-14]
00702CCF cmp edi,100
00702CD5> jne 00702CDB
00702CD7 xor ebx,ebx
00702CD9> jmp 00702CDD
00702CDB mov ebx,edi
00702CDD xor esi,esi
00702CDF xor eax,eax
00702CE1 mov dword ptr [ebp-0C],eax
00702CE4 movzx edx,word ptr [ebp-18]
00702CE8 mov eax,dword ptr [ebp-8]
# Set the address
00702CEB call TBootloader.SendCMDSetAddress
00702CF0 test al,al
00702CF2> je 00702D8A
00702CF8 mov edx,ebx
00702CFA mov eax,dword ptr [ebp-8]
# Start reading
00702CFD call TBootloader.SendCMDFlashRead
00702D02 test al,al
00702D04> je 00702D8A
00702D0A push 1
00702D0C lea ecx,[edi+3]
00702D0F lea edx,[ebp-4]
00702D12 mov eax,dword ptr [ebp-8]
# Check for an ACK; I missed this before, but it is actually very important
00702D15 call TBootloader.CheckStrACK
00702D1A test al,al
00702D1C> je 00702D8A
00702D1E inc dword ptr [ebp-0C]
00702D21 call 006DB734
00702D26 test al,al
00702D28> je 00702DA6
00702D2A mov eax,dword ptr [ebp-4]
00702D2D mov dword ptr [ebp-1C],eax
00702D30 cmp dword ptr [ebp-1C],0
00702D34> je 00702D41
00702D36 mov eax,dword ptr [ebp-1C]
00702D39 sub eax,4
00702D3C mov eax,dword ptr [eax]
00702D3E mov dword ptr [ebp-1C],eax
# Should be the log showing how many bytes were read
00702D41 push 702EFC;'('
00702D46 lea edx,[ebp-28]
00702D49 mov eax,dword ptr [ebp-1C]
00702D4C call IntToStr
00702D51 push dword ptr [ebp-28]
00702D54 push 702F0C;' Bytes)'
00702D59 lea eax,[ebp-24]
00702D5C mov edx,3
00702D61 call @UStrCatN
00702D66 mov eax,dword ptr [ebp-24]
00702D69 or ecx,0FFFFFFFF
00702D6C mov edx,0FF0000
00702D71 call 006DBD18
00702D76 or ecx,0FFFFFFFF
00702D79 mov edx,8000
# Still the log, showing OK
00702D7E mov eax,702F28;'OK'
00702D83 call 006DBD18
# 1. Jump here
00702D88> jmp 00702DA6
00702D8A inc esi
00702D8B call 006DB734
00702D90 test al,al
00702D92> je 00702DA6
00702D94 or ecx,0FFFFFFFF
00702D97 mov edx,0FF
00702D9C mov eax,702F3C;'FAILED'
00702DA1 call 006DBD18
# 1. Continue here
00702DA6 cmp dword ptr [ebp-0C],0
00702DAA> jg 00702DB5
00702DAC cmp esi,3
00702DAF> jle 00702CE4
00702DB5 cmp dword ptr [ebp-0C],0
00702DB9> jle 00702DEA
00702DBB lea ecx,[ebp-2C]
00702DBE mov eax,dword ptr [ebp+8]
00702DC1 mov eax,dword ptr [eax]
00702DC3 mov edx,dword ptr [ebp-4]
00702DC6 call 006D5954
00702DCB mov edx,dword ptr [ebp-2C]
00702DCE mov eax,dword ptr [ebp+8]
00702DD1 mov ecx,dword ptr ds:[404B48];TArray<System.Byte>
00702DD7 call @DynArrayAsg
00702DDC add word ptr [ebp-18],di
00702DE0 sub dword ptr [ebp-10],edi
00702DE3 mov eax,edi
00702DE5 call 006F50FC
00702DEA cmp dword ptr [ebp-10],0
00702DEE> je 00702DFA
00702DF0 cmp dword ptr [ebp-0C],1
00702DF4> jge 00702CC4
00702DFA xor eax,eax
00702DFC pop edx
00702DFD pop ecx
00702DFE pop ecx
00702DFF mov dword ptr fs:[eax],edx
00702E02 push 702E69
00702E07 movzx eax,byte ptr [ebp-15]
00702E0B call 006F5204
00702E10 cmp dword ptr [ebp-10],0
00702E14> jne 00702E1C
00702E16 cmp dword ptr [ebp-0C],1
# 2. Jump here
00702E1A> jge 00702E59
00702E1C lea eax,[ebp-30]
00702E1F push eax
00702E20 lea eax,[ebp-3C]
00702E23 push eax
00702E24 mov eax,dword ptr [ebp-8]
00702E27 movzx edx,byte ptr [eax+0A1];TBootloader.FLastACK:byte
00702E2E mov cl,1
00702E30 mov eax,dword ptr [ebp-8]
00702E33 call 00705B90
00702E38 mov eax,dword ptr [ebp-3C]
00702E3B mov dword ptr [ebp-38],eax
00702E3E mov byte ptr [ebp-34],11
00702E42 lea edx,[ebp-38]
00702E45 xor ecx,ecx
00702E47 mov eax,702F58;'Error reading from Flash!\n(%s)'
00702E4C call 006D5800
00702E51 mov eax,dword ptr [ebp-30]
00702E54 call 006DF680
# 2. Continue here
00702E59 mov eax,dword ptr [ebp-8]
00702E5C call 00704114
00702E61 ret
00702E62> jmp @HandleFinally
00702E67> jmp 00702E07
00702E69 xor eax,eax
00702E6B pop edx
00702E6C pop ecx
00702E6D pop ecx
00702E6E mov dword ptr fs:[eax],edx
00702E71 push 702EB7
00702E76 lea eax,[ebp-3C]
00702E79 call @UStrClr
00702E7E lea eax,[ebp-30]
00702E81 call @UStrClr
00702E86 lea eax,[ebp-2C]
00702E89 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00702E8F call @DynArrayClear
00702E94 lea eax,[ebp-28]
00702E97 mov edx,3
00702E9C call @UStrArrayClr
00702EA1 lea eax,[ebp-4]
00702EA4 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00702EAA call @DynArrayClear
00702EAF ret
00702EB0> jmp @HandleFinally
00702EB5> jmp 00702E76
00702EB7 pop edi
00702EB8 pop esi
00702EB9 pop ebx
00702EBA mov esp,ebp
00702EBC pop ebp
00702EBD ret 4
SendCMDSetAddress
Keep following.
_Unit108.TBootloader.SendCMDSetAddress
00705A44 push ebp
00705A45 mov ebp,esp
00705A47 xor ecx,ecx
00705A49 push ecx
00705A4A push ecx
00705A4B push ecx
00705A4C push ecx
00705A4D push ecx
00705A4E push ebx
00705A4F push esi
00705A50 mov esi,edx
00705A52 mov ebx,eax
00705A54 xor eax,eax
00705A56 push ebp
00705A57 push 705B54
00705A5C push dword ptr fs:[eax]
00705A5F mov dword ptr fs:[eax],esp
00705A62 call 006DB734
00705A67 test al,al
00705A69> je 00705ABA
00705A6B lea ecx,[ebp-4]
00705A6E mov dl,0FF
00705A70 mov eax,ebx
00705A72 call 0070608C
00705A77 mov eax,dword ptr [ebp-4]
00705A7A call 006DC040
# Building a string here to show what address was set
00705A7F push 705B70;' ($'
00705A84 lea ecx,[ebp-0C]
00705A87 mov edx,4
00705A8C mov eax,esi
00705A8E call IntToHex
00705A93 push dword ptr [ebp-0C]
00705A96 push 705B84;') : '
00705A9B lea eax,[ebp-8]
00705A9E mov edx,3
00705AA3 call @UStrCatN
00705AA8 mov eax,dword ptr [ebp-8]
00705AAB call 006DC004
00705AB0 mov eax,1
00705AB5 call 006DBF4C
00705ABA mov byte ptr [ebx+0B4],0FF;TBootloader.FLastCMD:byte
00705AC1 movzx eax,byte ptr [ebx+0B4];TBootloader.FLastCMD:byte
00705AC8 mov byte ptr [ebp-14],al
00705ACB mov eax,esi
00705ACD shr eax,10
00705AD0 mov byte ptr [ebp-13],al
00705AD3 mov eax,esi
00705AD5 shr eax,8
00705AD8 mov byte ptr [ebp-12],al
00705ADB mov eax,esi
00705ADD mov byte ptr [ebp-11],al
00705AE0 lea eax,[ebp-14]
00705AE3 lea ecx,[ebp-10]
00705AE6 mov edx,3
00705AEB call 006D59C4
00705AF0 mov edx,dword ptr [ebp-10]
00705AF3 mov eax,ebx
# Send with CRC
00705AF5 call TBootloader.SendStrCRC
00705AFA test al,al
00705AFC> je 00705B09
00705AFE mov eax,ebx
# Wait for ACK
00705B00 call TBootloader.CheckAck
00705B05 test al,al
00705B07> jne 00705B0D
00705B09 xor eax,eax
00705B0B> jmp 00705B0F
00705B0D mov al,1
00705B0F mov ebx,eax
00705B11 call 006DB734
00705B16 test al,al
00705B18> je 00705B2B
00705B1A mov eax,1
00705B1F call 006DBF64
00705B24 mov eax,ebx
00705B26 call 006DBE1C
00705B2B xor eax,eax
00705B2D pop edx
00705B2E pop ecx
00705B2F pop ecx
00705B30 mov dword ptr fs:[eax],edx
00705B33 push 705B5B
00705B38 lea eax,[ebp-10]
00705B3B mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00705B41 call @DynArrayClear
00705B46 lea eax,[ebp-0C]
00705B49 mov edx,3
00705B4E call @UStrArrayClr
00705B53 ret
00705B54> jmp @HandleFinally
00705B59> jmp 00705B38
00705B5B mov eax,ebx
00705B5D pop esi
00705B5E pop ebx
00705B5F mov esp,ebp
00705B61 pop ebp
00705B62 ret
SendCMDFlashRead
Flash read
_Unit108.TBootloader.SendCMDFlashRead
007051BC push ebx
007051BD xor ecx,ecx
007051BF movzx ebx,byte ptr [eax+0DC];TBootloader.FDeviceBrand:TFirmwareBrand
007051C6 cmp bl,3
007051C9> jne 007051D8
007051CB mov ecx,edx
007051CD mov dl,3
# Send the read command first; this decides, from the passed-in parameters, how to call the parameter-sending command
# OllyDbg dynamic debugging shows the call actually taken is the first TBootloader.SendCMD_Param
007051CF call TBootloader.SendCMD_Param
007051D4 mov ecx,eax
007051D6> jmp 007051FA
007051D8 cmp bl,1
007051DB> jne 007051EA
007051DD mov ecx,edx
007051DF mov dl,3
007051E1 call TBootloader.SendCMD_Param
007051E6 mov ecx,eax
007051E8> jmp 007051FA
007051EA cmp bl,2
007051ED> jne 007051FA
007051EF mov ecx,edx
007051F1 mov dl,7
007051F3 call TBootloader.SendCMD_Param
007051F8 mov ecx,eax
007051FA mov eax,ecx
007051FC pop ebx
007051FD ret
SendCMD_Param
_Unit108.TBootloader.SendCMD_Param
00704D80 push ebp
00704D81 mov ebp,esp
00704D83 push 0
00704D85 push 0
00704D87 push 0
00704D89 push 0
00704D8B push 0
00704D8D push 0
00704D8F push 0
00704D91 push ebx
00704D92 push esi
00704D93 push edi
00704D94 mov ebx,ecx
00704D96 mov byte ptr [ebp-5],dl
00704D99 mov dword ptr [ebp-4],eax
00704D9C xor eax,eax
00704D9E push ebp
00704D9F push 704F66
00704DA4 push dword ptr fs:[eax]
00704DA7 mov dword ptr fs:[eax],esp
00704DAA call 006DB734
00704DAF test al,al
00704DB1> je 00704E06
00704DB3 lea ecx,[ebp-0C]
00704DB6 movzx edx,byte ptr [ebp-5]
00704DBA mov eax,dword ptr [ebp-4]
00704DBD call 0070608C
00704DC2 mov eax,dword ptr [ebp-0C]
00704DC5 call 006DC040
# Building the address string here
00704DCA push 704F84;'[$'
00704DCF lea ecx,[ebp-14]
00704DD2 movzx eax,bl
00704DD5 mov edx,2
00704DDA call IntToHex
00704DDF push dword ptr [ebp-14]
00704DE2 push 704F98;']'
00704DE7 lea eax,[ebp-10]
00704DEA mov edx,3
00704DEF call @UStrCatN
00704DF4 mov eax,dword ptr [ebp-10]
00704DF7 call 006DC054
00704DFC mov eax,1
00704E01 call 006DBF4C
00704E06 xor eax,eax
00704E08 push ebp
00704E09 push 704E61
00704E0E push dword ptr fs:[eax]
00704E11 mov dword ptr fs:[eax],esp
00704E14 mov eax,dword ptr [ebp-4]
00704E17 movzx edx,byte ptr [ebp-5]
00704E1B mov byte ptr [eax+0B4],dl;TBootloader.FLastCMD:byte
00704E21 mov eax,dword ptr [ebp-4]
00704E24 mov byte ptr [eax+0B5],bl;TBootloader.FLastCMDParam:Byte
00704E2A lea ecx,[ebp-18]
00704E2D mov eax,dword ptr [ebp-4]
00704E30 movzx eax,byte ptr [eax+0B4];TBootloader.FLastCMD:byte
00704E37 mov byte ptr [ebp-1C],al
00704E3A mov byte ptr [ebp-1B],bl
00704E3D lea eax,[ebp-1C]
00704E40 mov edx,1
00704E45 call 006D59C4
00704E4A mov edx,dword ptr [ebp-18]
00704E4D mov eax,dword ptr [ebp-4]
# send with CRC
00704E50 call TBootloader.SendStrCRC
00704E55 mov ebx,eax
00704E57 xor eax,eax
00704E59 pop edx
00704E5A pop ecx
00704E5B pop ecx
00704E5C mov dword ptr fs:[eax],edx
# 1. jump
00704E5F> jmp 00704E6D
00704E61> jmp @HandleAnyException
00704E66 xor ebx,ebx
00704E68 call @DoneExcept
# 1. continue
00704E6D test bl,bl
# 2. jump
00704E6F> jne 00704E9F
00704E71 call 006DB734
00704E76 test al,al
00704E78> je 00704F3D
00704E7E mov eax,1
00704E83 call 006DBF64
00704E88 or ecx,0FFFFFFFF
00704E8B mov edx,0FF
00704E90 mov eax,704FA8;'FAILED'
00704E95 call 006DBD18
00704E9A> jmp 00704F3D
# 2. continue
00704E9F movzx edx,byte ptr [ebp-5]
00704EA3 mov eax,dword ptr [ebp-4]
# here it apparently decides by command whether an ACK is needed; some commands do not wait for an ACK
00704EA6 call TBootloader.CMDNeedsNoACK
00704EAB test al,al
# 3. jump
00704EAD> je 00704EDA
00704EAF call 006DB734
00704EB4 test al,al
00704EB6> je 00704F3D
00704EBC mov eax,1
00704EC1 call 006DBF64
00704EC6 or ecx,0FFFFFFFF
00704EC9 mov edx,8000
00704ECE mov eax,704FC4;'OK'
00704ED3 call 006DBD18
00704ED8> jmp 00704F3D
# 3. continue
00704EDA movzx edx,byte ptr [ebp-5]
00704EDE mov eax,dword ptr [ebp-4]
00704EE1 call TBootloader.CMDNeedsSimpleACK
00704EE6 test al,al
# 4. jump
00704EE8> je 00704F33
00704EEA mov eax,dword ptr [ebp-4]
# commands that need an ACK are checked here
00704EED call TBootloader.CheckAck
00704EF2 mov ebx,eax
00704EF4 call 006DB734
00704EF9 test al,al
00704EFB> je 00704F3D
00704EFD mov eax,1
00704F02 call 006DBF64
00704F07 test bl,bl
00704F09> je 00704F1F
00704F0B or ecx,0FFFFFFFF
00704F0E mov edx,8000
00704F13 mov eax,704FC4;'OK'
00704F18 call 006DBD18
00704F1D> jmp 00704F3D
00704F1F or ecx,0FFFFFFFF
00704F22 mov edx,0FF
00704F27 mov eax,704FA8;'FAILED'
00704F2C call 006DBD18
00704F31> jmp 00704F3D
# 4. continue
00704F33 mov eax,1
00704F38 call 006DBF64
00704F3D xor eax,eax
00704F3F pop edx
00704F40 pop ecx
00704F41 pop ecx
00704F42 mov dword ptr fs:[eax],edx
00704F45 push 704F6D
00704F4A lea eax,[ebp-18]
00704F4D mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00704F53 call @DynArrayClear
00704F58 lea eax,[ebp-14]
00704F5B mov edx,3
00704F60 call @UStrArrayClr
00704F65 ret
00704F66> jmp @HandleFinally
00704F6B> jmp 00704F4A
00704F6D mov eax,ebx
00704F6F pop edi
00704F70 pop esi
00704F71 pop ebx
00704F72 mov esp,ebp
00704F74 pop ebp
00704F75 ret
SendStrCRC
_Unit108.TBootloader.SendStrCRC
0070673C push ebp
0070673D mov ebp,esp
0070673F push ecx
00706740 push ebx
00706741 mov dword ptr [ebp-4],edx
00706744 mov ebx,eax
00706746 mov eax,dword ptr [ebp-4]
00706749 call @DynArrayAddRef
0070674E xor eax,eax
00706750 push ebp
00706751 push 706786
00706756 push dword ptr fs:[eax]
00706759 mov dword ptr fs:[eax],esp
0070675C mov cl,1
0070675E mov edx,dword ptr [ebp-4]
00706761 mov eax,ebx
00706763 call TBootloader.SendStr
00706768 mov ebx,eax
0070676A xor eax,eax
0070676C pop edx
0070676D pop ecx
0070676E pop ecx
0070676F mov dword ptr fs:[eax],edx
00706772 push 70678D
00706777 lea eax,[ebp-4]
0070677A mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00706780 call @DynArrayClear
00706785 ret
00706786> jmp @HandleFinally
0070678B> jmp 00706777
0070678D mov eax,ebx
0070678F pop ebx
00706790 pop ecx
00706791 pop ebp
00706792 ret
SendStr
_Unit108.TBootloader.SendStr
00706794 push ebp
00706795 mov ebp,esp
00706797 push ecx
00706798 mov ecx,6
0070679D push 0
0070679F push 0
007067A1 dec ecx
007067A2> jne 0070679D
007067A4 xchg ecx,dword ptr [ebp-4]
007067A7 push ebx
007067A8 push esi
007067A9 push edi
007067AA mov byte ptr [ebp-0D],cl
007067AD mov dword ptr [ebp-4],edx
007067B0 mov esi,eax
007067B2 mov eax,dword ptr [ebp-4]
007067B5 call @DynArrayAddRef
007067BA xor eax,eax
007067BC push ebp
007067BD push 706C8A
007067C2 push dword ptr fs:[eax]
007067C5 mov dword ptr fs:[eax],esp
007067C8 xor ebx,ebx
007067CA mov eax,dword ptr [ebp-4]
007067CD test eax,eax
007067CF> je 007067D6
007067D1 sub eax,4
007067D4 mov eax,dword ptr [eax]
007067D6 test eax,eax
007067D8> jle 00706C2B
007067DE cmp byte ptr [esi+0E4],0;TBootloader.FFVTLinkerMode:Boolean
007067E5> je 007067F6
007067E7 mov eax,dword ptr [esi+0E0];TBootloader.FLinker:TFVT_USBLinker
007067ED call 006EF740
007067F2 test al,al
007067F4> jne 00706813
007067F6 cmp byte ptr [esi+0E4],0;TBootloader.FFVTLinkerMode:Boolean
007067FD> jne 00706C2B
00706803 mov eax,dword ptr [esi+48];TBootloader.FComPort:TSerialPort
00706806 call 006FE934
0070680B test al,al
0070680D> je 00706C2B
00706813 cmp byte ptr [esi+0B4],0FD;TBootloader.FLastCMD:byte
0070681A> je 00706823
0070681C mov eax,esi
0070681E call 00704198
00706823 call 006DB734
00706828 test al,al
0070682A> je 0070685B
0070682C push 706CA8;'>'
00706831 push dword ptr [esi+0E8];TBootloader.FInfName:string
00706837 push 706CB8;': '
0070683C lea eax,[ebp-14]
0070683F mov edx,3
00706844 call @UStrCatN
00706849 mov eax,dword ptr [ebp-14]
0070684C call 006DC004
00706851 mov eax,1
00706856 call 006DBF4C
0070685B cmp byte ptr [esi+0E4],0;TBootloader.FFVTLinkerMode:Boolean
00706862> jne 0070686C
00706864 mov eax,dword ptr [esi+48];TBootloader.FComPort:TSerialPort
00706867 call TSerialPort.Clear
0070686C cmp byte ptr [ebp-0D],0
00706870> je 007068B8
00706872 mov edx,dword ptr [ebp-4]
00706875 mov eax,esi
00706877 call TBootloader.StringCrc
0070687C mov ebx,eax
0070687E mov word ptr [esi+0BC],bx;TBootloader.LastOutCRC:word
00706885 movzx eax,byte ptr [esi+0BC];TBootloader.LastOutCRC:word
0070688C and al,0FF
0070688E mov byte ptr [ebp-18],al
00706891 shr bx,8
00706895 mov byte ptr [ebp-17],bl
00706898 lea eax,[ebp-18]
0070689B lea ecx,[ebp-0C]
0070689E mov edx,1
007068A3 call 006D59C4
007068A8 lea ecx,[ebp-8]
007068AB mov edx,dword ptr [ebp-0C]
007068AE mov eax,dword ptr [ebp-4]
007068B1 call 006D5954
007068B6> jmp 007068C9
007068B8 lea eax,[ebp-8]
007068BB mov edx,dword ptr [ebp-4]
007068BE mov ecx,dword ptr ds:[404B48];TArray<System.Byte>
007068C4 call @DynArrayAsg
007068C9 cmp byte ptr [esi+0E4],0;TBootloader.FFVTLinkerMode:Boolean
007068D0> je 0070691E
007068D2 mov eax,dword ptr [ebp-8]
007068D5 test eax,eax
007068D7> je 007068DE
007068D9 sub eax,4
007068DC mov eax,dword ptr [eax]
007068DE mov edx,dword ptr [esi+0E0];TBootloader.FLinker:TFVT_USBLinker
007068E4 mov ecx,eax
007068E6 mov eax,dword ptr [ebp-8]
007068E9 xchg eax,edx
007068EA call TFVT_USBLinker.Write
007068EF mov edx,eax
007068F1 mov eax,dword ptr [ebp-8]
007068F4 test eax,eax
007068F6> je 007068FD
007068F8 sub eax,4
007068FB mov eax,dword ptr [eax]
007068FD cmp eax,edx
007068FF sete bl
00706902 test bl,bl
00706904> je 00706912
00706906 mov byte ptr [esi+0A1],30;TBootloader.FLastACK:byte
0070690D> jmp 00706A37
00706912 mov byte ptr [esi+0A1],0C7;TBootloader.FLastACK:byte
00706919> jmp 00706A37
0070691E mov eax,dword ptr [esi+48];TBootloader.FComPort:TSerialPort
# jumps to here and starts
00706921 call TSerialPort.ClearInput
00706926 mov eax,dword ptr [esi+48];TBootloader.FComPort:TSerialPort
00706929 mov edx,dword ptr [ebp-8]
# here the final content with the CRC appended is sent
0070692C call TSerialPort.WriteBytes
00706931 mov ebx,eax
00706933 test bl,bl
00706935> je 00706A30
0070693B cmp byte ptr [esi+0D0],0;TBootloader.FOneWire:Boolean
00706942> je 00706A27
00706948 mov eax,esi
# get the read timeout
0070694A call TBootloader.GetReadTimeOut
0070694F mov edi,eax
00706951 mov eax,dword ptr [ebp-8]
00706954 test eax,eax
00706956> je 0070695D
00706958 sub eax,4
0070695B mov eax,dword ptr [eax]
0070695D mov edx,eax
0070695F add edx,edx
00706961 add edx,0FA
00706967 mov eax,esi
# set the read timeout
00706969 call TBootloader.SetReadTimeOut
0070696E call 006D91CC
# this probably starts a thread or something similar to record the read start time
00706973 mov dword ptr [esi+108],eax;TBootloader.FStartTime:Int64
00706979 mov dword ptr [esi+10C],edx;TBootloader.?f10C:Integer
0070697F mov ebx,dword ptr [ebp-8]
00706982 test ebx,ebx
00706984> je 0070698B
00706986 sub ebx,4
00706989 mov ebx,dword ptr [ebx]
0070698B lea ecx,[ebp-1C]
0070698E mov edx,ebx
00706990 mov eax,esi
# start receiving serial data
00706992 call TBootloader.RecvString
00706997 mov edx,dword ptr [ebp-1C]
0070699A lea eax,[esi+100];TBootloader.FLastEcho:TArray<System.Byte>
007069A0 mov ecx,dword ptr ds:[404B48];TArray<System.Byte>
007069A6 call @DynArrayAsg
007069AB call 006DB734
007069B0 test al,al
007069B2> je 007069C5
007069B4 call 006D91CC
007069B9 mov dword ptr [esi+110],eax;TBootloader.FEndTime:Int64
007069BF mov dword ptr [esi+114],edx;TBootloader.?f114:Pointer
007069C5 mov edx,edi
007069C7 mov eax,esi
007069C9 call TBootloader.SetReadTimeOut
007069CE mov eax,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
007069D4 test eax,eax
007069D6> je 007069DD
007069D8 sub eax,4
007069DB mov eax,dword ptr [eax]
007069DD mov ecx,dword ptr [ebp-8]
007069E0 mov edx,ecx
007069E2 test edx,edx
007069E4> je 007069EB
007069E6 sub edx,4
007069E9 mov edx,dword ptr [edx]
007069EB cmp edx,eax
007069ED> jne 00706A0D
007069EF mov eax,ecx
007069F1 test eax,eax
007069F3> je 007069FA
007069F5 sub eax,4
007069F8 mov eax,dword ptr [eax]
007069FA mov edx,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
00706A00 mov ecx,eax
00706A02 mov eax,dword ptr [ebp-8]
00706A05 xchg eax,edx
00706A06 call CompareMem
00706A0B> jmp 00706A0F
00706A0D xor eax,eax
00706A0F mov ebx,eax
00706A11 test bl,bl
00706A13> jne 00706A1E
00706A15 mov byte ptr [esi+0A1],0C9;TBootloader.FLastACK:byte
00706A1C> jmp 00706A37
00706A1E mov byte ptr [esi+0A1],30;TBootloader.FLastACK:byte
00706A25> jmp 00706A37
00706A27 mov byte ptr [esi+0A1],30;TBootloader.FLastACK:byte
00706A2E> jmp 00706A37
00706A30 mov byte ptr [esi+0A1],0C7;TBootloader.FLastACK:byte
00706A37 call 006DB734
00706A3C test al,al
00706A3E> je 00706C1B
00706A44 test bl,bl
00706A46> je 00706AB3
00706A48 mov eax,706CA8;'>'
00706A4D call 006DC018
00706A52 mov eax,esi
00706A54 call TBootloader.AllowLog
00706A59 mov edx,eax
00706A5B mov ecx,800
00706A60 mov eax,dword ptr [ebp-8]
00706A63 call 006DC174
00706A68 cmp byte ptr [ebp-0D],0
00706A6C> je 00706A80
00706A6E push 0
00706A70 movzx edx,word ptr [esi+0BC];TBootloader.LastOutCRC:word
00706A77 xor ecx,ecx
00706A79 mov eax,esi
00706A7B call 00706584
00706A80 mov eax,1
00706A85 call 006DBF64
00706A8A lea eax,[ebp-20]
00706A8D push eax
00706A8E movzx edx,byte ptr [esi+0A1];TBootloader.FLastACK:byte
00706A95 mov cl,1
00706A97 mov eax,esi
00706A99 call 00705B90
00706A9E mov eax,dword ptr [ebp-20]
00706AA1 or ecx,0FFFFFFFF
00706AA4 mov edx,8000
00706AA9 call 006DBD18
00706AAE> jmp 00706C1B
00706AB3 mov eax,706CCC;'>: '
00706AB8 call 006DC018
00706ABD mov edi,dword ptr [ebp-8]
00706AC0 test edi,edi
00706AC2> je 00706AC9
00706AC4 sub edi,4
00706AC7 mov edi,dword ptr [edi]
00706AC9 lea edx,[ebp-24]
00706ACC mov eax,edi
00706ACE call IntToStr
00706AD3 mov eax,dword ptr [ebp-24]
00706AD6 call 006DBFC8
00706ADB mov eax,706CE0;' Bytes = '
00706AE0 call 006DC018
00706AE5 mov eax,esi
00706AE7 call TBootloader.AllowLog
00706AEC mov edx,eax
00706AEE mov ecx,800
00706AF3 mov eax,dword ptr [ebp-8]
00706AF6 call 006DC174
00706AFB cmp byte ptr [ebp-0D],0
00706AFF> je 00706B13
00706B01 push 0
00706B03 movzx edx,word ptr [esi+0BC];TBootloader.LastOutCRC:word
00706B0A xor ecx,ecx
00706B0C mov eax,esi
00706B0E call 00706584
00706B13 cmp byte ptr [esi+0A1],0C9;TBootloader.FLastACK:byte
00706B1A> jne 00706BED
00706B20 mov eax,706D00;'E: '
00706B25 call 006DC068
00706B2A mov eax,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
00706B30 mov edi,eax
00706B32 test edi,edi
00706B34> je 00706B3B
00706B36 sub edi,4
00706B39 mov edi,dword ptr [edi]
00706B3B lea edx,[ebp-28]
00706B3E mov eax,edi
00706B40 call IntToStr
00706B45 mov eax,dword ptr [ebp-28]
00706B48 call 006DBFC8
00706B4D mov eax,706CE0;' Bytes = '
00706B52 call 006DC018
00706B57 mov eax,esi
00706B59 call TBootloader.AllowLog
00706B5E mov edx,eax
00706B60 mov eax,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
00706B66 mov ecx,800
00706B6B call 006DC174
00706B70 cmp byte ptr [ebp-0D],0
00706B74> je 00706BB9
00706B76 mov eax,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
00706B7C mov edi,eax
00706B7E test edi,edi
00706B80> je 00706B87
00706B82 sub edi,4
00706B85 mov edi,dword ptr [edi]
00706B87 push 0
00706B89 sub edi,2
00706B8C push edi
00706B8D lea eax,[ebp-2C]
00706B90 push eax
00706B91 mov eax,dword ptr [esi+100];TBootloader.FLastEcho:TArray<System.Byte>
00706B97 xor ecx,ecx
00706B99 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00706B9F call @DynArrayCopyRange
00706BA4 mov edx,dword ptr [ebp-2C]
00706BA7 mov eax,esi
00706BA9 call TBootloader.StringCrc
00706BAE mov edx,eax
00706BB0 xor ecx,ecx
00706BB2 mov eax,esi
00706BB4 call 00706584
00706BB9 mov eax,706D14;'Time elapsed (ms): '
00706BBE call 006DBFA0
00706BC3 mov eax,dword ptr [esi+110];TBootloader.FEndTime:Int64
00706BC9 mov edx,dword ptr [esi+114];TBootloader.?f114:Pointer
00706BCF sub eax,dword ptr [esi+108]
00706BD5 sbb edx,dword ptr [esi+10C]
00706BDB push edx
00706BDC push eax
00706BDD lea eax,[ebp-30]
00706BE0 call IntToStr
00706BE5 mov eax,dword ptr [ebp-30]
00706BE8 call 006DC004
00706BED mov eax,1
00706BF2 call 006DBF64
00706BF7 lea eax,[ebp-34]
00706BFA push eax
00706BFB movzx edx,byte ptr [esi+0A1];TBootloader.FLastACK:byte
00706C02 xor ecx,ecx
00706C04 mov eax,esi
00706C06 call 00705B90
00706C0B mov eax,dword ptr [ebp-34]
00706C0E or ecx,0FFFFFFFF
00706C11 mov edx,0FF
00706C16 call 006DBD18
00706C1B cmp byte ptr [esi+0B4],0FD;TBootloader.FLastCMD:byte
# finally it ends up straight here
00706C22> je 00706C2B
00706C24 mov eax,esi
00706C26 call 00704154
00706C2B xor eax,eax
00706C2D pop edx
00706C2E pop ecx
00706C2F pop ecx
00706C30 mov dword ptr fs:[eax],edx
00706C33 push 706C91
00706C38 lea eax,[ebp-34]
00706C3B mov edx,2
00706C40 call @UStrArrayClr
00706C45 lea eax,[ebp-2C]
00706C48 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00706C4E call @DynArrayClear
00706C53 lea eax,[ebp-28]
00706C56 mov edx,3
00706C5B call @UStrArrayClr
00706C60 lea eax,[ebp-1C]
00706C63 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00706C69 call @DynArrayClear
00706C6E lea eax,[ebp-14]
00706C71 call @UStrClr
00706C76 lea eax,[ebp-0C]
00706C79 mov edx,dword ptr ds:[404B48];TArray<System.Byte>
00706C7F mov ecx,3
00706C84 call @FinalizeArray
00706C89 ret
00706C8A> jmp @HandleFinally
00706C8F> jmp 00706C38
00706C91 mov eax,ebx
00706C93 pop edi
00706C94 pop esi
00706C95 pop ebx
00706C96 mov esp,ebp
00706C98 pop ebp
00706C99 ret
I traced this for a long time and could not find the read operation for the serial port's reply; it looks as if there is one, but in fact there isn't.
Keep-alive
TBLHeliInterfaceManager.DeviceConnected is called far too frequently; my guess is that it maintains the heartbeat.
_Unit139.TBLHeliInterfaceManager.DeviceConnected
007CCCB0 xor edx,edx
007CCCB2 movzx ecx,byte ptr [eax+55];TBLHeliInterfaceManager.FESCInterfaceType:TESCInterfaceType
007CCCB6 sub cl,0C
007CCCB9> je 007CCCC5
007CCCBB dec cl
007CCCBD> je 007CCCCF
007CCCBF dec cl
007CCCC1> je 007CCCDC
007CCCC3> jmp 007CCCE6
007CCCC5 mov eax,dword ptr [eax+50];TBLHeliInterfaceManager.FUniSerialInterf:TUniSerialInterface
007CCCC8 movzx edx,byte ptr [eax+4C];TUniSerialInterface.FDeviceConnected:Boolean
007CCCCC mov eax,edx
007CCCCE ret
007CCCCF mov eax,dword ptr [eax+48];TBLHeliInterfaceManager.FBLBInterf:TBLBInterface
007CCCD2 call 00709A58
007CCCD7 mov edx,eax
007CCCD9 mov eax,edx
007CCCDB ret
007CCCDC mov eax,dword ptr [eax+4C];TBLHeliInterfaceManager.FCfIntf:TFlightCtrlIntf
007CCCDF call 007166E4
007CCCE4 mov edx,eax
007CCCE6 mov eax,edx
007CCCE8 ret
As you can see, this determines which interface is in use and then sends through that interface.
DeviceConnectionAlive is clearly the one that sends the command to keep the connection alive.
_Unit108.TBLBInterface.DeviceConnectionAlive
00709108 push ebx
00709109 push esi
0070910A mov esi,eax
0070910C mov eax,dword ptr [esi+40];TBLBInterface.FBootloader:TBootloader
0070910F call 00703D94
00709114 test al,al
00709116> je 00709132
00709118 mov eax,esi
0070911A call 00709C84
0070911F mov eax,dword ptr [esi+40];TBLBInterface.FBootloader:TBootloader
00709122 call TBootloader.SendCMDKeepAlive
00709127 mov ebx,eax
00709129 mov eax,esi
0070912B call 00709C6C
00709130> jmp 00709134
00709132 xor ebx,ebx
00709134 mov eax,ebx
00709136 pop esi
00709137 pop ebx
00709138 ret
SendCMDKeepAlive is entirely the low-level TBootloader implementation.
_Unit108.TBootloader.SendCMDKeepAlive
# push ebx onto the stack
0070559C push ebx
# ebx = eax
0070559D mov ebx,eax
# this actually reads something from memory at 85C678 into eax
0070559F call 006DB734
# test al,al computes al & al; this looks like an assertion check
007055A4 test al,al
# the jump depends on the ZF flag set by test; this jump probably exits the function
007055A6> je 007055D5
007055A8 mov eax,[0084158C];^gvar_0085C668
007055AD cmp dword ptr [eax],4
007055B0> jge 007055B7
007055B2 call 006DB87C
007055B7 xor ecx,ecx
# Here is the FD: this is the keep-alive FD00 frame. The send-parameter call below presumably computes a CRC automatically and appends the checksum at the end
007055B9 mov dl,0FD
007055BB mov eax,ebx
007055BD call TBootloader.SendCMD_Param
007055C2 mov ebx,eax
007055C4 mov eax,[0084158C];^gvar_0085C668
007055C9 cmp dword ptr [eax],4
007055CC> jge 007055E2
007055CE call 006DB89C
007055D3> jmp 007055E2
# xor ecx,ecx sets it directly to 0
007055D5 xor ecx,ecx
# dl = 0xFD
007055D7 mov dl,0FD
# eax = ebx; this probably restores eax, which was saved in ebx earlier
007055D9 mov eax,ebx
# call the send-parameter routine
007055DB call TBootloader.SendCMD_Param
# these two instructions seem to serve no purpose
007055E0 mov ebx,eax
007055E2 mov eax,ebx
# restore ebx
007055E4 pop ebx
007055E5 ret
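The framing that SendCMD_Param, SendStrCRC and SendStr perform, together with the one-wire echo check and the FD 00 keep-alive above, reconstructed as an added Python example (not BLHeliSuite's own code). TBootloader.StringCrc itself is not shown on this page, so the CRC-16 variant used (reflected polynomial 0xA001, initial value 0) is an assumption, as are the FakePort stand-in and the function names.

```python
# Added example, not BLHeliSuite code: host-side framing of
# SendCMD_Param -> SendStrCRC -> SendStr plus the one-wire echo check,
# so frames can be compared against a serial capture.
# ASSUMPTION: TBootloader.StringCrc is not on the page; a reflected
# CRC-16 (polynomial 0xA001, init 0) is assumed. The low CRC byte is
# appended first, then the high byte, exactly as SendStr does.

CMD_KEEP_ALIVE = 0xFD       # dl = 0FD in SendCMDKeepAlive
CMD_READ_FLASH_SIL = 0x03   # dl = 3 for FDeviceBrand 1 and 3 (SendCMDFlashRead)
CMD_READ_FLASH_ATM = 0x07   # dl = 7 for FDeviceBrand 2

# FLastACK values written by SendStr ([esi+0A1])
ACK_OK = 0x30
ACK_WRITE_FAILED = 0xC7     # TSerialPort.WriteBytes returned false
ACK_ECHO_MISMATCH = 0xC9    # one-wire echo differs from what was sent


def crc16(data: bytes) -> int:
    """Assumed CRC: reflected polynomial 0xA001, init 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(cmd: int, param: int) -> bytes:
    """SendCMD_Param stores [FLastCMD, FLastCMDParam]; SendStr appends the CRC."""
    payload = bytes([cmd & 0xFF, param & 0xFF])
    crc = crc16(payload)
    return payload + bytes([crc & 0xFF, (crc >> 8) & 0xFF])


def keep_alive_frame() -> bytes:
    """The FD 00 keep-alive sent by TBootloader.SendCMDKeepAlive."""
    return build_frame(CMD_KEEP_ALIVE, 0)


def read_flash_frame(device_brand: int, param: int) -> bytes:
    """Mirrors the FDeviceBrand dispatch in TBootloader.SendCMDFlashRead."""
    if device_brand in (1, 3):
        return build_frame(CMD_READ_FLASH_SIL, param)
    if device_brand == 2:
        return build_frame(CMD_READ_FLASH_ATM, param)
    raise ValueError("unhandled FDeviceBrand %r" % device_brand)


def read_timeout_ms(frame_len: int) -> int:
    """SendStr sets the read timeout to 2 * len + 0FA before reading the echo."""
    return 2 * frame_len + 0xFA


class FakePort:
    """Constructed stand-in for the serial port (hypothetical): on a one-wire
    link the written bytes come back as an echo; echo_ok=False corrupts it,
    write_ok=False makes the write fail."""

    def __init__(self, echo_ok: bool = True, write_ok: bool = True):
        self.echo_ok, self.write_ok = echo_ok, write_ok
        self.timeout_ms, self._rx = 0, b""

    def set_read_timeout(self, ms: int) -> None:
        self.timeout_ms = ms

    def write_bytes(self, data: bytes) -> bool:
        if not self.write_ok:
            return False
        # corrupted echo: last byte flipped
        self._rx = data if self.echo_ok else data[:-1] + bytes([data[-1] ^ 0xFF])
        return True

    def recv(self, n: int) -> bytes:
        out, self._rx = self._rx[:n], self._rx[n:]
        return out


def send_str(port, frame: bytes, one_wire: bool = True) -> int:
    """Returns the FLastACK code SendStr would store for this send."""
    if not port.write_bytes(frame):
        return ACK_WRITE_FAILED
    if not one_wire:              # FOneWire = 0: nothing to verify
        return ACK_OK
    port.set_read_timeout(read_timeout_ms(len(frame)))
    echo = port.recv(len(frame))  # RecvString(len) -> FLastEcho
    # SendStr compares the lengths first, then CompareMem on the contents
    if len(echo) != len(frame) or echo != frame:
        return ACK_ECHO_MISMATCH
    return ACK_OK


if __name__ == "__main__":
    print("keep-alive frame:", keep_alive_frame().hex())
    print("read flash (SiLabs):", read_flash_frame(3, 0).hex())
    print("ack:", hex(send_str(FakePort(), keep_alive_frame())))
```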
Framework
While decompiling, let's also look at the program's framework.
TBLHeliInterfaceManager
is the abstract class over the whole interface layer; the main logic is controlled from here.
These three are the concrete implementations of the different ways of reading:
TUniSerialInterface
TBLBInterface
TFlightCtrlIntf
TBootloader
is the lowest-level protocol underneath the various interfaces, mainly reading and writing Flash and EEPROM.
TBLHeliInterfaceManager.FBLHeliWork
has the data type TBLHeli,
that is, the ESC settings object.
TBLHeli
TBLHeli records all of the configuration parameters; when settings are displayed or changed, it is the real back-end object.
From TBLHeli.Init you can see what it initializes.
_Unit102.TBLHeli.Init
006E5044 push ebx
006E5045 push esi
006E5046 mov esi,eax
006E5048 lea eax,[esi+0BC];TBLHeli.FErrMsg:string
006E504E call @UStrClr
006E5053 mov byte ptr [esi+0C0],4;TBLHeli.FStatus:TSetupStatus
006E505A mov byte ptr [esi+0BA],0;TBLHeli.FIsAlternateSettingsKey:Boolean
006E5061 mov byte ptr [esi+0D1],0;TBLHeli.FIs_64k:Boolean
006E5068 mov byte ptr [esi+0B9],0;TBLHeli.FActivationStatus:TActivationStatus
006E506F xor eax,eax
006E5071 mov dword ptr [esi+0C4],eax;TBLHeli.FDshotGoodFrames:Cardinal
006E5077 xor eax,eax
006E5079 mov dword ptr [esi+0C8],eax;TBLHeli.FDshotBadFrames:Cardinal
006E507F xor eax,eax
# MCU type
006E5081 mov dword ptr [esi+0B4],eax;TBLHeli.FMCU_DeviceID:Integer
006E5087 mov byte ptr [esi+0D2],0;TBLHeli.FMCUManufacturer:TMCUManufacturer
006E508E lea eax,[esi+0CC];TBLHeli.FUUID:string
006E5094 call @UStrClr
006E5099 lea eax,[esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E509F call @UStrClr
006E50A4 lea eax,[esi+30];TBLHeli.FEep_ESC_Layout:TESC_Layout
006E50A7 mov ecx,0FF
006E50AC mov edx,20
006E50B1 call @FillChar
# ESC name
006E50B6 lea eax,[esi+70];TBLHeli.FEep_Name:TESC_Name
006E50B9 mov ecx,20
006E50BE mov edx,10
006E50C3 call @FillChar
# version numbers
006E50C8 mov byte ptr [esi+6],2C;TBLHeli.FEep_Layout_Revision:byte
006E50CC mov byte ptr [esi+4],20;TBLHeli.FEep_FW_Main_Revision:byte
006E50D0 mov byte ptr [esi+5],46;TBLHeli.FEep_FW_Sub_Revision:byte
006E50D4 lea eax,[esi+50];TBLHeli.FEep_ESC_MCU:TESC_MCU
006E50D7 mov ecx,0FF
006E50DC mov edx,20
006E50E1 call @FillChar
# this is the music (tune) configuration
006E50E6 lea eax,[esi+80];TBLHeli.FEep_Note_Array:TEep_Note_Array
006E50EC mov ecx,0FF
006E50F1 mov edx,30
006E50F6 call @FillChar
006E50FB mov bl,4
006E50FD cmp bl,1F
006E5100> je 006E510B
006E5102 mov edx,ebx
006E5104 mov eax,esi
# This is key: the common settings are treated as parameters, and initialization here gives each of them a default value
006E5106 call TBLHeli.SetParameterValueToDefault
006E510B inc ebx
006E510C cmp bl,2A
006E510F> jne 006E50FD
006E5111 pop esi
006E5112 pop ebx
006E5113 ret
SetParameterValueToDefault
This one is simple: get the parameter's default value, then set the parameter value.
_Unit102.TBLHeli.SetParameterValueToDefault
006E5954 push ebx
006E5955 push esi
006E5956 mov ebx,edx
006E5958 mov esi,eax
006E595A mov edx,ebx
006E595C mov eax,esi
006E595E call TBLHeli.GetParameterValueDefault
006E5963 mov edx,ebx
006E5965 mov ecx,eax
006E5967 mov eax,esi
006E5969 call TBLHeli.SetParameterValue
006E596E pop esi
006E596F pop ebx
006E5970 ret
Relatively few parameters show up in the default-value getter; presumably only enumerated-type parameters or those that depend on the version are handled here.
_Unit102.TBLHeli.GetParameterValueDefault
006E7430 push ebx
006E7431 push esi
006E7432 push edi
006E7433 push ebp
006E7434 mov ebx,edx
006E7436 mov esi,eax
006E7438 mov edi,dword ptr ds:[840DF4];^gvar_00839102
006E743E movzx edi,word ptr [edi]
006E7441 mov edx,ebx
006E7443 mov eax,esi
# this presumably enumerates against that Layout Rev version number
006E7445 call TBLHeli.IsParameterExisting
006E744A test al,al
006E744C> je 006E7817
006E7452 movzx eax,bl
006E7455 cmp eax,2D
006E7458> ja 006E7812
006E745E jmp dword ptr [eax*4+6E7465]
006E7465 dd 006E7812
006E7469 dd 006E7817
006E746D dd 006E7817
006E7471 dd 006E7817
006E7475 dd 006E7522
006E7479 dd 006E752B
006E747D dd 006E7534
006E7481 dd 006E75B8
006E7485 dd 006E761E
006E7489 dd 006E7627
006E748D dd 006E7647
006E7491 dd 006E7650
006E7495 dd 006E7670
006E7499 dd 006E7679
006E749D dd 006E76C4
006E74A1 dd 006E76EA
006E74A5 dd 006E7701
006E74A9 dd 006E775D
006E74AD dd 006E7764
006E74B1 dd 006E776D
006E74B5 dd 006E7776
006E74B9 dd 006E777F
006E74BD dd 006E7786
006E74C1 dd 006E778D
006E74C5 dd 006E77BD
006E74C9 dd 006E77C3
006E74CD dd 006E77CE
006E74D1 dd 006E77D2
006E74D5 dd 006E7802
006E74D9 dd 006E7808
006E74DD dd 006E780E
006E74E1 dd 006E7812
006E74E5 dd 006E7817
006E74E9 dd 006E7817
006E74ED dd 006E7817
006E74F1 dd 006E7817
006E74F5 dd 006E7817
006E74F9 dd 006E7817
006E74FD dd 006E7817
006E7501 dd 006E7817
006E7505 dd 006E7817
006E7509 dd 006E7817
006E750D dd 006E7812
006E7511 dd 006E7812
006E7515 dd 006E7812
006E7519 dd 006E7817
006E751D> jmp 006E7817
006E7522 mov di,1
006E7526> jmp 006E7817
006E752B mov di,32
006E752F> jmp 006E7817
006E7534 mov eax,esi
006E7536 call TBLHeli.IsProgrammablePwmFreqMinMaxCapable
006E753B test al,al
006E753D> je 006E7545
006E753F movzx edi,byte ptr [esi+2C];TBLHeli.FEep_Hw_Pwm_Freq_Min:byte
006E7543> jmp 006E7549
006E7545 mov di,18
006E7549 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E754F mov edx,dword ptr ds:[8396A4];^'RF1'
006E7555 call @UStrEqual
006E755A> jne 006E7565
006E755C mov di,20
006E7560> jmp 006E7817
006E7565 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E756B mov edx,dword ptr ds:[8396A8];^'XILO_ESC'
006E7571 call @UStrEqual
006E7576> jne 006E7581
006E7578 mov di,30
006E757C> jmp 006E7817
006E7581 cmp byte ptr [esi+6],2C;TBLHeli.FEep_Layout_Revision:byte
006E7585> jb 006E7817
006E758B mov ebp,18
006E7590 mov ebx,8396AC;^'FL1_Afterburner'
006E7595 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E759B mov edx,dword ptr [ebx]
006E759D call @UStrEqual
006E75A2> jne 006E75AD
006E75A4 movzx edi,word ptr [ebx+4]
006E75A8> jmp 006E7817
006E75AD add ebx,8
006E75B0 dec ebp
006E75B1> jne 006E7595
006E75B3> jmp 006E7817
006E75B8 mov di,10
006E75BC mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E75C2 mov edx,dword ptr ds:[839668];^'Hobbywing_XRotor_BLHeli32'
006E75C8 call @UStrEqual
006E75CD> je 006E75E2
006E75CF mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E75D5 mov edx,dword ptr ds:[839664];^'Hobbywing_XRotor_40A_BLHeli32'
006E75DB call @UStrEqual
006E75E0> jne 006E75E9
006E75E2 xor edi,edi
006E75E4> jmp 006E7817
006E75E9 cmp byte ptr [esi+6],2C;TBLHeli.FEep_Layout_Revision:byte
006E75ED> jb 006E7817
006E75F3 mov ebp,15
006E75F8 mov ebx,839778;^'FL1_Afterburner'
006E75FD mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E7603 mov edx,dword ptr [ebx]
006E7605 call @UStrEqual
006E760A> jne 006E7613
006E760C xor edi,edi
006E760E> jmp 006E7817
006E7613 add ebx,4
006E7616 dec ebp
006E7617> jne 006E75FD
006E7619> jmp 006E7817
006E761E mov di,2
006E7622> jmp 006E7817
006E7627 mov eax,esi
006E7629 call 006E677C
006E762E cmp eax,0CA8
006E7633> jl 006E763E
006E7635 mov di,410
006E7639> jmp 006E7817
006E763E mov di,3E8
006E7642> jmp 006E7817
006E7647 mov di,5DC
006E764B> jmp 006E7817
006E7650 mov eax,esi
006E7652 call 006E677C
006E7657 cmp eax,0CA8
006E765C> jl 006E7667
006E765E mov di,7A8
006E7662> jmp 006E7817
006E7667 mov di,7D0
006E766B> jmp 006E7817
006E7670 mov di,1
006E7674> jmp 006E7817
006E7679 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E767F mov edx,dword ptr ds:[839698];^'HAKRC_45A'
006E7685 call @UStrEqual
006E768A> je 006E76B2
006E768C mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E7692 mov edx,dword ptr ds:[83969C];^'HAKRC_E45A'
006E7698 call @UStrEqual
006E769D> je 006E76B2
006E769F mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E76A5 mov edx,dword ptr ds:[8396A0];^'HAKRC_E50A'
006E76AB call @UStrEqual
006E76B0> jne 006E76BB
006E76B2 mov di,78
006E76B6> jmp 006E7817
006E76BB mov di,8C
006E76BF> jmp 006E7817
006E76C4 movzx eax,byte ptr [esi+26];TBLHeli.FEep_Hw_Voltage_Sense_Capable:byte
006E76C8 cmp al,0FF
006E76CA> jae 006E76E3
006E76CC test al,al
006E76CE> jbe 006E76DC
006E76D0 movzx edi,al
006E76D3 sub di,18
006E76D7> jmp 006E7817
006E76DC xor edi,edi
006E76DE> jmp 006E7817
006E76E3 xor edi,edi
006E76E5> jmp 006E7817
006E76EA movzx eax,byte ptr [esi+27];TBLHeli.FEep_Hw_Current_Sense_Capable:byte
006E76EE cmp al,0FF
006E76F0> jae 006E76FA
006E76F2 movzx edi,al
006E76F5> jmp 006E7817
006E76FA xor edi,edi
006E76FC> jmp 006E7817
006E7701 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E7707 mov edx,dword ptr ds:[839680];^'Sunrise_DHCrop_ST'
006E770D call @UStrEqual
006E7712> je 006E774D
006E7714 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E771A mov edx,dword ptr ds:[839684];^'Sunrise_DHCrop_GD'
006E7720 call @UStrEqual
006E7725> je 006E774D
006E7727 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E772D mov edx,dword ptr ds:[839688];^'Empire_ST'
006E7733 call @UStrEqual
006E7738> je 006E774D
006E773A mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E7740 mov edx,dword ptr ds:[83968C];^'Empire_GD'
006E7746 call @UStrEqual
006E774B> jne 006E7754
006E774D xor edi,edi
006E774F> jmp 006E7817
006E7754 mov di,1
006E7758> jmp 006E7817
006E775D xor edi,edi
006E775F> jmp 006E7817
006E7764 mov di,28
006E7768> jmp 006E7817
006E776D mov di,50
006E7771> jmp 006E7817
006E7776 mov di,258
006E777A> jmp 006E7817
006E777F xor edi,edi
006E7781> jmp 006E7817
006E7786 xor edi,edi
006E7788> jmp 006E7817
006E778D mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E7793 mov edx,dword ptr ds:[839688];^'Empire_ST'
006E7799 call @UStrEqual
006E779E> je 006E77B3
006E77A0 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E77A6 mov edx,dword ptr ds:[83968C];^'Empire_GD'
006E77AC call @UStrEqual
006E77B1> jne 006E77B9
006E77B3 mov di,1
006E77B7> jmp 006E7817
006E77B9 xor edi,edi
006E77BB> jmp 006E7817
006E77BD mov di,64
006E77C1> jmp 006E7817
006E77C3 mov edi,dword ptr ds:[841854];^gvar_0083922C
006E77C9 movzx edi,byte ptr [edi]
006E77CC> jmp 006E7817
006E77CE xor edi,edi
006E77D0> jmp 006E7817
006E77D2 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E77D8 mov edx,dword ptr ds:[83967C];^'FrESC_80A'
006E77DE call @UStrEqual
006E77E3> je 006E77F8
006E77E5 mov eax,dword ptr [esi+0B0];TBLHeli.FESC_Layout_Org_Str:string
006E77EB mov edx,dword ptr ds:[839774];^'WINGTRA'
006E77F1 call @UStrEqual
006E77F6> jne 006E77FE
006E77F8 mov di,1
006E77FC> jmp 006E7817
006E77FE xor edi,edi
006E7800> jmp 006E7817
006E7802 mov di,1
006E7806> jmp 006E7817
006E7808 mov di,11
006E780C> jmp 006E7817
006E780E xor edi,edi
006E7810> jmp 006E7817
006E7812 call 0042E5A8
006E7817 mov eax,edi
006E7819 pop ebp
006E781A pop edi
006E781B pop esi
006E781C pop ebx
006E781D ret
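An added Python example (not BLHeliSuite's own code) that uses the field offsets recovered from the TBLHeli.Init listing above and the SetParameterValue listing that follows: it decodes a TBLHeli image into named fields and rebuilds the defaults Init writes, taking the constant cases from the GetParameterValueDefault jump table above. The function names, the 0xB0-byte image size and treating the object as a flat byte image are assumptions; defaults that depend on the layout string or on globals not shown here are left at 0.

```python
# Added example, not BLHeliSuite code: decode a TBLHeli settings object using
# the [esi+..]/[edi+..] field offsets from the listings and rebuild the
# defaults TBLHeli.Init writes. Bytes 0..3 hold the Delphi VMT pointer and
# are skipped; reference-typed fields at +0xB0 and above are not in the image.
# Defaults that depend on FESC_Layout_Org_Str or on globals not shown on the
# page are not reproducible here (param_default returns None for them).

# (name, offset, size); 2-byte fields are little-endian words
FIELDS = [
    ("FW_Main_Revision", 0x04, 1), ("FW_Sub_Revision", 0x05, 1),
    ("Layout_Revision", 0x06, 1), ("Pgm_Direction", 0x07, 1),
    ("Pgm_Rampup_Pwr", 0x08, 1), ("Pgm_Pwm_Frequency", 0x09, 1),
    ("Pgm_Comm_Timing", 0x0A, 1), ("Pgm_Demag_Comp", 0x0B, 1),
    ("Pgm_Min_Throttle", 0x0C, 2), ("Pgm_Center_Throttle", 0x0E, 2),
    ("Pgm_Max_Throttle", 0x10, 2), ("Pgm_Enable_Throttle_Cal", 0x12, 1),
    ("Pgm_Temp_Prot", 0x13, 1), ("Pgm_Volt_Prot", 0x14, 1),
    ("Pgm_Curr_Prot", 0x15, 1), ("Pgm_Enable_Power_Prot", 0x16, 1),
    ("Pgm_Brake_On_Stop", 0x17, 1), ("Pgm_Beep_Strength", 0x18, 1),
    ("Pgm_Beacon_Strength", 0x19, 1), ("Pgm_Beacon_Delay", 0x1A, 2),
    ("Pgm_LED_Control", 0x1C, 1), ("Pgm_Max_Acceleration", 0x1D, 1),
    ("Pgm_Nondamped_Mode", 0x1E, 1), ("Pgm_Curr_Sense_Cal", 0x1F, 1),
    ("Note_Config", 0x20, 1), ("Pgm_Sine_Mode", 0x21, 1),
    ("Pgm_Auto_Tlm_Mode", 0x22, 1), ("Pgm_Stall_Prot", 0x23, 1),
    ("Pgm_SBUS_Channel", 0x24, 1), ("Pgm_SPORT_Physical_ID", 0x25, 1),
    ("Hw_Voltage_Sense_Capable", 0x26, 1), ("Hw_Current_Sense_Capable", 0x27, 1),
    ("Hw_LED_Capable_0", 0x28, 1), ("Hw_LED_Capable_1", 0x29, 1),
    ("Hw_LED_Capable_2", 0x2A, 1), ("Hw_LED_Capable_3", 0x2B, 1),
    ("Hw_Pwm_Freq_Min", 0x2C, 1), ("Hw_Pwm_Freq_Max", 0x2D, 1),
    ("SPORT_Capable", 0x2E, 1), ("Nondamped_Capable", 0x2F, 1),
    ("ESC_Layout", 0x30, 0x20), ("ESC_MCU", 0x50, 0x20),
    ("Name", 0x70, 0x10), ("Note_Array", 0x80, 0x30),
]
FIELD_AT = {name: (off, size) for name, off, size in FIELDS}

# parameter index (bl in the jump tables) -> field, as in SetParameterValue:
# 1..0x1E map to the first 30 fields, 0x1F has no field, 0x20..0x29 follow on
PARAM_FIELD = {i + 1: FIELDS[i][0] for i in range(0x1E)}
PARAM_FIELD.update({i + 2: FIELDS[i][0] for i in range(0x1E, 0x28)})

# cases of GetParameterValueDefault that return a constant
FIXED_DEFAULTS = {
    0x04: 1, 0x05: 0x32, 0x08: 2, 0x0A: 0x5DC, 0x0C: 1, 0x11: 0, 0x12: 0x28,
    0x13: 0x50, 0x14: 0x258, 0x15: 0, 0x16: 0, 0x18: 0x64, 0x1A: 0, 0x1C: 1,
    0x1D: 0x11, 0x1E: 0,
}


def decode(image: bytes) -> dict:
    """Split a TBLHeli image into named fields (ints for 1-2 bytes, else bytes)."""
    out = {}
    for name, off, size in FIELDS:
        chunk = bytes(image[off:off + size])
        out[name] = chunk if size > 2 else int.from_bytes(chunk, "little")
    return out


def param_default(index: int, image: bytes):
    """GetParameterValueDefault for the cases the listing pins down; None otherwise."""
    if index in (0, 0x1F, 0x2A, 0x2B, 0x2C) or index > 0x2D:
        raise ValueError("index %#x lands on the error stub at 006E7812" % index)
    if index in FIXED_DEFAULTS:
        return FIXED_DEFAULTS[index]
    if index == 0x0E:  # Volt_Prot: derived from FEep_Hw_Voltage_Sense_Capable
        cap = image[0x26]
        return (cap - 0x18) & 0xFFFF if 0 < cap < 0xFF else 0  # "sub di,18"
    if index == 0x0F:  # Curr_Prot: FEep_Hw_Current_Sense_Capable unless 0xFF
        cap = image[0x27]
        return 0 if cap == 0xFF else cap
    return None  # depends on the layout string or a global: not reproducible


def set_param(image: bytearray, index: int, value: int) -> bool:
    """SetParameterValue: store value in the field for index; False if none."""
    name = PARAM_FIELD.get(index)
    if name is None:
        return False
    off, size = FIELD_AT[name]
    mask = 0xFFFF if size == 2 else 0xFF
    image[off:off + size] = (value & mask).to_bytes(size, "little")
    return True


def build_default_image() -> bytearray:
    """Reproduce TBLHeli.Init: fill arrays, set revisions, default the params."""
    image = bytearray(0xB0)
    image[0x30:0x50] = b"\xff" * 0x20  # FEep_ESC_Layout, FillChar 0xFF
    image[0x70:0x80] = b" " * 0x10     # FEep_Name, FillChar 0x20 (spaces)
    image[0x06] = 0x2C                 # FEep_Layout_Revision
    image[0x04] = 0x20                 # FEep_FW_Main_Revision
    image[0x05] = 0x46                 # FEep_FW_Sub_Revision
    image[0x50:0x70] = b"\xff" * 0x20  # FEep_ESC_MCU
    image[0x80:0xB0] = b"\xff" * 0x30  # FEep_Note_Array
    for index in range(4, 0x2A):       # bl runs 4 .. 0x29
        if index == 0x1F:              # Init skips 0x1F explicitly
            continue
        value = param_default(index, image)
        if value is not None:
            set_param(image, index, value)
    return image
```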
In the parameter setter you can see basically all the parameters that appear in the UI.
_Unit102.TBLHeli.SetParameterValue
006E56B8 push ebx
006E56B9 push esi
006E56BA push edi
006E56BB push ecx
006E56BC mov esi,ecx
006E56BE mov ebx,edx
006E56C0 mov edi,eax
006E56C2 mov byte ptr [esp],1
006E56C6 mov eax,ebx
006E56C8 call 006DEB58
006E56CD cmp al,2
006E56CF> jae 006E56D8
006E56D1 mov eax,esi
006E56D3 movzx eax,al
006E56D6 mov esi,eax
006E56D8 movzx eax,bl
006E56DB cmp eax,29
006E56DE> ja 006E5904
006E56E4 jmp dword ptr [eax*4+6E56EB]
006E56EB dd 006E5904
006E56EF dd 006E5793
006E56F3 dd 006E579D
006E56F7 dd 006E57A7
006E56FB dd 006E57B1
006E56FF dd 006E57BB
006E5703 dd 006E57C5
006E5707 dd 006E57CF
006E570B dd 006E57D9
006E570F dd 006E57E3
006E5713 dd 006E57EC
006E5717 dd 006E57F5
006E571B dd 006E57FE
006E571F dd 006E5808
006E5723 dd 006E5812
006E5727 dd 006E581C
006E572B dd 006E5826
006E572F dd 006E5830
006E5733 dd 006E5855
006E5737 dd 006E585F
006E573B dd 006E5869
006E573F dd 006E5872
006E5743 dd 006E587C
006E5747 dd 006E5886
006E574B dd 006E588D
006E574F dd 006E5894
006E5753 dd 006E589B
006E5757 dd 006E58A2
006E575B dd 006E58A9
006E575F dd 006E58B0
006E5763 dd 006E58B7
006E5767 dd 006E5904
006E576B dd 006E58BE
006E576F dd 006E58C5
006E5773 dd 006E58CC
006E5777 dd 006E58D3
006E577B dd 006E58DA
006E577F dd 006E58E1
006E5783 dd 006E58E8
006E5787 dd 006E58EF
006E578B dd 006E58F6
006E578F dd 006E58FD
006E5793 mov eax,esi
006E5795 mov byte ptr [edi+4],al;TBLHeli.FEep_FW_Main_Revision:byte
006E5798> jmp 006E5908
006E579D mov eax,esi
006E579F mov byte ptr [edi+5],al;TBLHeli.FEep_FW_Sub_Revision:byte
006E57A2> jmp 006E5908
006E57A7 mov eax,esi
006E57A9 mov byte ptr [edi+6],al;TBLHeli.FEep_Layout_Revision:byte
006E57AC> jmp 006E5908
006E57B1 mov eax,esi
006E57B3 mov byte ptr [edi+7],al;TBLHeli.FEep_Pgm_Direction:byte
006E57B6> jmp 006E5908
006E57BB mov eax,esi
006E57BD mov byte ptr [edi+8],al;TBLHeli.FEep_Pgm_Rampup_Pwr:byte
006E57C0> jmp 006E5908
006E57C5 mov eax,esi
006E57C7 mov byte ptr [edi+9],al;TBLHeli.FEep_Pgm_Pwm_Frequency:byte
006E57CA> jmp 006E5908
006E57CF mov eax,esi
006E57D1 mov byte ptr [edi+0A],al;TBLHeli.FEep_Pgm_Comm_Timing:byte
006E57D4> jmp 006E5908
006E57D9 mov eax,esi
006E57DB mov byte ptr [edi+0B],al;TBLHeli.FEep_Pgm_Demag_Comp:byte
006E57DE> jmp 006E5908
006E57E3 mov word ptr [edi+0C],si;TBLHeli.FEep_Pgm_Min_Throttle:word
006E57E7> jmp 006E5908
006E57EC mov word ptr [edi+0E],si;TBLHeli.FEep_Pgm_Center_Throttle:word
006E57F0> jmp 006E5908
006E57F5 mov word ptr [edi+10],si;TBLHeli.FEep_Pgm_Max_Throttle:word
006E57F9> jmp 006E5908
006E57FE mov eax,esi
006E5800 mov byte ptr [edi+12],al;TBLHeli.FEep_Pgm_Enable_Throttle_Cal:Boolean
006E5803> jmp 006E5908
006E5808 mov eax,esi
006E580A mov byte ptr [edi+13],al;TBLHeli.FEep_Pgm_Temp_Prot:byte
006E580D> jmp 006E5908
006E5812 mov eax,esi
006E5814 mov byte ptr [edi+14],al;TBLHeli.FEep_Pgm_Volt_Prot:byte
006E5817> jmp 006E5908
006E581C mov eax,esi
006E581E mov byte ptr [edi+15],al;TBLHeli.FEep_Pgm_Curr_Prot:byte
006E5821> jmp 006E5908
006E5826 mov eax,esi
006E5828 mov byte ptr [edi+16],al;TBLHeli.FEep_Pgm_Enable_Power_Prot:byte
006E582B> jmp 006E5908
006E5830 mov eax,edi
006E5832 call TBLHeli.IsProgrammableBrakeForceCapable
006E5837 test al,al
006E5839> jne 006E584B
006E583B test si,si
006E583E> jbe 006E584B
006E5840 mov dl,11
006E5842 mov eax,edi
006E5844 call TBLHeli.GetParameterMax
006E5849 mov esi,eax
006E584B mov eax,esi
006E584D mov byte ptr [edi+17],al;TBLHeli.FEep_Pgm_Brake_On_Stop:byte
006E5850> jmp 006E5908
006E5855 mov eax,esi
006E5857 mov byte ptr [edi+18],al;TBLHeli.FEep_Pgm_Beep_Strength:byte
006E585A> jmp 006E5908
006E585F mov eax,esi
006E5861 mov byte ptr [edi+19],al;TBLHeli.FEep_Pgm_Beacon_Strength:byte
006E5864> jmp 006E5908
006E5869 mov word ptr [edi+1A],si;TBLHeli.FEep_Pgm_Beacon_Delay:word
006E586D> jmp 006E5908
006E5872 mov eax,esi
006E5874 mov byte ptr [edi+1C],al;TBLHeli.FEep_Pgm_LED_Control:byte
006E5877> jmp 006E5908
006E587C mov eax,esi
006E587E mov byte ptr [edi+1D],al;TBLHeli.FEep_Pgm_Max_Acceleration:byte
006E5881> jmp 006E5908
006E5886 mov eax,esi
006E5888 mov byte ptr [edi+1E],al;TBLHeli.FEep_Pgm_Nondamped_Mode:byte
006E588B> jmp 006E5908
006E588D mov eax,esi
006E588F mov byte ptr [edi+1F],al;TBLHeli.FEep_Pgm_Curr_Sense_Cal:byte
006E5892> jmp 006E5908
006E5894 mov eax,esi
006E5896 mov byte ptr [edi+20],al;TBLHeli.FEep_Note_Config:byte
006E5899> jmp 006E5908
006E589B mov eax,esi
006E589D mov byte ptr [edi+21],al;TBLHeli.FEep_Pgm_Sine_Mode:byte
006E58A0> jmp 006E5908
006E58A2 mov eax,esi
006E58A4 mov byte ptr [edi+22],al;TBLHeli.FEep_Pgm_Auto_Tlm_Mode:byte
006E58A7> jmp 006E5908
006E58A9 mov eax,esi
006E58AB mov byte ptr [edi+23],al;TBLHeli.FEep_Pgm_Stall_Prot:byte
006E58AE> jmp 006E5908
006E58B0 mov eax,esi
006E58B2 mov byte ptr [edi+24],al;TBLHeli.FEep_Pgm_SBUS_Channel:byte
006E58B5> jmp 006E5908
006E58B7 mov eax,esi
006E58B9 mov byte ptr [edi+25],al;TBLHeli.FEep_Pgm_SPORT_Physical_ID:byte
006E58BC> jmp 006E5908
006E58BE mov eax,esi
006E58C0 mov byte ptr [edi+26],al;TBLHeli.FEep_Hw_Voltage_Sense_Capable:byte
006E58C3> jmp 006E5908
006E58C5 mov eax,esi
006E58C7 mov byte ptr [edi+27],al;TBLHeli.FEep_Hw_Current_Sense_Capable:byte
006E58CA> jmp 006E5908
006E58CC mov eax,esi
006E58CE mov byte ptr [edi+28],al;TBLHeli.FEep_Hw_LED_Capable_0:byte
006E58D1> jmp 006E5908
006E58D3 mov eax,esi
006E58D5 mov byte ptr [edi+29],al;TBLHeli.FEep_Hw_LED_Capable_1:byte
006E58D8> jmp 006E5908
006E58DA mov eax,esi
006E58DC mov byte ptr [edi+2A],al;TBLHeli.FEep_Hw_LED_Capable_2:byte
006E58DF> jmp 006E5908
006E58E1 mov eax,esi
006E58E3 mov byte ptr [edi+2B],al;TBLHeli.FEep_Hw_LED_Capable_3:byte
006E58E6> jmp 006E5908
006E58E8 mov eax,esi
006E58EA mov byte ptr [edi+2C],al;TBLHeli.FEep_Hw_Pwm_Freq_Min:byte
006E58ED> jmp 006E5908
006E58EF mov eax,esi
006E58F1 mov byte ptr [edi+2D],al;TBLHeli.FEep_Hw_Pwm_Freq_Max:byte
006E58F4> jmp 006E5908
006E58F6 mov eax,esi
006E58F8 mov byte ptr [edi+2E],al;TBLHeli.FEep_SPORT_Capable:byte
006E58FB> jmp 006E5908
006E58FD mov eax,esi
006E58FF mov byte ptr [edi+2F],al;TBLHeli.FEep_Nondamped_Capable:byte
006E5902> jmp 006E5908
006E5904 mov byte ptr [esp],0
006E5908 movzx eax,byte ptr [esp]
006E590C pop edx
006E590D pop edi
006E590E pop esi
006E590F pop ebx
006E5910 ret
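The long run of `mov byte/word ptr [edi+XX],...` stores above is effectively a field table for the `TBLHeli` object: the offset in brackets is the field offset, the operand width is its size, and IDR's comment after `;` gives the recovered name and Delphi type. Below is an added example (my own helper code, not part of BLHeliSuite or of the decompiler output) that turns such store lines into a layout table, flags offsets the setter never writes, reads the fields back out of a memory dump of the object, and mirrors the one non-trivial case in the listing (the Brake_On_Stop clamp at 006E5830..006E584D). The listing lines embedded in it are a subset copied from the page; the object image and the `parameter_max` value are constructed for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the store instructions from the TBLHeli setter listing on this page.
# The full listing is contiguous from +0B to +2F; this subset deliberately
# omits +14..+16 and +18..+19 so the gap finder has something to report.
LISTING = """\
006E57DB mov byte ptr [edi+0B],al;TBLHeli.FEep_Pgm_Demag_Comp:byte
006E57E3 mov word ptr [edi+0C],si;TBLHeli.FEep_Pgm_Min_Throttle:word
006E57EC mov word ptr [edi+0E],si;TBLHeli.FEep_Pgm_Center_Throttle:word
006E57F5 mov word ptr [edi+10],si;TBLHeli.FEep_Pgm_Max_Throttle:word
006E5800 mov byte ptr [edi+12],al;TBLHeli.FEep_Pgm_Enable_Throttle_Cal:Boolean
006E580A mov byte ptr [edi+13],al;TBLHeli.FEep_Pgm_Temp_Prot:byte
006E584D mov byte ptr [edi+17],al;TBLHeli.FEep_Pgm_Brake_On_Stop:byte
006E5869 mov word ptr [edi+1A],si;TBLHeli.FEep_Pgm_Beacon_Delay:word
006E5874 mov byte ptr [edi+1C],al;TBLHeli.FEep_Pgm_LED_Control:byte
"""

# width  offset (hex)            source reg   ;Name:Type  (IDR's comment)
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+\[edi\+([0-9A-Fa-f]+)\],\s*\w+\s*;"
    r"([A-Za-z0-9_.]+):(\w+)"
)
WIDTH = {"byte": 1, "word": 2, "dword": 4}


@dataclass(frozen=True)
class Field:
    offset: int        # byte offset from the object base held in edi
    size: int          # operand width of the store
    name: str          # field symbol recovered by IDR
    delphi_type: str   # Delphi type from IDR's comment


def recover_layout(listing: str) -> list[Field]:
    """Turn every 'mov ... [edi+XX]' store into a Field, sorted by offset."""
    seen: dict[int, Field] = {}
    for line in listing.splitlines():
        m = STORE_RE.search(line)
        if m:
            width, off_hex, name, dtype = m.groups()
            off = int(off_hex, 16)
            seen[off] = Field(off, WIDTH[width], name, dtype)
    return [seen[o] for o in sorted(seen)]


def uncovered_ranges(fields: list[Field]) -> list[tuple[int, int]]:
    """Inclusive offset ranges between the first and last field that no store
    touches. In a real listing these are fields written somewhere else."""
    gaps = []
    for prev, cur in zip(fields, fields[1:]):
        end = prev.offset + prev.size
        if cur.offset > end:
            gaps.append((end, cur.offset - 1))
    return gaps


def decode_object(fields: list[Field], image: bytes) -> dict[str, int]:
    """Read each field out of a dump of the object (little-endian, as the
    x86 stores wrote them)."""
    return {
        f.name: int.from_bytes(image[f.offset:f.offset + f.size], "little")
        for f in fields
    }


def clamp_brake_on_stop(value: int, brake_force_capable: bool, parameter_max: int) -> int:
    """Mirror of 006E5830..006E584D: when IsProgrammableBrakeForceCapable is
    false (test al,al / jne skips the clamp when true) and the requested value
    is non-zero (test si,si / jbe skips it when zero), the value stored is
    whatever GetParameterMax returned; parameter_max stands in for that call."""
    if not brake_force_capable and value > 0:
        return parameter_max
    return value


def build_sample_image() -> bytes:
    """Constructed 0x30-byte object image with recognisable throttle values."""
    img = bytearray(0x30)
    img[0x0B] = 2                                   # Demag_Comp
    img[0x0C:0x0E] = (1040).to_bytes(2, "little")   # Min_Throttle
    img[0x0E:0x10] = (1488).to_bytes(2, "little")   # Center_Throttle
    img[0x10:0x12] = (1960).to_bytes(2, "little")   # Max_Throttle
    img[0x12] = 1                                   # Enable_Throttle_Cal
    img[0x17] = 3                                   # Brake_On_Stop
    img[0x1A:0x1C] = (200).to_bytes(2, "little")    # Beacon_Delay
    return bytes(img)


if __name__ == "__main__":
    layout = recover_layout(LISTING)
    for f in layout:
        print(f"+{f.offset:02X} {f.size}B {f.name} ({f.delphi_type})")
    print("unwritten:", [(hex(a), hex(b)) for a, b in uncovered_ranges(layout)])
    print(decode_object(layout, build_sample_image()))
```

Run against the full listing, the table comes out contiguous from +0B to +2F, which is a quick sanity check that the switch really is the complete setter for the settings block; any hole would point at a field written by some other routine, and that is exactly the kind of thing to look for before trusting a hand-built struct definition in the debugger.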
Logged Messages
Turn on BLH's log feature.
The log then appears in the window on the right. I have to say this log is quite something; the tree structure is very nice.
Looking closely, it actually goes through the BLB mode rather than UniSerial (I traced the wrong place the first time), which means the code I traced earlier was not quite right. What is especially nice is that this tree structure matches the call hierarchy I saw in the assembly.
The corresponding address information is also visible here: the first read is at address 0x7C00, the second at 0xEB00, and the third at 0xF7AC.
The previous article said that only the first read contains useful information and that the latter two contain essentially no setup parameters; here you can see that the second read fetches the activation status information and the third reads the Flash information once more, though what that is for is not explained.
Summary
I took a lot of detours. First I read through all of the code reconstructed by IDR and found that I could not locate the actual data parsing anywhere, so I had to fall back on dynamic debugging. Then, while debugging, the code locations did not match IDR, so my breakpoints never hit the place where the configuration is read. It turned out that the client I had reversed with IDR and the one I was debugging in OD were not the same; once I used the same one, the code addresses and everything else matched.
Then, while tracing the code, I found that in some places the control flow differed from what I had assumed. I had previously traced too far down into the low level and got stuck there; after dynamic debugging I realised the key was not the read itself but the processing flow that follows the read.
Tracing the processing flow, I then found that the data does not come from the raw data originally read but from data that has already been processed, so I had to go back to the read location to find where the raw data is handled. And after reading all of ReadFlash, I found it still contained no actual serial port read code, which astonished me.
Only when I noticed an inconspicuous function, CheckStrACK, did I discover the truth. This post is already far too long, so I will continue in another one.
Quote
https://www.52pojie.cn/thread-615448-1-1.html
http://www.youngroe.com/2019/07/01/Windows/delphi_reverse_summary/