fi01/5794566
Decompress kernel image first
-- How to disassemble kernel
Disassemble the uncompressed kernel image binary with the arm-linux-androideabi-objdump command from the NDK (--adjust-vma gives the raw binary its load address, here 0xc0008000, so the listing shows real kernel virtual addresses):
arm-linux-androideabi-objdump --disassemble-all -b binary -m arm --adjust-vma=0xc0008000 kernel.Image > kernel.dasm
-- How to get address for variable ptmx_fops
ptmx_fops is used in the function unix98_pty_init:
unix98_pty_init()
{
    ...
    /* Now create the /dev/ptmx special device */
    tty_default_fops(&ptmx_fops);
    ptmx_fops.open = ptmx_open;
    cdev_init(&ptmx_cdev, &ptmx_fops);
    ...
}
Search for it in the disassembly; the addresses to match on are:
c0316cac tty_default_fops
c0155564 cdev_init
c031ea48 ptmx_open
c0a1d184: e2850008 add r0, r5, #8 ; R0 = &ptmx_fops
c0a1d188: ebe3e6c7 bl 0xc0316cac ; tty_default_fops(&ptmx_fops)
c0a1d18c: e59f30c0 ldr r3, [pc, #192] ; 0xc0a1d254 ; R3 = ptmx_open
c0a1d190: e2850070 add r0, r5, #112 ; 0x70 ; R0 = &ptmx_cdev
c0a1d194: e2851008 add r1, r5, #8 ; R1 = &ptmx_fops
c0a1d198: e5853034 str r3, [r5, #52] ; 0x34 ; ptmx_fops.open = ptmx_open;
c0a1d19c: ebdce0f0 bl 0xc0155564 ; cdev_init(&ptmx_cdev, &ptmx_fops)
...
c0a1d254: c031ea48 eorsgt lr, r1, r8, asr #20 ; [0xc0a1d254] = ptmx_open
Now you know "ptmx_fops = R5 + 8", so search backward to find what R5 is:
c0a1d02c: e59f51fc ldr r5, [pc, #508] ; 0xc0a1d230
...
c0a1d230: c0cc37e0 sbcgt r3, ip, r0, ror #15 ; [0xc0a1d230] = 0xc0cc37e0
OK, you found "ptmx_fops = R5 + 8 = 0xc0cc37e0 + 8 = 0xc0cc37e8"
-- How to get address for perf_swevent_enabled
perf_swevent_enabled is used in the function sw_perf_event_destroy:
static void sw_perf_event_destroy(struct perf_event *event)
{
    u64 event_id = event->attr.config;
    WARN_ON(event->parent);
    static_key_slow_dec(&perf_swevent_enabled[event_id]);
    swevent_hlist_put(event);
}
Search for it in the disassembly:
c010ba7c sw_perf_event_destroy
c010ba7c: e92d4070 push {r4, r5, r6, lr}
c010ba80: e1a04000 mov r4, r0
c010ba84: e590319c ldr r3, [r0, #412] ; 0x19c
c010ba88: e5905080 ldr r5, [r0, #128] ; 0x80 ; R5 = event->attr.config
c010ba8c: e3530000 cmp r3, #0
c010ba90: 0a000002 beq 0xc010baa0
c010ba94: e59f0070 ldr r0, [pc, #112] ; 0xc010bb0c
c010ba98: e30113f9 movw r1, #5113 ; 0x13f9
c010ba9c: ebfdf2cf bl 0xc00885e0
c010baa0: e59f3068 ldr r3, [pc, #104] ; 0xc010bb10 ; R3 = perf_swevent_enabled
c010baa4: e0835105 add r5, r3, r5, lsl #2 ; R5 = &perf_swevent_enabled[event_id]
...
c010bb10: c0caf3b4 strhgt pc, [sl], #52 ; 0x34 ; [0xc010bb10] = 0xc0caf3b4
OK, you found "perf_swevent_enabled = 0xc0caf3b4"
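Both lookups above (R5 for ptmx_fops, R3 for perf_swevent_enabled) come down to resolving an ARM pc-relative literal load by hand. The following Python, added here and not part of fi01's gist, decodes "ldr Rt, [pc, #imm]" from its instruction word and follows it to the literal pool in an objdump listing; the listing lines are a constructed sample built from the addresses quoted above, and the function names are my own.

```python
import re
# Constructed sample: lines quoted in the gist, in the "addr: word  mnemonic ..." shape
# that objdump -b binary --adjust-vma emits (objdump's tabs collapsed to spaces).
LISTING = """\
c0a1d02c: e59f51fc ldr r5, [pc, #508] ; 0xc0a1d230
c0a1d184: e2850008 add r0, r5, #8
c0a1d230: c0cc37e0 sbcgt r3, ip, r0, ror #15
c010baa0: e59f3068 ldr r3, [pc, #104] ; 0xc010bb10
c010bb10: c0caf3b4 strhgt pc, [sl], #52 ; 0x34
"""

LINE_RE = re.compile(r"^\s*([0-9a-f]{8}):\s+([0-9a-f]{8})\s+(.*)$")

def parse_listing(text):
    """Map instruction address -> raw 32-bit word, one entry per listing line."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            words[int(m.group(1), 16)] = int(m.group(2), 16)
    return words

def decode_ldr_pc(word):
    """Decode an A32 'ldr Rt, [pc, #+/-imm12]' from its encoding -> (rt, signed imm) or None."""
    if (word >> 28) == 0xF:           # cond=1111 is the unconditional space, never LDR imm
        return None
    # bits 27:25 = 010, P=1, B=0, W=0, L=1, Rn=1111 (pc); the U bit (23) is masked out
    if (word & 0x0F7F0000) != 0x051F0000:
        return None
    rt = (word >> 12) & 0xF
    imm = word & 0xFFF
    return rt, (imm if word & (1 << 23) else -imm)

def resolve_pc_literal(words, addr):
    """Follow the literal load at addr to its pool entry. In ARM state the PC reads as
    the instruction address + 8, so the entry sits at addr + 8 +/- imm12.
    Returns (rt, pool_addr, pool_value)."""
    decoded = decode_ldr_pc(words[addr])
    if decoded is None:
        raise ValueError("no pc-relative ldr at %#x" % addr)
    rt, imm = decoded
    pool_addr = addr + 8 + imm
    if pool_addr not in words:
        raise KeyError("literal pool entry %#x is outside the listing" % pool_addr)
    return rt, pool_addr, words[pool_addr]

def ptmx_fops_from_listing(words, ldr_addr, add_imm=8):
    """ptmx_fops = R5 + 8 in the gist: literal value plus the 'add r0, r5, #8' immediate."""
    return resolve_pc_literal(words, ldr_addr)[2] + add_imm
```

Running it on a full kernel.dasm only needs parse_listing over the whole file; the same decoder also rejects the non-ldr words at the other addresses.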