- 积分
- 213
- 实力分
- 点
- 金钱数
- 两
- 技术分
- 分
- 贡献分
- 分
|
发表于 2005-12-17 16:02:07
|
显示全部楼层
关于pSendMessage?函数的一点讨论.... ”
作者: JunFeng
可能是关于pSendMessage?函数的一点发现,希望能借此找找pSendMessage?函数地址定可能是关于pSendMessage?函数的一点发现,希望能借此找找pSendMessage?函数地址定义,然后调大通话音量
这里,应该就是pSendMessage?引用地址的地方
这里是编辑通讯录时跳转到的地方
CE000:B32C loc_CEB32C: ; CODE XREF: CE000:B0EE�j
CE000:B32C E6 00 34 00 mov DPP0, #34h ; '4'
CE000:B330 CC 00 nop
CE000:B332 F2 F8 86 30 mov r8, word_D3086
CE000:B336 48 84 cmp r8, #4
CE000:B338 CD 13 jmpr cc_SLT, loc_CEB360 小于4
CE000:B33A 48 87 cmp r8, #7
CE000:B33C AD 11 jmpr cc_SGT, loc_CEB360 大于7
CE000:B33E E0 49 mov r9, #4 全部作4处理,编辑通录时对456项电话号码引用的处理,引用时只会处理电话号码
CE000:B340 E0 06 mov r6, #0
CE000:B342 88 60 mov [-r0], r6 CE000:B344 88 90 mov [-r0], r9 CE000:B346 E6 FC E8 35 mov r12, #35E8h
CE000:B34A E6 FD 0E 00 mov r13, #0Eh
CE000:B34E E6 FE 94 00 mov r14, #94h ; '?
CE000:B352 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B356 DA B4 4C 72 calls 0B4h, pSendMessage? 在这里
CE000:B35A 08 04 add r0, #4
CE000:B35C EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
估计最后引用到了这里
seg054:57A4 mov r8, #0
seg054:57A6 mov r9, #0
seg054:57A8 mov [-r0], r9
seg054:57AA mov [-r0], r8
seg054:57AC mov r12, #5
seg054:57AE mov DPP0, #36h ; '6'
seg054:57B2 mov r13, #4 如上为4时,这里是编辑通讯录时对引用电话号码的处理
seg054:57B4 mov r14, word_D8324
seg054:57B8 mov r15, word_D8326
seg054:57BC calls 0CEh, sub_CEEF4E
seg054:57C0 add r0, #4
seg054:57C2 jmpr cc_UC, loc_5457E0
如何引用就不得而知了
以下是追踪过程:
编辑通讯录按左键在这里跳转(就是编辑时按左键引用其它号码或名字或地址的功能,显示是一张图片)
CE000:B0EA 46 FC 40 00 cmp r12, #40h ; '@'
CE000:B0EE EA 20 2C B3 jmpa cc_Z, loc_CEB32C
到这里了
CE000:B32C loc_CEB32C: ; CODE XREF: CE000:B0EE�j
CE000:B32C E6 00 34 00 mov DPP0, #34h ; '4'
CE000:B330 CC 00 nop
CE000:B332 F2 F8 86 30 mov r8, word_D3086
CE000:B336 48 84 cmp r8, #4 小于4跳
CE000:B338 CD 13 jmpr cc_SLT, loc_CEB360
CE000:B33A 48 87 cmp r8, #7 大于7跳
CE000:B33C AD 11 jmpr cc_SGT, loc_CEB360
CE000:B33E E0 49 mov r9, #4 04重要
CE000:B340 E0 06 mov r6, #0
CE000:B342 88 60 mov [-r0], r6
CE000:B344 88 90 mov [-r0], r9
CE000:B346 E6 FC E8 35 mov r12, #35E8h
CE000:B34A E6 FD 0E 00 mov r13, #0Eh
CE000:B34E E6 FE 94 00 mov r14, #94h ; '?
CE000:B352 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B356 DA B4 4C 72 calls 0B4h, pSendMessage? 这里
CE000:B35A 08 04 add r0, #4
CE000:B35C EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
CE000:B360 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
CE000:B360
CE000:B360 loc_CEB360: ; CODE XREF: CE000:B338�j
CE000:B360 ; CE000:B33C�j
CE000:B360 E6 00 34 00 mov DPP0, #34h ; '4'
CE000:B364 CC 00 nop
CE000:B366 F2 F8 86 30 mov r8, word_D3086
CE000:B36A 46 F8 09 00 cmp r8, #9
CE000:B36E 3D 11 jmpr cc_NZ, loc_CEB392 这里
CE000:B370 E0 79 mov r9, #7 07重要
CE000:B372 E0 06 mov r6, #0
CE000:B374 88 60 mov [-r0], r6
CE000:B376 88 90 mov [-r0], r9
CE000:B378 E6 FC E8 35 mov r12, #35E8h
CE000:B37C E6 FD 0E 00 mov r13, #0Eh
CE000:B380 E6 FE 94 00 mov r14, #94h ; '?
CE000:B384 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B388 DA B4 4C 72 calls 0B4h, pSendMessage? 这里
CE000:B38C 08 04 add r0, #4
CE000:B38E EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
CE000:B392 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
CE000:B392
CE000:B392 loc_CEB392: ; CODE XREF: CE000:B36E�j
CE000:B392 E6 00 34 00 mov DPP0, #34h ; '4'
CE000:B396 CC 00 nop
CE000:B398 F2 F8 86 30 mov r8, word_D3086
CE000:B39C 48 83 cmp r8, #3
CE000:B39E 3D 11 jmpr cc_NZ, loc_CEB3C2 这里
CE000:B3A0 E0 39 mov r9, #3 03重要
CE000:B3A2 E0 06 mov r6, #0
CE000:B3A4 88 60 mov [-r0], r6
CE000:B3A6 88 90 mov [-r0], r9
CE000:B3A8 E6 FC E8 35 mov r12, #35E8h
CE000:B3AC E6 FD 0E 00 mov r13, #0Eh
CE000:B3B0 E6 FE 94 00 mov r14, #94h ; '?
CE000:B3B4 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B3B8 DA B4 4C 72 calls 0B4h, pSendMessage? 这里
CE000:B3BC 08 04 add r0, #4
CE000:B3BE EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
CE000:B3C2 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
CE000:B3C2
CE000:B3C2 loc_CEB3C2: ; CODE XREF: CE000:B39E�j
CE000:B3C2 E6 00 34 00 mov DPP0, #34h ; '4'
CE000:B3C6 CC 00 nop
CE000:B3C8 F2 F8 86 30 mov r8, word_D3086
CE000:B3CC 46 F8 0C 00 cmp r8, #0Ch
CE000:B3D0 3D 11 jmpr cc_NZ, loc_CEB3F4 这里
CE000:B3D2 E0 A9 mov r9, #0Ah 0A重要
CE000:B3D4 E0 06 mov r6, #0
CE000:B3D6 88 60 mov [-r0], r6
CE000:B3D8 88 90 mov [-r0], r9
CE000:B3DA E6 FC E8 35 mov r12, #35E8h
CE000:B3DE E6 FD 0E 00 mov r13, #0Eh
CE000:B3E2 E6 FE 94 00 mov r14, #94h ; '?
CE000:B3E6 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B3EA DA B4 4C 72 calls 0B4h, pSendMessage? 这里
CE000:B3EE 08 04 add r0, #4
CE000:B3F0 EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
CE000:B3F4 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
CE000:B3F4
CE000:B3F4 loc_CEB3F4: ; CODE XREF: CE000:B3D0�j
CE000:B3F4 E0 C8 mov r8, #0Ch 0C也重要
CE000:B3F6 E0 09 mov r9, #0
CE000:B3F8 88 90 mov [-r0], r9
CE000:B3FA 88 80 mov [-r0], r8
CE000:B3FC E6 FC E8 35 mov r12, #35E8h
CE000:B400 E6 FD 0E 00 mov r13, #0Eh
CE000:B404 E6 FE 94 00 mov r14, #94h ; '?
CE000:B408 E6 FF 23 00 mov r15, #23h ; '#'
CE000:B40C DA B4 4C 72 calls 0B4h, pSendMessage?
CE000:B410 08 04 add r0, #4
CE000:B412 EA 00 CC B4 jmpa cc_UC, loc_CEB4CC
CE000:B416 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
再看这里
注意地址,都在ram里面(可能是c库,猜猜)
估计在编辑通讯录的所有引用操作最后都跳下面来了
54000:5720E0 08 mov r8, #0
54000:5722 E0 09 mov r9, #0
54000:5724 88 90 mov [-r0], r9
54000:5726 88 80 mov [-r0], r8
54000:5728 E0 5C mov r12, #5
54000:572A E6 00 36 00 mov DPP0, #36h ; '6'
54000:572E ; assume dpp3: 0FFFFh (page 0x3FFFC000)
54000:572E E0 7D mov r13, #7 忘了是对什么的处理
54000:5730 F2 FE 24 03 mov r14, word_D8324
54000:5734 F2 FF 26 03 mov r15, word_D8326
54000:5738 DA CE 4E EF calls 0CEh, sub_CEEF4E
54000:573C 08 04 add r0, #4
54000:573E EA 00 E0 57 jmpa cc_UC, loc_5457E0
54000:5742 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
54000:5742 E0 08 mov r8, #0
54000:5744 E0 09 mov r9, #0
54000:5746 88 90 mov [-r0], r9
54000:5748 88 80 mov [-r0], r8
54000:574A E0 5C mov r12, #5
54000:574C E6 00 36 00 mov DPP0, #36h ; '6'
54000:5750 E0 3D mov r13, #3 对引用名字的处理
54000:5752 F2 FE 24 03 mov r14, word_D8324
54000:5756 F2 FF 26 03 mov r15, word_D8326
54000:575A DA CE 4E EF calls 0CEh, sub_CEEF4E
54000:575E 08 04 add r0, #4
54000:5760 EA 00 E0 57 jmpa cc_UC, loc_5457E0
54000:5764 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
54000:5764 E0 08 mov r8, #0
54000:5766 E0 09 mov r9, #0
54000:5768 88 90 mov [-r0], r9
54000:576A 88 80 mov [-r0], r8
54000:576C E0 5C mov r12, #5
54000:576E E6 00 36 00 mov DPP0, #36h ; '6'
54000:5772 E0 AD mov r13, #0Ah 忘了,邮编吧应该
54000:5774 F2 FE 24 03 mov r14, word_D8324
54000:5778 F2 FF 26 03 mov r15, word_D8326
54000:577C DA CE 4E EF calls 0CEh, sub_CEEF4E
54000:5780 08 04 add r0, #4
54000:5782 0D 2E jmpr cc_UC, loc_5457E0
54000:5784 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
54000:5784 E0 08 mov r8, #0
54000:5786 E0 09 mov r9, #0
54000:5788 88 90 mov [-r0], r9
54000:578A 88 80 mov [-r0], r8
54000:578C E0 5C mov r12, #5
54000:578E E6 00 36 00 mov DPP0, #36h ; '6'
54000:5792 E0 CD mov r13, #0Ch 忘了,好象是网址的处理
54000:5794 F2 FE 24 03 mov r14, word_D8324
54000:5798 F2 FF 26 03 mov r15, word_D8326
54000:579C DA CE 4E EF calls 0CEh, sub_CEEF4E
54000:57A0 08 04 add r0, #4
54000:57A2 0D 1E jmpr cc_UC, loc_5457E0
54000:57A4 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
54000:57A4 E0 08 mov r8, #0
54000:57A6 E0 09 mov r9, #0
54000:57A8 88 90 mov [-r0], r9
54000:57AA 88 80 mov [-r0], r8
54000:57AC E0 5C mov r12, #5
54000:57AE E6 00 36 00 mov DPP0, #36h ; '6'
54000:57B2 E0 4D mov r13, #4 对电话号码的处理
54000:57B4 F2 FE 24 03 mov r14, word_D8324
54000:57B8 F2 FF 26 03 mov r15, word_D8326
54000:57BC DA CE 4E EF calls 0CEh, sub_CEEF4E
54000:57C0 08 04 add r0, #4
54000:57C2 0D 0E jmpr cc_UC, loc_5457E0
其实开始是想弄个发短信是按左键直接访问通讯录的,还是不懂
希望大师们能指点一二
发短信选择号码时按左键时跳到这里(显示的也是图片)
DD000:BE92 46 FE 0E 00 cmp r14, #0Eh
DD000:BE96 EA 20 1E BF jmpa cc_Z, loc_DDBF1E
跳到这里
DD000:BF1E loc_DDBF1E: ; CODE XREF: DD000:BE96�j
DD000:BF1E DC 59 extp r9, #2
DD000:BF20 D4 F8 60 00 mov r15, [r8+60h]
DD000:BF24 D4 18 62 00 mov r1, [r8+62h]
DD000:BF28 DC 51 extp r1, #2
DD000:BF2A 98 2F mov r2, [r15+]
DD000:BF2C A8 3F mov r3, [r15]
DD000:BF2E 9A F2 02 70 jnb r2.7, loc_DDBF36
DD000:BF32 EA 00 EC C0 jmpa cc_UC, loc_DDC0EC
DD000:BF36 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
DD000:BF36
DD000:BF36 loc_DDBF36: ; CODE XREF: DD000:BF2E�j
DD000:BF36 DC 47 extp r7, #1
DD000:BF38 D4 E6 04 00 mov r14, [r6+4]
DD000:BF3C 46 FE EB 00 cmp r14, #0EBh ; '?
DD000:BF40 3D 09 jmpr cc_NZ, loc_DDBF54
DD000:BF42 88 C0 mov [-r0], r12
DD000:BF44 88 D0 mov [-r0], r13
DD000:BF46 DC 47 extp r7, #1
DD000:BF48 D4 C6 06 00 mov r12, [r6+6]
DD000:BF4C DA B5 DA D2 calls 0B5h, sub_B5D2DA
DD000:BF50 98 D0 mov r13, [r0+]
DD000:BF52 98 C0 mov r12, [r0+]
DD000:BF54
DD000:BF54 loc_DDBF54: ; CODE XREF: DD000:BF40�j
DD000:BF54 E0 16 mov r6, #1
DD000:BF56 DC 49 extp r9, #1
DD000:BF58 C4 68 64 00 mov [r8+64h], r6
DD000:BF5C F0 8D mov r8, r13
DD000:BF5E F0 9C mov r9, r12
DD000:BF60 DA DC 00 00 calls 0DCh, IsMMCError? 呵呵检查mmc是否错误
DD000:BF64 F0 C9 mov r12, r9
DD000:BF66 F0 D8 mov r13, r8
DD000:BF68 48 40 cmp r4, #0
DD000:BF6A 2D 0D jmpr cc_Z, loc_DDBF86
DD000:BF6C F0 8C mov r8, r12
DD000:BF6E F0 9D mov r9, r13
DD000:BF70 DC 59 extp r9, #2
DD000:BF72 D4 C8 02 00 mov r12, [r8+2]
DD000:BF76 D4 D8 04 00 mov r13, [r8+4]
DD000:BF7A DC 49 extp r9, #1
DD000:BF7C A8 E8 mov r14, [r8]
DD000:BF7E DA CD F4 FF calls 0CDh, sub_CDFFF4 这个重点的,内容看下面
DD000:BF82 EA 00 FE C0 jmpa cc_UC, loc_DDC0FE
calls 0CDh, sub_CDFFF4如下:
CD000:FFF4 sub_CDFFF4: ; CODE XREF: DD000:BF7E�P
CD000:FFF4 E0 4F mov r15, #4
CD000:FFF6 FA CE AC EF jmps 0CEh, loc_CEEFAC
跳到这里
CE000:EFAC loc_CEEFAC: ; CODE XREF: sub_CDFFF4+2�J
CE000:EFAC 26 F0 1C 03 sub r0, #31Ch
CE000:EFB0 88 E0 mov [-r0], r14
CE000:EFB2 88 D0 mov [-r0], r13
CE000:EFB4 88 C0 mov [-r0], r12
CE000:EFB6 E0 01 mov r1, #0
CE000:EFB8 E0 02 mov r2, #0
CE000:EFBA 88 20 mov [-r0], r2
CE000:EFBC 88 10 mov [-r0], r1
CE000:EFBE E0 03 mov r3, #0
CE000:EFC0 E0 04 mov r4, #0
CE000:EFC2 88 40 mov [-r0], r4
CE000:EFC4 88 30 mov [-r0], r3
CE000:EFC6 E0 EC mov r12, #0Eh
CE000:EFC8 00 C0 add r12, r0
CE000:EFCA 66 FC FF 3F and r12, #3FFFh
CE000:EFCE F2 FD 02 FE mov r13, DPP1
CE000:EFD2 E0 4E mov r14, #4 这里4时有sim卡和讯录两个选项,改为2则直接访问通讯录,但是不能保存号码并发送,不懂
CE000:EFD4 DA CE 52 EE calls 0CEh, sub_CEEE52 CE000:EFD8 06 F0 0E 00 add r0, #0Eh CE000:EFDC E0 0C mov r12, #0 CE000:EFDE 88 C0 mov [-r0], r12
CE000:EFE0 E6 FC D8 1B mov r12, #1BD8h
CE000:EFE4 E6 FD 3B 03 mov r13, #33Bh
CE000:EFE8 E0 2E mov r14, #2
CE000:EFEA 00 E0 add r14, r0
CE000:EFEC 66 FE FF 3F and r14, #3FFFh
CE000:EFF0 E6 FF 02 00 mov r15, #2
CE000:EFF4 DA BF A2 03 calls 0BFh, sub_BF03A2 这里奇怪,和coollang的汇编文件子程序显示不同,他的是sub_F336AA ,这个是konka的文件
CE000:EFF8 06 F0 1E 03 add r0, #31Eh
CE000:EFFC DB 00 rets
其实用calls 0CEh, sub_CEEF4E来处理更快,可以选择,可是也不能保存号码。不懂
由于我什么语言都不懂,以上都是臆测。(呵呵,我也就会修改些个跳转)
但会继续寻找pSendMessage?的参数定义的,想调大通话音量
下面是音量调整的部分
找到通话音量调整的核心了,由于不懂pSendMessage的参数定义,没找到具体的内容修改,对pSendMessage有所了解的请看:
B500014EC sub_B514EC ; CODE XREF CC000B598�P
B500014EC ; CF0007D9C�J ...
B500014EC F0 1C mov r1, r12
B500014EE 49 24 cmpb rl1, #4 ;rl1音量值,音量只有4格,如大于4就不处理,=byte_3E8A4的bit2
B500014F0 ED 0D jmpr cc_UGT, loc_B5150C
B500014F2 88 10 mov [-r0], r1
B500014F4 E6 FC D0 34 mov r12, #34D0h ;
B500014F8 E6 FD 0E 00 mov r13, #0Eh ;
B500014FC E6 FE 16 00 mov r14, #16h ;
B50001500 98 10 mov r1, [r0+]
B50001502 C0 2F movbz r15, rl1 ;
B50001504 DA B4 4C 72 calls 0B4h, pSendMessage
B50001508 E0 14 mov r4, #1
B5000150A DB 00 rets
铃声调整时函数用到的数据也找到了,但是懒的去追
不知道算不算扔板砖,呵呵
还是期望大师能突破pSendMessage
------------------------------------------------------------------------------------------------------------------------------------------
近日又研究了一下,发现音量调整的确是读取D6000:2C26的数据,
这是按右键时调用到D6000:2C26的
D6000:2C60 loc_D62C60:
D6000:2C60 E6 FC 26 2C mov r12, #2C26h
D6000:2C64 E6 FD 58 03 mov r13, #358h
D6000:2C68 FA DC 7E 93 jmps 0DCh, sub_DC937E
通话时按+-调音量时调用到
D5000:AD6E 46 FC 0D 00 cmp r12, #0Dh
D5000:AD72 EA 20 72 AE jmpa cc_Z, loc_D5AE72
D5000:AD76 46 FC 0E 00 cmp r12, #0Eh
D5000:AD7A EA 20 72 AE jmpa cc_Z, loc_D5AE72
执行到
D5000:AE86 DA D6 AC 2C calls 0D6h, sub_D62CAC ;就在这里
子程序如下:
D6000:2CAC sub_D62CAC: ; CODE XREF: D5000:AE86�P
D6000:2CAC ; D5000:C7CC�P
D6000:2CAC E6 FC 36 2C mov r12, #2C36h ;用到了D6000:2C36的数据(往下子程序中好象D6000:2CB0 E6 FD 58 03 mov r13, #358h ;是从D6000:2C46开始引用,keke,不知对不对?
再看D6000:2C26的数据:
00362c24h: 20 00 AC 2C D6 00 02 4F DD 00 00 00 04 06 02 00 ; .??.O?......
00362c34h: 03 00 01 00 00 00 02 00 B8 0B 00 00 FF 7F 00 00 ; ........?.. |
|
IP卡
狗仔卡
发表于 2005-12-15 15:39:48
显身卡
发表于 2005-12-16 12:27:37
楼主