1

I am currently working to solve the stage Hanoi in the Microcorruption CTF. This CTF focusses on the MSP430 Family (RISC, 16Bit).

I stumbled across the following lines:

445c:  c443 fcff      mov.b #0x0, -0x4(r4)
.
.
.
4472:  5f44 fcff      mov.b -0x4(r4), r15

Which contains move instructions referencing a negative operand in front of (r4). I assumed this would point to the registers in front of whatever is stored in r4 (two words in front) but looking at the memory dump this assumption seems not to be correct.

I used https://www.ti.com/lit/ug/slau049f/slau049f.pdf as reference, Page 3-52 is the reference to mov.b.

Please fill me in on what happens here exactly, or give me some keywords to search for.

Any help is appreciated!

P.S.: Please do not spoil how to solve this stage, I want to figure out whatever I can on my own. Thanks!

Jason Aller
  • 3,541
  • 28
  • 38
  • 38
Bassrelic
  • 90
  • 11
  • 1
    You can't "point to a register", this is just storing (and then reloading) to memory at the address `r4 - 4`. The memory address is the register plus a (negative) offset. – Peter Cordes Dec 22 '20 at 21:42
  • Ah i see, the result (assuming stored in f4 is 43FC) would be 43F8. (which in this case is an address). Thanks for pointing that out, I can see the change in memory now. – Bassrelic Dec 22 '20 at 22:19
  • I noticed, that you removed the tag risc, according to the reference posted, this controller uses a RISC 16-Bit CPU. Why is this tag wrong in this instance? – Bassrelic Dec 22 '20 at 22:27
  • Feel free to add your comment as answer, i will accept it then. – Bassrelic Dec 22 '20 at 22:31
  • 1
    I removed the RISC tag because MSP430 is not a standard RISC machine, and people looking for stuff about RISC in general won't find anything relevant here. Store immediate to memory is pretty non-RISC, and MSP430 has other non-RISC-like features. Apparently TI claims it has RISC-like internals (https://www.quora.com/Is-MSP430-CISC-or-RISC). It's not important how we classify MSP430, just that it works well and has compact easy-to-decode machine code, regardless of RISC purity. And this question isn't about RISC design philosophy at all, just specific details of MSP430. – Peter Cordes Dec 22 '20 at 22:42
  • Thanks for clarification – Bassrelic Dec 22 '20 at 22:47

1 Answers1

2

As pointed out in the coments by Peter Cordes, my initial thought is correct. (Even though the wording is off)

The value stored in the memoryaddress, which is equal to the sum of the value stored in r4 plus the offset -4 is decremented by the register plus -4 (offset) and stored in r15. That's it really.

Example:

If

r4 = 0x43FC and 0x43F8 = 0xAB

The instruction

mov.b -0x4(r4), r15

would result in the value 0x43FC - 0x4 = 0x43F8

At this addres, 0xAB is stored.

Result:

r15 = 0xAB

Bassrelic
  • 90
  • 11
  • It's `r15 = mem[r4 - 4]`, but what you described is `r15 = r4 - 4`. Also, "decremented" implies that `r4` is modified. I didn't check MSP430 docs, but I don't think that addressing mode writes the address back to the address register. (Some CPUs have that, e.g. ARM lets you optionally update the base register as part of a load or store instruction with a register+offset) – Peter Cordes Dec 22 '20 at 22:38
  • 1
    Nope, still wrong. You're still not mentioning loading from memory at that address, only doing math on a register value. The first sentence of my last comment still applies, and that was the more important of the 2 points. – Peter Cordes Dec 22 '20 at 23:00