Mark Nord
kartu
In this version, the LDR at 0x0000CE04 uses an immediate value (0x3FC), thereby releasing the dword at 0x0000CEF8. 0x0000CEF8 now contains the format string address. The LDR at 0x0000CE28 takes the address from there.
Code:
.text:0000CDE8 BNE loc_CE20
.text:0000CDEC LDRB R3, [R5,#0x84]
.text:0000CDF0 CMP R3, #0
.text:0000CDF4 BNE loc_CE98
.text:0000CDF8 MOV R4, SP
.text:0000CDFC MOV R0, SP ; s
.text:0000CE00 NOP
.text:0000CE04 LDR R1, [R10,#0x3FC] ; format
.text:0000CE08 MOV R2, R6
.text:0000CE0C BL .sprintf
.text:0000CE10 MOV R0, R5
.text:0000CE14 MOV R1, SP
.text:0000CE18 BL SubcpuThreadPostDigitEvent
.text:0000CE1C B loc_CE98
.text:0000CE20 ; ---------------------------------------------------------------------------
.text:0000CE20
.text:0000CE20 loc_CE20.text:0000CE20 MOV R4, SP
.text:0000CE24 MOV R0, SP ; s
.text:0000CE28 LDR R1, =aKholdD ; "kHold%d"
.text:0000CE2C NOP
.text:0000CE30 MOV R2, R6
.text:0000CE34 BL .sprintf
.text:0000CE38 MOV R0, R5
.text:0000CE3C MOV R1, SP
.text:0000CE40 BL SubcpuThreadPostDigitEvent
.text:0000CE44 B loc_CED8
.text:0000CE48 ; ---------------------------------------------------------------------------
…
.text:0000CEF8 ; char *format
.text:0000CEF8 format DCD aKholdD ; DATA XREF: SubcpuThreadPostKeyEvent+130 r
.text:0000CEF8 ; "kHold%d"
kartu, you can try this ebook.so, but be ready for a little crash)))
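An added example, not code from the thread: a small check that a literal-pool dword such as 0x0000CEF8 is read only by the instruction expected to use it, by decoding `LDR Rt, [Rn, #imm12]` words and resolving the PC-relative ones. It assumes A32 (ARM mode) encoding; the instruction words are constructed from the mnemonics in the listing, not read from ebook.so, and the function names are hypothetical.

```python
# Added illustration. Instruction words are constructed from the listing's
# mnemonics under an assumed A32 encoding; they are not bytes from ebook.so.

def encode_ldr(rt, rn, offset):
    """Encode A32 'LDR Rt, [Rn, #offset]' (cond=AL, offset addressing)."""
    if not -0xFFF <= offset <= 0xFFF:
        raise ValueError("imm12 offset out of range")
    u = 1 if offset >= 0 else 0          # U bit: add or subtract the offset
    return 0xE5100000 | (u << 23) | (rn << 16) | (rt << 12) | abs(offset)

def decode_ldr(insn):
    """Return (rt, rn, signed offset) for a word LDR with immediate offset, else None."""
    # bits 27..20 must be 0101 U001: immediate form, P=1, B=0, W=0, L=1
    if (insn & 0x0F700000) != 0x05100000:
        return None
    off = insn & 0xFFF
    if not insn & (1 << 23):
        off = -off
    return (insn >> 12) & 0xF, (insn >> 16) & 0xF, off

def literal_target(addr, insn):
    """Address of the literal-pool dword a PC-relative LDR reads, else None."""
    d = decode_ldr(insn)
    if d is None or d[1] != 15:          # only Rn == PC is a literal load
        return None
    return ((addr + 8) & ~3) + d[2]      # in ARM mode PC reads as addr + 8

def pool_refs(code):
    """Map each literal-pool address to the instruction addresses that read it."""
    refs = {}
    for addr, insn in code:
        target = literal_target(addr, insn)
        if target is not None:
            refs.setdefault(target, []).append(addr)
    return refs

# The two loads from the listing, as constructed words.
CODE = [
    (0xCE04, encode_ldr(1, 10, 0x3FC)),                  # LDR R1, [R10,#0x3FC]
    (0xCE28, encode_ldr(1, 15, 0xCEF8 - (0xCE28 + 8))),  # LDR R1, =aKholdD
]

if __name__ == "__main__":
    for slot, users in pool_refs(CODE).items():
        print(hex(slot), "read by", [hex(u) for u in users])
```
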