Disassembler

[tin]

Interesting stuff. Been on-and-off looking for a way to disassemble a binary for a long time, and this looks like the key!

Having teething issues with getting the python environment working at the moment, and I don't know 68000 (but familiar enough with 6502 so hopefully not too much to learn) but I thought I'd supply a little feedback!

[copse]

You're probably better off using Resource until I am a little further along the road.

[kamelito]

@copse did you hit the road?

[jotd]

@copse that's exactly what "cheapres.py" does. finds the names passed to openlibrary and figures out the lib base variable.

But the program can be lost when there are wrappers around the OpenLibrary calls. For instance a C program adds a lot of wrappers and then you need to manually rename the calls for the tool to continue. Unless you execute the program formally, which is not a piece of cake.

[kamelito]

@Jotd
is there's a way to help cheapres.py to handle non recognzied lib call.
Ex : MOVE.L D0,2016(A4) ;00000324: 294007e0 is saving localbase
Can I tell cheapres that MOVE.L D0,2016(A4) = saving localbase to 2016(A4) so it could put the right function call when seeing things like move.l 2016(A4),a6 followed by a system call ?

[jotd]

Not possible ATM. The only way is to change 2016(A4) to the library base then run the tool again. Which I admit is a weakness of the tool because you destroy the -offset(A4) address so the tool can detect LVOs. And if you want to reassemble the code, you can't. No biggie for me most of the time because i only use those sources for reverse engineering, but...

That would be much better to provide a configuration file to specify that those offsets are actually library bases. I may do that in a next future.

About those A4 register-based variables that are hell... I know IRA can handle them, and so yesterday I added this feature as well here.

say you have located the LEA to A4 in your code:

Code:

LEA	lb_00314+32766,A4	;2b2be: 49f900008312

use cheapres like this

Code:

cheapres.py -i source.asm -b A4:2b2be
cheapres.py: Base offset for A4 is $8312

cheapres parses the LEA expression (can't be too complex either!) and computes offset for A4. Then it's able to link the A4 addresses to offsets by annotating them in comments

Code:

	MOVE.L	A7,-13628(A4)		;2b268: 294fcac4 (links:aka=lb_04dd6)

I have added the ability to recognize jump tables in DATA section so

Code:

   dc.w  $4EF9
   dc.w  some_func

becomes

Code:

  jmp some_func

Also, the A4 link checks if the offset contains a label (as shown above), if it doesn't, it tries to see if it's not _jumping_ to a label (idirection) and sets link accordingly.

To conclude, cheapres also detects wrapper functions that just get args from stack and JMP to OS function. Both features above are illustrated below

Code:

lb_2b474:
	JMP	-30780(A4)		;2b474: 4eec87c4 (links:jmp=dos_Rename)

	SECTION S_67,CODE

dos_Rename:
	MOVEM.L	4(A7),D1-D2		;2b478: 4cef00060004
	MOVEA.L	DosBase,A6		;2b47e: 2c6ccad0
	JMP	(_LVORename,A6)	;2b482: 4eeeffb2 dos.library (off=-78)
	DC.W	$0000			;2b486

We see that as soon as DosBase has been identified and set, the tool detects the wrapping function. And when it detects it, it also detects the other fake wrapping function that calls it (renaming of lb_2b474 isn't done, do it manually)

available in my repository now.

[kamelito]

Thanks I’ll look into it.