Conversation

Notices

1. Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:12:58 JST Foone🏳️‍⚧️

   Solar Winds (DOS, 2013) annoyingly doesn't use C-strings in the text embedded into the executable. It seems to use the PC BIOS convention of ending strings by a $.

   Sadly Ghidra doesn't seem to natively support this

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:22:31 JST Foone🏳️‍⚧️

     in reply to

     I wonder if anyone has made an extension for 16bit DOS reversing. Seems there's a lot of low-hanging-fruit involving automatically analyzing interrupts

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:34:19 JST Foone🏳️‍⚧️

     in reply to

     I think this code is why the game froze on my packard bell back when I was a kid:
     It's setting up the timer and then going into an infinite loop, expecting an interrupt to kick it out of loop eventually.

     Something about the packard bell's PIT means that sometimes that wouldn't happen, and the cutscene would just hang forever

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:40:40 JST Foone🏳️‍⚧️

     in reply to

     ugh. this was definitely written in assembly. Compilers like consistent registers for calling conventions, not randomly deciding to use BX for the single argument

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:42:17 JST Foone🏳️‍⚧️

     in reply to

     • William D. Jones

     @cr1901 maybe I'm mixing it up

   • William D. Jones (cr1901@mastodon.social)'s status on Wednesday, 13-Dec-2023 07:42:18 JST William D. Jones

     in reply to

     @foone Huh, I thought '$' was specifically a DOS convention (and PC-BIOS requires you to know the length ahead of time).

   • Tathar is dragons! ΘΔ (tathar@dragon.style)'s status on Wednesday, 13-Dec-2023 07:48:44 JST Tathar is dragons! ΘΔ

     in reply to

     @foone

     I thought it was a 1993 game.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 07:48:44 JST Foone🏳️‍⚧️

     in reply to

     • Tathar is dragons! ΘΔ

     @Tathar huh. that was a major thinko, considering I checked before posting. fixed, thanks!

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:03:25 JST Foone🏳️‍⚧️

     in reply to

     well I'm in a new function and I know what the value of DS is, but I have zero idea how to tell Ghidra that.

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:06:57 JST Foone🏳️‍⚧️

     in reply to

     oh here we go: ctrl+r, Set Register Values

   • Niko (lethal_guitar) (lethal_guitar@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:08:40 JST Niko (lethal_guitar)

     in reply to

     @foone these loops look weird - wouldn't the interrupt just return to the same place when done and the loop would keep running? How would these loops ever stop?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:08:40 JST Foone🏳️‍⚧️

     in reply to

     • Niko (lethal_guitar)

     @lethal_guitar They seem to be waiting for AX to change: I think they set up an interrupt that doesn't properly save/restore registers, so AX ends up changing

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:10:45 JST Foone🏳️‍⚧️

     in reply to

     they must have had a macro or compiler for strings. A lot of the filenames are double-terminatored:
     BH_MU8.DAT\0$

   • Niko (lethal_guitar) (lethal_guitar@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:12:48 JST Niko (lethal_guitar)

     in reply to

     @foone or is this just Ghidra misinterpreting the Assembly?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:12:48 JST Foone🏳️‍⚧️

     in reply to

     • Niko (lethal_guitar)

     @lethal_guitar
     so the disassembly sets AX and CX to 0, then loops on waiting for AX to turn to non-zero, then it does it again waiting for it to turn to zero, then it loops again incrementing CX while waiting for AX to turn non-zero.
     So with an interrupt handler that toggles AX, this lets them calibrate how many CPU cycles (roughly) equals the set PIT frequency

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:22:49 JST Foone🏳️‍⚧️

     in reply to

     • Niko (lethal_guitar)

     @lethal_guitar yeah. so much hand-written assembly does shit like that, in my experience. just things that feel COMPLETELY WRONG because you can't realistically connect that kind of code to anything written by a compiler

   • Niko (lethal_guitar) (lethal_guitar@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:22:50 JST Niko (lethal_guitar)

     in reply to

     @foone I guess when you're programming in Assembly it's more convenient to use registers instead of setting up variables in memory. But still feels wrong for the interrupt to not save/restore all registers.

   • Niko (lethal_guitar) (lethal_guitar@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:22:51 JST Niko (lethal_guitar)

     in reply to

     @foone interesting!!

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:25:08 JST Foone🏳️‍⚧️

     in reply to

     maybe I need to switch back to Ida Pro. Ghidra makes a lot of questionable or just plain bad assumptions when dealing with 16bit code

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:26:40 JST Foone🏳️‍⚧️

     in reply to

     like I've got this code:
     MOV byte ptr [0x4678],0x1

     and I know DS is 0x1019. I have told Ghidra as much. but if I click on 4678, it tries to look up 0000:4678, which is the wrong address

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:29:47 JST Foone🏳️‍⚧️

     in reply to

     yeah this code has a lot of NOPs in it for something a compiler would write.
     x86-16 doesn't have delay slots, so... that's definitely a human writing this

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:32:01 JST Foone🏳️‍⚧️

     in reply to

     • Aiden Fox Ivey

     @aidenfoxivey I tried a while back but at the time it wasn't very good at 16bit x86 at all. maybe it's improved since then

   • Aiden Fox Ivey (aidenfoxivey@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:32:02 JST Aiden Fox Ivey

     in reply to

     @foone Foone have you tried Binja for this?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:35:30 JST Foone🏳️‍⚧️

     in reply to

     although I wouldn't be surprised if they're using some macros or existing libraries for basic program stuff. I've found two different ways they set interrupts.

     They've got their own function that writes the IVT directly, and then sometimes they call INT 21h,AH=9

   • Luis Correia (luisfcorreia@mastodon.social)'s status on Wednesday, 13-Dec-2023 08:44:05 JST Luis Correia

     in reply to

     @foone byte/segment/bank alignment?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:44:05 JST Foone🏳️‍⚧️

     in reply to

     • Luis Correia

     @luisfcorreia 16-bit x86 doesn't care about alignment, so nope

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:46:07 JST Foone🏳️‍⚧️

     in reply to

     okay yeah they definitely are using some library.
     They register a interrupt handler for interrupt 10: That's an FPU error. this program doesn't use the floating point unit!

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:47:19 JST Foone🏳️‍⚧️

     in reply to

     ahh. and printer errors.
     yeah, I doubt there's very many printer errors in this video game

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 08:54:12 JST Foone🏳️‍⚧️

     in reply to

     I'm sorry, what?

     This is the whole function.
     First, we save DS.
     Then we set AX to 1BF9
     Then we set DS to AX
     then we set AX to DS (?!)
     then we restore the old value of DS

     So... the only result is setting AX to 1BF9?

   • Foone🏳️‍⚧️ (foone@digipres.club)'s status on Wednesday, 13-Dec-2023 09:12:51 JST Foone🏳️‍⚧️

     in reply to

     and now I found some strings terminated with \x01.

     that's THREE terminators so far

   • moralrecordings (moralrecordings@digipres.club)'s status on Wednesday, 13-Dec-2023 10:01:06 JST moralrecordings

     in reply to

     @foone yeah, the lack of fat pointer support for 16-bit segmented addressing is frustrating. If memory serves it's not something that can be fixed in the SLEIGH definition, it needs a bunch of changes to the Java model.

     Still, people are actively contributing fixes for DOS stuff, eventually Ghidra will support Earth's worst address space.