#win16 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #win16, aggregated by home.social.
-
Well, some success. I think I figured out some kind of address for these types:
#ghidra #reverseengineering #win16 -
Back to my antics... I think I seem to have figured out the RTTI stuff somewhat, thanks to this resource:
http://hwreblog.com/projects/ghidra.html -
Well, live and learn. There is actually a better search option which supports wildcards under Search -> "Memory...".
-
If we look closely and chew through some endianness magic, we can now start searching for the "magic bytes" using the knowledge that the `CALLF` instruction starts with 0x9a and the next four bytes are the address of the thunk.
One way so far is via Search -> "For Instruction Patterns" and looking up all the possible locations for these calls.
All this is manual work though, until I figure out a way to script this... -
Some minor progress with Ghidra:
Firstly, it recognizes imports from various libraries (GDI, KERNEL and MMSYSTEM), but as it hasn't fully decompiled the game, most of the imports are marked as unused. On the image below `GDI::CREATECOMPATIBLEDC` is referenced from the code, but `GDI::CREATEDC` isn't.
So if we dig further, we can see that the library calls use `CALLF address_of_thunk` which in hex is `9a4000b811`...
#ghidra #reverseengineering #win16
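Added example, not code from the posts above or from the game being analysed: a small Python scanner that performs the search both `CALLF` posts describe, so it can be scripted rather than done by hand in the Ghidra search dialogs. It assumes the `CALLF` (far call, `ptr16:16`) encoding of opcode 0x9A followed by a little-endian 16-bit offset and then a little-endian 16-bit segment, which is the endianness magic that turns the quoted bytes `9a4000b811` into segment 0x11B8, offset 0x0040. The sample byte string is constructed here for illustration (it is not the game's code) and deliberately contains a stray 0x9A byte inside a `MOV` immediate, to show why a raw opcode scan must be filtered by known thunk targets.

```python
import struct
from collections import defaultdict

CALLF_OPCODE = 0x9A  # CALL ptr16:16: far call with an immediate segment:offset


def decode_far_call(buf: bytes, pos: int):
    """Decode a 5-byte far call at pos, or return None if it does not start with 9A.

    Encoding is 9A <offset lo> <offset hi> <segment lo> <segment hi>:
    offset comes first, then segment, both 16-bit little-endian words.
    """
    if pos + 5 > len(buf) or buf[pos] != CALLF_OPCODE:
        return None
    offset, segment = struct.unpack_from("<HH", buf, pos + 1)
    return segment, offset


def encode_far_call(segment: int, offset: int) -> bytes:
    """Inverse of decode_far_call; used only to build the constructed sample."""
    return bytes([CALLF_OPCODE]) + struct.pack("<HH", offset, segment)


def find_far_calls(buf: bytes, targets=None):
    """Return {(segment, offset): [positions]} for every 9A xx xx xx xx in buf.

    If targets is given, keep only calls whose (segment, offset) is in it.
    Without a filter, any 0x9A byte (an immediate, a data byte) decodes as a
    bogus call, so in practice pass the thunk addresses you already trust.
    """
    hits = defaultdict(list)
    pos = buf.find(bytes([CALLF_OPCODE]))
    while pos != -1:
        target = decode_far_call(buf, pos)
        if target is not None and (targets is None or target in targets):
            hits[target].append(pos)
        pos = buf.find(bytes([CALLF_OPCODE]), pos + 1)
    return dict(hits)


def format_target(target) -> str:
    """Render (segment, offset) the way a disassembler prints it, e.g. 11B8:0040."""
    segment, offset = target
    return f"{segment:04X}:{offset:04X}"


# Constructed sample code segment (assumption, not bytes from the game):
# two calls to the thunk quoted in the post (9A 40 00 B8 11 -> 11B8:0040),
# one call to a second hypothetical thunk, and a MOV AX, 0x009A whose
# immediate contains a 0x9A byte that must not be mistaken for a CALLF.
THUNK = (0x11B8, 0x0040)
OTHER = (0x11B8, 0x0050)
SAMPLE = (
    b"\x55\x8b\xec"            # push bp; mov bp, sp
    + encode_far_call(*THUNK)  # callf 11B8:0040 at offset 3
    + b"\xb8\x9a\x00"          # mov ax, 0x009A (stray 0x9A at offset 9)
    + encode_far_call(*OTHER)  # callf 11B8:0050 at offset 11
    + encode_far_call(*THUNK)  # callf 11B8:0040 at offset 16
    + b"\x5d\xcb"              # pop bp; retf
)

if __name__ == "__main__":
    print("unfiltered scan (note the bogus hit from the MOV immediate):")
    for target, positions in find_far_calls(SAMPLE).items():
        print(f"  {format_target(target)} called at {positions}")
    print("filtered to the known thunk:")
    for target, positions in find_far_calls(SAMPLE, {THUNK}).items():
        print(f"  {format_target(target)} called at {positions}")
```

The same loop ports directly to a Ghidra script by iterating over the program's memory bytes instead of a Python `bytes` object and creating a reference to the thunk at each filtered hit; the decoding and the target filter are the parts that matter, and the filter is what keeps the result honest, since a bare 0x9A byte proves nothing on its own.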