-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Need ability to distinguish between 16- and 32- bit disassembly to RE Windows 3.X protected-mode applications #4685
Comments
You can try setting the context bits addrsize=1 and opsize=1 to change the decode of the the instructions to a 32-bit model and then re-disassemble this section. addrsize # =0 16-bit addressing =1 32-bit addressing opsize gets flipped by the 0x66 prefix, so opsize=1 will end up as 0 and match the PUSHA These will show up as registers in the set register popup menu. You can try it on this function and if it works for you, select areas that should be considered 32-bit code and use set the context registers. These settings might not quite solve this issue, but you can try it. There may be other issues with a mixed 16 and 32 bit memory model. I've used 16-bit or 32-bit base processors and overridden them depending on the majority of the code. |
Oh yeah, forgot you need to clear the instructions first before setting the context. You can't change the context if an instruction already is disassembled there because you might be changing something that was used in the instruction match. Same thing applies to changing byte values. You can't change them while an instruction exists there. |
Thanks @emteere. Trying that solution produced (what I believed to be) the correct disassembly, but had absolutely no effect upon the decompilation (see screenshot below) except for the 2 red X's complaining about "inconsistant context"! However, if I replace the two prefix bytes This implies something else is happening somewhere! Any ideas?? |
FYI, if I change either or both |
Mmm, seems the |
When REing 16-bit protected mode applications, the flag that indicates the 16-/32-bit definition of each code segment comes from the segment descriptor table (LDT/GDT). This is unavailable (or unused) by Ghidra and consequently is confusing the decompiler by using incorrect assembly when using the
66h
/67h
overrides on components.E.g. the bytes
66 60
are being disassembled intoPUSHAD
instead of (the ia.sync's definition of)PUSHA
which in this case is causing the decompiler to produce a whole load of rubbish and even messes with the parameters of the forwarding function call (which, btw is this function's sole purpose). Here's Ghidra's disassembly:and here's the corresponding (incorrect) decompilation:
If I manually replace the
66
with aNOP
, the decompilation becomes:This needs some kind of mechanism to tell Ghidra that the current code segment we are REing is actually one using 32-bit, which in turn would correctly interpret the
66
override (hopefully!).I have seen this issue in several locations throughout my application suit.
Some of this is described in "Undocumented Windows." by Andrew Schulman
Subtitle: A programmer's guide to reserved Microsoft Windows API functions
Covers Windows 3.1 and 3.0
Originally posted by @Wall-AF in #2033 (comment)
The text was updated successfully, but these errors were encountered: