Snowman handling x86-16bit as 32bit in IDA Plugin #161

Open
enusbaum opened this Issue Mar 26, 2018 · 1 comment

enusbaum commented Mar 26, 2018

I'm working on the disassembly of a 16-bit NE file using IDA Pro (6.9) and noticed the Snowman plugin appears to be treating the disassembly as 32-bit.

This is leading to very strange decompilation.

Thoughts?

IDA Disassembly of the start of a subroutine:

cseg02:8236                 enter   60h, 0
cseg02:823A                 push    si
cseg02:823B                 push    di
cseg02:823C                 push    ds
cseg02:823D                 mov     ax, seg dseg28
cseg02:8240                 mov     ds, ax
cseg02:8242                 mov     [bp+var_4], 0

What Snowman plugin says are the 'Instructions':

8ee6:	enter 0x60, 0x0
8eea:	push esi
8eeb:	push edi
8eec:	push ds
8eed:	mov eax, 0xd88e6ffb
8ef2:	mov dword [esi-0x4], 0xe99a0000
yegord commented Mar 26, 2018

Probably something goes wrong here: https://github.com/yegord/snowman/blob/master/src/ida-plugin/IdaFrontend.cpp#L219 (instead of "8086" something else is returned; maybe you do not have a .text section).

Would you like to debug further or provide a minimal example?

Also I would like to note that 16-bit code decompilation was never really tested. So, even if disassembling goes fine, you will likely come across other problems.
