RE: [colorforth] Reverse engineering the BIOS (2)
- Subject: RE: [colorforth] Reverse engineering the BIOS (2)
- From: <howerd.oakford@xxxxxxxxxxxx>
- Date: Sat, 24 Apr 2004 11:28:22 +0100
- Importance: Normal
Hi Albert,
An obvious question - how do you decide on the name and address of the
labels based only on the BIOS code?
Are the sections of code always bounded by call-ret pairs?
Regards
Howerd
-----Original Message-----
From: Albert van der Horst [mailto:albert@xxxxxxxxxxxxxxxxxx]
Sent: 23 April 2004 15:34
To: colorforth mailing list
Subject: [colorforth] Reverse engineering the BIOS (2)
INTRODUCTION
I have been working on a disassembler with the ultimate goal to
better boot colorforth by analysing the bios. Here I report on the
progress thus far.
REVERSE ENGINEERING THE BIOS
Now that some groundwork has been laid I make progress.
I have a label mechanism along the line of
1000 BAG LABELS
(A bag is a sort of array that can be popped and pushed and knows
how much is in there. Or if you want a set without duplicates.)
A label is a forth word: its name is the label and, if executed,
it leaves a number, i.e. the label's address.
The forth word's dea (dictionary entry address, aka execution token)
is stored in the bag.
I have the defining word LABEL :
\ Associate ADDRESS with "NAME". (Store it in ``LABELS'')
: LABEL CONSTANT LATEST LABELS SET+! ;
And some auxiliary words such as LABELS[] .LABELS BAG-BOUNDS LAB< LAB<->
SORT-LABELS L< FIND-LABEL (uses binary search) >LABEL
This is the bottom line :
(ID. prints the name of the label.)
\ Adorn the ADDRESS we are currently disassembling with a label
\ if any.
: ADORN-WITH-LABEL HOST>TARGET >LABEL DUP IF &: EMIT ID. CR _ THEN DROP ;
( Print X as a symbolic label if possible, else as a number )
: .LABEL/. DUP >LABEL DUP IF ID. DROP ELSE DROP U. THEN ;
Now I am at an impasse. I can duplicate those words for
MULTIPLE-LINE-COMMENT COMMENT: etc. but I prefer to make LABEL
an instance of a class, and then have more instances.
If LABEL is defined like
: LABEL CREATE , DOES> @ ... store in bag ... ;
then COMMENT: is defined like
: COMMENT: ... get remainder of line, store and leave pointer ...
SWAP CREATE , , DOES> @ ..store in bag .. ;
So COMMENT: is in fact a label with an extra payload that we can fetch
with `` ' somecomment >BODY CELL+''
So first I will make a class where labels are an instance,
before proceeding.
What I can do now is best shown by an example.
(Note: this assembler may look weird, because it is a special
reverse engineering assembler. More on my website below.)
(The cost up till now is 487 WOC or 5 screens, on top of the
existing assembler and utilities.)
--------------- assemble sample --------------
ASSEMBLER
1278 ORG
CLD,
MOV, X| T| DI'| MEM| XXX X,
:QQQ
POP|ES,
ADD, B| F| AL'| D0| [SI]
MOV, X| T| DI'| MEM| XXX X,
:XXX
MOV, X| T| DI'| MEM| QQQ X,
JMP, XXX RX,
JMP, XXX _AP_ 4 + - (RX,)
JMP, XXX 1- RX,
JMPS, XXX RB,
JMPS, XXX 1- RB,
JMP, YYY RX,
JMP, YYY 1- RX,
JMPS, YYY RB,
JMPS, YYY 1- RB,
LEA, AX'| DB| [AX +4* AX] 0 B,
:YYY
PREVIOUS
-------------- output of disassembler -------------------
1278 ORG \ This is a bug, actually
CLD,
MOV, X| T| DI'| MEM| 1294 X,
POP|ES,
ADD, B| F| AL'| D0| [SI]
MOV, X| T| DI'| MEM| 1294 X,
MOV, X| T| DI'| MEM| 1285 X,
JMP, -11 (RX,)
JMP, -16 (RX,)
JMP, -22 (RX,)
JMPS, -23 (RB,)
JMPS, -26 (RB,)
JMP, 13 (RX,)
JMP, 7 (RX,)
JMPS, 6 (RB,)
JMPS, 3 (RB,)
LEA, AX'| DB| [AX +4* AX] 0 B,
-------------- reverse engineering information ----------
1278 ORG
1285 LABEL QQQ
1294 LABEL XXX
1337 LABEL YYY
-------------- output of disassembler (+re) --------------
80386 ciforth 4.0.4
1278 ORG
CLD,
MOV, X| T| DI'| MEM| XXX X,
:QQQ
POP|ES,
ADD, B| F| AL'| D0| [SI]
MOV, X| T| DI'| MEM| XXX X,
:XXX
MOV, X| T| DI'| MEM| QQQ X,
JMP, XXX RX,
JMP, XXX RX,
JMP, -22 (RX,)
JMPS, XXX RB,
JMPS, -26 (RB,)
JMP, YYY RX,
JMP, 7 (RX,)
JMPS, YYY RB,
JMPS, 3 (RB,)
LEA, AX'| DB| [AX +4* AX] 0 B,
:YYY
------------ Difference with assembler input ----------------------
> ASSEMBLER
53,54c14,15
< JMP, XXX RX,
< JMP, -22 (RX,)
---
> JMP, XXX _AP_ 4 + - (RX,)
> JMP, XXX 1- RX,
56c17
< JMPS, -26 (RB,)
---
> JMPS, XXX 1- RB,
58c19
< JMP, 7 (RX,)
---
> JMP, YYY 1- RX,
60c21
< JMPS, 3 (RB,)
---
> JMPS, YYY 1- RB,
62a24,25
>
> PREVIOUS
----------------------------------------------------
Groetjes Albert
Albert van der Horst,Oranjestr 8,3511 RA UTRECHT,THE NETHERLANDS
One man-hour to invent,
One man-week to implement,
One lawyer-year to patent.
albertt@xxxxxxxxxxxxxxxxxx http://home.hccnet.nl/a.w.m.van.der.horst
---------------------------------------------------------------------
To unsubscribe, e-mail: colorforth-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, e-mail: colorforth-help@xxxxxxxxxxxxxxxxxx
Main web page - http://www.colorforth.com
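Albert's LABEL / >LABEL / .LABEL/. words and the jump lines of the "+re" listing, as an added Python example that is not Albert's ciforth code and not part of the thread: a sorted label bag with binary-search lookup, exact-match address resolution, and a re-rendering of the nine jumps from the sample. The class, function and constant names (Label, LabelBag, render_jump, SAMPLE_JUMPS), the instruction sizes (5 bytes for JMP rel32, 2 for JMPS rel8) and the comment payload attached to YYY are assumptions; the label addresses and displacements are the ones printed in the post. It goes slightly beyond the post by giving a label the optional payload that Albert sketches for COMMENT:.

```python
from bisect import bisect_left
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Label:
    # A plain LABEL is (address, name); `payload` stands in for the extra
    # cell a COMMENT: instance would carry (fetched with >BODY CELL+ in the post).
    address: int
    name: str
    payload: Optional[str] = None


class LabelBag:
    """Sorted, duplicate-free label table with binary-search lookup,
    mirroring the SORT-LABELS / FIND-LABEL pair described in the post."""

    def __init__(self) -> None:
        self._addrs: list[int] = []    # kept sorted so bisect works
        self._labels: list[Label] = []

    def add(self, label: Label) -> None:
        i = bisect_left(self._addrs, label.address)
        if i < len(self._addrs) and self._addrs[i] == label.address:
            self._labels[i] = label    # set semantics: same address replaces, never duplicates
            return
        self._addrs.insert(i, label.address)
        self._labels.insert(i, label)

    def find(self, address: int) -> Optional[Label]:
        """>LABEL: exact match only.  An address one byte off a label
        (the XXX 1- targets in the sample) is deliberately not a label."""
        i = bisect_left(self._addrs, address)
        if i < len(self._addrs) and self._addrs[i] == address:
            return self._labels[i]
        return None

    def render(self, address: int) -> str:
        """.LABEL/. : the label's name if the address is labelled, else the number."""
        lab = self.find(address)
        return lab.name if lab is not None else str(address)


def adorn(bag: LabelBag, address: int) -> str:
    """ADORN-WITH-LABEL: the ':NAME' line emitted before a labelled address, else nothing."""
    lab = bag.find(address)
    return f":{lab.name}" if lab is not None else ""


def render_jump(bag: LabelBag, mnemonic: str, addr: int, size: int, disp: int) -> str:
    """Render a relative jump the way the '+re' listing does.  The CPU adds the
    displacement to the address of the *next* instruction; if that target is
    labelled, print 'JMP, NAME RX,' (RB, for the short form), otherwise fall
    back to the raw displacement in the '(RX,)' / '(RB,)' form."""
    target = addr + size + disp
    form = "RX," if mnemonic == "JMP," else "RB,"
    lab = bag.find(target)
    if lab is not None:
        return f"{mnemonic} {lab.name} {form}"
    return f"{mnemonic} {disp} ({form})"


def build_sample_bag() -> LabelBag:
    """Labels from the post's 'reverse engineering information' block (decimal addresses)."""
    bag = LabelBag()
    bag.add(Label(1285, "QQQ"))
    bag.add(Label(1294, "XXX"))
    # Constructed payload: illustrates the COMMENT: idea, not in the post.
    bag.add(Label(1337, "YYY", payload="constructed comment: end of sample"))
    return bag


# Constructed instruction stream for the nine jumps in the post's sample:
# (mnemonic, address, encoded size, displacement).  Sizes are assumed
# (5 bytes for JMP rel32, 2 bytes for JMPS rel8); addresses follow from 1278 ORG.
SAMPLE_JUMPS = [
    ("JMP,", 1300, 5, -11), ("JMP,", 1305, 5, -16), ("JMP,", 1310, 5, -22),
    ("JMPS,", 1315, 2, -23), ("JMPS,", 1317, 2, -26),
    ("JMP,", 1319, 5, 13), ("JMP,", 1324, 5, 7),
    ("JMPS,", 1329, 2, 6), ("JMPS,", 1331, 2, 3),
]


def sample_listing(bag: Optional[LabelBag] = None) -> list[str]:
    """The nine jump lines of the '+re' listing, regenerated from raw displacements."""
    if bag is None:
        bag = build_sample_bag()
    return [render_jump(bag, m, a, s, d) for m, a, s, d in SAMPLE_JUMPS]


if __name__ == "__main__":
    bag = build_sample_bag()
    for line in sample_listing(bag):
        print(line)
```

Run as a script it prints the jump lines exactly as they appear in the "+re" listing: the targets that land on QQQ, XXX or YYY become symbolic, while the `1-` targets stay numeric because `find` demands an exact address match, which is also why the diff at the end of the post shows those four lines as the only differences from the assembler input.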