-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handling of CONCAT22 in syscall wrappers #1
Comments
It is a bit hard to tell without seeing the actual assembler code. This looks like an internal function, which takes all its "parameters" in registers, but Ghidra has detected none of those. So the function expects that BP[+4] contains a pointer to the name of the file, but BP is not set inside the function, nor is BP defined as a parameter to this function. This "confuses" the disassembler. Another problem is that Ghidra has problems with Segment:Offest addresses. Another problem is that all internal library functions never conforms to any calling convention and the standard parameter passing, which Ghidra tries to do. So __stdcall is all wrong. This should be a custom calling convention, see below. So if you want to "fix" this, you need to create the missing register parameters. The input being DS, BP and CL. What you really would like (need), is a FID library to identify the higher levels functions like fopen, fwrite ... and simply ignore these internal functions. But of course you need to identify them first. :/ What the function does, is open a file passed into the upper function as first parameter and return the handle number or -1 in case of error (in AX). |
@Gravelbones Thank you so much -- I really appreciate you taking the time to write all this! It has given me a lot of options, and also helped me understand why I'm seeing the results I'm seeing while using this project. I'm going to use this as a way forward, and see if I can make it work internally to this file, and then evaluate whether or not that's worth moving on to a FID. I'm reasonably sure the application was programmed with Borland Turbo C 2.0, but the assembly in the I'll investigate other avenues about how to address the Segment:Offset issues. I've noticed that Ghidra will happily reference the correct locations in the string names of variables (i.e., While I really do appreciate you taking the time to reply to me, please go ahead and close this issue if you feel that any further discussion is out of scope! Thanks for your lengthy and helpful reply. |
You are welcome. |
Hi! This is a really awesome and very helpful toolbox, and has made my janky python script to insert 0x21 handlers totally unnecessary!
I was wondering if there was a way to automatically handle stack pointers to syscalls. It's entirely possible I'm doing something incorrect, but when looking at a syscall-wrapping function (which I assume comes from a stdlib of sorts for my executable) I am getting Ghidra disassembly that looks like:
It's correctly getting the
DosOpenFile
reference, but it's unable to see that the second half of the pointer((short)&stack0x00000000 + 4)
is part of the function call. All of the storage forDosOpenFile
seems correct, and it's definitely working with that, but somehow the function call isn't matching up and it's trying to turn it into a fullchar*
rather than the custom storage one. (I think?)I recognize it might be out of the purview of GhidraDosToolbox to address this, but is this an issue you've encountered before and might have an idea of how to solve? Thanks again for your hard work on this, and any tips you might have.
The text was updated successfully, but these errors were encountered: