[W]hen we had problems like this we had to code up small runtime
routines to scan the memory space for what were JMP and JMP indirect
instructions in our Microdata 1621 object code to find out who was
connected to what.
Maybe if holme had such a routine he could run it and find the
runtime setup ones.
Or throw grep at the text version of the disassembly.
My disassembler was originally written specifically to pick apart a
captured malware binary, and it is most usable for jobs similar to
that. It's not "this is the only tool you'll need", but in my
experience it is a major help with such things - I used it for a Y2K
consulting gig back when Y2K was an issue (someone had an x86 binary
whose vendor no longer existed and found it had bugs).
Or maybe if one is lucky, the code you have at 0x04c8 is a table and
could just be dumped to continue the hunt.
Looking at what's at 4c8, I think more likely r8 is a pointer to some
kind of large state struct, with 4c8 an offset within that struct.
I probably will not have the leisure to look at this all that much more
anytime soon. There is a version of my disassembler up for anonymous
FTP (probably at least a little out of date) and the current source is
available for git clone; anyone who cares to is welcome to fetch it and
take over. I really should update the FTPable copy....
ftp.rodents-montreal.org:/mouse/disas/src/ is the FTPable copy; the git
repo is git://git.rodents-montreal.org/Mouse/disas.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B