VOGONS

Search

Common searches

Looking for help with analyzing disassembled code->

Topic actions

First post, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

Okay, so I have disassembled an MS-DOS old game (Cartooners) which was compiled using the Microsoft C 5.10 compiler. With some effort I managed to identify a few parts as a C functions for example:

000241C0 55                       PUSH BP
000241C1 8BEC                     MOV BP, SP
000241C3 8CC0                     MOV AX, ES
000241C5 C45E06                   LES [BP +0x06], BX
000241C8 26                       ES
000241C9 8C5F06                   MOV [BX +0x06], DS
000241CC 26                       ES
000241CD 8907                     MOV [BX], AX
000241CF 26                       ES
000241D0 8C4F02                   MOV [BX +0x02], CS
000241D3 26                       ES
000241D4 8C5704                   MOV [BX +0x04], SS
000241D7 8EC0                     MOV ES, AX
000241D9 8BE5                     MOV SP, BP
000241DB 5D                       POP BP
000241DC CB                       RETF

Turned out to be the segread function defined in DOS.H:

void _CDECL segread(struct SREGS *);)

However there chunks which are short and appear simple enough such as:

; Function that rotates and shifts bits to the left the number of times specified in the CL register.
0002501E  32ED              xor ch,ch		; Ensure that the CX register's value does not exceed 0xFF.
00025020  E306              jcxz 0x5028		; Return if CX equals zero.
00025022  D1E0              shl ax,1		; Shift the bits in the AX register to the left and preserve the left most bit shifted out in the carry flag.
00025024  D1D2              rcl dx,1		; Rotate the bits in the DX register to the left and preserve the left most bit rotated out in the carry flag.
00025026  E2FA              loop 0x5022		; Keep rotating and shifting until the CX register has been decremented to zero.
00025028  CB                retf

I can tell what it is doing but I can't make out what the exact purpose is. It is only called by one slightly larger function:

00025036  55                push bp
00025037  8BEC              mov bp,sp
00025039  8B5E06            mov bx,[bp+0x6]	; Retrieve the offset of the values to be rotated and shifted.
0002503C  8B07              mov ax,[bx]		; Bits to be rotated to the left.
0002503E  8B5702            mov dx,[bx+0x2]	; Bits to be shifted to the left.
00025041  8B4E08            mov cx,[bp+0x8]	; The number of shifts and rotations to be performed.
00025045  0E                push cs		; Near call with a far return.
00025046  E8D5FF            call 0x501e		; Call the leftward rotating and shifting function.
00025049  8B5E06            mov bx,[bp+0x6]	; Return the results.
0002504C  8907              mov [bx],ax		;
0002504E  895702            mov [bx+0x2],dx	;
00025051  8BE5              mov sp,bp
00025053  5D                pop bp
00025054  CA0400            retf 0x4

That one is in turn called from a much larger function , and again only that one:

...
000226DD  B008              mov al,0x8		; The number of rotations and shifts.
000226DF  50                push ax		;
000226E0  8D46F6            lea ax,[bp-0xa]	; Offset of the values to rotated and shifted.
000226E3  50                push ax		;
000226E5  0E                push cs		; Near call with far return.
000226E6  E84D29            call 0x5036		; Call the function which in turn calls the bit rotating shifting function.
...

It seems the number of left shifts/rotations is fixed at eight times. Why? No idea. The function which does the left rotating/shifting is paired with an almost identical one that rotates and shifts bits to the right:


; Function that rotates and shifts bits to the right the number of times specified in the CX register.
0002502A  55                push bp
0002502B  8BEC              mov bp,sp
0002502D  E306              jcxz 0x5034		; Return if CX equals zero.
0002502E  D1FA              sar dx,1		; Shift all bits in the DX register to the left while preserving the sign bit (left most bit).
						; 1. Unsigned values will be divided by two and rounded down.	
						; 2. Signed values will be divided by two and rounded down and recieve a copy of the sign bit in the second to left most bit.
						;    (Value = Value OR 0x4000.)
00025030  D1D8              rcr ax,1		; Rotate ax to the right and save the right most bit shifted out in the carry flag.
00025032  E2FA              loop 0x502e		; Keep rotating and shifting until the CX register has been decremented to zero.
00025034  CB                retf

It is also called in the exact same manner as the first one by another function. However there appear to be no calls to it. Given almost all of this code is located at the bottom of the disassembled code where I already identitied a few C functions I suspect the rotating/shifting code bit is some kind of C function or part of one.

My project:
https://github.com/PeterSwinkels/Cartooners-F … iewer/tree/main

EDIT:
I used the Netwide Disassembler after unpacking Cartoons.exe with my own custom unpacker. And yes, it works because Cartoons.exe runs fine after unpacking.

Last edited by Peter Swinkels on 2024-04-16, 18:43. Edited 3 times in total.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 1 of 22, by VileR

Posted on 
User metadata
Rank l33t
Rank
l33t

Maybe someone will recognize an algorithm here, but the first thing I'd do is debug Cartooners while it's running, set some breakpoints on those functions, and try to see which user actions get them to trigger (if at all). Seeing when/where code gets used could give vital clues towards the "why" and "what".

[ WEB ] - [ BLOG ] - [ TUBE ] - [ CODE ]

Reply 2 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-16, 17:38:

Okay, so I have disassembled an MS-DOS old game (Cartooners) which was compiled using the Microsoft C 5.10 compiler. With some effort I managed to identify a few parts as a C functions for example:

the CARTOONS.EXE is packed with EXEPACK

https://www.bamsoftware.com/software/exepack/ - Win/Linux
https://bencastricum.nl/unp/ - DOS

will unpack the exe for you

what disassembler did you use?

i attached an output of my old 6.5x IDA Pro - that easily gives you all C library functions - maybe that helps a little

you found functions starts at line 78991

seg002:49A0                         ; void __cdecl segread(struct SREGS *)
seg002:49A0                         _segread        proc far                ; CODE XREF: sub_270A8+3EP
seg002:49A0                                                                 ; seg001:F39CP ...
seg002:49A0
seg002:49A0                         arg_0           = dword ptr  6
seg002:49A0
seg002:49A0 55                                      push    bp
seg002:49A1 8B EC                                   mov     bp, sp
seg002:49A3 8C C0                                   mov     ax, es
seg002:49A5 C4 5E 06                                les     bx, [bp+arg_0]
seg002:49A8 26 8C 5F 06                             mov     es:[bx+SREGS._ds], ds
seg002:49AC 26 89 07                                mov     es:[bx+SREGS._es], ax
seg002:49AF 26 8C 4F 02                             mov     es:[bx+SREGS._cs], cs
seg002:49B3 26 8C 57 04                             mov     es:[bx+SREGS._ss], ss
seg002:49B7 8E C0                                   mov     es, ax
seg002:49B9 8B E5                                   mov     sp, bp
seg002:49BB 5D                                      pop     bp
seg002:49BC CB                                      retf
seg002:49BC                         _segread        endp

Attachments

  • Filename
    CARTOONS.asm.zip
    File size
    272.07 KiB
    Downloads
    7 downloads
    File comment
    asm code with structs
    File license
    Public domain
  • Filename
    CARTOONS.exe.lst.zip
    File size
    817.16 KiB
    Downloads
    8 downloads
    File comment
    listing with opcode s- but without structs
    File license
    Public domain

Reply 3 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

@VileR: Yes that is worth considering.
@llm:
I used the Netwide Disassembler after unpacking Cartoons.exe with my own custom unpacker. And yes, it works because Cartoons.exe runs fine after unpacking. I will look at the stuff you provided once I have some time.

btw:
Here is my unpacker which is mostly a stand-alone module intregated in my Cartooner's File Viewer program:
https://github.com/PeterSwinkels/Cartooners-F … e%20Unpacker.vb

And yes, I know there are unpackers such unp.exe by Ben Castricum (benc@pampus.gns.getronics.nl), it produces code which is aligned in a slightly different manner from mine.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 4 of 22, by jmarsh

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

The purpose of those functions is to shift right/left 32-bit values using 16-bit code. The bit that travels between the upper and lower halves of the 32-bit value gets moved into the carry flag with the shift operation, then inserted into the other half with the rotate.

Reply 6 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

@llm: goes to show how things have progressed. 😀

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 7 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

@llm: I have gotten around to looking at the disassembled code you generated with IDAPro, it's a great help! I have made a lot of progress figuring out all that assembly code. Thank you! 😀

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 8 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-19, 18:02:

@llm: I have gotten around to looking at the disassembled code you generated with IDAPro, it's a great help! I have made a lot of progress figuring out all that assembly code. Thank you! 😀

...and you didn't felt the magic of using the interactive disassembler itself - only the boring dead results 😀

Reply 9 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

Those boring dead results are quite useful. Perhaps I will some day try IDAPro again. For now I am hoping to learn enough about Cartooners to be able to make useful changes to the executable, which is going to be a lot of work.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 10 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

I found a reference in the IDAPro assembly code to a function called "dtoxmode" but I can't find any information about it online. Has anyone ever heard of it? The assembly code in question is attached a post by llm in this thread.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 11 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-21, 13:04:

I found a reference in the IDAPro assembly code to a function called "dtoxmode" but I can't find any information about it online. Has anyone ever heard of it? The assembly code in question is attached a post by llm in this thread.

the game is compiled with Microsoft C 5.1 (according to IDA Pro and the String 'Microsoft Corp\x11' with hex 11 at End) and the function comes from the std library libcmt, stat.obj - but i got no source of the standard lib in my MSC 5.1 installation (don't know if they released the source like in later editions)

at some other place on the internet i've found something about this function in relation to allowed extensions for system()

found something in the VC98 source that seems to be related (or more or less the same implementation)

https://shrutisagarashram.org/ashram/VC/VC98/CRT/SRC/STAT.C

nearly the same strings are getting compared and the shifts and adds at the end are equal (0x1C0 hex -> octal 0700)
i can see same ".exe" ".bat" ".com" strings in the function in CARTOONS.EXE when resolving the offsets in IDA to strings

seg002:525A                         ; Attributes: library function static bp-based frame
seg002:525A
seg002:525A                         ; int __cdecl dtoxmode(char, char *)
seg002:525A                         _dtoxmode       proc near               ; CODE XREF: _stat+16Dp
seg002:525A
seg002:525A                         var_8           = word ptr -8
seg002:525A                         var_4           = dword ptr -4
seg002:525A                         arg_0           = byte ptr  4
seg002:525A                         arg_2           = dword ptr  6
seg002:525A
seg002:525A 55                                      push    bp
seg002:525B 8B EC                                   mov     bp, sp
seg002:525D 83 EC 08                                sub     sp, 8
seg002:5260 56                                      push    si
seg002:5261 8A 46 04                                mov     al, [bp+arg_0]
seg002:5264 2A E4                                   sub     ah, ah
seg002:5266 89 46 F8                                mov     [bp+var_8], ax
seg002:5269 C4 5E 06                                les     bx, [bp+arg_2]
seg002:526C 89 5E FC                                mov     word ptr [bp+var_4], bx
seg002:526F 8C 46 FE                                mov     word ptr [bp+var_4+2], es
seg002:5272 26 80 7F 01 3A                          cmp     byte ptr es:[bx+1], ':'
seg002:5277 75 04                                   jnz     short loc_34A9D
seg002:5279 83 46 FC 02                             add     word ptr [bp+var_4], 2
seg002:527D
seg002:527D                         loc_34A9D:                              ; CODE XREF: _dtoxmode+1Dj
seg002:527D 8B 5E FC                                mov     bx, word ptr [bp+var_4]
seg002:5280 26 80 3F 5C                             cmp     byte ptr es:[bx], '\'
seg002:5284 74 06                                   jz      short loc_34AAC
seg002:5286 26 80 3F 2F                             cmp     byte ptr es:[bx], '/'
seg002:528A 75 07                                   jnz     short loc_34AB3
seg002:528C
seg002:528C                         loc_34AAC:                              ; CODE XREF: _dtoxmode+2Aj
seg002:528C 26 80 7F 01 00                          cmp     byte ptr es:[bx+1], 0
seg002:5291 74 0C                                   jz      short loc_34ABF
seg002:5293
seg002:5293                         loc_34AB3:                              ; CODE XREF: _dtoxmode+30j
seg002:5293 F6 46 F8 10                             test    byte ptr [bp+var_8], 10h
seg002:5297 75 06                                   jnz     short loc_34ABF
seg002:5299 26 80 3F 00                             cmp     byte ptr es:[bx], 0
seg002:529D 75 05                                   jnz     short loc_34AC4
seg002:529F
seg002:529F                         loc_34ABF:                              ; CODE XREF: _dtoxmode+37j
seg002:529F                                                                 ; _dtoxmode+3Dj
seg002:529F B8 40 40                                mov     ax, 4040h
seg002:52A2 EB 03                                   jmp     short loc_34AC7
seg002:52A4                         ; ---------------------------------------------------------------------------
seg002:52A4
seg002:52A4                         loc_34AC4:                              ; CODE XREF: _dtoxmode+43j
seg002:52A4 B8 00 80                                mov     ax, 8000h
seg002:52A7
seg002:52A7                         loc_34AC7:                              ; CODE XREF: _dtoxmode+48j
seg002:52A7 8B F0                                   mov     si, ax
seg002:52A9 F6 46 F8 05                             test    byte ptr [bp+var_8], 5
seg002:52AD 74 05                                   jz      short loc_34AD4
seg002:52AF B8 00 01                                mov     ax, 100h
seg002:52B2 EB 03                                   jmp     short loc_34AD7
seg002:52B4                         ; ---------------------------------------------------------------------------
seg002:52B4
seg002:52B4                         loc_34AD4:                              ; CODE XREF: _dtoxmode+53j
seg002:52B4 B8 80 01                                mov     ax, 180h
Show last 72 lines
seg002:52B7
seg002:52B7                         loc_34AD7:                              ; CODE XREF: _dtoxmode+58j
seg002:52B7 0B F0                                   or      si, ax
seg002:52B9 B8 2E 00                                mov     ax, '.'
seg002:52BC 50                                      push    ax              ; int
seg002:52BD FF 76 08                                push    word ptr [bp+arg_2+2]
seg002:52C0 FF 76 06                                push    word ptr [bp+arg_2] ; char *
seg002:52C3 90                                      nop
seg002:52C4 0E                                      push    cs
seg002:52C5 E8 6A F7                                call    near ptr _strrchr
seg002:52C8 83 C4 06                                add     sp, 6
seg002:52CB 89 46 FC                                mov     word ptr [bp+var_4], ax
seg002:52CE 89 56 FE                                mov     word ptr [bp+var_4+2], dx
seg002:52D1 0B D0                                   or      dx, ax
seg002:52D3 74 49                                   jz      short loc_34B3E
seg002:52D5 B8 4C 5F                                mov     ax, offset a_exe ; ".exe"  <==================
seg002:52D8 1E                                      push    ds
seg002:52D9 50                                      push    ax              ; char *
seg002:52DA FF 76 FE                                push    word ptr [bp+var_4+2]
seg002:52DD FF 76 FC                                push    word ptr [bp+var_4] ; char *
seg002:52E0 90                                      nop
seg002:52E1 0E                                      push    cs
seg002:52E2 E8 07 F7                                call    near ptr _stricmp
seg002:52E5 83 C4 08                                add     sp, 8
seg002:52E8 0B C0                                   or      ax, ax
seg002:52EA 74 2E                                   jz      short loc_34B3A
seg002:52EC B8 51 5F                                mov     ax, offset a_bat ; ".bat"  <==================
seg002:52EF 1E                                      push    ds
seg002:52F0 50                                      push    ax              ; char *
seg002:52F1 FF 76 FE                                push    word ptr [bp+var_4+2]
seg002:52F4 FF 76 FC                                push    word ptr [bp+var_4] ; char *
seg002:52F7 90                                      nop
seg002:52F8 0E                                      push    cs
seg002:52F9 E8 F0 F6                                call    near ptr _stricmp
seg002:52FC 83 C4 08                                add     sp, 8
seg002:52FF 0B C0                                   or      ax, ax
seg002:5301 74 17                                   jz      short loc_34B3A
seg002:5303 B8 56 5F                                mov     ax, offset a_com ; ".com"  <==================
seg002:5306 1E                                      push    ds
seg002:5307 50                                      push    ax              ; char *
seg002:5308 FF 76 FE                                push    word ptr [bp+var_4+2]
seg002:530B FF 76 FC                                push    word ptr [bp+var_4] ; char *
seg002:530E 90                                      nop
seg002:530F 0E                                      push    cs
seg002:5310 E8 D9 F6                                call    near ptr _stricmp
seg002:5313 83 C4 08                                add     sp, 8
seg002:5316 0B C0                                   or      ax, ax
seg002:5318 75 04                                   jnz     short loc_34B3E
seg002:531A
seg002:531A                         loc_34B3A:                              ; CODE XREF: _dtoxmode+90j
seg002:531A                                                                 ; _dtoxmode+A7j
seg002:531A 81 CE 40 00                             or      si, 40h
seg002:531E
seg002:531E                         loc_34B3E:                              ; CODE XREF: _dtoxmode+79j
seg002:531E                                                                 ; _dtoxmode+BEj
seg002:531E 8B C6                                   mov     ax, si
seg002:5320 25 C0 01                                and     ax, 1C0h  <==================
seg002:5323 B1 03                                   mov     cl, 3  <==================
seg002:5325 D3 E8                                   shr     ax, cl
seg002:5327 0B F0                                   or      si, ax
seg002:5329 8B C6                                   mov     ax, si
seg002:532B 25 C0 01                                and     ax, 1C0h  <==================
seg002:532E B1 06                                   mov     cl, 6  <==================
seg002:5330 D3 E8                                   shr     ax, cl
seg002:5332 0B F0                                   or      si, ax
seg002:5334 8B C6                                   mov     ax, si
seg002:5336 5E                                      pop     si
seg002:5337 8B E5                                   mov     sp, bp
seg002:5339 5D                                      pop     bp
seg002:533A C3                                      retn
seg002:533A                         _dtoxmode       endp

what are you searching for - file interaction?

i've got an dosbox staging fork with printing of DOS file operations (wich read/write content) etc. and function hooking - its C/C++ but very useable

Reply 12 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

Yes, I am aware of what compiler was used and those extensions being mentioned in the data section.

Are you saying dtoxmode refers to that particular data?

I will look at the source code you linked to later.

No, I am not looking for file interaction per se, I just wanted to know what dtoxmode does.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 14 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-22, 12:35:

Are you saying dtoxmode refers to that particular data?

dtoxmode referes to some string with file extensions

Peter Swinkels wrote on 2024-04-22, 12:35:

No, I am not looking for file interaction per se, I just wanted to know what dtoxmode does.

jmarsh got the answer

most of the std clib functions are wrappers or mappers for DOS details into the C world - i think only the functions with a single underscore are relevant (these are the public c functions) the rest is more or less
implementation details

Reply 15 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

I think I understand now. My copy of stat.h refers to "System V" so dtoxmode basically converts between MS-DOS file attributes and Unix/Linux (POSIX?) file attributes and has to refer to the .bat, .com and .exe extensions because MS-DOS doesn't have an "executable" attribute like Linux/Unix (POSIX?) ?

Correct?

And,
Whether double or single underscores, I prefer to have at least some idea what a function does so I know whether or not it's worth paying attention to later on. It may very well turn out to be way too hard, but I'd like to try modifying Cartooners and see what I can make it do.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 16 of 22, by mkarcher

Posted on 
User metadata
Rank l33t
Rank
l33t
Peter Swinkels wrote on 2024-04-22, 18:45:

Whether double or single underscores, I prefer to have at least some idea what a function does so I know whether or not it's worth paying attention to later on. It may very well turn out to be way too hard, but I'd like to try modifying Cartooners and see what I can make it do.

I understand the idea. On the other hand, for modifying applications, you can treat the C library as "black box" most of the time. I recommend to not spend time on understanding the implementation of the C library when you have better things to do (like spending time on understanding the Cartooners application code). The behaviour of the C library is quite well known and documented, so you don't need to research yourself how the C library behaves. Underdocumented functions with extra underscores are typically never called by application code, so knowing what they do does not help understanding the application code, which is likely you main goal, as you keep mentioning one specific application you are trying to reverse engineer. Actually, that's one the greatest feature in IDA: It can detect, rename and mark the C library function, so you don't have to analyze them, which can be a massive time-saver trying to understand application code.

Of course you are free to investigate the C library code if you like. You can learn the techniques that were used to build the library, which might be interesting as well. It's just that it likely will not get you any information about any nice things you can make Cartooners do.

Reply 17 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-22, 18:45:

I think I understand now. My copy of stat.h refers to "System V" so dtoxmode basically converts between MS-DOS file attributes and Unix/Linux (POSIX?) file attributes and has to refer to the .bat, .com and .exe extensions because MS-DOS doesn't have an "executable" attribute like Linux/Unix (POSIX?) ?
Correct?

yes, correct

Peter Swinkels wrote on 2024-04-22, 18:45:

Whether double or single underscores, I prefer to have at least some idea what a function does so I know whether or not it's worth paying attention to later on.

i wasn't clear enough - single underscore functions (the ones found by IDA) are the public c stdlib functions (its a standard to use a single underscore) - there is absolutely no need in any form to dig down deeper into them - or else you try to understand code that is equal in every Mirosoft C 5.1 build program and already very well documented (when not looking at implementation-detail under the hood functions like __dtoxmode) - the only relevance is how the cartooners code it using the top-level (single-underscore) functions like fopen,fread,malloc etc. because that gives you maybe a hint about the meaning of the analysed function - but try to avoid analysing stuff that is already well known (at least to C developers)

i know what stats() is doing and its completely unrelevant that __dtoxmode is used to implement its behavior - that does not give any hint about cartooners usage of it - stats() itself is enough at this point

reversing a project means - try to be as efficent as possible to not look at the unrelevant code - trust in IDA 😀

Reply 18 of 22, by Peter Swinkels

Posted on 
User metadata
Rank Oldbie
Rank
Oldbie

Yes, I don't want to waste too much time on the C functions, because like you said they're already documented and I suspect some of them aren't even called by Cartooners. And you're absolutely right, if I want to modify Cartooners my focus should be on the application code. However, have a limited knowledge of C so I need help determining what is and isn't C code. The IDAPro assembly code I have been provided with helps a lot in that regard, but sometimes I will have to ask about the stuff I find in there because I don't fully understand it all. So I will be asking about C functions to make sure I understand what I am dealing with.

At the moment I am trying to create a map in the form of a table of everything I found in the unpacked Cartoons.exe but is a lot of work. Also, how I am going to figure out the application code if I don't know what C function's they're calling or what part of the binary is application code?

Oh and people complain about bloat, those few kbs of what seems like unnecessary stuff would have amounted to a significant amount of the storage space people had available on their systems back then. Also it looks like the conversion from GS/OS to MS-DOS was a rush job. Somehow they recompiled and rewrapped the application code to make it work with MS-DOS. I believe Cartooners is slightly more stable and has a few extra features on the Apple IIGS. It is still a very nice application for the time, it's kind of surprising not much else similar to it appears to have been released. All I can think of is Storybook Weaver.

Do not read if you don't like attention seeking self-advertisements!

Did you read it anyway? Well, you can find all sorts of stuff I made using various programming languages over here:
https://github.com/peterswinkels

Reply 19 of 22, by llm

Posted on 
User metadata
Rank Member
Rank
Member
Peter Swinkels wrote on 2024-04-23, 07:04:

Also, how I am going to figure out the application code if I don't know what C function's they're calling or what part of the binary is application code?

all functions that are labled by IDA as 'Attributes: library function' are library functions - all function called by these are implementation details of the library
normaly the c library isn't cluttered in small pieces around your exe but more on-block - all the functions come straight after another

the 'L' means detected as c library - if there are names like sub_33C06 or unnamed etc. in the c-lib functions block that means that IDAs flirt signature library got no name for this - mostly pure internal functions for th c-lib

start             seg002 00003BEC 000000CD                   . . L . . . .
__cinit           seg002 00003CBA 000000C4                   R F L . . . .
_exit             seg002 00003D7E 00000017 00000002 00000000 . . L . B T .
__exit            seg002 00003D95 00000047 00000002 00000004 . . L . B T .
__ctermsub        seg002 00003DDC 0000002D                   R . L . . . .
sub_33629         seg002 00003E09 00000013                   R . L . . . .
__chkstk          seg002 00003E1C 00000024                   R F L . . . .
__flsbuf          seg002 00003E40 000001BE 0000000E 00000006 R F L . B T .
_close            seg002 00003FFE 00000020 00000002 00000002 R F L . B T .
_lseek            seg002 0000401E 0000007A 00000006 0000000A R . L . B T .
_open             seg002 00004098 0000019F 00000006 00000008 R F L . B T .
__cXENIXtoDOSmode seg002 00004237 00000011                   R . L . . . .
_read             seg002 00004248 000000EA 00000004 00000008 R F L . B T .
_write            seg002 00004332 000000B4 0000000A 00000008 R F L . B T .
sub_33C06         seg002 000043E6 0000005C                   R F L . . . .
unknown_libname_1 seg002 0000447C 00000012 00000002 00000002 R F L . B . .
unknown_libname_2 seg002 0000448E 00000046 00000006 00000002 R F L . B . .
_strncat          seg002 000044D4 0000003B 00000006 0000000A R F L . B T .
_strncpy          seg002 00004510 0000002A 00000006 0000000A R F L . B T .
j___catox         seg002 0000453A 00000003 00000000 FFFFFFFE R F L . . . .
_itoa             seg002 0000453E 0000001C 00000006 00000008 R F L . B T .
_ltoa             seg002 0000455A 0000000A 00000006 0000000C R . L . B T .
_int86            seg002 00004564 00000088 00000010 0000000A R F L . B T .
__aFahdiff        seg002 000045EC 0000002D 00000002 00000008 R F L . B . .
_puts             seg002 0000461A 0000009B 00000010 00000004 R F L . B T .
_tell             seg002 000046B6 00000018 00000002 00000004 R F L . B T .
_filelength       seg002 000046CE 00000066 0000000C 00000004 R F L . B T .
sub_33F54         seg002 00004734 00000026 00000002 00000000 R . L . B . .
__memmax          seg002 0000475A 00000049 00000004 00000000 R F L . B T .
__memavl          seg002 000047A3 0000003C 00000004 00000000 R F L . B T .
__freect          seg002 000047DF 00000052 00000004 00000002 R F L . B T .
sub_34051         seg002 00004831 00000022 00000002 00000000 R . L . B . .
_int86x           seg002 00004854 00000098 00000012 0000000E R F L . B T .
_intdos           seg002 000048EC 00000052 00000006 00000008 R F L . B T .
_intdosx          seg002 0000493E 00000062 00000006 0000000C R F L . B T .
_segread          seg002 000049A0 0000001D 00000002 00000004 R F L . B T .
_strchr           seg002 000049BE 0000002D 00000004 00000006 R F L . B T .
_stricmp          seg002 000049EC 00000045 00000002 00000008 R F L . B T .
_strrchr          seg002 00004A32 0000002E 00000004 00000006 R F L . B T .
_strlwr           seg002 00004A60 00000028 00000002 00000004 R F L . B T .
_strupr           seg002 00004A88 00000028 00000002 00000004 R F L . B T .
_strcspn          seg002 00004AB0 0000005C 00000026 00000008 R F L . B T .
_memmove          seg002 00004B0C 000000CA 00000002 0000000A R F L . B T .
_atexit           seg002 00004BD6 00000035 00000002 00000004 R F L . B T .
_qsort            seg002 00004C0C 000000EE 00000012 0000000C R F L . B T .
quicksort         seg002 00004CFA 000001D7 0000000A 00000008 R . L S B . .
swap              seg002 00004ED2 00000059 00000004 0000000A R . L S B . .
_setjmp           seg002 00004F2C 0000002A 00000000 00000004 R F L . B . .
_longjmp          seg002 00004F56 0000002A 00000000 00000006 . F L . B T .
_signal           seg002 00004F86 000000A3 00000006 00000006 R F L . B T .
__sigentry        seg002 00005029 00000028 00000002 00000000 R F L . B . .
_access           seg002 000050F2 00000021 00000002 00000007 R . L . B T .
_mkdir            seg002 00005114 00000007 00000002 00000000 R . L . B T .
_chdir            seg002 0000511B 0000000F 00000002 00000006 R . L . B T .
_rmdir            seg002 0000512A 00000029 00000002 00000006 R . L . B T .
_getcwd           seg002 00005154 00000018 00000002 00000006 R F L . B T .
__getdcwd         seg002 0000516C 000000EE 00000066 00000008 R F L . B T .
_dtoxmode         seg002 0000525A 000000E1 0000000C 00000006 R . L S B T .
_stat             seg002 0000533C 000001F3 00000058 00000008 R F L . B T .
_remove           seg002 00005530 0000000F 00000002 00000006 R . L . B T .
Show last 59 lines
sub_34D60         seg002 00005540 00000003                   R F . . . . .
__dos_getvect     seg002 00005544 00000012 00000002 00000002 R F L . B T .
__dos_findnext    seg002 00005556 0000000B 00000002 00000006 R . L . B T .
__dos_findfirst   seg002 00005561 00000020 00000002 0000000A R F L . B T .
__dos_setvect     seg002 00005582 00000015 00000002 00000006 R F L . B T .
__dos_getdiskfree seg002 00005598 0000002D 00000002 00000006 R F L . B T .
__dos_getdrive    seg002 000055C6 00000014 00000002 00000004 R F L . B T .
__harderr         seg002 000055DA 00000023 00000002 00000004 R F L . B T .
__hardresume      seg002 00005627 00000008 00000002 00000002 R F L . B T .
sub_34E50         seg002 00005630 00000042 00000002 00000002 R F . . B . .
__dos_setdrive    seg002 00005674 00000017 00000002 00000006 R F L . B T .
__aFldiv          seg002 0000568C 0000009C 00000008 00000008 R F L . B . .
__aFlmul          seg002 00005728 00000034 00000002 00000008 R F L . B . .
__aFlrem          seg002 0000575C 000000A2 00000006 00000008 R F L . B . .
__aFlshl          seg002 000057FE 0000000B                   R F L . . . .
__aFlshr          seg002 0000580A 0000000B                   R F L . . . .
unknown_libname_3 seg002 00005816 00000021 00000002 00000004 R F L . B . .
unknown_libname_4 seg002 00005838 00000021 00000002 00000004 R F L . B . .
unknown_libname_5 seg002 0000585A 00000021 00000002 00000004 R F L . B . .
__aFuldiv         seg002 0000587C 00000061 00000006 00000008 R F L . B . .
__aFulshr         seg002 000058DE 0000000B                   R F L . . . .
__FF_MSGBANNER    seg002 000058EA 00000024 00000002 00000000 R F L . B . .
__nullcheck       seg002 00005914 00000026 00000002 00000000 R F L . . . .
__setargv         seg002 0000593A 000001A7                   R . L . . . .
__NMSG_TEXT       seg002 00005AE2 0000002B 00000006 00000002 R F L . B . .
__NMSG_WRITE      seg002 00005B0D 0000002B 00000004 00000002 R F L . B . .
__maperror        seg002 00005B58 00000006                   R F L . . . .
sub_3537E         seg002 00005B5E 0000002E 00000000 00000000 R . L . . . .
_fwrite           seg002 00005B8C 000002C7 0000001E 0000000C R F L . B T .
__getbuf          seg002 00005E54 0000008A 00000006 00000004 R . L . B . .
__stbuf           seg002 00005EDE 000000BA 0000000A 00000004 R F L . B . .
__ftbuf           seg002 00005F98 000000DF 00000006 00000006 R F L . B T .
_stackavail       seg002 00006078 00000014                   R F L . . T .
__ffree           seg002 0000608C 00000015 00000002 00000004 R F L . B T .
_malloc           seg002 000060A1 0000003F 00000008 00000002 R F L . B T .
sub_35900         seg002 000060E0 0000006E                   R . L . . . .
sub_3596E         seg002 0000614E 00000017                   R . L . . . .
__amalloc         seg002 00006169 000000E3                   R . L . . . .
__amexpand        seg002 0000624C 0000003A                   R . L . . . .
__amlink          seg002 00006286 00000022                   R . L . . . .
__amallocbrk      seg002 000062A8 00000021 00000002 00000000 R . L . . . .
_strcpy           seg002 000062CA 00000036 00000002 00000008 R F L . B T .
_strlen           seg002 00006300 00000017 00000002 00000004 R F L . B T .
__catox           seg002 00006318 00000056 00000006 00000004 R F L . B . .
_isatty           seg002 0000636E 00000023 00000002 00000002 R F L . B T .
_bdos             seg002 00006392 00000012 00000002 00000006 R F L . B T .
__dtoxtime        seg002 000063A4 00000123 00000026 0000000C R F L . B . .
_strpbrk          seg002 000064C8 0000005E 00000026 00000008 R F L . B T .
_fflush           seg002 000065CE 0000008E 00000008 00000004 R F L . B T .
_brkctl           seg002 0000665C 0000006E 00000006 0000000A R F L . B . .
sub_35EEA         seg002 000066CA 00000056                   R . L . . . .
sub_35F40         seg002 00006720 00000010 00000000 00000000 R F L . . . .
sub_35F50         seg002 00006730 000000D3 0000000A 00000000 R F L . B . .
sub_36024         seg002 00006804 000000E2 0000000A 00000004 R F L . B . .
_memcpy           seg002 000068E6 0000005E 00000002 0000000A R F L . B T .
j___catox_0       seg002 00006944 00000003 00000006 00000000 R F L . B . .
_getenv           seg002 00006948 00000096 0000000A 00000004 R F L . B T .
_strncmp          seg002 000069DE 0000003B 00000006 0000000A R F L . B T .
Go to top of page Go to top of page
Back to Milliways
Close window
Close window