TweetFollow Us on Twitter

Disassembler
Volume Number:1
Issue Number:6
Column Tag:MacNosy

A New Disassembler

By Steve Jasik

A New Disassembler

As a compiler writer specializing in code generation, I decided to build a Disassembler to better understand the Motorola 68000 and the Macintosh operating system. Given the poor quality of the documentation and the general lack of source listings, a powerful disassembler is a useful tool for debugging and getting information about the system.

MacNosy and its helper programs consist of over 7000 lines of Pascal and about 300 lines of assembly lanaguage code. Internally, MacNosy contains many features usually associated with a compiler such as a table manager, symbol table enter/lookup routines, a reference map, global flow analysis, etc.

Features

MacNosy has many features that place it an order of magnitude above other disassemblers. They include:

• Symbol dictionaries of the Rom names and global symbols (0 - $B00) along with value to symbol substitution in appropriate places.

• Selective list of procedures in a file by procedure name or substring.

• Ability to place the disassembled output on a file in assembler listing output or assembler input format (MDS “.list” or “.asm” format).

• References to the symbols are collected and may be selectively viewed.

• Ability to search the program file for references to selected address’s, trap (rom) calls, resource type references, constant or string references.

• Ability to translate the segment relative address of an instruction to the disk file relative address for code patching purposes.

• MacNosy records its input on a “.jrnl” file (in text format) for later playback. This feature is used as an educational tool and as a medium of communication between developers, hackers, etc.

• Ability to reformat data in its “natural format” via directives. This is in addition to the automatic recognition of various character string formats.

• A full or selective listing of the resources in a file. Format is similar to that of the Resource Mover, but you get more information with less work.

• A built-in mini editor to view files without leaving Nosy.

Facts and Specifications

MacNosy runs on a 512K Mac or a 1 Meg Lisa under the Workshop O.S. or the Macworks environment.

It is capable of disassembling the resource fork of any application file, ROM, Macsbug, and various resource types in the System file (DRVR, PACK, INIT, CDEF, WDEF, etc). Note that source listing of the WDEF, CDEF procedures come with the MacSupplement.

The released disk contains both the Mac and Lisa versions of MacNosy, some sample “.jrnl’ files to acquaint you with it, source code for the table manager (this may be useful to other developers) and the SfGetFile routines so you can see how it selects files to disassemble.

How does MacNosy work?

When disassembling a file, one must know the structure (code or data) of a given piece of the file. To do this, Nosy uses the fact that every program has a “call graph”. The nodes of the graph are the procedures and the edges are the calls (A calls B, etc). As Nosy is primarily interested in the size of the nodes, it ignores some aspects of the graph (such as recursion) which leads to cycles in the graph. Because of this, the graph reduces to a Directed Acyclic (without cycles) Graph. We can get sloppy in our terminology and refer to the DAG as a “tree of procedures”.

Discovering the size and extent of a procedure is a messy problem that entails disassembling instructions, and looking for the procedure exits. The potential presence of spaghetti code makes the algorithm more complicated.

At this point a reasonable strategy is to treat the file as a collection of code and data blocks (contigious set of bytes). We start at the entry points and walk the tree until all possible procedures have been discovered. The remaining areas are caterogized as “data” blocks. During the tree walk Nosy builds symbol tables for the various categories of labels which are:

Procedure (JSR X) X = proc’nnn’ or the 8 character name following the proc if compiled by Lisa Pascal with the D+ option on.

Global labels ( X(A5) )

X = glob’nnn’

Data labels (LEA X or PEA X)

X = data’nnn’

Common labels (JMP X, Bcc X from another proc) - com_’nnn’

Local labels within a procedure - loc_’nnn’

You can change the names of all but the local labels in Nosy.

Example 1 - A fragment of the resource list of a System file.

Note that for the DITL’s the accompanying text/controls are listed.

      26 resource types, data index =   100
Type FRSV    att   indx  length   name
  ID     1     00   CF12        A        0      0
Type ALRT    att   indx  length   name
  ID  -3997   20   CDBC       C        0        0
  ID  -3996   20   CDCC       C        0        0
  ID  -3995   20   CDDC       C        0        0
  ID  -3994   20   CDEC       C        0        0
Type DITL    att   indx  length   name
  ID  -15936  20   BA6C      1E    
  ID   -6047  20   CA18     1A6    <Initialize> <Eject> <OK> 
                               Do you want to initialize it? 
                               This disk is unreadable: 
                                This disk is damaged: 
                               This is not a Macintosh disk: 
                               Please name this disk: 
                               Initializing disk . . .  
                               Initialization failed! 
                               Initialize this disk? 
  ID   -4000  20   CC7C      A8    <Open> <O> <Cancel> <Eject> <Drive> 
h 
  ID   -3999  20   CD28      90    <Save> <Cancel> Save as: <Eject> <Drive>

Example 2 - code fragment from a little test program I wrote.

The output listing format is:

aaa: hhhh hhhh ‘cccc’ label opcode address $ssaaaaaa

aaa = segment relative address , hhhh and ccccc are the value of the instruction in hex and ascii. The field ssaaaaaa is the address of any label or symbol reference in the

address field. ss is the segment number of the reference.

I have suppressed leading zeros in most cases and many of the numeric formats use decimal conversion. The macros POP and PUSH have the obvious meaning. The QUAL pseudo implies that all the labels of the form loc_nnn are local to the procedure. The line right after it tells us who calls it. The line with “_Button” is a trap macro. The DNAME macro expands to the 8 character name which is used by Lisabug and Nosy.

    440:                                 QUAL    CHK_USER
                                ; refs - TEST  
    440:                                  
    440: 4E56 0000      ‘NV..’  CHK_USER LINK    A6,#0
    444: 4267           ‘Bg’             CLR     -(A7)
    446: A974           ‘.t’             _Button 
    448: 101F           ‘..’             POP.B   D0
    44A: 6714           ‘g.’             BEQ     loc_2               
      $1000460
    44C: 2F0E           ‘/.’             PUSH.L  A6
    44E: 4EBA FFC0      ‘N...’           JSR     WAITBUTT            
      $1000410
    452: 4267           ‘Bg’    loc_1    CLR     -(A7)
    454: A974           ‘.t’             _Button 
    456: 101F           ‘..’             POP.B   D0
    458: 67F8           ‘g.’             BEQ     loc_1               
      $1000452
    45A: 2F0E           ‘/.’             PUSH.L  A6
    45C: 4EBA FFB2      ‘N...’           JSR     WAITBUTT            
      $1000410
    460: 4E5E           ‘N^’    loc_2    UNLK    A6
    462: 4E75           ‘Nu’             RTS     
    464:                                  
    464: C348                   data21   DNAME   CHK_USER,0,2

Example 3 - This next routine was dumped to the hardcopy file in “.asm” format.

It is suitable for input to the MDS assembler ASM.

         QUAL    WCR
; refs - TEST 
          
WCR      LINK    A6,#0
         PUSH.L  glob13(A5)
         PEA     data19
         CLR     -(A7)
         JSR     %W_STR
         PUSH.L  glob13(A5)
         JSR     %W_LN
         PUSH.L  glob12(A5)
         PEA     glob8(A5)
         PUSH    #255
         JSR     %R_STR
         PUSH.L  glob12(A5)
         JSR     %R_LN
         UNLK    A6
         RTS     
          
data18   DNAME   WCR     ,0,2
          
; refs - WCR+8  
data19   STR     ‘wait for cr’

Example 4 - Note the Value to Symbol substitution in this ROM fragment listing

 404C12: 50F8 0902      ‘P...’  Launch   S_T     LaunchFlag          
      $902
 404C16: 31E8 0004 0936 ‘1....6 loc_2    MOVE    4(A0),CurPageOption 
      $936
 404C1C: 2058           ‘ X’             MOVE.L  (A0)+,A0
 404C1E: 43F8 0910      ‘C...’           LEA     CurApName,A1        
      $910
 404C22: 7020           ‘p ‘             MOVEQ   #32,D0
 404C24: A02E           ‘..’             _BlockMove

Example 5 - Sample Reference Map listing fragment of the “System Globals” from ROM

      114 HeapEnd      proc203  MaxMem  proc253  
      118 TheZone      proc201  proc203  GetZone  MaxMem  proc212  proc232 
 
                       InitResources  proc852  MoreMasters  InitZone 
 proc204  
                       SetGrowZone  
      11C uTableBase   proc36  proc89  proc96  RDrvrInstall  SystemTask 
 proc942  
                       SystemMenu  OpenDeskacc  BlockMove  com_28

Example 6 - Sample Segment Reference Map listing fragment of Nosy.

Inter seg refs are prefixed with “n/”. This map may be used for procedure balancing.

seg# procedure   fba  blen  refs (seg#/proc) called by
  1] HEAP_OVF    1D6    50   ADD_USED    4/NEW_TBL    
  1] SET_MAX     208   120   CLR_TBL     4/REL_TBLS    3/RTN_PTR    
  1] CLR_TBL     280    46   DI_PROC     3/SEARCH_C    4/DI_FILE     
3/SEARCH_C   
  1] MOVEUP      2AE    80   ADD_USED   
  1] ADD_ENTR    2FE    42   DI_PROC       ENTER_LA      PUT_REF     
  NEW_CASE   
                             ADD_ISPR    3/CHK_PROC    4/NI_FILE     
4/DI_FILE    
                             PROCESS_   
  1] SET_USED    328    44 4/NI_FILE

Disassemblling the ROM

I Would like to show a sample listing of a piece or two of ROM but I don’t want to start any fights with Apple’s Lawyers. So like sex, I leave it for you to do it in the privacy of your own home.

I found a few interesting things looking around the ROM. One is an interesting piece of unreachable code at 40AD30 which blasts 32 long words into RAM and then hangs. Another is the “come from” code in the rom patch area in the system heap. In many cases bugs were patched by placing a CMPI.L $40xxxx,28(A7) followed by a suitable jump in unrelated routines. A rather obnoxious example is BlockMove which contains 3 such checks. I will be forming a MacNosy Users Group (Special Interest Group) on the Delphi Information Service (800-544-4005) starting in April to study the ROM and swap “jrnl” files. Admission will be limited to registered owners of MacNosy.

Ordering Information

If ordered from the author before May 1, 1985 cost is $55, including sales tax for CA. residents. After that it will be sold in selected stores or direct for $70. Orders should be addressed to:

Steve Jasik

343 Trenton Way

Menlo Park, Ca. 94025

(415-322-1386)

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Six fantastic ways to spend National Vid...
As if anyone needed an excuse to play games today, I am about to give you one: it is National Video Games Day. A day for us to play games, like we no doubt do every day. Let’s not look a gift horse in the mouth. Instead, feast your eyes on this... | Read more »
Old School RuneScape players turn out in...
The sheer leap in technological advancements in our lifetime has been mind-blowing. We went from Commodore 64s to VR glasses in what feels like a heartbeat, but more importantly, the internet. It can be a dark mess, but it also brought hundreds of... | Read more »
Today's Best Mobile Game Discounts...
Every day, we pick out a curated list of the best mobile discounts on the App Store and post them here. This list won't be comprehensive, but it every game on it is recommended. Feel free to check out the coverage we did on them in the links below... | Read more »
Nintendo and The Pokémon Company's...
Unless you have been living under a rock, you know that Nintendo has been locked in an epic battle with Pocketpair, creator of the obvious Pokémon rip-off Palworld. Nintendo often resorts to legal retaliation at the drop of a hat, but it seems this... | Read more »
Apple exclusive mobile games don’t make...
If you are a gamer on phones, no doubt you have been as distressed as I am on one huge sticking point: exclusivity. For years, Xbox and PlayStation have done battle, and before this was the Sega Genesis and the Nintendo NES. On console, it makes... | Read more »
Regionally exclusive events make no sens...
Last week, over on our sister site AppSpy, I babbled excitedly about the Pokémon GO Safari Days event. You can get nine Eevees with an explorer hat per day. Or, can you? Specifically, you, reader. Do you have the time or funds to possibly fly for... | Read more »
As Jon Bellamy defends his choice to can...
Back in March, Jagex announced the appointment of a new CEO, Jon Bellamy. Mr Bellamy then decided to almost immediately paint a huge target on his back by cancelling the Runescapes Pride event. This led to widespread condemnation about his perceived... | Read more »
Marvel Contest of Champions adds two mor...
When I saw the latest two Marvel Contest of Champions characters, I scoffed. Mr Knight and Silver Samurai, thought I, they are running out of good choices. Then I realised no, I was being far too cynical. This is one of the things that games do best... | Read more »
Grass is green, and water is wet: Pokémo...
It must be a day that ends in Y, because Pokémon Trading Card Game Pocket has kicked off its Zoroark Drop Event. Here you can get a promo version of another card, and look forward to the next Wonder Pick Event and the next Mass Outbreak that will be... | Read more »
Enter the Gungeon review
It took me a minute to get around to reviewing this game for a couple of very good reasons. The first is that Enter the Gungeon's style of roguelike bullet-hell action is teetering on the edge of being straight-up malicious, which made getting... | Read more »
See All

Price Scanner via MacPrices.net

Take $150 off every Apple 11-inch M3 iPad Air
Amazon is offering a $150 discount on 11-inch M3 WiFi iPad Airs right now. Shipping is free: – 11″ 128GB M3 WiFi iPad Air: $449, $150 off – 11″ 256GB M3 WiFi iPad Air: $549, $150 off – 11″ 512GB M3... Read more
Apple iPad minis back on sale for $100 off MS...
Amazon is offering $100 discounts (up to 20% off) on Apple’s newest 2024 WiFi iPad minis, each with free shipping. These are the lowest prices available for new minis among the Apple retailers we... Read more
Apple’s 16-inch M4 Max MacBook Pros are on sa...
Amazon has 16-inch M4 Max MacBook Pros (Silver and Black colors) on sale for up to $410 off Apple’s MSRP right now. Shipping is free. Be sure to select Amazon as the seller, rather than a third-party... Read more
Red Pocket Mobile is offering a $150 rebate o...
Red Pocket Mobile has new Apple iPhone 17’s on sale for $150 off MSRP when you switch and open up a new line of service. Red Pocket Mobile is a nationwide MVNO using all the major wireless carrier... Read more
Switch to Verizon, and get any iPhone 16 for...
With yesterday’s introduction of the new iPhone 17 models, Verizon responded by running “on us” promos across much of the iPhone 16 lineup: iPhone 16 and 16 Plus show as $0/mo for 36 months with bill... Read more
Here is a summary of the new features in Appl...
Apple’s September 2025 event introduced major updates across its most popular product lines, focusing on health, performance, and design breakthroughs. The AirPods Pro 3 now feature best-in-class... Read more
Apple’s Smartphone Lineup Could Use A Touch o...
COMMENTARY – Whatever happened to the old adage, “less is more”? Apple’s smartphone lineup. — which is due for its annual refresh either this month or next (possibly at an Apple Event on September 9... Read more
Take $50 off every 11th-generation A16 WiFi i...
Amazon has Apple’s 11th-generation A16 WiFi iPads in stock on sale for $50 off MSRP right now. Shipping is free: – 11″ 11th-generation 128GB WiFi iPads: $299 $50 off MSRP – 11″ 11th-generation 256GB... Read more
Sunday Sale: 14-inch M4 MacBook Pros for up t...
Don’t pay full price! Amazon has Apple’s 14-inch M4 MacBook Pros (Silver and Black colors) on sale for up to $220 off MSRP right now. Shipping is free. Be sure to select Amazon as the seller, rather... Read more
Mac mini with M4 Pro CPU back on sale for $12...
B&H Photo has Apple’s Mac mini with the M4 Pro CPU back on sale for $1259, $140 off MSRP. B&H offers free 1-2 day shipping to most US addresses: – Mac mini M4 Pro CPU (24GB/512GB): $1259, $... Read more
 

Jobs Board

  • Generate a short URL for this page:



All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.