reverse engineering a 64 bit Forth


none albert

Jan 24, 2023, 8:20:35 AM
I have taken an old version of ciforth 'lina530' : a 64 bit
linux Forth, an elf executable. Nothing special, a stable production
version of ciforth.

Using my tool ciasdis (that has been upgraded to understand 64
bits code) I scripted a crawler: lina530crawl.cul
It contains information such as
0040,2BA0 EQU docol
and Forth scripting to analyse a Forth header.
Because a Forth header contains the name of a Forth word, this
allows to generate sensible names for labels.
All this information could be found by a person who suspects that the
program is a Forth. (Of course it was advantageous that I was exposed.
Not clean room, okay.)

The test goes :

ciasdis -d testcmp/lina530 lina530crawl.cul >lina530.asm
ciasdis -a lina530.asm lina530
diff -bBw testcmp lina530
diff -bBw testcmp lina530.asm

So with the script lina530crawl.cul , ciasdis was able to disassemble
lina530. (ciasdis -d )
Then it was able to assemble it (ciasdis -a) to the exact same executable.

Now this is nothing new.
ciasdis has managed to do this feat for the original colorforth,
i.e. recovering a complete source, arcane strings and character
definitions and all. (Having this colorforth analysed to death didn't
help me to run it on my computers. And Jeff Fox hated me for doing it.)
Forth compilers rf51 and lina405 have been reverse engineered the same way.

What I want to brag about is that it can be relocated by simply
moving the ORG up by say 2000.
That means that all labels are defined by their place in the source
and automatically upgraded.
[ They are doubly defined up front in the source; these have to be
removed, because they are fixed EQU's. ciasdis doesn't care if a label
is redefined, as long as it has the same value. ]

Groetjes Albert
Don't praise the day before the evening. One swallow doesn't make spring.
You must not say "hey" before you have crossed the bridge. Don't sell the
hide of the bear until you shot it. Better one bird in the hand than ten in
the air. First gain is a cat spinning. - the Wise from Antrim -
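As an added example (not code from the post, nor part of ciasdis or ciforth), here is a small Python helper for the relocation step described above: it parses the `0040,2BA0 EQU docol` style lines from a crawl script, bumps the ORG by a delta, and drops the fixed EQU's that are also defined by their position in the source, since those would disagree with the relocated addresses. The `ORG` line and the `name:` positional-label syntax in the constructed sample are assumptions, not verified ciasdis syntax.

```python
import re

# Constructed sample in the spirit of the crawl script quoted in the post.
# The ORG line and the "name:" positional-label syntax are assumptions.
SAMPLE_ASM = """\
ORG 0040,0000
0040,2BA0 EQU docol
0040,2BC0 EQU semis
0000,0000 EQU ld_base
docol: ; defined by its place in the source
    nop
semis:
    nop
"""

HEX_GROUPS = r"[0-9A-Fa-f]{4}(?:,[0-9A-Fa-f]{4})*"
EQU_RE = re.compile(rf"^\s*({HEX_GROUPS})\s+EQU\s+(\w+)")
LABEL_RE = re.compile(r"^(\w+):")
ORG_RE = re.compile(rf"^\s*ORG\s+({HEX_GROUPS})")


def parse_hex(text: str) -> int:
    """Parse ciasdis-style grouped hex such as 0040,2BA0 -> 0x402BA0."""
    return int(text.replace(",", ""), 16)


def format_hex(value: int, groups: int = 2) -> str:
    """Inverse of parse_hex: 0x402BA0 -> 0040,2BA0 (groups of four digits)."""
    digits = f"{value:0{4 * groups}X}"
    return ",".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def relocate(asm: str, delta: int):
    """Shift ORG by delta and drop the fixed EQU's that are also defined
    by position, since those would no longer carry the same value.
    Returns (new_source, dropped_labels, kept_equ_labels)."""
    lines = asm.splitlines()
    positional = {m.group(1) for l in lines if (m := LABEL_RE.match(l))}
    out, dropped, kept = [], [], []
    for line in lines:
        if m := ORG_RE.match(line):
            new_org = format_hex(parse_hex(m.group(1)) + delta)
            out.append(line.replace(m.group(1), new_org))
        elif m := EQU_RE.match(line):
            if m.group(2) in positional:
                dropped.append(m.group(2))  # would be redefined with a new value
            else:
                kept.append(m.group(2))     # genuinely fixed, stays as EQU
                out.append(line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", dropped, kept
```

Labels that survive as EQU's are the ones with no positional definition, so they keep their absolute value regardless of the new ORG.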