• Updated 2023-07-12: Hello, Guest! Welcome back, and be sure to check out this follow-up post about our outage a week or so ago.

A-Traps in Ghidra

cy384

cy384

Well-known member
For those unfamiliar with them, a-traps are a clever(?) trick used by the classic mac OS: it uses illegal instructions as a system call interface. When an illegal instruction gets hit, a lookup table is examined to figure out what code to run. This enables lots of shenanigans since the lookup table can be patched/modified at runtime.

Anyway, if you try to examine a classic mac application in most disassemblers, they'll freak out because there are illegal instructions everywhere. I (and I suspect some others) wanted to use Ghidra, so I came up with a dumb little hack. Basically, I defined ~800 new kinds of 68000 NOP instructions, one for every a-trap I could find, and stuck them in the appropriate data file for Ghidra. This allows the disassembler to continue when it runs into them and display at least the name of the a-trap.

FXeNeI3X0AIIfcZ.png
How to:
Copy the contents of this file into "68000.sinc" right below the line starting with ":nop"

Caveats:
* there are duplicate names for some a-traps, I picked whatever one I liked best
* this doesn't tell Ghidra anything about what they actually do or what the expected parameters are
* definitely a hack, I imagine there's a better way to do it

tagging @cheesestraws and @mdeverhart since they mentioned interest!
 

Attachments

  • ghidra-a-traps.txt
    57 KB · Views: 22
M

Melkhior

Well-known member
Would someone have some tutorial on how to disassemble Mac code resources using Ghidra? There's some acceleration drivers I'd like to examine, but I'm not 68k-fluent enough to make heads or tails from Resorcerer's disassembly. The snippet of regenerated C code posted by @cheesestraws in the VNC-on-AU/X thread seems a lot more readable to me.
 
C

cheesestraws

Well-known member
Melkhior said:
Would someone have some tutorial on how to disassemble Mac code resources using Ghidra? There's some acceleration drivers I'd like to examine, but I'm not 68k-fluent enough to make heads or tails from Resorcerer's disassembly. The snippet of regenerated C code posted by @cheesestraws in the VNC-on-AU/X thread seems a lot more readable to me.
Click to expand...

I have had some luck using https://github.com/Hopper262/classic-mac-utils to get the code resources out of the resource fork to start with, then loading them into Ghidra just as raw binaries. You'll need to set the header up manually, but after that it's usually OK IME? The big annoyance is that Ghidra doesn't support debugging symbols in the style that's usually used in code resources, so you need to go and manually rename everything (unless someone has a better trick for this)
 
M

Melkhior

Well-known member
@cheesestraws Thanks, that's the kind of tools I needed. Acceleration cdev / init usually 'hide' the code in custom resources with weird headers (for dispatch?), but worst-case scenario they can be renamed to 'code' and post-processed to get something usable.
Now to find the time for that and the other billions things I'd like to do...
 
C

cheesestraws

Well-known member
Melkhior said:
custom resources with weird headers
Click to expand...

There's actually a standard for these headers that Apple recommended people writing code resources follow. So you may well get lucky and find these are all variations on a theme. I can't remember where the theme is documented, though.
 
robin-fo

robin-fo

Well-known member
Sorry for hijacking this thread, but does anybody have experience/tips about disassembling Extensions or other Code Resources?
 
You must log in or register to reply here.

Similar threads

G
Some Ghidra tools for ROM exploration
Replies
8
Views
1K
marciot
M
David Cook
Interesting finds in BlockMove
Replies
4
Views
689
David Cook
David Cook
Snial
Fantasy M88100 Macs
2 3 4
Replies
75
Views
3K
Snial
Snial
David Cook
Patched 6.0.8L for more Macs
3 4 5
Replies
91
Views
6K
voce1
voce1
Snial
The Mythical Mac 256K!
Replies
8
Views
986
Jockelill
Jockelill
Top