disassembler - tracer

Sometimes one requires a disassembler-tracer. While a disassembler only
provides a listing, one would like to have the code running on the PC. Once I
had to reverse engineer a product not on sale anymore. I took the digital
sampling scope to sample the address bus to find out what actually happens.
A small program transferred the samples to the PC. I also had a listing,
disassembled from the EPROM.

Steps

  1. load the code into memory (array[0..N] of byte). Have a 'usedtable' of
    the same size. It stores whether this location was executed before,
    and whether it is the first byte of an instruction. The tracer is
    intended to stop at places visited before. It signals an error when
    the middle of an instruction is jumped to.
  2. model an instruction decoder from the assembly manual of the CPU.
  3. start the decoder at known places: the reset vector and the interrupt vectors.

Outline

Let

 function step(currentaddress: integer; var nextaddress, altaddress: integer): integer;

be the instruction decoder. It returns the address of the next instruction and,
for a conditional branch, the alternate target; its result can be made to
signal an error (0 = no error).

 currentaddress := resetvector;

 procedure trace(currentaddress: integer);
 begin
  instr_result := 0;
  { stop at the first error from the decoder, or when the address leaves the code array }
  while (instr_result = 0) and (currentaddress >= 0) and (currentaddress <= N) do
  begin
   instr_result := step(currentaddress, nextaddress, altaddress);
   currentaddress := nextaddress;
  end;
 end;

This steps forward until a loop is encountered (the decoder consults the
'usedtable' and signals a place visited before). A recursive version
may find all possible code. A single-step button may choose between
nextaddress and the alternate address.
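As an added example that is not part of the original page, the outline above carried through in Python: a recursive tracer over a constructed toy instruction set (the five opcodes, the used-table flags and the sample ROM are all invented here and belong to no real CPU) that marks first and executed bytes, follows both arms of a conditional branch, stops at code seen before and reports a jump into the middle of an instruction.

```python
from enum import IntFlag

class Used(IntFlag):          # one entry per code byte: the page's 'usedtable'
    EXECUTED = 1              # byte belongs to an instruction already traced
    FIRST = 2                 # byte is the first byte of that instruction

# Constructed toy ISA, opcode -> (length, kind); not a real CPU's encoding.
ISA = {0x00: (1, "nop"), 0x10: (2, "ldi"), 0x20: (2, "jmp"),
       0x30: (2, "jz"), 0x40: (1, "ret")}
# Constructed sample ROM: ldi 5 @0; jz 8 @2; nop @4; jmp 2 @5; ret @7 (never
# reached); jmp 1 @8 (jumps into the middle of the ldi at address 0).
ROM = bytes([0x10, 0x05, 0x30, 0x08, 0x00, 0x20, 0x02, 0x40, 0x20, 0x01])

def step(code, pc):
    """Decoder: returns (error, nextaddress, altaddress) for the instruction at pc."""
    if code[pc] not in ISA:
        return "invalid opcode", None, None
    length, kind = ISA[code[pc]]
    if pc + length > len(code):
        return "instruction runs past end of code", None, None
    target = code[pc + 1] if length == 2 else None
    if kind == "jmp":
        return None, target, None
    if kind == "jz":
        return None, pc + length, target      # fall through; alt = branch taken
    if kind == "ret":
        return None, None, None               # end of this path
    return None, pc + length, None

def trace(code, used, pc, errors):
    """Recursive tracer: both branch arms, stop on revisit, flag mid-instruction jumps."""
    while pc is not None and 0 <= pc < len(code):
        if used[pc] & Used.EXECUTED:
            if not used[pc] & Used.FIRST:
                errors.append(f"jump into middle of instruction at {pc:#04x}")
            return                            # loop or already traced code
        err, nxt, alt = step(code, pc)
        if err:
            errors.append(f"{err} at {pc:#04x}")
            return
        used[pc] |= Used.FIRST | Used.EXECUTED
        for i in range(1, ISA[code[pc]][0]):
            used[pc + i] |= Used.EXECUTED
        if alt is not None:
            trace(code, used, alt, errors)    # explore the alternate arm first
        pc = nxt

def discover(code, vectors):
    """Start the tracer at every known entry (reset vector, interrupt vectors)."""
    used, errors = [0] * len(code), []
    for v in vectors:
        trace(code, used, v, errors)
    return used, errors
```

Bytes left at 0 in the returned table are never executed from the given entry points and are candidates for data or for targets of indirect jumps.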

Findings

A simple version that discards the data encounters problems with
indirect jumps. Those jump tables are limited in size, and the fact
that not all opcodes are valid, together with the 'usedtable', greatly
reduces the possibilities. A little automation may try them all.

Enhancements

last updated: 6.jan.00

Copyright (99,2000) Ing.Büro R.Tschaggelar