Close

20241109 -- Tables, and Tables of Tables

A project log for ROM Disassembly - Cefucom-21

Peering into the soul of this obscure machine

ziggurat29ziggurat29 3 days ago0 Comments

There's still a fair amount of unexplored data and code.  Can't say much for data, but code you can figure out where functions demarcate in many cases just by looking for the C9 that is the RET that often punctuates a function end.  I found several 'orphan' functions this way.

As a new tack, I searched the binary for the orphaned function's address.  Ostensibly to find a call site, but many times I found it in a list of addresses that mapped to other orphaned functions.  So I had found some dispatch tables.  Oftentimes is was easy to work backwards from such to find the start of the function table because it would abut some code ending.  Then I could do a similar address search to find the code that dispatches through the table.

It was a bit tedious, but there are presently 42 such dispatch tables currently found!  And just for fun, it turns out that there are dispatch tables of dispatch tables in some cases!  There is a huge table of 128 entries at 4002h, a double-dispatch table at 2DA6 (with associated paramters table at 2DE0) and another double-dispatch table at 2200.

With that many dispatch tables, this surely is some state machine design.  To think I was daunted by the one in ROM 4!  This is proportionately larger.  But who knows, this might be a gift as it might make the intent clearer.

Bloopers

Some amusing treats were nullsubs that have a subsequent jump to the nullsub.  (The code in the subsequent jump is not referenced anywhere.)

3E9C  nullsub_4:
3E9C C9        ret
3E9D C3 9C 3E  jp      nullsub_4

or

3EA8  nullsub_5:
3EA8 C9        ret
3EA9 C3 A8 3E  jp      nullsub_5

 And a dispatch table of jump addresses that ends with a ret; lol.

...
40FC 9E 41  dw sub_419E    ; XXX IX -= 4
40FE 9E 41  dw sub_419E    ; XXX IX -= 4
4100 9E 41  dw sub_419E    ; XXX IX -= 4
4102 C9     ret

My personal favorite: 

...
0475 18 00  jr  loc_477  ; well let's jump right on that!
0477      loc_477:
...

I think more symptoms of machine generated code.

It took a day, but it got me to my desired 100% code coverage milestone.  Now that I have the puzzle pieces, it's time to see what picture emerges.

Discussions