68K MacOS Emulating and Reversing

[Bra!NSHiT]

Hi,

well i got some experience on PC but now the time has come to lay my hands on MacOS.

Here is my configuration:

- Basilisk II
- MacOS 8.1

I hope thats enough. Its possible to reverse on very old 68K ?? And if 'Yes', which tools i have to use for this stuff ? I googled a while and found some stuff like MacNosy and smth else, but it would be great if u could say smth to this point.

Regards

[kw]

Not sure if I pointed you to this earlier, but http://www.reteam.org/board/viewtopic.php?t=110 would be worth reading through.. Tools like MacNosy are also mentioned there. A good starting point anyway, I can't really help you further, but I'm sure rous has found some info in the meantime, so he would be a good person to share his findings

KW

[rous]

Yes, I think it is possible to reverse w/ MacOS 8.1 running through an emulator. That OS is quite old, however, and very different than Apple's most current, Unix based, OS 10.3. One must also take into account the differences between the 68K and PowerPC chip architectures. I guess what I'm trying to say is, almost everything you would have to learn in order to reverse applications, using your current setup, is way outdated.

I really don't want to discourage you, however, because I think its great you're attempting something different. I will try to help anyway I can...I can take apart and analyze old apps, I just can't run them.

Having said that...the tools, to which, kw pointed you, are all pretty useless in your case. I do have, however, have other suggestions:

MacsBug-it's Apple's 68K debugger and I hear it was the best...get for free at http://developer.apple.com/tools/debuggers/MacsBug/

Resourcerer-disassembler/hex editor. I've never used MacNosy so I don't know much about it other than it is probably pretty difficult to find. Try Resourcerer, it's better anyway.

Those two apps are all you will need for most programs. I'm not sure, and this is a question I have wondered for quite a while (maybe somebody knows the answer?) how accurate emulators are when disassembling code...I mean, it is difficult even on native systems. Anyway, there are books on assembly I could point you to if you're interested.

Good Luck,
rous

[rous]

I just found this on Sourceforge.net:

PearPC is an architecture independent PowerPC platform emulator capable of running most PowerPC operating systems. It includes a JITC for x86-Processors.

I don't know if you're still around but this would probably be better for you...

[nrindah0]

I've never even used a mac68k, let alone reversed it, but since I'm a growing IDA Pro fan, might I suggest this to be another tool to add to your arsenal?

Wasn't sure if IDA Pro supported 68k, but it appears to:
http://www.datarescue.com/idabase/gallery/index.htm

You can find the free version of IDA here: http://www.themel.com/idafree.zip
This version is dated and I'm not entirely certain if it supports the 68k architecture, but this is the best place to start.

The newer versions of IDA Pro come with a GUI (unfortunatly the free is console based) which is quite nice, amoungst many other nice features. And although IDA Pro is quite expensive, it's WELL worth the money. I definitely recommend purchasing it if you can.

Of course, you can always find a warez version of it somewhere...
(I'm impartial to this matter).

[rous]

It's interesting you mention IDA Pro because I finally got the opportunity to play with it the other day...until then, I never really grasped the power ofl an interactive dissassembler. For instance, imagine my surprise when I noticed it immediately matched strings back to their caller functions. Normally, I would set GDB or Codewarrior, I prefer Codewarrior, to break on the instruction that fetched the string, then read the contents of the corresponding register. If many strings are fetched, this becomes a tedious task indeed.

Anyway, I installed IDA Pro 4.3 Advanced on my girlfriends PC. I must use the "advanced" version because the "standard" version does not include the mach-o powerpc plugins. Her P4 took forever, even taking into account it only has 64MB of RAM, to disassemble my test binary...something like a half-hour! I could have already printed the binaries deadlisting, reversed it, and been sipping a Margarita in that amount of time

However, I just got a copy of version 4.7 "standard"--even though I can't do much with it until I am able to get ahold of the powerpc plugins, and plan on preforming my experiment again as soon as I am able.

rous

ps-its really late (early?) here so please excuse my English.

pps-I actually pay for any app, which I find useful.

Good night
rous