amiga-bootcamp/05_reversing/README.md

[← Home](../README.md)

# Reverse Engineering AmigaOS Binaries

## Overview

This section provides a systematic methodology for reverse engineering AmigaOS executables and shared libraries using IDA Pro (or Ghidra with the Amiga plugin), with focus on:

- Reconstructing the library JMP table
- Identifying compiler-specific code patterns
- Understanding the exec/dos calling convention at the assembly level
- Tracing library patches (SetFunction)
- Case studies from real Amiga software

## Contents

| File | Topic |
|---|---|
| [methodology.md](methodology.md) | Step-by-step RE workflow for Amiga HUNK binaries |
| [ida_setup.md](ida_setup.md) | IDA Pro configuration for 68k/Amiga analysis |
| [ghidra_setup.md](ghidra_setup.md) | Ghidra configuration for 68k/Amiga analysis & decompilation |
| [compiler_fingerprints.md](compiler_fingerprints.md) | Compiler identification by code patterns |
| [static/library_jmp_table.md](static/library_jmp_table.md) | Reconstructing unknown library JMP tables and LVOs |
| [static/code_vs_data_disambiguation.md](static/code_vs_data_disambiguation.md) | Distinguishing code bytes from data — IDA/Ghidra workflows |
| [patching_techniques.md](patching_techniques.md) | Surgical binary patching methods |
| [unpacking_and_decrunching.md](unpacking_and_decrunching.md) | Executable unpacking, decruncher architecture, and manual extraction |
| [custom_loaders_and_drm.md](custom_loaders_and_drm.md) | Bypassing DOS, Trackloaders, and physical DRM tricks |
| [anti_debugging.md](anti_debugging.md) | The Cracker vs. Developer arms race: Trace vector abuse, NMI defeat, CIA timers |
| [games/whdload_architecture.md](games/whdload_architecture.md) | WHDLoad internals, slaves, resload_DiskLoad, and runtime memory patching |
| [case_studies/](case_studies/) | Real-world RE walkthroughs |
| [case_studies/ramdrive_device.md](case_studies/ramdrive_device.md) | ramdrive.device RE walkthrough |

### Game Reverse Engineering

| File | Topic |
|---|---|
| [games/game_reversing.md](games/game_reversing.md) | Game RE: disassembly, modification, asset extraction, save game analysis |

### Per-Compiler Reverse Engineering — Binary Field Manuals

| File | Topic |
|---|---|
| [static/compilers/README.md](static/compilers/README.md) | Compiler identification flowchart and comparison matrix |
| [static/compilers/sasc.md](static/compilers/sasc.md) | **SAS/C 5.x/6.x** — LINK A5 + 9-reg save, absolute strings, `_LibBase` globals |
| [static/compilers/gcc.md](static/compilers/gcc.md) | **GCC 2.95.x** — `.text` hunk, A6 frame pointer, PC-relative strings, `__CTOR_LIST__` |
| [static/compilers/vbcc.md](static/compilers/vbcc.md) | **VBCC** — No frame pointer, per-function saves, `__reg()`, `__MERGED` hunks |
| [static/compilers/stormc.md](static/compilers/stormc.md) | **StormC / StormC++** — SAS/C-compatible C, unique C++ ABI, PPC support |
| [static/compilers/aztec_c.md](static/compilers/aztec_c.md) | **Manx Aztec C** — D3-D7 save only (5 regs), D2 scratch, pre-1990 era |
| [static/compilers/lattice_c.md](static/compilers/lattice_c.md) | **Lattice C 3.x/4.x** — SAS/C predecessor, simpler optimizer, 6-reg save |
| [static/compilers/dice_c.md](static/compilers/dice_c.md) | **DICE C** — No frame pointer, `_mainCRTStartup`, fast compile speed |

### Language-Specific Reverse Engineering

| File | Topic |
|---|---|
| [static/asm68k_binaries.md](static/asm68k_binaries.md) | Hand-written assembly reverse engineering — demos, games, bootblocks |
| [static/ansi_c_reversing.md](static/ansi_c_reversing.md) | ANSI C reverse engineering — struct recovery, control flow, library anchoring |
| [static/cpp_vtables_reversing.md](static/cpp_vtables_reversing.md) | C++ OOP reverse engineering — vtables, inheritance, RTTI, name mangling |
| [static/other_languages.md](static/other_languages.md) | Non-C languages — AMOS, Blitz Basic, Amiga E, Modula-2, FORTH, ARexx |

## Core Principles

1. **Know the ABI first** — All library calls are `JSR LVO(A6)`. Before reversing any function, identify which library A6 holds using the `lib_Node.ln_Name` string at `base+$00`.
2. **Use .fd files** — The NDK39 `.fd` files give you every function name and parameter mapping for free.
3. **Relocations are your friend** — HUNK_RELOC32 entries tell you exactly which longwords are inter-hunk references, making it easy to distinguish code from data.
4. **Compiler signatures reduce work** — SAS/C vs GCC produces distinct prologues. Identifying the compiler narrows the pattern space dramatically.

## Tool Setup

| Tool | Purpose |
|---|---|
| IDA Pro 7.x | Primary static disassembler (no native M68k decompilation) |
| IDA Amiga plugin | HUNK loader, HUNK_SYMBOL import |
| Ghidra + ghidra-amiga | Powerful disassembler and C-pseudocode decompiler for M68k |
| `hunkinfo` | Quick hunk/symbol/reloc dump |
| wack / MonAm | On-device debugger |

## References

- NDK39: `fd/`, `include/`
- ADCD 2.1: complete library autodocs
- *Amiga ROM Kernel Reference Manual: Libraries* and *Devices*
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`[← Home](../README.md)`

			`# Reverse Engineering AmigaOS Binaries`

			`## Overview`

			`This section provides a systematic methodology for reverse engineering AmigaOS executables and shared libraries using IDA Pro (or Ghidra with the Amiga plugin), with focus on:`

			`- Reconstructing the library JMP table`
			`- Identifying compiler-specific code patterns`
			`- Understanding the exec/dos calling convention at the assembly level`
			`- Tracing library patches (SetFunction)`
			`- Case studies from real Amiga software`

			`## Contents`

			`\| File \| Topic \|`
			`\|---\|---\|`
			`\| [methodology.md](methodology.md) \| Step-by-step RE workflow for Amiga HUNK binaries \|`
			`\| [ida_setup.md](ida_setup.md) \| IDA Pro configuration for 68k/Amiga analysis \|`
More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`\| [ghidra_setup.md](ghidra_setup.md) \| Ghidra configuration for 68k/Amiga analysis & decompilation \|`
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`\| [compiler_fingerprints.md](compiler_fingerprints.md) \| Compiler identification by code patterns \|`
docs(amiga): fix README navigation indexes, add missing entries, and update Tier 3 statuses 2026-05-12 22:18:43 -04:00			`\| [static/library_jmp_table.md](static/library_jmp_table.md) \| Reconstructing unknown library JMP tables and LVOs \|`
More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`\| [static/code_vs_data_disambiguation.md](static/code_vs_data_disambiguation.md) \| Distinguishing code bytes from data — IDA/Ghidra workflows \|`
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`\| [patching_techniques.md](patching_techniques.md) \| Surgical binary patching methods \|`
More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`\| [unpacking_and_decrunching.md](unpacking_and_decrunching.md) \| Executable unpacking, decruncher architecture, and manual extraction \|`
More interesting hot stuff! 2026-04-29 23:18:55 -04:00			`\| [custom_loaders_and_drm.md](custom_loaders_and_drm.md) \| Bypassing DOS, Trackloaders, and physical DRM tricks \|`
			`\| [anti_debugging.md](anti_debugging.md) \| The Cracker vs. Developer arms race: Trace vector abuse, NMI defeat, CIA timers \|`
docs(amiga): fix README navigation indexes, add missing entries, and update Tier 3 statuses 2026-05-12 22:18:43 -04:00			`\| [games/whdload_architecture.md](games/whdload_architecture.md) \| WHDLoad internals, slaves, resload_DiskLoad, and runtime memory patching \|`
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`\| [case_studies/](case_studies/) \| Real-world RE walkthroughs \|`
			`\| [case_studies/ramdrive_device.md](case_studies/ramdrive_device.md) \| ramdrive.device RE walkthrough \|`

More interesting hot stuff! 2026-04-29 23:18:55 -04:00			`### Game Reverse Engineering`

			`\| File \| Topic \|`
			`\|---\|---\|`
			`\| [games/game_reversing.md](games/game_reversing.md) \| Game RE: disassembly, modification, asset extraction, save game analysis \|`

More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`### Per-Compiler Reverse Engineering — Binary Field Manuals`

			`\| File \| Topic \|`
			`\|---\|---\|`
			`\| [static/compilers/README.md](static/compilers/README.md) \| Compiler identification flowchart and comparison matrix \|`
			\| [static/compilers/sasc.md](static/compilers/sasc.md) \| SAS/C 5.x/6.x — LINK A5 + 9-reg save, absolute strings, `_LibBase` globals \|
			\| [static/compilers/gcc.md](static/compilers/gcc.md) \| GCC 2.95.x — `.text` hunk, A6 frame pointer, PC-relative strings, `__CTOR_LIST__` \|
			\| [static/compilers/vbcc.md](static/compilers/vbcc.md) \| VBCC — No frame pointer, per-function saves, `__reg()`, `__MERGED` hunks \|
			`\| [static/compilers/stormc.md](static/compilers/stormc.md) \| StormC / StormC++ — SAS/C-compatible C, unique C++ ABI, PPC support \|`
			`\| [static/compilers/aztec_c.md](static/compilers/aztec_c.md) \| Manx Aztec C — D3-D7 save only (5 regs), D2 scratch, pre-1990 era \|`
			`\| [static/compilers/lattice_c.md](static/compilers/lattice_c.md) \| Lattice C 3.x/4.x — SAS/C predecessor, simpler optimizer, 6-reg save \|`
			\| [static/compilers/dice_c.md](static/compilers/dice_c.md) \| DICE C — No frame pointer, `_mainCRTStartup`, fast compile speed \|

			`### Language-Specific Reverse Engineering`

			`\| File \| Topic \|`
			`\|---\|---\|`
			`\| [static/asm68k_binaries.md](static/asm68k_binaries.md) \| Hand-written assembly reverse engineering — demos, games, bootblocks \|`
			`\| [static/ansi_c_reversing.md](static/ansi_c_reversing.md) \| ANSI C reverse engineering — struct recovery, control flow, library anchoring \|`
			`\| [static/cpp_vtables_reversing.md](static/cpp_vtables_reversing.md) \| C++ OOP reverse engineering — vtables, inheritance, RTTI, name mangling \|`
			`\| [static/other_languages.md](static/other_languages.md) \| Non-C languages — AMOS, Blitz Basic, Amiga E, Modula-2, FORTH, ARexx \|`

docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`## Core Principles`

			1. Know the ABI first — All library calls are `JSR LVO(A6)`. Before reversing any function, identify which library A6 holds using the `lib_Node.ln_Name` string at `base+$00`.
			2. Use .fd files — The NDK39 `.fd` files give you every function name and parameter mapping for free.
			`3. Relocations are your friend — HUNK_RELOC32 entries tell you exactly which longwords are inter-hunk references, making it easy to distinguish code from data.`
			`4. Compiler signatures reduce work — SAS/C vs GCC produces distinct prologues. Identifying the compiler narrows the pattern space dramatically.`

			`## Tool Setup`

			`\| Tool \| Purpose \|`
			`\|---\|---\|`
More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`\| IDA Pro 7.x \| Primary static disassembler (no native M68k decompilation) \|`
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			`\| IDA Amiga plugin \| HUNK loader, HUNK_SYMBOL import \|`
More information. Especially about RE and AREXX automation 2026-04-29 21:42:28 -04:00			`\| Ghidra + ghidra-amiga \| Powerful disassembler and C-pseudocode decompiler for M68k \|`
docs(amiga): complete AmigaOS 3.1/3.2 developer reference — 172 files across 17 sections Comprehensive technical documentation covering: - Hardware: OCS/ECS/AGA custom chip registers, Copper & Blitter deep dives - Boot sequence: cold boot through startup-sequence - Binary format: HUNK executable spec, relocation, debug info - Linking & ABI: .fd files, LVO tables, register calling conventions - Exec kernel: tasks, interrupts, memory, signals, semaphores - AmigaDOS: file I/O, FFS/OFS layout, CLI/Shell scripting - Graphics: planar bitmaps, Copper programming, HAM/EHB modes - Intuition: screens, windows, IDCMP, BOOPSI - Devices: trackdisk, SCSI, serial, timer, audio, keyboard - Libraries: utility, expansion, IFFParse, locale, ARexx - Networking: bsdsocket API, SANA-II, TCP/IP stack comparison - Toolchain: GCC, vasm/vlink, SAS/C, NDK, debugging - Reverse engineering: IDA/Ghidra setup, compiler fingerprints, case studies - CPU & MMU: 68040/060 emulation libs, PMMU, cache management - Driver development: SANA-II, Picasso96/RTG, AHI audio All files include breadcrumb navigation. No local paths or proprietary content. 2026-04-23 12:16:52 -04:00			\| `hunkinfo` \| Quick hunk/symbol/reloc dump \|
			`\| wack / MonAm \| On-device debugger \|`

			`## References`

			- NDK39: `fd/`, `include/`
			`- ADCD 2.1: complete library autodocs`
			`- Amiga ROM Kernel Reference Manual: Libraries and Devices`