
Author Topic: Where is Appearance Manager Actually Located?  (Read 170 times)

Dennis Nedry

Where is Appearance Manager Actually Located?
« on: May 03, 2025, 09:32:55 PM »

I have recently discovered a new disassembler and its ability to disassemble PowerPC code, even including Mac OS toolbox calls, and also going as far as generating C code!  It’s a hacker’s dream come true.

I used to do a lot with Appearance Themes a long time ago.  They are like Apple’s built-in version of Kaleidoscope.  I would love to decompile the code that parses appearance themes and see if there are any cool surprises in there.  Also, there are a couple bugs here and there, for example, the pop-up menu text color does not use the correct entry in the clr# resource. It would be neat to try to fix that.

I do not know where this code is located though.  Trying to narrow that down, I did a minimum install of Mac OS 8.6 and deleted as many system files as possible where it could still boot and let me apply a theme.  I further narrowed down that it isn’t the appearance control panel itself because you can select a theme, delete the control panel, reboot, and the theme will still be working.  Deleting the theme file or the correct preferences file and rebooting again removes the theme.  So these behaviors aren’t depending on the control panel.  The theme parsing code must lie someplace else.

I used Resorcerer to search the resource and data forks of the System file and Mac OS Resources file for the ASCII names of these resources, like ‘layo’, ‘frme’, ‘pxm#’ and have not found it.  I would have thought those references would be lurking as plain ASCII text somewhere and easily spotted this way.  I am not sure what could be going on; maybe I didn’t look at the right place?  Maybe the code is compressed or something?  If anyone could help me find that, I would appreciate it.
« Last Edit: May 04, 2025, 06:13:34 PM by Dennis Nedry »
Logged

joevt

Re: Where is Appearance Manager Actually Located?
« Reply #1 on: May 03, 2025, 11:26:29 PM »

The System file has multiple cfrg resources. One of them has an entry that points to the AppearanceLib.

The MPW command DumpPEF can dump all the pefs but I think it only works for cfrg 0. So you might need to make a System resource file, one for each cfrg with the resource ID changed to 0.

The below is a modern macOS shell script to do the job. It uses https://github.com/ksherlock/mpw to use MPW's DumpPEF command.

You can probably rewrite it as an MPW script.

The AppearanceLib is container 11 of cfrg 49 of Mac OS 9.2.2 System file.

Code:
#=========================================================================================
# Dump all pefs of Mac OS 9.2.2 System file

mkdir -p ~/SystemFragments
cd ~/SystemFragments
cp "/Volumes/Classic/System Folder/System" .
IFS=$'\n'
# List every cfrg resource ID: derez -p reports each resource it skips, and type xxxx matches none.
for thecfrg in $(derez -p -only xxxx "System" 2>&1 | perl -nE 'if (/Skipping .cfrg. \((-?\d+)/) { print $1 ."\n" }'); do
    # Copy the data fork, then add this cfrg as the only resource, renumbered to ID 0.
    printf "include \"System\" 'cfrg' (%d) as 'cfrg' (0) ;" "$thecfrg" > "/tmp/System_cfrg_$thecfrg.r"
    cat "System" > "/tmp/System_cfrg_$thecfrg"
    rez -o "/tmp/System_cfrg_$thecfrg" "/tmp/System_cfrg_$thecfrg.r"
    mpw dumppef -do All -pi u "/tmp/System_cfrg_$thecfrg" 2> "System_cfrg_$thecfrg.errs.txt" > "System_cfrg_$thecfrg.dumppef.txt"
    # Keep the error log only when it is not empty.
    if ! [[ -s "System_cfrg_$thecfrg.errs.txt" ]]; then
        rm "System_cfrg_$thecfrg.errs.txt"
    fi
done

#=========================================================================================

# Find library named AppearanceLib.
grep -l -R -E 'AppearanceLib.*member' .
# Output:
#   ./System_cfrg_49.dumppef.txt

# Find libraries that import from AppearanceLib.
grep -l -R -E 'from.*AppearanceLib' .
# Output:
#   ./System_cfrg_49.dumppef.txt
#   ./System_cfrg_64.dumppef.txt
#   ./System_cfrg_257.dumppef.txt
#   ./System_cfrg_76.dumppef.txt
#   ./System_cfrg_52.dumppef.txt
#   ./System_cfrg_79.dumppef.txt
Logged

Dennis Nedry

Re: Where is Appearance Manager Actually Located?
« Reply #2 on: May 04, 2025, 11:09:00 AM »

Thank you for this info.  I was able to open the 9.2.2 system file with Resorcerer, open ‘cfrg’ ID 49, locate entry 11, and get the offset and length into the data fork for AppearanceLib.

Offset 2601440 -> 0x27B1E0
Length 317304 -> 0x4D778

I copied this region into a new file’s data fork and saved it for importing in a disassembler.  Browsing this file with HxD, I found that resource names are loaded 2 characters at a time.  Searching for ‘layo’ produces no results, but searching for ‘la’ and ‘yo’ in close proximity, DOES have results:

0xFD4A / FD86
0x11D6A / 11D72
0x128EA / 128F2
0x12BEE / 12BF6
0x12D82 / 12D8A
0x1DA26 / 1DA32

I think I have achieved “Hello World” status. I have a lot to learn in order to get anything useful to happen but this will at least be something fun to experiment with.   Thank you for your help.
« Last Edit: May 04, 2025, 06:12:32 PM by Dennis Nedry »
Logged

robespierre

Re: Where is Appearance Manager Actually Located?
« Reply #3 on: May 04, 2025, 11:18:38 AM »

PowerPC instructions don't have a way to load 32 bit immediates ('layo' is a 32-bit constant), so the compiler emits an instruction sequence that pastes two 16-bit immediates together.
Logged
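
An added example, not code from any poster in this thread: a Python scanner for the pattern described in the two posts above, where a 32-bit constant such as 'layo' is built by a `lis` (high half) followed within a few instructions by `ori` or `addi` (low half) on the same register. The function name, the `window` parameter and the sample bytes are assumptions made for illustration; the reported offsets are instruction offsets, so a hex-editor hit on the immediate itself lands 2 bytes later.

```python
import struct

def find_split_constant(code: bytes, constant: bytes, window: int = 8):
    """Return (first_offset, second_offset, register) for each instruction pair
    that assembles the 4-byte big-endian constant from two 16-bit immediates."""
    value = int.from_bytes(constant, "big")
    hi, lo = value >> 16, value & 0xFFFF
    # addi sign-extends its immediate, so the high half is bumped when lo >= 0x8000.
    hi_for_addi = (hi + (lo >> 15)) & 0xFFFF
    n = len(code) // 4
    words = struct.unpack(f">{n}I", code[:n * 4])  # 32-bit big-endian instructions
    hits = []
    for i, word in enumerate(words):
        opcode, rd, ra, imm = word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
        if opcode != 15 or ra != 0:                # lis rD,imm is addis rD,0,imm
            continue
        for j in range(i + 1, min(i + 1 + window, n)):
            nxt = words[j]
            op2, f1, f2, imm2 = nxt >> 26, (nxt >> 21) & 31, (nxt >> 16) & 31, nxt & 0xFFFF
            ori = op2 == 24 and f1 == rd and imm == hi            # ori rA,rS,imm (rS = f1)
            addi = op2 == 14 and f2 == rd and imm == hi_for_addi  # addi rD,rA,imm (rA = f2)
            if imm2 == lo and (ori or addi):
                hits.append((i * 4, j * 4, rd))
                break
    return hits

# Constructed sample: nop; lis r3,'la'; li r4,0; ori r3,r3,'yo'
SAMPLE_CODE = struct.pack(">4I", 0x60000000, 0x3C606C61, 0x38800000, 0x6063796F)

if __name__ == "__main__":
    for first, second, reg in find_split_constant(SAMPLE_CODE, b"layo"):
        print(f"r{reg}: high half at 0x{first:X}, low half at 0x{second:X}")
```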

joevt

Re: Where is Appearance Manager Actually Located?
« Reply #4 on: May 05, 2025, 01:23:20 AM »

Data sections of PEFs are compressed so a utility like DumpPEF that can decompress it is useful. A good disassembler should understand the PEF format and decompress the data section for examination.

I use Jasik's Nosy II for classic Mac OS binaries but it's just a disassembler - it can't decompile. DumpPEF can disassemble but it's not as good as Nosy II.

After the AppearanceLib data is decompressed, you might be able to see some hex that is pixels for some AppearanceLib graphical objects.
Logged

Dennis Nedry

Re: Where is Appearance Manager Actually Located?
« Reply #5 on: May 06, 2025, 10:42:24 AM »

Thanks for all the info.  I have been playing with the disassembly and it has become very apparent that this indeed has the code that parses out theme files, as well as soundset files.

I spent some time where it loads 'crsr's via the 'tdat' resource, which has never actually worked as far as I know.  The Gizmo theme contains 'crsr's and has 'tdat' entries for some of them, but it does not have an entry for 'crsr' 128, which is the normal mouse cursor.

Looking at the code that parses the 'tdat' resource in AppearanceLib, it looked like it was checking the first 2 bytes of the resource data to see if they were 00 00 and if not, aborting.  Well, 'crsr's start with 80 xx.  So I changed the opcode of that branch instruction from BNE to BEQ or something like that.  I made sure to modify a copy of the system file and swap it, rebooted, etc.  None of that made Gizmo's custom cursors come to life but it's a start and definitely a fun thing to poke around at.

There are some symbols preserved in AppearanceLib which is pretty helpful.  I think I might dig up various versions of Mac OS 8 and 9 and see if there are any different versions of AppearanceLib and if any of that has different symbols preserved, etc.  I know that themes were quite a bit different between 8.2b (where they first appeared if I remember right?) and 8.5.  I don't expect a whole lot of differences from 8.5 through 9.2.2 since the theme project got canceled, but who knows!  Worth a look.  Definitely Mac OS X had a continuation of this using Extras.rsrc in a very modified but still similar format.  I am guessing that they might have continued using some of the old AppearanceLib source code so that might also be interesting to look into.

I looked into DumpPEF at this location:
https://git.sr.ht/~joshrig/dumppef

I downloaded the source code from that page and I am seeing two .c files, util.c and dumppef.c.  I am not seeing any place where it does a literal decompression.  Also, looking at the end of AppearanceLib, I see bytes arranged like they look like raw/uncompressed graphics, but I haven't looked deeply at that.  But I am wondering if it is in fact compressed or not, and if I found the correct DumpPEF.
Logged

joevt

Re: Where is Appearance Manager Actually Located?
« Reply #6 on: May 06, 2025, 09:42:11 PM »

The DumpPEF at https://git.sr.ht/~joshrig/dumppef is not the same. You need the one from MPW which doesn't have source code.

The compression is byte codes in the pidata section of the PEF. The byte codes allow doing things like reducing a string of 00 bytes into a single opcode. So there are some uncompressed parts between byte codes/opcodes.

Compressed:
Code:
      Pidata section 1 (<unnamed>)
      Address    Op      Operand               Encoding/data
43EA0  0000      ZERO    cnt=1246              00 895E
43EA3  04DE      BLK     cnt=2                 22
43EA4                                          C3FC                                ..
43EA6  04E0      RPTZERO cnt=2                 82
43EA7                    dcnt=2                   02
43EA8                    rpt=338                  8252
43EAA                                       1  C400 C404 C405 237C 2768 2A54       ......#|'h*T
43EB6                                       7  C450 C44E C454 C456 1074 107C       .P.N.T.V.t.|
43EC2                                      13  1084 108C 109C 1094 C5C0 C5C4       ............
43ECE                                      19  C5BC 2C48 C5C8 2C90 2E24 C5CC       ..,H..,..$..
43EDA                                      25  2E04 2E44 2DE4 2F80 31D0 320C       ...D-./.1.2.
43EE6                                      31  322C 3AD0 3268 3CC8 32F0 47EC       2,:.2h<.2.G.
...

Uncompressed:
Code:
             ---------------------------- Unpacked PiData ---------------------------
      00000  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00020  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00040  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00060  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00080  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      000A0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      000C0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      000E0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00100  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00120  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00140  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00160  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00180  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      001A0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      001C0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      001E0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00200  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00220  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00240  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00260  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00280  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      002A0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      002C0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      002E0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00300  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00320  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00340  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00360  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00380  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      003A0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      003C0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      003E0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00400  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00420  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00440  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00460  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      00480  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      004A0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 00000000  ................................
      004C0  00000000 00000000 00000000 00000000  00000000 00000000 00000000 0000C3FC  ................................
      004E0  0000C400 0000C404 0000C405 0000237C  00002768 00002A54 0000C450 0000C44E  ..............#|..'h..*T...P...N
      00500  0000C454 0000C456 00001074 0000107C  00001084 0000108C 0000109C 00001094  ...T...V...t...|................
      00520  0000C5C0 0000C5C4 0000C5BC 00002C48  0000C5C8 00002C90 00002E24 0000C5CC  ..............,H......,....$....
      00540  00002E04 00002E44 00002DE4 00002F80  000031D0 0000320C 0000322C 00003AD0  .......D..-.../...1...2...2,..:.
Logged

Windoze

Re: Where is Appearance Manager Actually Located?
« Reply #7 on: Yesterday at 01:59:21 AM »

The data doesn't have to be compressed. There are different section types for compressed and uncompressed data.
Also it depends on the software you are using. IDA Pro for example automatically uncompresses the data sections while loading.
Logged