Any hints on how to "port" a 16-bit NE-executable (decompiling and "recompiling") to run on modern Linux machines. So far I managed to get it working with Wine with custom 32-bit WINEPREFIX.
Executable itself is a simple game, was released in 1995 and based on ObjectWindows for C++ Demo (Borland C++).
So far I have managed to extract the resources (menus, dialogs, bitmaps and cursors) using the excellent `nefile` python library.
Some minor progress with Ghidra:
Firstly, it recognizes imports from various libraries (GDI, KERNEL and MMSYSTEM), but as it hasn't fully decompiled the game, most of the imports are marked as unused. On the image below `GDI::CREATECOMPATIBLEDC` is referenced from the code, but `GDI::CREATEDC` isn't.
So if we dig further, we can see that the library calls use `CALLF address_of_thunk` which in hex is `9a4000b811`...
#ghidra #reverseengineering #win16
If we look closely and chew through some endianness magic, we can now start searching for the "magic bytes" using the knowledge that `CALLF` instruction starts with 0x9a and the next four bytes is the address of the thunk.
One way so far is via Search -> "For Instruction Patterns" and looking up all the possible locations for these calls.
All this is manual work though, until I figure out a way to script this...
Well, live and learn. There is actually a better search option which supports wildcards under: Search -> "Memory..." .
plaes