2

im disassembling the old 1989 Borland tool TDSTRIP.EXE that can extract Turbo Debugger information from executables and stumpled over this path-normalizing function

this is the signature im using extern "C" void far maybe_lib_sub_103FC(char far* dest, const char far* src);

i think it is not a __cdecl because the routine seems to cleanup the stack on its own and the calls to the routine do not cleanup the stack

i copied the disassembly and re-assembled it binary equal and calling it from a Borland C++ 5.02, DOS, small memory model, testprogram

the code runs only as expected when i replace the last retf 4 with just retf and i don't understand why 4 bytes - to my understanding there are 2 far-ptrs pushed onto the stack so wouldn't be 8 more correct? or is that only for local variables stack cleanup, but i can't see any local variables

calling looks like this

cmp word ptr [si+2], 0
jz  short loc_13478
; ----
; calling starts
push    ds
push    word ptr [si+2] ; src
push    ss
lea ax, [bp+s1]
push    ax
call    maybe_lib_sub_103FC
; after call no sp adjust
; ----
lea ax, [bp+var_52]
push    ax
lea ax, [bp+s1]
push    ax      ; s1
call    _strcmp

this is the routine

seg000:03FC                         _maybe_lib_sub_103FC proc far            ; CODE XREF: MAYBE_MAIN_sub_133D6+61P
seg000:03FC                                                                 ; MAYBE_MAIN_sub_133D6+7BP
seg000:03FC
seg000:03FC                         arg_0           = dword ptr  6
seg000:03FC                         arg_4           = dword ptr  0Ah
seg000:03FC
seg000:03FC 55                                      push    bp
seg000:03FD 8B EC                                   mov     bp, sp
seg000:03FF 1E                                      push    ds
seg000:0400 56                                      push    si
seg000:0401 57                                      push    di
seg000:0402 FC                                      cld
seg000:0403 C4 7E 0A                                les     di, [bp+arg_4]
seg000:0406 32 C0                                   xor     al, al
seg000:0408 B9 FF FF                                mov     cx, 0FFFFh
seg000:040B F2 AE                                   repne scasb
seg000:040D F7 D1                                   not     cx
seg000:040F 49                                      dec     cx
seg000:0410 C5 76 0A                                lds     si, [bp+arg_4]
seg000:0413 03 CE                                   add     cx, si
seg000:0415 C4 7E 06                                les     di, [bp+arg_0]
seg000:0418 AD                                      lodsw
seg000:0419 3B F1                                   cmp     si, cx
seg000:041B 77 11                                   ja      short loc_1042E
seg000:041D 80 FC 3A                                cmp     ah, ':'
seg000:0420 75 0C                                   jnz     short loc_1042E
seg000:0422 3C 61                                   cmp     al, 61h ; 'a'
seg000:0424 72 12                                   jb      short loc_10438
seg000:0426 3C 7A                                   cmp     al, 7Ah ; 'z'
seg000:0428 77 0E                                   ja      short loc_10438
seg000:042A 2C 20                                   sub     al, 20h ; ' '
seg000:042C EB 0A                                   jmp     short loc_10438
seg000:042E                         ; ---------------------------------------------------------------------------
seg000:042E
seg000:042E                         loc_1042E:                              ; CODE XREF: maybe_lib_sub_103FC+1Fj
seg000:042E                                                                 ; maybe_lib_sub_103FC+24j
seg000:042E 4E                                      dec     si
seg000:042F 4E                                      dec     si
seg000:0430 B4 19                                   mov     ah, 19h
seg000:0432 CD 21                                   int     21h             ; DOS - GET DEFAULT DISK NUMBER
seg000:0434 04 41                                   add     al, 41h ; 'A'
seg000:0436 B4 3A                                   mov     ah, 3Ah ; ':'
seg000:0438
seg000:0438                         loc_10438:                              ; CODE XREF: maybe_lib_sub_103FC+28j
seg000:0438                                                                 ; maybe_lib_sub_103FC+2Cj ...
seg000:0438 AB                                      stosw
seg000:0439 3B F1                                   cmp     si, cx
seg000:043B 74 05                                   jz      short loc_10442
seg000:043D 80 3C 5C                                cmp     byte ptr [si], 5Ch ; '\'
seg000:0440 74 28                                   jz      short loc_1046A
seg000:0442
seg000:0442                         loc_10442:                              ; CODE XREF: maybe_lib_sub_103FC+3Fj
seg000:0442 2C 40                                   sub     al, 40h ; '@'
seg000:0444 8A D0                                   mov     dl, al
seg000:0446 B0 5C                                   mov     al, 5Ch ; '\'
seg000:0448 AA                                      stosb
seg000:0449 56                                      push    si
seg000:044A 1E                                      push    ds
seg000:044B B4 47                                   mov     ah, 47h ; 'G'
seg000:044D 8B F7                                   mov     si, di
seg000:044F 06                                      push    es
seg000:0450 1F                                      pop     ds
seg000:0451 CD 21                                   int     21h             ; DOS - 2+ - GET CURRENT DIRECTORY
seg000:0451                                                                 ; DL = drive (0=default, 1=A, etc.)
seg000:0451                                                                 ; DS:SI points to 64-byte buffer area
seg000:0453 1F                                      pop     ds
seg000:0454 5E                                      pop     si
seg000:0455 72 13                                   jb      short loc_1046A
seg000:0457 26 80 3D 00                             cmp     byte ptr es:[di], 0
seg000:045B 74 0D                                   jz      short loc_1046A
seg000:045D 51                                      push    cx
seg000:045E B9 FF FF                                mov     cx, 0FFFFh
seg000:0461 32 C0                                   xor     al, al
seg000:0463 F2 AE                                   repne scasb
seg000:0465 4F                                      dec     di
seg000:0466 B0 5C                                   mov     al, 5Ch ; '\'
seg000:0468 AA                                      stosb
seg000:0469 59                                      pop     cx
seg000:046A
seg000:046A                         loc_1046A:                              ; CODE XREF: maybe_lib_sub_103FC+44j
seg000:046A                                                                 ; maybe_lib_sub_103FC+59j ...
seg000:046A 2B CE                                   sub     cx, si
seg000:046C F3 A4                                   rep movsb
seg000:046E 32 C0                                   xor     al, al
seg000:0470 AA                                      stosb
seg000:0471 C5 76 06                                lds     si, [bp+arg_0]
seg000:0474 46                                      inc     si
seg000:0475 8B FE                                   mov     di, si
seg000:0477
seg000:0477                         loc_10477:                              ; CODE XREF: maybe_lib_sub_103FC+8Fj
seg000:0477 AC                                      lodsb
seg000:0478 0A C0                                   or      al, al
seg000:047A 74 11                                   jz      short loc_1048D
seg000:047C 3C 5C                                   cmp     al, 5Ch ; '\'
seg000:047E 74 0D                                   jz      short loc_1048D
seg000:0480 3C 61                                   cmp     al, 61h ; 'a'
seg000:0482 72 06                                   jb      short loc_1048A
seg000:0484 3C 7A                                   cmp     al, 7Ah ; 'z'
seg000:0486 77 02                                   ja      short loc_1048A
seg000:0488 2C 20                                   sub     al, 20h ; ' '
seg000:048A
seg000:048A                         loc_1048A:                              ; CODE XREF: maybe_lib_sub_103FC+86j
seg000:048A                                                                 ; maybe_lib_sub_103FC+8Aj ...
seg000:048A AA                                      stosb
seg000:048B EB EA                                   jmp     short loc_10477
seg000:048D                         ; ---------------------------------------------------------------------------
seg000:048D
seg000:048D                         loc_1048D:                              ; CODE XREF: maybe_lib_sub_103FC+7Ej
seg000:048D                                                                 ; maybe_lib_sub_103FC+82j
seg000:048D 81 7D FE 5C 2E                          cmp     word ptr [di-2], 2E5Ch
seg000:0492 75 04                                   jnz     short loc_10498
seg000:0494 4F                                      dec     di
seg000:0495 4F                                      dec     di
seg000:0496 EB 1C                                   jmp     short loc_104B4
seg000:0498                         ; ---------------------------------------------------------------------------
seg000:0498
seg000:0498                         loc_10498:                              ; CODE XREF: maybe_lib_sub_103FC+96j
seg000:0498 81 7D FE 2E 2E                          cmp     word ptr [di-2], 2E2Eh
seg000:049D 75 15                                   jnz     short loc_104B4
seg000:049F 80 7D FD 5C                             cmp     byte ptr [di-3], 5Ch ; '\'
seg000:04A3 75 0F                                   jnz     short loc_104B4
seg000:04A5 83 EF 03                                sub     di, 3
seg000:04A8 80 7D FF 3A                             cmp     byte ptr [di-1], 3Ah ; ':'
seg000:04AC 74 06                                   jz      short loc_104B4
seg000:04AE
seg000:04AE                         loc_104AE:                              ; CODE XREF: maybe_lib_sub_103FC+B6j
seg000:04AE 4F                                      dec     di
seg000:04AF 80 3D 5C                                cmp     byte ptr [di], 5Ch ; '\'
seg000:04B2 75 FA                                   jnz     short loc_104AE
seg000:04B4
seg000:04B4                         loc_104B4:                              ; CODE XREF: maybe_lib_sub_103FC+9Aj
seg000:04B4                                                                 ; maybe_lib_sub_103FC+A1j ...
seg000:04B4 0A C0                                   or      al, al
seg000:04B6 75 D2                                   jnz     short loc_1048A
seg000:04B8 80 7D FF 3A                             cmp     byte ptr [di-1], 3Ah ; ':'
seg000:04BC 75 03                                   jnz     short loc_104C1
seg000:04BE B0 5C                                   mov     al, 5Ch ; '\'
seg000:04C0 AA                                      stosb
seg000:04C1
seg000:04C1                         loc_104C1:                              ; CODE XREF: maybe_lib_sub_103FC+C0j
seg000:04C1 32 C0                                   xor     al, al
seg000:04C3 AA                                      stosb
seg000:04C4 5F                                      pop     di
seg000:04C5 5E                                      pop     si
seg000:04C6 1F                                      pop     ds
seg000:04C7 5D                                      pop     bp
seg000:04C8 CA 04 00                                retf    4
seg000:04C8                         _maybe_lib_sub_103FC endp

the function seems to be coded original in C due to the bp/sp usage - but could it be that it was coded in assembler and someone implemented the retf wrong?

Improve this question

1 Answer 1

Reset to default
2

This function was most probably hand-written in Assembler. I doubt contemporary compilers could've generated such a code. It does seem retf 4 is a human error, and it should've been retf 8 for callee to clean up its arguments (Pascal calling convention).

The caller gets disbalanced stack after calling this function. It went unnoticed because the caller almost doesn't depend on the sp value during execution and it resets the stack pointer from bp in its epilogue:

seg001:0D5E                 pop     di
seg001:0D5F                 pop     si
seg001:0D60                 mov     sp, bp
seg001:0D62                 pop     bp
seg001:0D63                 retf

So the only adverse effect from stack inbalance is di/si being destroyed even though they are callee-saved registers.

Proper Borland C prototype for the function is (assuming retf 8 fix):

extern "C" void far pascal _maybe_lib_sub_103FC(const char far *source, char far *destination);

Note arguments are reversed with its cdecl counterpart because of Pascal calling convention.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

retf 8 creates strange results in the resulting string, retf without bytecount makes it "magically" work - but i don't understand it - do i need to use some sort of __pascal define in my signature (borland does not seem to know it)?
@llm Since you didn't tell C compiler it's pascal CC, it defaults to cdecl which is caller-cleanup; there's no magic retf worked because that made it cdecl-compatible. retf 8 threw your caller stack off. I've edited my answer to add C prototype for pascal CC version.
changing to "pascal" calling convention changes the mangling behavior (underscore is not preserved in the cpp main.obj) but then it links, changed retf to retf 8 and swapped src/dest parameter - now it works!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.