jcranmer 1 day ago

> It is even messier in protected mode, since now every selector is an entry in a table, so its value itself is meaningless.

Actually, my experience is that things are much easier in protected mode. Since selector values are chosen by the OS, that means you rely a lot more on internal relocations. And the use of segment selectors is a strong indicator that you have a pointer in the first place.

Unfortunately, Ghidra itself struggles to apply these techniques, especially in the decompiler, which seems completely unable to cope with the concept of far pointers.

dmitrygr 1 day ago

In DOS, plenty of applications/games load selectors and do nasty things with them

so indeed you'd know it is a far pointer, but may not know what to :D

genewitch 1 day ago

Well, certainly not above 0xA0000