Disassembling Winamp with Ghidra to find the Maki interpreter

So called “Modern” Winamp skins are scripted using a custom scripting language called Maki which compiles to a custom byte code.

To learn more about this byte code, I attempted to locate the byte code interpreter in the Winamp binary. Here are the septs I followed to find the Maki interpreter in the Winamp binary using Ghidra:

• Install Winamp (5.666)

• Find the install directory in Program Files

• Find the plugins directory

• Open gen_ff.dll plugin (the one in charge of rendering the UI) in Ghidra

• Search strings for “division” and find “Division by zero”

• Select that option to jump to the data section offset where the string is

• Right click the offset number and select “Show all References to Address”

• Find the name of the enclosing function that uses the string

• Right click the name and select “References” > “Find references to FUN_<FUNCTION_NUMBER>”

• Jump to the one reference

• This function is the interpreter

• 🎉

The branch for multiplication

• I talked about Winamp2-js on the Zeal Interestings Podcast
• How Winamp2-js loads native skins in your browser
• I was on the Changelog podcast again