#1
Based on postings and responses to others, I wondered about finally fixing the problems that irked me about MS Debug.exe not including a function to trace out code vs data and allow simple dumping of assembly code. And this is an itch of some 20 odd years! But now I have more time (huh!).

So I set out to disassemble Debug.exe to add a full listing ability.

What surprised me was that NONE of my fairly-useful disassemblers (BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!

Bubble managed to give me a page by page list, but it was pretty much the same as using debug itself; (the tedium!), the rest simply bombed out! Yes, really!

All of these tools are extremely difficult to use anyway.
Usually there are two requirements when using a disassembler:-

a) step through code to find a problem and hence a solution.
b) disassemble everything to study principles, suitable insert points for additional services, change nature of functions, all usually to make a better tool.

What do the readers suggest in either category, (but especially "b")?

#2
"Terence" wrote...
: So I set out to disassemble Dbug.exe to add a full listing ability.
:
: What surprised me was that NONE of my fairly-useful disassemblers
: (BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!

1) It's not a PE file, it's a 16-bit DOS executable.
2) When you start it up debug.exe on any NT machine, a version of ntvdm.exe starts up, which in turn runs the application (debug.exe).
3) You might want to copy it to another folder, rename it as debug.com and try to run it. It runs and it starts up the ntvdm.exe program in which it runs inside of. And the ntvdm.exe that started up then does not shut itself down until you exit the cmd.exe prompt.

I scanned it with PEID, which told me that it's a DOS executable, not a PE.

OllyDbg warns that the application is not a 32-bit Portable Executable and asks if you'd like to load it.

Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does not allow one to encode in 32-bit. And that's why grdb.exe came around, or so I've heard.

Tapping on the ? question mark once inside of debug.exe identifies that it is capable of working with expanded memory.

    allocate expanded memory        XA [#pages]
    deallocate expanded memory      XD [handle]
    map expanded memory pages       XM [Lpage] [Ppage] [handle]
    display expanded memory status  XS

    -XS
    EMS not installed

And I've not messed with expanded memory at all in the last 8 years (or so I believe).

You may need to open a command.com prompt, then run debug.exe inside of that prompt. I'm pretty sure command.com reads from an autoexec.nt and a config.nt file, so if you wanted to load an expanded memory manager, you'd might need to go about it in that manner. I don't ever recall messing with expanded memory on Windows 2000/XP.

Inside the cmd.exe prompt you can type the following to get around the page by page viewing.

    debug.exe debug.exe >> debug.txt
    U 10 1000
    Q

Note: You will not see what you type, but the commands get executed and you will end up with a big file named debug.txt.

I don't know if that helps anything. Good luck.

--
Jim Carlock

    08/23/2001 08:00 AM 20,634 debug.exe
    c17afa0aad78c621f818dd6729572c48 *debug.exe

    debug.exe debug.exe >> debug.txt
    -u 10 1000
    0010 8BE8 MOV BP,AX
    0012 8CC0 MOV AX,ES
    0014 051000 ADD AX,0010
    0017 0E PUSH CS
    0018 1F POP DS
    0019 A30400 MOV [0004],AX
    001C 03060C00 ADD AX,[000C]
    0020 8EC0 MOV ES,AX
    0022 8B0E0600 MOV CX,[0006]
    0026 8BF9 MOV DI,CX
    0028 4F DEC DI
    0029 8BF7 MOV SI,DI
    002B FD STD
    002C F3 REPZ
    002D A4 MOVSB
    002E 50 PUSH AX
    002F B83400 MOV AX,0034
    0032 50 PUSH AX
    0033 CB RETF
    0034 8CC3 MOV BX,ES
    0036 8CD8 MOV AX,DS
    0038 48 DEC AX
    0039 8ED8 MOV DS,AX
    003B 8EC0 MOV ES,AX
    003D BF0F00 MOV DI,000F
    0040 B91000 MOV CX,0010
    0043 B0FF MOV AL,FF
    0045 F3 REPZ
    0046 AE SCASB
    0047 47 INC DI
    0048 8BF7 MOV SI,DI
    004A 8BC3 MOV AX,BX
    004C 48 DEC AX
    004D 8EC0 MOV ES,AX
    004F BF0F00 MOV DI,000F
    0052 B104 MOV CL,04
    0054 8BC6 MOV AX,SI
    0056 F7D0 NOT AX
    0058 D3E8 SHR AX,CL
    005A 8CDA MOV DX,DS
    005C 2BD0 SUB DX,AX
    005E 7304 JNB 0064
    0060 8CD8 MOV AX,DS
    0062 2BD2 SUB DX,DX
    0064 D3E0 SHL AX,CL
    0066 03F0 ADD SI,AX
    0068 8EDA MOV DS,DX
    006A 8BC7 MOV AX,DI
    006C F7D0 NOT AX
    006E D3E8 SHR AX,CL
    0070 8CC2 MOV DX,ES
    0072 2BD0 SUB DX,AX
    0074 7304 JNB 007A
    0076 8CC0 MOV AX,ES
    0078 2BD2 SUB DX,DX
    007A D3E0 SHL AX,CL
    007C 03F8 ADD DI,AX
    007E 8EC2 MOV ES,DX
    0080 AC LODSB
    0081 8AD0 MOV DL,AL
    0083 4E DEC SI
    0084 AD LODSW
    0085 8BC8 MOV CX,AX
    0087 46 INC SI
    0088 8AC2 MOV AL,DL
    008A 24FE AND AL,FE
    008C 3CB0 CMP AL,B0
    008E 7505 JNZ 0095
    0090 AC LODSB
    0091 F3 REPZ
    0092 AA STOSB
    0093 EB06 JMP 009B
    0095 3CB2 CMP AL,B2
    0097 756D JNZ 0106
    0099 F3 REPZ
    009A A4 MOVSB
    009B 8AC2 MOV AL,DL
    009D A801 TEST AL,01
    009F 74B1 JZ 0052
    00A1 BE3201 MOV SI,0132
    00A4 0E PUSH CS
    00A5 1F POP DS
    00A6 8B1E0400 MOV BX,[0004]
    00AA FC CLD
    00AB 33D2 XOR DX,DX
    00AD AD LODSW
    00AE 8BC8 MOV CX,AX
    00B0 E313 JCXZ 00C5
    00B2 8BC2 MOV AX,DX
    00B4 03C3 ADD AX,BX
    00B6 8EC0 MOV ES,AX
    00B8 AD LODSW
    00B9 8BF8 MOV DI,AX
    00BB 83FFFF CMP DI,-01
    00BE 7411 JZ 00D1
    00C0 26 ES:
    00C1 011D ADD [DI],BX
    00C3 E2F3 LOOP 00B8
    00C5 81FA00F0 CMP DX,F000
    00C9 7416 JZ 00E1
    00CB 81C20010 ADD DX,1000
    00CF EBDC JMP 00AD
    00D1 8CC0 MOV AX,ES
    00D3 40 INC AX
    00D4 8EC0 MOV ES,AX
    00D6 83EF10 SUB DI,+10
    00D9 26 ES:
    00DA 011D ADD [DI],BX
    00DC 48 DEC AX
    00DD 8EC0 MOV ES,AX
    00DF EBE2 JMP 00C3
    00E1 8BC3 MOV AX,BX
    00E3 8B3E0800 MOV DI,[0008]
    00E7 8B360A00 MOV SI,[000A]
    00EB 03F0 ADD SI,AX
    00ED 01060200 ADD [0002],AX
    00F1 2D1000 SUB AX,0010
    00F4 8ED8 MOV DS,AX
    00F6 8EC0 MOV ES,AX
    00F8 BB0000 MOV BX,0000
    00FB FA CLI
    00FC 8ED6 MOV SS,SI
    00FE 8BE7 MOV SP,DI
    0100 FB STI
    0101 8BC5 MOV AX,BP
    0103 2E CS:
    0104 FF2F JMP FAR [BX]
    0106 B440 MOV AH,40
    0108 BB0200 MOV BX,0002
    010B B91600 MOV CX,0016
    010E 8CCA MOV DX,CS
    0110 8EDA MOV DS,DX
    0112 BA1C01 MOV DX,011C
    0115 CD21 INT 21
    0117 B8FF4C MOV AX,4CFF
    011A CD21 INT 21
    011C 50 PUSH AX
    011D 61 DB 61
    011E 63 DB 63
    011F 6B DB 6B
    0120 65 DB 65
    0121 64 DB 64
    0122 206669 AND [BP+69],AH
    0125 6C DB 6C
    0126 65 DB 65
    0127 206973 AND [BX+DI+73],CH
    012A 20636F AND [BP+DI+6F],AH
    Q
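
Added example (not part of any post in this thread, and not code from DEBUG or the tools named here): the code-versus-data problem raised in post #1 is visible at the end of the listing in post #2, where DEBUG decodes the bytes from 011C onward as `PUSH AX`, `DB 61`, `AND [BP+69],AH` and so on. The Python below re-reads the tail of that listing, rebuilds the bytes, and compares a blind printable-ASCII scan with one that starts where a `MOV DX,imm16` operand points; the function names, the six-byte threshold and the printable-ASCII heuristic are assumptions of this example.

```python
import re

# Tail of the DEBUG "U" output quoted in post #2 (offsets as posted there).
LISTING = """\
0112 BA1C01 MOV DX,011C
0115 CD21 INT 21
0117 B8FF4C MOV AX,4CFF
011A CD21 INT 21
011C 50 PUSH AX
011D 61 DB 61
011E 63 DB 63
011F 6B DB 6B
0120 65 DB 65
0121 64 DB 64
0122 206669 AND [BP+69],AH
0125 6C DB 6C
0126 65 DB 65
0127 206973 AND [BX+DI+73],CH
012A 20636F AND [BP+DI+6F],AH
"""

LINE = re.compile(r"^(?:[0-9A-F]{4}:)?([0-9A-F]{4})\s+((?:[0-9A-F]{2})+)\s+(.+)$")
RUN = rb"[\x20-\x7e]{%d,}"  # printable ASCII run of at least min_len bytes

def parse(listing):
    """Return (offset, raw_bytes, text) per U line; a 'SEG:' prefix is optional."""
    hits = (LINE.match(l.strip()) for l in listing.splitlines())
    return [(int(m[1], 16), bytes.fromhex(m[2]), m[3]) for m in hits if m]

def image(rows):  # base offset and byte image of a contiguous listing
    return rows[0][0], b"".join(raw for _, raw, _ in rows)

def blind_strings(rows, min_len=6):
    """Every printable run, wherever it starts (what a naive scan reports)."""
    base, img = image(rows)
    return [(base + m.start(), m.group().decode())
            for m in re.finditer(RUN % min_len, img)]

def referenced_strings(rows, min_len=6):
    """Printable runs starting exactly where a MOV DX,imm16 (opcode 0xBA) points."""
    base, img = image(rows)
    refs = [int.from_bytes(raw[1:], "little") - base
            for _, raw, _ in rows if len(raw) == 3 and raw[0] == 0xBA]
    hits = [(r, re.match(RUN % min_len, img[r:])) for r in refs if 0 <= r < len(img)]
    return [(base + r, m.group().decode()) for r, m in hits if m]

if __name__ == "__main__":
    print("blind scan:", blind_strings(parse(LISTING)))
    print("via MOV DX:", referenced_strings(parse(LISTING)))
```

On the quoted listing the blind scan reports `!Packed file is co` at 011B, gluing the `21` of `INT 21` onto the text, while following the `MOV DX,011C` reference gives `Packed file is co` at 011C.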
#3
On Mon, 28 Jul 2008 18:03:37 -0700 (PDT), Terence <spamtrap@crayne.org> wrote:

>Based on postings and responses to others, I wondered about finally
>fixing the problems that irked me about MS Debug.exe not including a
>function to trace out code vs data and allow simple dumping of
>assembly code. And this is an itch of some 20 odd years! But now I
>have more time (huh!).
>
> So I set out to disassemble Debug.exe to add a full listing ability.
>
>What surprised me was that NONE of my fairly-useful disassemblers
>(BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!
>
> Bubble managed to give me a page by page list, but it was pretty much
>the same as using debug itself; (the tedium!), the rest simply bombed
>out! Yes, really!
>
>All of these tools are extremely difficult to use anyway.
>Usually there are two requirements when using a disassembler:-
>
>a) step through code to find a problem and hence a solution.
>b) disassemble everything to study principles, suitable insert points
>for additional services,
>change nature of functions, all usually to make a better tool.
>
>What do the readers suggest in either category, (but especially "b")?

No disassembler is going to do that very well. (Unless you are on a system where the code and data are totally separate.)

It took me YEARS to disassemble a 64k program well enough to be able to reassemble it and get a working result. (not full time, though)

I use Sourcer, and it takes many passes of analyzing the listing, applying corrections, and rerunning.

The free version of IDA should work about as well, but I haven't used it much.

--
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html
To reply by email, remove the extra stuff from the reply address.

#4
There's FreeDOS DEBUG, which is open source (NASM) and which can decode/encode 386 instructions:

http://www.japheth.de/debxxf.html

#5
I used to use Sourcer a lot, but it has been a long time. Is it still around? I know the company sold out and I still wonder if those products are still supported and maintained.

On Mon, 28 Jul 2008 23:40:05 -0500, ArarghMail807NOSPAM <spamtrap@crayne.org> wrote:

>On Mon, 28 Jul 2008 18:03:37 -0700 (PDT), Terence
><spamtrap@crayne.org> wrote:
>
>>Based on postings and responses to others, I wondered about finally
>>fixing the problems that irked me about MS Debug.exe not including a
>>function to trace out code vs data and allow simple dumping of
>>assembly code. And this is an itch of some 20 odd years! But now I
>>have more time (huh!).
>>
>> So I set out to disassemble Debug.exe to add a full listing ability.
>>
>>What surprised me was that NONE of my fairly-useful disassemblers
>>(BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!
>>
>> Bubble managed to give me a page by page list, but it was pretty much
>>the same as using debug itself; (the tedium!), the rest simply bombed
>>out! Yes, really!
>>
>>All of these tools are extremely difficult to use anyway.
>>Usually there are two requirements when using a disassembler:-
>>
>>a) step through code to find a problem and hence a solution.
>>b) disassemble everything to study principles, suitable insert points
>>for additional services,
>>change nature of functions, all usually to make a better tool.
>>
>>What do the readers suggest in either category, (but especially "b")?
>
>No disassembler is going to do that very well. (Unless you are on a
>system where the code and data are totally separate.)
>
>It took me YEARS to disassemble a 64k program well enough to be able
>to reassemble it and get a working result. (not full time, though)
>
>I use Sourcer, and it takes many passes of analyzing the listing,
>applying corrections, and rerunning.
>
>The free version of IDA should work about as well, but I haven't used
>it much.

#6
On Mon, 28 Jul 2008 23:53:18 -0700, dave <spamtrap@crayne.org> wrote:

>I used to use Sourcer a lot, but it has been a long time. Is it still
>around? I know the company sold out and I still wonder if those
>products are still supported and maintained.

No, Sourcer appears to not be available anymore. The old http://www.v-com.com/ now points to http://www.avanquest.com/USA/vcom/ and I didn't find it there. Didn't look real hard, though. :-) And, using their search for 'Sourcer' returns nothing.

Which means no support for users who bought it, and now have a problem. :-)

I am pretty sure it's gone. Except, of course, I still have my copies. From version 1.87 thru 7.00, and a cracked copy of 8.00 that I found out on the web. AFAICT, 8 has nothing new over 7.

After v-com was sold, I emailed Frank, the previous owner, to ask about Sourcer. He said he no longer had any of it. It all went to the new owner. (I had wanted to port it to a win32 console program, because I got tired of it running out of memory on some larger programs and because I wanted to fix some other things.)

--
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html
To reply by email, remove the extra stuff from the reply address.

#7
On Mon, 28 Jul 2008 23:17:54 -0400, "Jim Carlock" <spamtrap@crayne.org> wrote:

<snip>

>Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does
>not allow one to encode in 32-bit.

Debug.exe doesn't support any code later than 8086, AFAIK. You can't even use shifts by a constant other than 1.

Best regards,

Bob Masta

DAQARTA v4.00
Data AcQuisition And Real-Time Analysis
www.daqarta.com
Scope, Spectrum, Spectrogram, Sound Level Meter
FREE Signal Generator
Science with your sound card!

#8
Jim Carlock wrote:

> 1) It's not a PE file, it's a 16-bit DOS executable.
> 2) When you start it up debug.exe on any NT machine, a version of ntvdm.exe
> starts up, which in turn runs the application (debug.exe).
> 3) You might want to copy it to another folder, rename it as debug.com and
> try to run it. It runs and it starts up the ntvdm.exe program in which
> it runs inside of. And the ntvdm.exe that started up then does not shut
> itself down until you exit the cmd.exe prompt.
>
> I scanned it with PEID, which told me that it's a DOS executable, not a PE.
>
> OllyDbg warns that the application is not a 32-bit Portable Executable and
> asks if you'd like to load it.
>
> Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does
> not allow one to encode in 32-bit. And that's why grdb.exe came around, or
> so I've heard.
>
> Tapping on the ? question mark once inside of debug.exe identifies that it
> is capable of working with expanded memory.
>
> allocate expanded memory XA [#pages]
> deallocate expanded memory XD [handle]
> map expanded memory pages XM [Lpage] [Ppage] [handle]
> display expanded memory status XS
>
> -XS
> EMS not installed
>
> And I've not messed with expanded memory at all in the last 8 years
> (or so I believe).
>
> You may need to open a command.com prompt, then run debug.exe inside
> of that prompt. I'm pretty sure command.com reads from an autoexec.nt
> and a config.nt file, so if you wanted to load an expanded memory
> manager, you'd might need to go about it in that manner. I don't ever
> recall messing with expanded memory on Windows 2000/XP.
>
> Inside the cmd.exe prompt you can type the following to get around the
> page by page viewing.
>
> debug.exe debug.exe >> debug.txt
> U 10 1000
> Q
>
> Note: You will not see what you type, but the commands get executed
> and you will end up with a big file named debug.txt.
>

I EXPECT it to be a 16-bit executable; I'm not interested in any other kind!

I program in 16 bits for DOS systems and emulations. And I'm using both CMD.exe and command.exe on a Windows 2000 system to do the work, just in case a difference showed up.

Oh, I know about using debug.exe itself, but that's self-flagellation. I wanted to use something better because the end-point is SUPPOSED to be something better!

I was wrong on one point. It was GRDB that did something, and BUBBLE that was a bomber.

I just want to list the code of debug.exe then fix it and reassemble and have a better tool, unless someone has already done this, but my searches found no clues.

#9
ArarghMail807NOSPAM wrote:

> No disassembler is going to do that very well. (Unless you are on a
> system where the code and data are totally separate.)
>
> It took me YEARS to disassemble a 64k program well enough to be able
> to reassemble it and get a working result. (not full time, though)
>
> I use Sourcer, and it takes many passes of analyzing the listing,
> applying corrections, and rerunning.
>
> The free version of IDA should work about as well, but I haven't used
> it much.
> --

Oh, I've quite quickly fixed a few programs, more usually in the under 64k area, but it isn't hard (rather wasn't; I'm sure I once had better tools; especially finding and passing text areas).

I have the freeida43.exe but haven't tried that version.

I would REALLY like to find a few simple ideas on how to use GRDB properly to just load, analyse and dump code.

#10
Many Thanks, Japheth for the pointer

japheth wrote:

> There's FreeDOS DEBUG, which is open source (NASM) and which can
> decode/encode 386 instructions:
>
> http://www.japheth.de/debxxf.html