disassembly of Debug.exe?

Based on postings and responses to others, I wondered about finally
fixing the problems that irked me about MS Debug.exe not including a
function to trace out code vs data and allow simple dumping of
assembly code. And this is an itch of some 20 odd years! But now I
have more time (huh!).

So I set out to disassemble Debug.exe to add a full listing ability.

What surprised me was that NONE of my fairly-useful disassemblers
(BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!

 Bubble managed to give me a page by page list, but it was pretty much
the same as using debug itself; (the tedium!), the rest simply bombed
out! Yes, really!

All of these tools are extremely difficult to use anyway.
Usually there are two requirements when using a disassembler:

a) step through code to find a problem and hence a solution.
b) disassemble everything to study principles, suitable insert points
for additional services,
change nature of functions, all  usually to make a better tool.

What do the readers suggest in either category, (but especially "b")?

0
Reply Terence 7/29/2008 1:03:37 AM

"Terence" wrote...
: So I set out to disassemble Debug.exe to add a full listing ability.
:
: What surprised me was that NONE of my fairly-useful disassemblers
: (BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!

1) It's not a PE file, it's a 16-bit DOS executable.
2) When you start up debug.exe on any NT machine, a version of ntvdm.exe
   starts up, which in turn runs the application (debug.exe).
3) You might want to copy it to another folder, rename it as debug.com and
   try to run it. It runs and it starts up the ntvdm.exe program that
   it runs inside of. And the ntvdm.exe that started up then does not shut
   itself down until you exit the cmd.exe prompt.

I scanned it with PEID, which told me that it's a DOS executable, not a PE.

OllyDbg warns that the application is not a 32-bit Portable Executable and
asks if you'd like to load it.

Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does
not allow one to encode in 32-bit. And that's why grdb.exe came around, or
so I've heard.

Tapping on the ? question mark once inside of debug.exe identifies that it
is capable of working with expanded memory.

allocate expanded memory        XA [#pages]
deallocate expanded memory      XD [handle]
map expanded memory pages       XM [Lpage] [Ppage] [handle]
display expanded memory status  XS

-XS
EMS not installed

And I've not messed with expanded memory at all in the last 8 years
(or so I believe).

You may need to open a command.com prompt, then run debug.exe inside
of that prompt. I'm pretty sure command.com reads from an autoexec.nt
and a config.nt file, so if you wanted to load an expanded memory
manager, you might need to go about it in that manner. I don't ever
recall messing with expanded memory on Windows 2000/XP.

Inside the cmd.exe prompt you can type the following to get around the
page by page viewing.

debug.exe debug.exe >> debug.txt
U 10 1000
Q

Note: You will not see what you type, but the commands get executed
and you will end up with a big file named debug.txt.

I don't know if that helps anything. Good luck.

-- 
Jim Carlock

08/23/2001  08:00 AM            20,634 debug.exe
c17afa0aad78c621f818dd6729572c48 *debug.exe

debug.exe debug.exe >> debug.txt
-u 10 1000

0010 8BE8          MOV BP,AX
0012 8CC0          MOV AX,ES
0014 051000        ADD AX,0010
0017 0E            PUSH CS
0018 1F            POP DS
0019 A30400        MOV [0004],AX
001C 03060C00      ADD AX,[000C]
0020 8EC0          MOV ES,AX
0022 8B0E0600      MOV CX,[0006]
0026 8BF9          MOV DI,CX
0028 4F            DEC DI
0029 8BF7          MOV SI,DI
002B FD            STD
002C F3            REPZ
002D A4            MOVSB
002E 50            PUSH AX
002F B83400        MOV AX,0034
0032 50            PUSH AX
0033 CB            RETF
0034 8CC3          MOV BX,ES
0036 8CD8          MOV AX,DS
0038 48            DEC AX
0039 8ED8          MOV DS,AX
003B 8EC0          MOV ES,AX
003D BF0F00        MOV DI,000F
0040 B91000        MOV CX,0010
0043 B0FF          MOV AL,FF
0045 F3            REPZ
0046 AE            SCASB
0047 47            INC DI
0048 8BF7          MOV SI,DI
004A 8BC3          MOV AX,BX
004C 48            DEC AX
004D 8EC0          MOV ES,AX
004F BF0F00        MOV DI,000F
0052 B104          MOV CL,04
0054 8BC6          MOV AX,SI
0056 F7D0          NOT AX
0058 D3E8          SHR AX,CL
005A 8CDA          MOV DX,DS
005C 2BD0          SUB DX,AX
005E 7304          JNB 0064
0060 8CD8          MOV AX,DS
0062 2BD2          SUB DX,DX
0064 D3E0          SHL AX,CL
0066 03F0          ADD SI,AX
0068 8EDA          MOV DS,DX
006A 8BC7          MOV AX,DI
006C F7D0          NOT AX
006E D3E8          SHR AX,CL
0070 8CC2          MOV DX,ES
0072 2BD0          SUB DX,AX
0074 7304          JNB 007A
0076 8CC0          MOV AX,ES
0078 2BD2          SUB DX,DX
007A D3E0          SHL AX,CL
007C 03F8          ADD DI,AX
007E 8EC2          MOV ES,DX
0080 AC            LODSB
0081 8AD0          MOV DL,AL
0083 4E            DEC SI
0084 AD            LODSW
0085 8BC8          MOV CX,AX
0087 46            INC SI
0088 8AC2          MOV AL,DL
008A 24FE          AND AL,FE
008C 3CB0          CMP AL,B0
008E 7505          JNZ 0095
0090 AC            LODSB
0091 F3            REPZ
0092 AA            STOSB
0093 EB06          JMP 009B
0095 3CB2          CMP AL,B2
0097 756D          JNZ 0106
0099 F3            REPZ
009A A4            MOVSB
009B 8AC2          MOV AL,DL
009D A801          TEST AL,01
009F 74B1          JZ 0052
00A1 BE3201        MOV SI,0132
00A4 0E            PUSH CS
00A5 1F            POP DS
00A6 8B1E0400      MOV BX,[0004]
00AA FC            CLD
00AB 33D2          XOR DX,DX
00AD AD            LODSW
00AE 8BC8          MOV CX,AX
00B0 E313          JCXZ 00C5
00B2 8BC2          MOV AX,DX
00B4 03C3          ADD AX,BX
00B6 8EC0          MOV ES,AX
00B8 AD            LODSW
00B9 8BF8          MOV DI,AX
00BB 83FFFF        CMP DI,-01
00BE 7411          JZ 00D1
00C0 26            ES:
00C1 011D          ADD [DI],BX
00C3 E2F3          LOOP 00B8
00C5 81FA00F0      CMP DX,F000
00C9 7416          JZ 00E1
00CB 81C20010      ADD DX,1000
00CF EBDC          JMP 00AD
00D1 8CC0          MOV AX,ES
00D3 40            INC AX
00D4 8EC0          MOV ES,AX
00D6 83EF10        SUB DI,+10
00D9 26            ES:
00DA 011D          ADD [DI],BX
00DC 48            DEC AX
00DD 8EC0          MOV ES,AX
00DF EBE2          JMP 00C3
00E1 8BC3          MOV AX,BX
00E3 8B3E0800      MOV DI,[0008]
00E7 8B360A00      MOV SI,[000A]
00EB 03F0          ADD SI,AX
00ED 01060200      ADD [0002],AX
00F1 2D1000        SUB AX,0010
00F4 8ED8          MOV DS,AX
00F6 8EC0          MOV ES,AX
00F8 BB0000        MOV BX,0000
00FB FA            CLI
00FC 8ED6          MOV SS,SI
00FE 8BE7          MOV SP,DI
0100 FB            STI
0101 8BC5          MOV AX,BP
0103 2E            CS:
0104 FF2F          JMP FAR [BX]
0106 B440          MOV AH,40
0108 BB0200        MOV BX,0002
010B B91600        MOV CX,0016
010E 8CCA          MOV DX,CS
0110 8EDA          MOV DS,DX
0112 BA1C01        MOV DX,011C
0115 CD21          INT 21
0117 B8FF4C        MOV AX,4CFF
011A CD21          INT 21
011C 50            PUSH AX
011D 61            DB 61
011E 63            DB 63
011F 6B            DB 6B
0120 65            DB 65
0121 64            DB 64
0122 206669        AND [BP+69],AH
0125 6C            DB 6C
0126 65            DB 65
0127 206973        AND [BX+DI+73],CH
012A 20636F        AND [BP+DI+6F],AH
Q

0
Reply Jim 7/29/2008 3:17:54 AM
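
The distinction described in the post above (a 16-bit DOS executable rather than a PE) can be read straight from the file header. This is an added example, not part of any post in this thread: `classify_exe` and the two sample builders are hypothetical names, and both inputs are constructed, not taken from debug.exe.

```python
import struct

def classify_exe(data):
    """Tell a plain 16-bit DOS MZ file from a PE/NE file by its headers."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return {"kind": "not MZ"}
    # Thirteen 16-bit header fields follow the 2-byte signature.
    (cblp, cp, crlc, cparhdr, _min, _max, _ss, _sp,
     _csum, ip, cs, _lfarlc, _ovno) = struct.unpack_from("<13H", data, 2)
    header = cparhdr * 16                      # header size is in paragraphs
    # Size the header declares: cp pages of 512 bytes, the last holding cblp bytes.
    declared = cp * 512 - ((512 - cblp) if cblp else 0)
    info = {
        "kind": "16-bit DOS MZ",
        "entry": "%04X:%04X" % (cs, ip),
        # CS:IP is relative to the load image, which starts after the header,
        # so a hex dump of the file and a debugger view use different offsets.
        "entry_file_offset": header + ((cs * 16 + ip) & 0xFFFFF),
        "relocations": crlc,
        # Bytes present in the file beyond what the header declares.
        "appended_bytes": max(0, len(data) - declared),
    }
    # Windows executables keep the MZ header as a stub; the dword at 0x3C
    # points to the second header. In a plain DOS file it is arbitrary data.
    if len(data) >= 0x40:
        (lfanew,) = struct.unpack_from("<I", data, 0x3C)
        sig = data[lfanew:lfanew + 4]
        if sig == b"PE\0\0":
            info["kind"] = "PE"
        elif sig[:2] == b"NE":
            info["kind"] = "NE"
    return info

def make_dos_sample():
    """Constructed: 32-byte header, 96-byte image, 20 bytes glued on the end."""
    hdr = b"MZ" + struct.pack("<13H", 128, 1, 0, 2, 0, 0xFFFF,
                              0, 0x80, 0, 0x10, 1, 0x1C, 0)
    return hdr.ljust(32, b"\0") + b"\x90" * 96 + b"constructed strings!"

def make_pe_sample():
    """Constructed: MZ stub whose 0x3C field points at a PE signature."""
    hdr = b"MZ" + struct.pack("<13H", 0x90, 3, 0, 4, 0, 0xFFFF,
                              0, 0xB8, 0, 0, 0, 0x40, 0)
    return hdr.ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    for name, blob in (("dos", make_dos_sample()), ("pe", make_pe_sample())):
        print(name, classify_exe(blob))
```
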


On Mon, 28 Jul 2008 18:03:37 -0700 (PDT), Terence
<spamtrap@crayne.org> wrote:

>Based on postings and responses to others, I wondered about finally
>fixing the problems that irked me about MS Debug.exe not including a
>function to trace out code vs data and allow simple dumping of
>assembly code. And this is an itch of some 20 odd years! But now I
>have more time (huh!).
>
> So I set out to disassemble Debug.exe to add a full listing ability.
>
>What surprised me was that NONE of my fairly-useful disassemblers
>(BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!
>
> Bubble managed to give me a page by page list, but it was pretty much
>the same as using debug itself; (the tedium!), the rest simply bombed
>out! Yes, really!
>
>All of these tools are extremely difficult to use anyway.
>Usually there are two requirements when using a disassembler:
>
>a) step through code to find a problem and hence a solution.
>b) disassemble everything to study principles, suitable insert points
>for additional services,
>change nature of functions, all  usually to make a better tool.
>
>What do the readers suggest in either category, (but especially "b")?

No disassembler is going to do that very well.  (Unless you are on a
system where the code and data are totally separate.)

It took me YEARS to disassemble a 64k program well enough to be able
to reassemble it and get a working result.  (not full time, though)

I use Sourcer, and it takes many passes of analyzing the listing,
applying corrections, and rerunning.

The free version of IDA should work about as well, but I haven't used
it much.
-- 
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.

0
Reply ArarghMail807NOSPAM 7/29/2008 4:40:05 AM

There's FreeDOS DEBUG, which is open source (NASM) and which can
decode/encode 386 instructions:

http://www.japheth.de/debxxf.html

0
Reply japheth 7/29/2008 5:08:07 AM

I used to use Sourcer a lot, but it has been a long time.  Is it still
around?  I know the company sold out and I still wonder if those
products are still supported and maintained.

On Mon, 28 Jul 2008 23:40:05 -0500, ArarghMail807NOSPAM
<spamtrap@crayne.org> wrote:

>On Mon, 28 Jul 2008 18:03:37 -0700 (PDT), Terence
><spamtrap@crayne.org> wrote:
>
>>Based on postings and responses to others, I wondered about finally
>>fixing the problems that irked me about MS Debug.exe not including a
>>function to trace out code vs data and allow simple dumping of
>>assembly code. And this is an itch of some 20 odd years! But now I
>>have more time (huh!).
>>
>> So I set out to disassemble Debug.exe to add a full listing ability.
>>
>>What surprised me was that NONE of my fairly-useful disassemblers
>>(BUBBLE, DASM, DIS86, GRDB, IDA, SICETOOL) would succeed!
>>
>> Bubble managed to give me a page by page list, but it was pretty much
>>the same as using debug itself; (the tedium!), the rest simply bombed
>>out! Yes, really!
>>
>>All of these tools are extremely difficult to use anyway.
>>Usually there are two requirements when using a disassembler:
>>
>>a) step through code to find a problem and hence a solution.
>>b) disassemble everything to study principles, suitable insert points
>>for additional services,
>>change nature of functions, all  usually to make a better tool.
>>
>>What do the readers suggest in either category, (but especially "b")?
>
>No disassembler is going to do that very well.  (Unless you are on a
>system where the code and data are totally separate.)
>
>It took me YEARS to disassemble a 64k program well enough to be able
>to reassemble it and get a working result.  (not full time, though)
>
>I use Sourcer, and it takes many passes of analyzing the listing,
>applying corrections, and rerunning.
>
>The free version of IDA should work about as well, but I haven't used
>it much.

0
Reply dave 7/29/2008 6:53:18 AM

On Mon, 28 Jul 2008 23:53:18 -0700, dave <spamtrap@crayne.org> wrote:

>I used to use Sourcer a lot, but it has been a long time.  Is it still
>around?  I know the company sold out and I still wonder if those
>products are still supported and maintained.

No, Sourcer appears to not be available anymore.

The old http://www.v-com.com/ now points to
http://www.avanquest.com/USA/vcom/ and I didn't find it there.  Didn't
look real hard, though.  :-)

And, using their search for 'Sourcer' returns nothing.  Which means no
support for users who bought it, and now have a problem.  :-)

I am pretty sure it's gone.  Except, of course, I still have my
copies.  From version 1.87 thru 7.00, and a cracked copy of 8.00 that
I found out on the web.  AFAICT, 8 has nothing new over 7.

After v-com was sold, I emailed Frank, the previous owner, to ask
about Sourcer.  He said he no longer had any of it.  It all went to
the new owner.  (I had wanted to port it to a win32 console program,
because I got tired of it running out of memory on some larger
programs and because I wanted to fix some other things.)
-- 
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.

0
Reply ArarghMail807NOSPAM 7/29/2008 9:09:03 AM

On Mon, 28 Jul 2008 23:17:54 -0400, "Jim Carlock"
<spamtrap@crayne.org> wrote:

<snip>
>Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does
>not allow one to encode in 32-bit. 

Debug.exe doesn't support any code later than 8086, AFAIK.
You can't even use shifts by a constant other than 1.

Best regards,


Bob Masta
 
              DAQARTA  v4.00
   Data AcQuisition And Real-Time Analysis
             www.daqarta.com
Scope, Spectrum, Spectrogram, Sound Level Meter
           FREE Signal Generator
        Science with your sound card!

0
Reply NoSpam 7/29/2008 11:51:32 AM

Jim Carlock wrote:

> 1) It's not a PE file, it's a 16-bit DOS executable.
> 2) When you start up debug.exe on any NT machine, a version of ntvdm.exe
>    starts up, which in turn runs the application (debug.exe).
> 3) You might want to copy it to another folder, rename it as debug.com and
>    try to run it. It runs and it starts up the ntvdm.exe program that
>    it runs inside of. And the ntvdm.exe that started up then does not shut
>    itself down until you exit the cmd.exe prompt.
>
> I scanned it with PEID, which told me that it's a DOS executable, not a PE.
>
> OllyDbg warns that the application is not a 32-bit Portable Executable and
> asks if you'd like to load it.
>
> Debug.exe may NOT support any 32-bit mnemonics at all. It certainly does
> not allow one to encode in 32-bit. And that's why grdb.exe came around, or
> so I've heard.
>
> Tapping on the ? question mark once inside of debug.exe identifies that it
> is capable of working with expanded memory.
>
> allocate expanded memory        XA [#pages]
> deallocate expanded memory      XD [handle]
> map expanded memory pages       XM [Lpage] [Ppage] [handle]
> display expanded memory status  XS
>
> -XS
> EMS not installed
>
> And I've not messed with expanded memory at all in the last 8 years
> (or so I believe).
>
> You may need to open a command.com prompt, then run debug.exe inside
> of that prompt. I'm pretty sure command.com reads from an autoexec.nt
> and a config.nt file, so if you wanted to load an expanded memory
> manager, you might need to go about it in that manner. I don't ever
> recall messing with expanded memory on Windows 2000/XP.
>
> Inside the cmd.exe prompt you can type the following to get around the
> page by page viewing.
>
> debug.exe debug.exe >> debug.txt
> U 10 1000
> Q
>
> Note: You will not see what you type, but the commands get executed
> and you will end up with a big file named debug.txt.
>

I EXPECT it to be a 16-bit executable; I'm not interested in any other
kind!
I program in 16 bits for DOS systems and emulations.
And I'm using both CMD.exe and command.exe on a Windows 2000 system
to do the work, just in case a difference showed up.

Oh, I know about using debug.exe itself, but that's self-flagellation.
I wanted to use something better because the end-point is SUPPOSED to
be something better!

I was wrong on one point. It was GRDB that did something, and BUBBLE
that was a bomber.
I just want to list the code of debug.exe then fix it and reassemble
and have a better tool, unless someone has already done this, but my
searches found no clues.

0
Reply Terence 7/29/2008 11:47:58 PM

ArarghMail807NOSPAM wrote:

> No disassembler is going to do that very well.  (Unless you are on a
> system where the code and data are totally separate.)
>
> It took me YEARS to disassemble a 64k program well enough to be able
> to reassemble it and get a working result.  (not full time, though)
>
> I use Sourcer, and it takes many passes of analyzing the listing,
> applying corrections, and rerunning.
>
> The free version of IDA should work about as well, but I haven't used
> it much.
> --

Oh, I've quite quickly fixed a few programs, more usually in the under
64k area, but it isn't hard (rather wasn't; I'm sure I once had better
tools; especially finding and passing text areas).
I have the freeida43.exe but haven't tried that version.
I would REALLY like to find a few simple ideas on how to use GRDB
properly to just load, analyse and dump code.

0
Reply Terence 7/29/2008 11:59:31 PM

Many Thanks, Japheth for the pointer

japheth wrote:
> There's FreeDOS DEBUG, which is open source (NASM) and which can
> decode/encode 386 instructions:
>
> http://www.japheth.de/debxxf.html

0
Reply Terence 7/30/2008 12:04:23 AM


ArarghMail807NOSPAM wrote:
> >I used to use Sourcer a lot, but it has been a long time.  Is it still
> >around?  I know the company sold out and I still wonder if those
> >products are still supported and maintained.
>
> No, Sourcer appears to not be available anymore.

> I am pretty sure it's gone.  Except, of course, I still have my
> copies.  From version 1.87 thru 7.00, and a cracked copy of 8.00 that
> I found out on the web.  AFAICT, 8 has nothing new over 7.

I located a sourcer_8.zip (2/02/2007) if anyone's interested

0
Reply Terence 7/30/2008 12:29:26 AM

"japheth" <spamtrap@crayne.org> wrote in message
news:d80bd6db-5295-4d1d-b1b9-35c42a132752@b1g2000hsg.googlegroups.com...
> There's FreeDOS DEBUG, which is open source (NASM) and which can
> decode/encode 386 instructions:
>
> http://www.japheth.de/debxxf.html
>

Posted this link back in January.  It might be worth a look.
http://www.modest-proposals.com/Furball.htm

He has (different) source for the Linux and DOS debug versions.


Rod Pemberton

0
Reply Rod 7/30/2008 7:14:51 AM

> Posted this link back in January.  It might be worth a look. http://www.modest-proposals.com/Furball.htm
>
> He has (different) source for the Linux and DOS debug versions.

Thanks! I wasn't aware of this tool. Perhaps it has some ideas
implemented which can be stolen ...

0
Reply japheth 7/30/2008 9:30:43 AM

Terence wrote:
> 
> ArarghMail807NOSPAM wrote:
>>> I used to use Sourcer a lot, but it has been a long time.  Is it still
>>> around?  I know the company sold out and I still wonder if those
>>> products are still supported and maintained.
>> No, Sourcer appears to not be available anymore.
> 
>> I am pretty sure it's gone.  Except, of course, I still have my
>> copies.  From version 1.87 thru 7.00, and a cracked copy of 8.00 that
>> I found out on the web.  AFAICT, 8 has nothing new over 7.
> 
> I located a sourcer_8.zip (2/02/2007) if anyone's interested
> 
Where pray tell?

0
Reply Richard 7/31/2008 9:19:01 AM

On Thu, 31 Jul 2008 09:19:01 GMT, Richard Brady  <spamtrap@crayne.org>
wrote:

>Terence wrote:
>> 
<snip>
>> I located a sourcer_8.zip (2/02/2007) if anyone's interested
>> 
>Where pray tell?

Google is your friend. :-)
-- 
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.

0
Reply ArarghMail807NOSPAM 7/31/2008 12:13:35 PM

Richard Brady wrote:

> Where pray tell?
I tried to repeat what I did before using Google, (28/7/2008) and
couldn't get the site to work again, (but I did find my own posting as
a hit!).
But I DID actually download it at the time, so I can send it to those
interested.
It's 1,358Kb, dated 2/2/2007.

0
Reply Terence 7/31/2008 1:54:13 PM

Strange. I have a nice  bin to hex and ascii dump program, and a
FM.com which does binary/hex screen displays. Both show the same code
for debug.exe.
But debug itself working on itself shows something utterly different,
with no ascii text in the given code (and there are wads of it to
handle the /? parameter).

So debug doesn't work on itself!

0
Reply Terence 7/31/2008 1:59:29 PM

Hello Terence,

> So debug doesn't work on itself!

It does.  It's just that *you* must supply the brains (and interpret what the
code is doing), as Debug itself is as dumb as sh*t. :-)

The problem is that all the text is glued to the end of the original
executable.  As far as I can see that was done to create a single
executable, and then add a "pack" containing strings for a specific
language to it.

I did a partial disassembly myself, so I could write a wrapper adding some
functionality to the program (like being able to disassemble for 486 too).

Regards,
  Rudy Wieser


Terence <spamtrap@crayne.org> wrote in news message
52a16072-1a7b-449f-99e2-5927d086e43e@r15g2000prd.googlegroups.com...
> Strange. I have a nice  bin to hex and ascii dump program, and a
> FM.com which does binary/hex screen displays. Both show the same code
> for debug.exe.
> But debug itself working on itself shows something utterly different,
> with no ascii text in the given code (and there are wads of it to
> handle the /? parameter).
>
> So debug doesn't work on itself!


0
Reply R 7/31/2008 5:03:04 PM

On Thu, 31 Jul 2008 06:59:29 -0700 (PDT), Terence
<spamtrap@crayne.org> wrote:

>Strange. I have a nice  bin to hex and ascii dump program, and a
>FM.com which does binary/hex screen displays. Both show the same code
>for debug.exe.
>But debug itself working on itself shows something utterly different,
>with no ascii text in the given code (and there are wads of it to
>handle the /? parameter).
>
>So debug doesn't work on itself!
Well, the Win98 debug is a packed file.  So, you would have to step
thru the unpack process to see much of anything useful.  

Strange -- I manually unpacked it, and a lot of the strings in the
front of the file disappeared.

A long time ago, back around dos 3.2, I used debug to disassemble
itself.  Hmmm, still have the file, from 1991.  Ugly.  :-)
-- 
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.

0
Reply ArarghMail807NOSPAM 7/31/2008 7:43:44 PM
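
As an illustration of the code-versus-data problem discussed in this thread, the sketch below (added here, not written by any poster) rebuilds the bytes from the tail of the `U 10 1000` listing quoted earlier and recovers the text that debug rendered as instructions. The function names are hypothetical, and treating 16-bit operands as possible data pointers is a heuristic assumed for this example.

```python
import re

# Tail of the "U 10 1000" listing quoted in this thread, copied from the page.
LISTING = """\
010B B91600        MOV CX,0016
010E 8CCA          MOV DX,CS
0110 8EDA          MOV DS,DX
0112 BA1C01        MOV DX,011C
0115 CD21          INT 21
0117 B8FF4C        MOV AX,4CFF
011A CD21          INT 21
011C 50            PUSH AX
011D 61            DB 61
011E 63            DB 63
011F 6B            DB 6B
0120 65            DB 65
0121 64            DB 64
0122 206669        AND [BP+69],AH
0125 6C            DB 6C
0126 65            DB 65
0127 206973        AND [BX+DI+73],CH
012A 20636F        AND [BP+DI+6F],AH
"""

# Optional "SSSS:" segment prefix, offset, hex bytes, mnemonic text.
ROW = re.compile(r"^(?:[0-9A-F]{4}:)?([0-9A-F]{4})\s+((?:[0-9A-F]{2})+)\s+(.+)$")
WORD = re.compile(r"\b[0-9A-F]{4}\b")

def parse_listing(text):
    """Split each listing line into (offset, raw bytes, mnemonic text)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return rows

def find_text(rows, min_len=6):
    """Return [(start, text, mnemonics)] for printable runs hidden in the listing."""
    # Heuristic: any 16-bit operand in the listing may be a pointer to data.
    refs = {int(w, 16) for _, _, asm in rows for w in WORD.findall(asm)}
    cells = [(off + i, b, n) for n, (off, raw, _) in enumerate(rows)
             for i, b in enumerate(raw)]
    found, run = [], []
    for off, b, n in cells + [(-1, 0, -1)]:        # sentinel flushes the last run
        printable = 0x20 <= b < 0x7F
        if printable and (not run or off == run[-1][0] + 1):
            run.append((off, b, n))
            continue
        # A referenced offset inside the run marks where the data really starts,
        # which drops stray printable opcode bytes in front of it.
        starts = [i for i, c in enumerate(run) if c[0] in refs]
        if starts:
            run = run[starts[0]:]
        if len(run) >= min_len:
            lines = sorted({c[2] for c in run})
            found.append((run[0][0], bytes(c[1] for c in run).decode("ascii"),
                          [rows[i][2] for i in lines]))
        run = [(off, b, n)] if printable else []
    return found

if __name__ == "__main__":
    for start, text, asm in find_text(parse_listing(LISTING)):
        print("%04X %r was listed as: %s" % (start, text, "; ".join(asm)))
```
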

On Thu, 31 Jul 2008 06:54:13 -0700 (PDT), Terence
<spamtrap@crayne.org> wrote:

>Richard Brady wrote:
>
>> Where pray tell?
>I tried to repeat what I did before using Google, (28/7/2008) and
>couldn't get the site to work again, (but I did find my own posting as
>a hit!).
>But I DID actually download it at the time, so I can send it to those
>interested.
>It's 1,358Kb, dated 2/2/2007.
I just tried it again, and it works.  But, I didn't bother to download
it again.  The zip appears to contain the original installation files
as they came from v-com.
-- 
ArarghMail807 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html

To reply by email, remove the extra stuff from the reply address.

0
Reply ArarghMail807NOSPAM 7/31/2008 8:53:11 PM
