Topic created on: June 25, 2009 20:43 CDT by benington.
I'm disassembling a DJGPP 16bit executable using the Binary file option, because I couldn't get IDA Pro to parse the file structure correctly. Is it possible to get the Debugger to work with the binary file? I did explore the ida-x86emu plugin as well. But it didn't work out. Any help is appreciated.
There should be two ways to debug the file if I am right:
1. Use the Bochs debugger plugin
2. get the debugger plugin that talks to DOSBox (3rd party plugin, announced on the IDA board)
greetings,
dennis
|
Those might work. But the problem is that the Debugger option is not available when I parse a Binary/Raw file. Is there any way to re-analyze the file after I specify the actual entry point, and bring up the Debugger option?
Thanks.
Alex
|
probably something you should ask the hexrays guys. the bochs debugger works perfectly on files that are loaded with the "binary" option here.
|
benington
> I'm disassembling a DJGPP 16bit executable
> using the Binary file option, because I couldn't get
> IDA Pro to parse the file structure correctly.
I'm pretty familiar with DJGPP and had no problem with IDA-Pro 4.7
as far as I understand you talk about 16bit MS-DOS executable, so it's probably COFF (X386MAGIC). IDA should recognize it automatically.
there should be a 16bit MS-DOS stub, working in real mode and switching to 32bit PM via DPMI. anyway, it's easy to recognize whether it is a 16 or 32 bit segment, using HIEW. if the code makes no sense - just switch the mode.
using "binary mode" is a very bad idea, because the most "delicious" features of IDA are not available in binary. if it's not a secret - could I take a look? I mean: could you send me the file? maybe it will help me to help you :)
> Is it possible to get the Debugger to work with the binary file?
do you mean IDA-Pro debugger? um, I don't think so.
> I did explore the ida-x86emu plugin as well. But it didn't work out.
of course it does not. it's only for win32 and small code snippets. you probably want to debug the code interacting with DPMI host, right? the only way - to use native MS-DOS debugger, like Turbo Debugger. personally, I dislike Turbo Debugger - for me BOCHSDBG works great. just put L1: JMP L1 where you want to stop, patching the program with HIEW or HTE, put the program on the disk image, feed it to BOCHSDBG, type "c" (continue) in the dbg, run the program, switch to BOCHSDBG screen and press <ctrl-break>. now you can trace it step-by-step or do something else.
it's possible to load code snippets into BOCHSDBG IDA-Pro plug-in, but it does not support 16bit mode, so you can debug only 32bit pieces of code.
> But the problem is that the Debugger option is not available
> when I parse a Binary/Raw file
I checked IDA-Pro 5.5 - BOCHSDBG Plug-in is available.
I checked IDA-Pro 5.3 - the debugger is not available, because it uses win32 API, supporting only win32 programs. so, guess, you have IDA Pro 5.3 version or earlier and I would recommend you to use "native" BOCHSDBG w/o IDA. it does not look good (kind of GDB), but there are a lot of graphical front ends for it.
|
Hi all, thanks for the suggestions. The binary contains a COFF object embedded inside the PE file. I think that's what messes IDA Pro up a little bit. I can probably work around by having 2 databases, 1 for the PE part, and the other for COFF.
Instead of using emulators, I'm just using DOS Debug to execute natively. Not a very pretty interface, but I guess it works.
nezumi, I'm very tempted to send you the binary. However, the company policy forbids me to do so at this point. But I'm still very appreciative. And I've seen your posts about your free training for IDA Pro. I'm very impressed! Hopefully we've a chance to meet up some day. :)
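
Added example, not part of any post in this thread: one way to find where an MZ stub ends and an embedded i386 COFF image begins, so the two parts can be carved into separate files and loaded as separate IDA databases. The function names and the sample bytes are constructed for illustration; it assumes the COFF header starts exactly where the MZ header says the stub image ends, and that section file pointers are relative to the COFF header.

```python
import struct

I386MAGIC = 0x014C  # f_magic of an i386 COFF file header

def mz_image_end(data):
    """File offset where the MZ (stub) image ends, from e_cblp and e_cp."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    last_page_bytes, pages = struct.unpack_from("<HH", data, 2)
    return pages * 512 - ((512 - last_page_bytes) if last_page_bytes else 0)

def parse_coff(data, off):
    """Parse the 20-byte COFF file header at off and its 40-byte section headers."""
    if off + 20 > len(data):
        raise ValueError("file ends before COFF header")
    magic, nscns, _, _, _, opthdr, flags = struct.unpack_from("<HHIIIHH", data, off)
    if magic != I386MAGIC:
        raise ValueError("no i386 COFF magic at 0x%x" % off)
    sections, pos = [], off + 20 + opthdr
    for _ in range(nscns):
        if pos + 40 > len(data):
            raise ValueError("truncated section table")
        name, _paddr, vaddr, size, scnptr = struct.unpack_from("<8sIIII", data, pos)
        # Assumption: s_scnptr is relative to the COFF header, not the file start.
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, size, off + scnptr))
        pos += 40
    return {"coff_offset": off, "flags": flags, "sections": sections}

def split_stub_and_coff(data):
    """Return (stub_bytes, coff_bytes, info) so each part can get its own database."""
    off = mz_image_end(data)
    return data[:off], data[off:], parse_coff(data, off)

def build_sample():
    """Constructed input: a 512-byte dummy MZ stub plus a COFF with one .text section."""
    stub = (b"MZ" + struct.pack("<HH", 0, 1)).ljust(512, b"\0")
    hdr = struct.pack("<HHIIIHH", I386MAGIC, 1, 0, 0, 0, 0, 0x010F)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0, 0x1000, 4, 60, 0, 0, 0, 0, 0x20)
    return stub + hdr + sec + b"\x90\x90\x90\xc3"

if __name__ == "__main__":
    stub, coff, info = split_stub_and_coff(build_sample())
    print("stub bytes:", len(stub), "COFF at 0x%x" % info["coff_offset"])
    for name, vaddr, size, fileoff in info["sections"]:
        print("%-8s vaddr=0x%x size=%d file_off=0x%x" % (name, vaddr, size, fileoff))
```

If `parse_coff` raises at the computed offset, the file does not follow this layout and the split point has to be found another way.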