x86 asm and debug example
TRANSCRIPT
-
8/17/2019 x86 ASM and DEBUG Example
1/7
Sponsoring website: Emergency Boot CD
FIRE.com : Some MS-DEBUG Tricks
An Exercise in x86 Assembly Language
for
Advanced students and the totally Clueless!
(A free Hex Editor with an ASCII import function)
This page will eventually get around to examining a few ways that DEBUG can be
used to study x86 Assembly Language, but first I'd like to present a little illustration
which may be a bit confusing at first for some of you...
The following text is a fancy signature which I found appended to the end of a file by
someone called The Bitripper. The outline drawing of TB is rather obvious, but you might be
asking yourself, "What do the rows of letters and digits mean?" Well, as The Bitripper said (at
the end of the last line), you should "c4urself " (See for yourself !) If you already have an idea
about why The Bitripper put this (code?) here, then please go ahead and find out on your
own before reading any further!
--
B013CD1033C0BFB001B9007DF3ABBAC803EE42FEC980/~~~~~~~~\ The Bitripper
FB3C730580C304EB0880FF3C730380C7048AC3EE8AC7/' `\~~~\
EE32C0EEE2E3B1C88106AC01E9628006AC01628116AE`\ /' )
011936A1AE0133D2BB4001F7F38BF2FE8C707DE2DDBE`~~/ \~~' / Coders do it
F102BFB17EB162BA3E018A9CC0FE8A44FF03D88A4401/` ) `\ bit by bit
03D88A84400103D8C1EB02881D46474A75E246464747/ / )
E2D9BEB27EBFB201B97E3E5157F3A55E6800A007BF02(_______/ /
7D59F3A51E07B401CD16748CB80300CD10C3c4urself`.____/'
--
If you don't have the slightest idea where to begin in solving the mystery of these lines, thenhere are some helpful hints:
Since this signature file was created by an "assembly coder," we'll assume that...
Every two digits of these lines forms a Hexadecimal byte of x86 Machine code (all the letters here
are Hex digits too: A thru F; see "What is Hexadecimal?" if you need a detailed introduction to
HEXaDecimal).
1.
Although it could turn out differently later on (but I doubt it since coders are so logical ), let's drop
the phrase 'c4urself ' as having nothing to do with the assembly code (all these letters are in lowercase and most of them are NOT Hex digits anyway!)
2.
Viewing the bytes in a Hex editor or with DEBUG (as an ASCII Dump) might give us a clearer
picture as to what the lines mean.
3.
ASM and DEBUG Example http://thestarman.pcministry.com/asm/fire/Fire.html
7 26/08/2014 11:48
-
8/17/2019 x86 ASM and DEBUG Example
2/7
So, run off to your Hex editor and find out what it means... ``What's that you say? It's too
much typing; there should be a better way to do this!?'' I guess your Hex editor doesn't
support importing Hex code from an ASCII based text file!? (If you're interested in one that
does; and for free, keep reading.)
First, I'll show you a method that takes a bit longer than importing the code directly, but it
will save you from most typos and the chances are it's already installed on your computer:MS-DEBUG (from almost any version of MS-DOS up through WINDOWS 9x/NT or
whatever). To check for its presence: Try finding the file debug.exe ; normally found in
your C:\WINDOWS\COMMAND folder (9x).
[ For those of you who do NOT have DEBUG available in a DOS-Window, you can
download a hex editor with an import function here: Frhed: Free Hex Editor. ( You can also
click here: For info on using DOS-Windows.)
IF you DO have access to DEBUG, I encourage you to try learning more about it by working
through the data on this page -- even those without DEBUG should skim through this materialto see if their own conclusions about the Hex data are correct! At the end of the page I'll
describe how FRHED greatly simplifies the process of importing the hex data, if you don't
want to use DEBUG.]
OK, Let's Find Out What It Means!
Simply copy and paste the lines into a text editor such as NOTEPAD. First remove the
non-Hex characters on the right side and then the blank spaces at the left until all the lines are
flush against the left-hand margin. Now you can see that all the lines have the same length
EXCEPT for the last one... AFTER you remove the "c4urself" they should look like this:
B013CD1033C0BFB001B9007DF3ABBAC803EE42FEC980
FB3C730580C304EB0880FF3C730380C7048AC3EE8AC7
EE32C0EEE2E3B1C88106AC01E9628006AC01628116AE
011936A1AE0133D2BB4001F7F38BF2FE8C707DE2DDBE
F102BFB17EB162BA3E018A9CC0FE8A44FF03D88A4401
03D88A84400103D8C1EB02881D46474A75E246464747E2D9BEB27EBFB201B97E3E5157F3A55E6800A007BF02
7D59F3A51E07B401CD16748CB80300CD10C3
Now arrange all the digits so you have only 32 of them (or 16 bytes) per line; this will make it
easier to enter the data later on! Your file should now look like this:
B013CD1033C0BFB001B9007DF3ABBAC8
03EE42FEC980FB3C730580C304EB0880
FF3C730380C7048AC3EE8AC7EE32C0EE
E2E3B1C88106AC01E9628006AC016281
16AE011936A1AE0133D2BB4001F7F38BF2FE8C707DE2DDBEF102BFB17EB162BA
3E018A9CC0FE8A44FF03D88A440103D8
8A84400103D8C1EB02881D46474A75E2
ASM and DEBUG Example http://thestarman.pcministry.com/asm/fire/Fire.html
7 26/08/2014 11:48
-
8/17/2019 x86 ASM and DEBUG Example
3/7
46464747E2D9BEB27EBFB201B97E3E51
57F3A55E6800A007BF027D59F3A51E07
B401CD16748CB80300CD10C3
Unfortunately, DEBUG requires that each byte must be separated by a blank space, so you'll
still have to punch a lot of keys ( but this is a lot easier to do AND more accurate than
entering each Hex byte manually!):
B0 13 CD 10 33 C0 BF B0 01 B9 00 7D F3 AB BA C8
03 EE 42 FE C9 80 FB 3C 73 05 80 C3 04 EB 08 80
FF 3C 73 03 80 C7 04 8A C3 EE 8A C7 EE 32 C0 EE
E2 E3 B1 C8 81 06 AC 01 E9 62 80 06 AC 01 62 81
16 AE 01 19 36 A1 AE 01 33 D2 BB 40 01 F7 F3 8B
F2 FE 8C 70 7D E2 DD BE F1 02 BF B1 7E B1 62 BA
3E 01 8A 9C C0 FE 8A 44 FF 03 D8 8A 44 01 03 D8
8A 84 40 01 03 D8 C1 EB 02 88 1D 46 47 4A 75 E2
46 46 47 47 E2 D9 BE B2 7E BF B2 01 B9 7E 3E 51
57 F3 A5 5E 68 00 A0 07 BF 02 7D 59 F3 A5 1E 07B4 01 CD 16 74 8C B8 03 00 CD 10 C3
Were getting close now! A DEBUG Entry command begins with an 'E,' a space and then the
first Hexadecimal memory address where the data will be entered followed by the string of
bytes to enter. If we can't find some kind of meaningful pattern after viewing an ASCII dump
of the bytes, our next step will be to assume they form an executable program. DEBUG can
create a .COM program for us if we enter the code beginning at Offset 0100 of the segment in
memory it assigns to us. So, we might as well enter the data beginning at offset 100 hex and
following... Now you can see that having each line contain exactly 16 bytes makes it easier to
count (and less likely for an error to occur):
E 100 B0 13 CD 10 33 C0 BF B0 01 B9 00 7D F3 AB BA C8
E 110 03 EE 42 FE C9 80 FB 3C 73 05 80 C3 04 EB 08 80
E 120 FF 3C 73 03 80 C7 04 8A C3 EE 8A C7 EE 32 C0 EE
E 130 E2 E3 B1 C8 81 06 AC 01 E9 62 80 06 AC 01 62 81
E 140 16 AE 01 19 36 A1 AE 01 33 D2 BB 40 01 F7 F3 8B
E 150 F2 FE 8C 70 7D E2 DD BE F1 02 BF B1 7E B1 62 BA
E 160 3E 01 8A 9C C0 FE 8A 44 FF 03 D8 8A 44 01 03 D8
E 170 8A 84 40 01 03 D8 C1 EB 02 88 1D 46 47 4A 75 E2
E 180 46 46 47 47 E2 D9 BE B2 7E BF B2 01 B9 7E 3E 51
E 190 57 F3 A5 5E 68 00 A0 07 BF 02 7D 59 F3 A5 1E 07
E 1A0 B4 01 CD 16 74 8C B8 03 00 CD 10 C3
If you entered the data above into DEBUG and then used the DUMP command
- d 100 1ab The only ASCII characters you'd see on the screen would be:
....3......}....
..B....Q
W..^h.....}Y....
....t.......
ASM and DEBUG Example http://thestarman.pcministry.com/asm/fire/Fire.html
7 26/08/2014 11:48
-
8/17/2019 x86 ASM and DEBUG Example
4/7
Not very meaningful... So, we assume The Bitripper is showing us a program of some kind.
Finally, I've arranged our data in the form of a DEBUG SCRIPT FILE which you can use to
quickly and automatically create a program with just a single DOS command! I've used
DEBUG's N command to name the program FIRE.COM (you'll find out why later) and added
a few more DEBUG commands at the end of the file to change the CX register ( RCX ) to AC
(the file is 172 bytes long), the write ( W ) command to save the file to disk and the quit ( Q )
command to exit DEBUG. Make the necessary changes in your text editor and SAVE this fileas FIRE.SCP (MAKE CERTAIN that you hit the ENTER key after 'Q' so a new line starts at
the end of the file; DEBUG can't quit without this carriage return, and your DOS-window
will lock-up if DEBUG can't quit!) :
N FIRE.COM
E 0100 B0 13 CD 10 33 C0 BF B0 01 B9 00 7D F3 AB BA C8
E 0110 03 EE 42 FE C9 80 FB 3C 73 05 80 C3 04 EB 08 80
E 0120 FF 3C 73 03 80 C7 04 8A C3 EE 8A C7 EE 32 C0 EE
E 0130 E2 E3 B1 C8 81 06 AC 01 E9 62 80 06 AC 01 62 81
E 0140 16 AE 01 19 36 A1 AE 01 33 D2 BB 40 01 F7 F3 8B
E 0150 F2 FE 8C 70 7D E2 DD BE F1 02 BF B1 7E B1 62 BA
E 0160 3E 01 8A 9C C0 FE 8A 44 FF 03 D8 8A 44 01 03 D8
E 0170 8A 84 40 01 03 D8 C1 EB 02 88 1D 46 47 4A 75 E2
E 0180 46 46 47 47 E2 D9 BE B2 7E BF B2 01 B9 7E 3E 51
E 0190 57 F3 A5 5E 68 00 A0 07 BF 02 7D 59 F3 A5 1E 07
E 01A0 B4 01 CD 16 74 8C B8 03 00 CD 10 C3
RCX
AC
W
Q
For those who are interested... "No! I did NOT run this program right away to see what it
did ; I first examined the Assembly instructions to determine if it was reasonably safe to run
on my computer!" I'll show you how to do that soon...
Experimenting with completely unknown programs is best left for a spare computer with a
hard drive you're ready to wipe clean as soon as you're through with your experiments! Many
kid's computers these days are full of trojans and viruses too!! Those of you with risky friends
should NEVER accept floppy disks or download programs from their computers; it's best to
just say 'No thanks!' and learn whatever else you can to keep your machine clean (virus
free).
Open a DOS-Window and run the following command from whatever folder you stored or
moved the SCRIPT file (fire.scp) into... I'm simply using the root directory (C:\) for the
command here:C:\> debug < fire.scp
And here's what you should see on your screen as DEBUG automatically creates the program
for you:
C:\> debug < fire.scp
- N FIRE.COM
- E 0100 B0 13 CD 10 33 C0 BF B0 01 B9 00 7D F3 AB BA C8
- E 0110 03 EE 42 FE C9 80 FB 3C 73 05 80 C3 04 EB 08 80
- E 0120 FF 3C 73 03 80 C7 04 8A C3 EE 8A C7 EE 32 C0 EE
- E 0130 E2 E3 B1 C8 81 06 AC 01 E9 62 80 06 AC 01 62 81- E 0140 16 AE 01 19 36 A1 AE 01 33 D2 BB 40 01 F7 F3 8B
- E 0150 F2 FE 8C 70 7D E2 DD BE F1 02 BF B1 7E B1 62 BA
- E 0160 3E 01 8A 9C C0 FE 8A 44 FF 03 D8 8A 44 01 03 D8
- E 0170 8A 84 40 01 03 D8 C1 EB 02 88 1D 46 47 4A 75 E2
- E 0180 46 46 47 47 E2 D9 BE B2 7E BF B2 01 B9 7E 3E 51
ASM and DEBUG Example http://thestarman.pcministry.com/asm/fire/Fire.html
7 26/08/2014 11:48
-
8/17/2019 x86 ASM and DEBUG Example
5/7
-
8/17/2019 x86 ASM and DEBUG Example
6/7
-
8/17/2019 x86 ASM and DEBUG Example
7/7
The Starman's Index Page
ASM and DEBUG Example http://thestarman.pcministry.com/asm/fire/Fire.html