ASM: INT 20 doesn`t work on Debug DOSbox [duplicate] - debugging

I'm trying to use DOSBox with debug.exe on a 64-bit system. It works perfectly fine if I enter the commands manually. When I redirect input from a file with:
debug < [file]
it doesn't work. On every line except for the first it displays an error similar to this:
DOSBox will eventually hang and crash. Is there any way to fix this?
The input file I am trying to process as commands is:
a 100
jmp 145
db 'Hello, World!', 0D, 0A, 'Press any key to continue . . .$'
a 145
mov ah, 09
mov dx, 102
int 21
mov ah, 08
int 21
int 20
rcx
100
n hello.com
w
q

I can reproduce the behavior you are seeing in this scenario:
DOSBox 0.74 on Windows and Linux
DEBUG.EXE from Windows XP copied to DOSBox
DEBUG.EXE from various versions of MS-DOS will cause problem including unexpected hangs. See this Stackoverflow question for another related problem.
I found a version of DEBUG.COM from FreeDOS that works as expected. I have made DEBUG.COM available for download from my website. Alternatively you can download the ZIP File from Softpedia and extract DEBUG.COM.
When I run DEBUG.COM I get this:
S:\>debug.com <hello.asm
-a 100
0BFB:0100 jmp 145
0BFB:0102 db 'Hello, World!', 0D, 0A, 'Press any key to continue . . .$'
0BFB:0131
-a 145
0BFB:0145 mov ah, 09
0BFB:0147 mov dx, 102
0BFB:014A int 21
0BFB:014C mov ah, 08
0BFB:014E int 21
0BFB:0150 int 20
0BFB:0152
-rcx
CX 0000
:100
-n hello.com
-w
Writing 00100 bytes
-q
S:\>hello
Hello, World!

Had same problem in DosBox 0.74 with DEBUG.EXE script redirection. Discovered that it could be fixed by changing the end-of-line characters in the script file from [CR][LF] to just [CR] when redirecting into DEBUG.EXE.
Pasting your file into the Scite editor and viewing the line-end characters showed this:
a 100{CR][LF]
jmp 145[CR][LF].... et cetera
I used an option in Scite to change the EOL characters to [CR] alone, getting
a 100{CR]
jmp 145[CR].... et cetera
saved the file, and was able to redirect it into DEBUG.EXE with no problem.
Not sure why [CR][LF] causes the issue with DEBUG.EXE, but hope this helps.
DEBUG.COM handles either EOL sequence with no glitch, so makes sense to use it instead, especially with its extended features. But one can use DEBUG.EXE it seems, with this fix, FWIW. The Scite editor is a neat tool.

I found the same problem running a script file for Debug within Dosbox.
but I found another editor: Notepad2. runs great and small and changes color to highlight assembler words.
Had to use debug ver 1.25 though.

Than you Michael Petch. I was trying everything to get the output of FreeDos clone of MS-DEBUG to save into a text file. But it was not the path, the speed, or the memory allotment that was blocking the redirection of output. It was indeed the line feed and cursor return combination. I quickly wrote a program to take out cursor return and leave line feed. It now redirects! I can also take out the line feed and leave the cursor returns, and DEBUG redirects to file as well. The small glitch is I have to access Windows outside the or close the DosBox window, for the outputted DEBUG code to become visible in a directory listing.
This is how I redirect DEBUG output to a file:
DEBUG < game.dbg > game.lst

Related

Why is CreateFileA succeeding in Windows XP and failing in Windows 10?

I'm working through a reverse engineering exercise using olly.
00402D71 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00402D73 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
00402D78 |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00402D7A |. 6A 00 PUSH 0 ; |pSecurity = NULL
00402D7C |. 6A 00 PUSH 0 ; |ShareMode = 0
00402D7E |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
00402D83 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |C:\Windows\system32\eLearnRE#5.dat
00402D86 |. E8 DF642300 CALL <JMP.&KERNEL32.CreateFileA> ; \CreateFileA
On Windows 10, I created the eLearnRE#5.dat file and verified that NTFS permissions make it readable. But even like that I get 0xFFFFFFFF with ERROR_FILE_NOT_FOUND (00000002) as a result of the CALL CreateFileA.
This is what I tried already (without success)
Copy and pasted the name from ollydbg to make sure I don't have any typos
Compared the two filenames letter by letter in notepad to check for typos
Patched the process memory to try reading an existing file in C:\temp\test.txt (just in case c:\windows\System32\eLearnRE#5.dat had some special restrictions because it's in a system folder)
Put some data into the file just in case it had trouble handling a blank file for some reason.
Ran olly as Administrator
This works perfectly fine in Windows XP, but not in Windows 10. Why?
The credit for the answer goes to Hans Passant for https://learn.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector
On 64bit windows, 32bit applications are redirected to C:\windows\syswow64
As soon as I moved the file to C:\windows\syswos64, things started to work as expected

Remote backup of Raspberry Pi sd card from Windows

This references details a procedure for backing up the SD card on a running Raspberry Pi from and to a file on another computer (https://johnatilano.com/2016/11/25/use-ssh-and-dd-to-remotely-backup-a-raspberry-pi/)
To do this from a Windows PC it is necessary to install a new "DD tool" for Windows, also referenced above. I've done all of this and thought I had the process figured out, the following command run from a Windows CMD window does create a file on my Windows PC, but shows an error message which I can not figure out.
c:\Windows\System32>ssh me#192.168.xxx.yyy “sudo dd if=/dev/mmcblk0 bs=1M | gzip -” | dd of=\\.\c:/Users/me/Desktop/rPi_backup.gz –progress
I have run this on my LAN to two different Pi's (3B and 4B), Here is the output from the later after about 30 minutes:
c:\Windows\System32>ssh me#192.168.xxx.yyy “sudo dd if=/dev/mmcblk0
bs=1M | gzip -” | dd of=\.\c:/Users/me/Desktop/rPi_backup.gz
–progress
rawwrite dd for windows version 0.5. Written by John Newbigin This
program is covered by the GPL. See copying.txt for details
0me#192.168.xxx.yyy‘s password:
11,754,655,23215193+1 records in 15193+1 records out 15931539456 bytes
(16 GB, 15 GiB) copied, 2528.86 s, 6.3 MB/s 11,755,209,216Error
reading file: 109 The pipe has been ended
22959393+0 records in 22959393+0 records out
I got the same Error 109 for both Pi's. I have checked the SD cards and they are functional, not corrupted nor have any "dirty bits". I have tried to find the error code description, but nothing I see seems to apply to this situation.
Can anyone help me with this problem. I posted it to the above reference, but have not gotten any meaningful replies....RDK
EDIT after using Maxim Sagaydachny's suggestion (in comments). It worked and I got a .gz file on my desktop. I used BalenaEtcher to expand and copy it to an SD card, same size as that of the source. The Pi booted up but it appears that the restored version is a bit crippled, the Pi boots ok, I can log on (console and SSH) but I get this message just after I log on:
-bash: /etc/profile.d/magnum_path.sh: line 1: syntax error near unexpected token
$'sʧ\237\376\351\370'' -bash: /etc/profile.d/magnum_path.sh: line 1: MA▒$▒g▒p▒[▒kh▒▒▒▒▒D(sʧ▒▒▒▒|▒Kq/t
▒▒▒ ▒9▒$A▒6▒▒f▒▒V▒▒▒Y▒▒ UX▒O:▒▒35▒▒1z▒׎▒YC#▒ȓ!▒ӪW▒▒GM▒
<▒▒'▒▒▒`W=|k▒▒▒V ▒9▒▒R▒[j▒
*▒▒ֈ▒▒
I also noted a message in the bootup screen but it went by too fast to fully read so the following i s a stab at what it really said. Something about the expected number of ?? was, for example, 273 and it only sees 272. And I think it was referencing mmcblk0p2....RDK

How to break in x64dbg from ghidra's corresponding instructions?

I have x64dbg and ghidra synchronized via ret-sync. I found an interesting point in ghidra:
1800382b1 4d 8b e0 MOV R12,rebitData
1800382b4 48 63 f2 MOVSXD packetSize_,packetSize
in the listing view; the file my.dll starts at 180000000.
So, then in x64dbg I add a dll break for my.dll, and when I'm in, I go to the file offset with ctrl+shift+g and enter 328b4, but I end up at (first line):
00007FF8B2FB32B4 | 06 | ???
00007FF8B2FB32B5 | E9 80000000 | jmp my.7FF8B2FB333A
00007FF8B2FB32BA | 45:8BC6 | mov r8d,r14d
00007FF8B2FB32BD | EB 7B | jmp my.7FF8B2FB333A
00007FF8B2FB32BF | 3BFB | cmp edi,ebx
00007FF8B2FB32C1 | 73 22 | jae my.7FF8B2FB32E5
00007FF8B2FB32C3 | 41:3BDB | cmp ebx,r11d
00007FF8B2FB32C6 | 76 18 | jbe my.7FF8B2FB32E0
where in x64dbg, the file starts at: 00007FF8B2F81000 (CPU tab, module my.dll, main thread X, PID Y).
Obviously the instructions are not the same. (I believe I did the rebase correctly)
How can I make the correspondance ghidra -> x64dbg and break in x64dbg at the "same place" ie., same instructions ?
ret-sync allows to add a breakpoint directly from ghidra (to x64dbg) with F2:
https://github.com/bootleg/ret-sync#ghidra-usage
However, this does not work with ret-sync being built in release, only in debug version. This is a bug.
For manual rebase+jump, from x64dbg it is possible to enter the offset (current offset - base offset) in expression in x64dbg calculator, and ask follow in disassembler to jump directly to the offset. One can calculate an expression that does a rebase or a more complex function (eg., offset + sizeof X * Ntimes).
If the final offset is known, another way to jump to the desired offset in x64dbg is ctrl+shift+g (go to file offset), if the desired module is in the CPU disassembly. If not, one need to go to symbols, and follow the module of interest in the CPU disassembly and then go to file offset.
You said you wanted to go to 328b4 but your second snippet is at ...32B4 and looks like you ended up in the middle of an instruction. I would expect the correct address to be 0x00007FF8B2F81000 + 0x328b4 = 0x7ff8b2fb38b4.
I am not aware of ret-sync supporting setting breakpoints, but you can do the address translation more easily by either getting the relative offset by hovering
Source: https://twitter.com/dev747368/status/1347360276476293125
and then adding the x64dbg offset of 00007FF8B2F81000 to offset (2008h in the screenshot, in your case 328b4h )
Or you can script this by running currentAddress.subtract(currentProgram.imageBase) in the shell to get the relative offset for the current address (again 328b4h in your example) and then adding the x64dbg offset. So the complete command would be: currentAddress.subtract(currentProgram.imageBase).add(0x00007FF8B2F81000)
Run this in the Python REPL and the correct x64dbg address for the current address should result.

Suppressing ipdb output in Spyder iPython interpreter

I have reason to believe that my iPython interpreter is causing my kernel to die and restart similar to the issues logged in this link and that link.
The latter link indicates that the error is caused by the fact that the debugger outputs step-by-step ipdb content into the interpreter. One user reported that the behavior stopped when he (and I quote)
disabled logging to console before running in debug mode
How does one "disable logging to console" in Spyder IDE/IPython? I really need to do this so I can at least step through my code....
EDIT
I would like to suppress this kind of output
ipdb> > d:\temp\other const models\plaxis\output\plotparfile.py(16)PlotParFile()
14 with open(filename,'r') as fid:
15 lines = fid.readlines()
---> 16 fid.close()
17 #split first line get header and pop it out
18 header = lines[0].split()
> d:\temp\other const models\plaxis\output\plotparfile.py(18)PlotParFile()
16 fid.close()
17 #split first line get header and pop it out
---> 18 header = lines[0].split()
19 lines.pop(0)
20
(Spyder developer here) That output is generated automatically and its purpose is to tell you where are you placed in your code while debugging.
Right now there are no options in Spyder to deactivate it. Besides, I really doubt that output could be the cause of any kernel failures.

How to send EOF from command prompt *without newline*?

Sure, to send EOF from command prompt, Enter followed by Ctrl-Z does the trick.
C:\> type con > file.txt
line1
line2
^Z
This works, and file.txt contains line1\r\nline2\r\n. But how can you do the same without the last newline, so that file.txt contains line1\r\nline2?
In Linux, the solution is to hit Ctrl-D twice1. But what is the equivalent on Windows? Command prompt will happily print ^Zs at the end of a line without doing sending EOF. (And if you press Enter, then any ^Zs you typed get written to the file as literal escape characters!)
If there is no way to do this on Windows, then why?
1 https://askubuntu.com/questions/118548/how-do-i-end-standard-input-without-a-newline-character
The command type con > file.txt doesn't have any special handling for ^Z in the cmd shell, since the target file isn't con and the type command wasn't run in Unicode (UTF-16LE) output mode. In this case, the only ^Z handling is in the ReadFile call itself, which for a console input buffer has an undocumented behavior to return 0 bytes read if a line starts with ^Z.
Let's examine this with a debugger attached, noting that the number of bytes read (lpNumberOfBytesRead) is the 4th argument (register r9 in x64), which is returned by reference as an output parameter.
C:\Temp>type con > file.txt
Breakpoint 1 hit
KERNELBASE!ReadFile:
00007ffc`fb573cc0 48895c2410 mov qword ptr [rsp+10h],rbx
ss:00000068`c5d1dfa8=000001e3000001e7
0:000> r r9
r9=00000068c5d1dfd0
0:000> pt
line1
KERNELBASE!ReadFile+0xa9:
00007ffc`fb573d69 c3 ret
0:000> dd 68c5d1dfd0 l1
00000068`c5d1dfd0 00000007
As you see above, reading "line1\r\n" is 7 characters, as expected. Next let's enter "\x1aline2\r\n" and see how many bytes ReadFile reportedly reads:
0:000> g
Breakpoint 1 hit
KERNELBASE!ReadFile:
00007ffc`fb573cc0 48895c2410 mov qword ptr [rsp+10h],rbx
ss:00000068`c5d1dfa8=0000000000000000
0:000> r r9
r9=00000068c5d1dfd0
0:000> pt
^Zline2
KERNELBASE!ReadFile+0xa9:
00007ffc`fb573d69 c3 ret
0:000> dd 68c5d1dfd0 l1
00000068`c5d1dfd0 00000000
As you see above, this time it reads 0 bytes, i.e. EOF. Everything typed after ^Z was simply ignored.
However, what you want instead is to get this behavior in general, wherever ^Z appears in the input buffer. type will do this for you, but only if it's executed in Unicode mode, i.e. cmd /u /c type con > file.txt. In this case cmd does have special handling to scan the input for ^Z. But I bet you don't want a UTF-16LE file, especially since cmd doesn't write a BOM to allow editors to detect the UTF encoding.
You're in luck, because it happens that copy con file.txt does exactly what you want. Internally it calls cmd!ZScanA to scan each line for a ^Z character. We can see this in action back in the debugger, but this time we're in completely undocumented territory. On inspection, it appears that this function's 3rd parameter (register r8 in x64) is the number of bytes read as an in-out argument.
Let's begin again by entering the 7 character string "line1\r\n":
C:\Temp>copy con file.txt
line1
Breakpoint 0 hit
cmd!ZScanA:
00007ff7`cf4c26d0 48895c2408 mov qword ptr [rsp+8],rbx
ss:00000068`c5d1e9d0=0000000000000000
0:000> r r8; dd #r8 l1
r8=00000068c5d1ea64
00000068`c5d1ea64 00000007
On output, the scanned length remains 7 characters:
0:000> pt
cmd!ZScanA+0x4f:
00007ff7`cf4c271f c3 ret
0:000> dd 68c5d1ea64 l1
00000068`c5d1ea64 00000007
0:000> g
Next enter the 23 (0x17) character string "line2\x1a Ignore this...\r\n":
line2^Z Ignore this...
Breakpoint 0 hit
cmd!ZScanA:
00007ff7`cf4c26d0 48895c2408 mov qword ptr [rsp+8],rbx
ss:00000068`c5d1e9d0=0000000000000000
0:000> r r8; dd #r8 l1
r8=00000068c5d1ea64
00000068`c5d1ea64 00000017
This time the scanned length is only the 5 characters that precede the ^Z:
0:000> pt
cmd!ZScanA+0x4f:
00007ff7`cf4c271f c3 ret
0:000> dd 68c5d1ea64 l1
00000068`c5d1ea64 00000005
We expect file.txt to be 12 bytes, which it is:
C:\Temp>for %a in (file.txt) do #echo %~za
12
More generally, if a Windows console program wants to implement Ctrl+D handling that approximates the behavior of a Unix terminal, it can use the wide-character console function ReadConsoleW, passing a CONSOLE_READCONSOLE_CONTROL struct by reference as pInputControl. This struct's dwCtrlWakeupMask field is a bit mask that sets which control characters will immediately terminate the read. For example, bit 4 enables Ctrl+D. I wrote a simple test program that demonstrates this case:
C:\Temp>.\test
Enter some text: line1
You entered: line1\x04
You can't see this in the above example, but this read was immediately terminated by pressing Ctrl+D, without even pressing enter. The ^D control character (i.e. '\x04') remains in the input buffer, which is useful in case you want different behavior for multiple control characters.

Resources