Thread: DOS/4GW , DOS/16M Reversing Help !

  1. #1
    visions_of_eden
    Guest

    Hi,

    I'm trying to reverse a DOS-based BIOS flasher (the AsRock BIOS flasher, to be specific) which runs with the DOS/4G extender.
    I need to modify it in order to flash a write-protected section of the BIOS.

    Since I've never done RE on this kind of executable (DOS EXE that runs with an extender) I don't know where to start.

    Analysing the EXE with a hex editor shows that the size of the EXE is larger than the one specified in the DOS header. The reason is that the image size specified in the DOS header just contains a DOS/4G loader, which (I think, since I've not been able to analyze it) initializes the protected mode environment and in turn loads the real program (the section appended after the end of the regular EXE image), then switches to PM, transferring control to the real program.
    To verify this I reduced the EXE size to the one specified in the header (trimming the additional bytes) and the result confirms my thoughts, since the program still executes but throws an error like "This EXE is not a DOS/16M executable".
    Trying to load it in IDA generates a warning saying that the file is larger than the size specified in the header, then loads the EXE but without the additional bytes, just the image size given in the header. Some sections of the disassembled code point to a segment that falls right in the part of the file that has not been loaded by IDA.

    I don't know if I explained myself clearly (sorry for the bad English), but could someone point me in the right direction?
    What disassembler/debugger could be used to debug this kind of program?
    Do DOS/4G embedded programs have specific headers to identify where the real program is in the image?

    Thanks .
    Nico.

  2. #2

    INSIGHT 1.24

    Use INSIGHT 1.24; it is useful for 16-bit programs.

    ricnar

  3. #3

    Here are some tutorials using Insight (Spanish):

    http://ricardonarvaja.info/WEB/CONCURSOS%202010/CONCURSO%203/SOLU_CONCU%233_Crackme1_By_InDuLgEo.rar

    http://ricardonarvaja.info/WEB/CONCURSOS%202010/CONCURSO%2010/SOLU_CONCU%2310_xg_cm08_CRKME81.COM%20%2816%20Bits%29_By_InDuLgEo.rar

    http://ricardonarvaja.info/WEB/CONCURSOS%202009/CONCURSO%2021/SOLU_CONCU%2321_Heiko_Plame_By_InDuLgEo.RaR

    Two tutorials are about .COM files and the other about a 16-bit EXE. You can run Insight on any Windows (XP, Vista, Seven, etc.).

    ricnar

  4. #4
    visions_of_eden
    Guest
    Hi!

    First thanks for replying.

    I tried with Insight, but it essentially works like TD.

    The problem is not debugging a DOS 16-bit program, but debugging in a non-standard environment. DOS/4GW loads by itself the code that has to be executed in protected mode (I don't know if Insight can handle protected mode debugging), so if the debugger is not aware of what's going on it is of no help.
    Understanding how loading takes place is a long (even if interesting) job, so if someone has more information on how DOS/4GW works it could speed up my reversing.

    Thanks.
    Nico.

    PS: The program I'm working on is the standard AsRock flasher; it can be found at http://www.asrock.com/MB/download.asp?Model=K7S41GX&o=BIOS .

    The version i'm currently trying to reverse is the one contained in BIOS v2.80.

  5. #5
    http://www.hex-rays.com/idapro/60/index.html
    IDA Pro 6.0 feature list
    ...
    + LE: added support for bound DOS/4G executables
    ...

  6. #6
    http://dos32a.narechk.net/index_en.html

    DOS/32A is a free, open-source DOS Extender which can be used as a drop-in replacement for the popular DOS/4GW DOS Extender and compatibles.

    The DOS/32 Advanced - SUNSYS Bind Utility is capable of unbinding protected mode applications from the existing Extender/Stub programs they may be bound to.

    DOS/32 Advanced - SUNSYS Protected Mode Debugger supports the "LE" and "LX" Linear Executable formats
    I don't know if that is helpful.
    Last edited by aqrit; December 1st, 2010 at 03:54.

  7. #7
    visions_of_eden
    Guest
    Quote Originally Posted by aqrit:
    http://dos32a.narechk.net/index_en.html
    I don't know if that is helpful.
    Thanks for the info.

    Extracted the LE file from the original EXE and now IDA loads it without problems. But the hard part of the work still has to be done.
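The extraction step described in this thread (MZ stub declared in the DOS header, LE image appended behind it) can be reproduced with a small script. This is an added example, not code from the thread or from the DOS/32A tools; it locates the LE header via e_lfanew, the declared stub size (e_cblp/e_cp), and finally a signature scan, and the sanity check on the LE header fields (byte/word order zero, CPU type 1..4) is a heuristic taken from the LE format layout, not something the thread states. The sample executable is constructed inline.

```python
import struct

def looks_like_le(data, off):
    """Heuristic: 'LE' signature, little-endian byte/word order, plausible CPU type (1=286 .. 4=586)."""
    if data[off:off + 2] != b"LE" or len(data) < off + 0x10:
        return False
    byte_order, word_order = data[off + 2], data[off + 3]
    cpu_type = struct.unpack_from("<H", data, off + 8)[0]
    return byte_order == 0 and word_order == 0 and 1 <= cpu_type <= 4

def mz_image_size(data):
    """Size of the MZ (stub) image as declared by e_cblp (bytes in last page) and e_cp (512-byte pages)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return e_cp * 512 - (512 - e_cblp if e_cblp else 0)

def find_le_offset(data):
    """Offset of the LE image behind the stub: try e_lfanew, then the declared stub size, then scan forward."""
    candidates = []
    if len(data) >= 0x40:
        candidates.append(struct.unpack_from("<I", data, 0x3C)[0])  # e_lfanew, if the stub sets it
    candidates.append(mz_image_size(data))
    for off in candidates:
        if off and looks_like_le(data, off):
            return off
    off = data.find(b"LE", mz_image_size(data))  # header lied (or is padded): scan from the stub end
    while off != -1:
        if looks_like_le(data, off):
            return off
        off = data.find(b"LE", off + 1)
    return None

def unbind_le(data):
    """Return the LE part (LE header to end of file), i.e. what a minimal 'unbind' hands to IDA."""
    off = find_le_offset(data)
    if off is None:
        raise ValueError("no LE image found behind the MZ stub")
    return data[off:]

def build_sample(stub_len, declare_len=None):
    """Constructed test file: a zero-filled MZ stub of stub_len bytes followed by a fake LE header.
    declare_len lets the DOS header declare a different stub size than the real one."""
    declare_len = stub_len if declare_len is None else declare_len
    e_cp, e_cblp = (declare_len + 511) // 512, declare_len % 512
    stub = bytearray(b"MZ" + struct.pack("<HH", e_cblp, e_cp))
    stub += b"\x00" * (stub_len - len(stub))  # e_lfanew at 0x3C stays zero, as on an old-style stub
    le = b"LE\x00\x00" + struct.pack("<IHH", 0, 2, 1) + b"\x00" * 4 + b"<program pages>"
    return bytes(stub) + le
```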
