DAT2343 File Analysis with MicroSoft DEBUG © Alan T. Pinck / Algonquin College; 2003.
12
DAT2343 File Analysis with MicroSoft DEBUG © Alan T. Pinck / Algonquin College; 2003
-
Upload
christiana-oakley -
Category
Documents
-
view
215 -
download
0
Transcript of DAT2343 File Analysis with MicroSoft DEBUG © Alan T. Pinck / Algonquin College; 2003.
DAT2343
File Analysis with MicroSoft DEBUG
© Alan T. Pinck / Algonquin College; 2003
Starting a DOS Window in XP
• Start – Run – (command)or• Start – Programs – Accessories – Command Prompt
(slight variations may exist between this and different installations of XP or other Windows Operating Systems)
DOS Windows Controls in XP
It is often useful to be able to mark and copy text from a DOS window (to be pasted into some other application file).
By left-clicking on the title bar icon and selecting Edit from the drop-down menu, it is possible to mark and then copy text from a DOS window.
(Other Windows OS’s provide icon tools to do this on the title bar).
Running DEBUG from the DOS prompt
At the DOS prompt, type:DEBUG
and hit <Enter>
DEBUG will respond with its prompt symbol, the dash
-
Examining a File in DEBUG
At the DEBUG prompt, enter:N followed by the filepath for the file to be examined This identifies the file Name to DEBUG
L This tells DEBUG to Load the file
D This tells DEBUG to Display or Dump
Sample DEBUG File Display
Copying the Hex Contents for Analysis
4A 70 20 33 45 20 64 52-35 32 C8 FE 44 61 64 20FF FF CD 21 80 3C 00 74-06 BA DA 89 34 00 CA 0A08 98 80 FC 3A 74 02 B0-40 8A 0E 24 99 0C 20 2C60 A2 C2 96 A0 07 98 8A-26 6A 98 25 02 02 0A C0
Use the DOS Windows controls to copy a few lines of the hexadecimal file contents into a NotePad or similar file to work with; set the font to Courier New or some other non-proportional font:
Quitting DEBUG
In order to exit or “quit” the DEBUG program, enter
Q
at the DEBUG prompt
(Return to the file where you pasted the hexadecimal file contents)
Sample Analysis of the “Dump”
Suppose that the file contained records composed of a 4 (ASCII) character field followed by a (2-byte) integer field (2’s complement, little Endian).
The first two records could be extracted from the dump as:
4A 70 20 33 45 20 64 52 35 32 C8 FE
Analysis of First “Dump” Record
4A 70 20 33 45 20 4 ASCII characters:
4A 70 20 33 Using an ASCII table this translates into “Jp 3”
2-byte integer field 45 20 (little Endian form)
Using standard 2’s complement conversion:2045(hex) = 8261(dec)
Summary of DEBUG Commands
Nfilepath Name file to be used
L Load previously named file
D or Dxxxx Dump/Display memory contents (starting at offset
xxxx)
Q Quit DEBUG
End of Lecture
