HowTo: Use Dosbox as a Quick & Dirty disassembler

Dosbox is an open source DOS emulator available for many OS flavors. Dosbox allows you to run any old DOS game, relive some of the golden games of DOS era. It has full support for multiple video standards (VGA, CGA, Tandy,…) and sound cards (Adlib, SB, …). Amazing program! I was even able to bring up Windows 1.0 under that

Not many use this powerful emulator as a disassembler though. I have used this technique to disassemble many programs with out resorting to IDA or Sourcer.

Step by step instructions:

1. Download & install the HeavyDebug enabled Dosbox from here – Dosbox 0.72 (Heavy Debug). Check this page for other Dosbox versions.
2. Open Dosbox. You will see two windows opening, the main Dosbox shell window and the debug window. Debug window looks as shown below:
3. Switch to the DosShell window (the window where you can type your commands). Mount the program directory as C:. Go to C:.
4. Load the program to debug by typing
   

   debug <programname>

   For example, debug runme.com

5. Dosbox will load the program and wait on the first instruction of the program entry point. Switch to Dosbox Debug window.
6. Type the following command in the debug prompt and press ENTER.
   

   LOG 100000

   This command instructs Dosbox to log all the instructions along with the registers contents for the next 100,000 CPU cycles. Dosbox will respond with “DEBUG: Starting log.” status message. Once 100,000 CPU cycles are done, Dosbox will let us know by the status message “DEBUG: cpu log LOGCPU.TXT created“. The log statements can be found in LOGCPU.TXT (in the Dosbox folder). Try increasing the cycle count number, if you want to capture more LOG statements.

7. The execution is stopped when the specified number of cycles are done. You can decide to continue logging the rest of the program by issuing the same LOG command again. Note that, by default the LOG statements go to LOGCPU.TXT. So, you may want to rename the LOG files as LOGCPU1.txt, LOGCPU2.txt and so on, if you want more than 100,000 cycles.

Higher the number you specify for LOG command, the more space Dosbox needs for writing all those LOG statements. On an average you can expect around 250MB to be used by Dosbox for dumping 100,000 cycles.

Logcpu.txt contains the executed instructions in the format shown below:

0128:000003D3 je 000003D0 ($-5) (up) EAX:00000000 EBX:0000016E ECX:000000B1 EDX:000003DA ESI:00000D07 EDI:00000D09 EBP:00000020 ESP:0000FFF4 DS:0128 ES:0128 FS:0000 GS:0000 SS:0128 CF:0 ZF:40 SF:0 OF:0 AF:0 PF:4 IF:0

0128:000003D0 in al,dx EAX:00000000 EBX:0000016E ECX:000000B1 EDX:000003DA ESI:00000D07 EDI:00000D09 EBP:00000020 ESP:0000FFF4 DS:0128 ES:0128 FS:0000 GS:0000 SS:0128 CF:0 ZF:40 SF:0 OF:0 AF:0 PF:4 IF:0

0128:000003D1 test al,08 EAX:00000000 EBX:0000016E ECX:000000B1 EDX:000003DA ESI:00000D07 EDI:00000D09 EBP:00000020 ESP:0000FFF4 DS:0128 ES:0128 FS:0000 GS:0000 SS:0128 CF:0 ZF:40 SF:0 OF:0 AF:0 PF:4 IF:0

As can be seen, all the instructions along with the registers are dumped. All we need to do now is to clean up this file by retaining only the disassembled instruction and removing everything else. I use Textpad’s Find/Replace for doing this, a dedicated tool will be a better option though.

Main advantage of using Dosbox to dump the instructions like this is, if the program you want to disassemble is encrypted or is using some kind of mutation engine or even simply compressed and decompresses itself on-the-fly, you can let the program reveal itself instead of spending hours trying to get to the original opcodes

Tags: Debug, Disassemble, Dosbox, Emulation, HowTo, IDA, programming, Sourcer