
Does not detect DOS Executables


ghidra_9.1-BETA_DEV (and also 9.0.4)

If I open a simple 16-bit DOS exe (built with the nasm assembler and ulink), Ghidra doesn't detect it as Old-Style DOS Exe.

The exe is working and correctly assembled - checked with the dosbox debugger and IDA Pro (also tested with several other assemblers - it's a linker thing).

single.asm

; build with: 
;  nasm.exe (https://www.nasm.us/pub/nasm/releasebuilds/2.14.02/)
;  ulink.exe (ftp://ftp.styx.cabel.net/pub/UniLink/)
; 
;  nasm.exe -f obj -o single.obj single.asm
;  ulink.exe single.obj

BITS 16

segment seg000 align=16

text: db 'Hello World!',0ah,0dh,'$'

segment seg001 align=16

..start:
mov ax,seg000
mov ds,ax

push ax
pop ax

call far print

mov ax,0x4c00
int 0x21

segment seg002 align=16

print:
mov dx,text
mov ah,9
int 0x21
retf

segment seg003 stack
resb 256

Checked it with several linkers:

wlink.exe: Open Watcom Linker Version 2.0 beta Sep 13 2019 01:44:55 (64-bit)
link.exe: Microsoft ® Segmented Executable Linker Version 5.60.339 Dec 5 1994
optlink.exe: OPTLINK ® for Win32 Release 8.00.17 (from the dmd package: dmd.2.088.0.windows)
ulink.exe: UniLink v1.11 [beta] (build 11.27) from ftp://ftp.styx.cabel.net/pub/UniLink/

All exes except the ulink.exe-linked exe are detected as Old-Style DOS Exe. The only real difference is a “UniLink” string between the header and relocation table.

IDA Pro detects all of them as DOS MZ Executables

optlink.single.exe -> detected as Old-Style DOS Exe

exe_header:
  signature: MZ
  bytes_in_last_block: 0x0068
  blocks_in_file: 0x0001
  num_relocs: 0x0002
  header_paragraphs: 0x0003
  min_extra_paragraphs: 0x0010
  max_extra_paragraphs: 0xffff
  ss:sp: 0x0004:0x0100
  checksum: 0x0000
  cs:ip: 0x0001:0x0000
  reloc_table_offset: 0x001e
  overlay_number: 0x0000

data between header and relocation table:
00000000  00 00                                            ..
   
relocation_table:
0    0x0001:0x000A
1    0x0001:0x0001

ulink.single.exe -> detected as Raw binary

exe_header:
  signature: MZ
  bytes_in_last_block: 0x0088
  blocks_in_file: 0x0001
  num_relocs: 0x0002
  header_paragraphs: 0x0005
  min_extra_paragraphs: 0x0011
  max_extra_paragraphs: 0xffff
  ss:sp: 0x0004:0x0100
  checksum: 0x0000
  cs:ip: 0x0001:0x0000
  reloc_table_offset: 0x0040
  overlay_number: 0x0000

data between header and relocation table:  
00000000  55 6E 69 4C 69 6E 6B 00 00 00 00 00 00 00 00 00  UniLink.........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00                                      ....
  
relocation table:
0    0x0001:0x0001
1    0x0001:0x000A

nasm sample DOS exes built with several linkers: http://s000.tinyupload.com/?file_id=77824670479507329081

data between header and relocation table by linker:

optlink.exe: 00 00
link.exe: 01 00
wlink.exe: 00 00 00 00
ulink.exe:
00000000  55 6E 69 4C 69 6E 6B 00 00 00 00 00 00 00 00 00  UniLink.........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00                                      ....
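
Added example (not part of the issue and not Ghidra's code): a Python check that accepts an MZ file on structural grounds only, so the linker-specific bytes before the relocation table never decide detection. The two sample files are constructed from the header dumps above, with zero bytes standing in for the code image; `parse_mz` and `build_sample` are hypothetical names.

```python
import struct

# Fixed part of the MZ header: 14 little-endian words (28 bytes), on-disk order.
FIELDS = ("signature", "bytes_in_last_block", "blocks_in_file", "num_relocs",
          "header_paragraphs", "min_extra_paragraphs", "max_extra_paragraphs",
          "ss", "sp", "checksum", "ip", "cs", "reloc_table_offset",
          "overlay_number")
FIXED = 28

def parse_mz(data):
    """Return header fields, gap bytes and relocations, or None if not a sane MZ file."""
    if len(data) < FIXED:
        return None
    h = dict(zip(FIELDS, struct.unpack_from("<2s13H", data)))
    if h["signature"] != b"MZ":
        return None
    hdr_size = h["header_paragraphs"] * 16
    file_size = h["blocks_in_file"] * 512
    if h["bytes_in_last_block"]:            # 0 means the last block is full
        file_size -= 512 - h["bytes_in_last_block"]
    if not FIXED <= hdr_size <= file_size <= len(data):
        return None
    start, n = h["reloc_table_offset"], h["num_relocs"]
    if n and not (FIXED <= start and start + 4 * n <= hdr_size):
        return None
    # Bytes between the fixed header and the relocation table are linker-defined
    # filler; they are reported but never used to accept or reject the file.
    h["gap"] = data[FIXED:start] if n else b""
    h["relocs"] = [struct.unpack_from("<HH", data, start + 4 * i)[::-1]
                   for i in range(n)]       # stored offset first; yield (segment, offset)
    return h

def build_sample(words, gap, relocs):
    """Constructed file: header values from the issue, zero bytes in place of the code image."""
    head = struct.pack("<2s13H", b"MZ", *words) + gap
    head += b"".join(struct.pack("<HH", off, seg) for seg, off in relocs)
    # blocks_in_file is 1 in both dumps, so file size equals bytes_in_last_block.
    return head.ljust(words[3] * 16, b"\0").ljust(words[0], b"\0")

# words: last-block bytes, blocks, relocs, header paragraphs, min, max,
#        ss, sp, checksum, ip, cs, reloc_table_offset, overlay
OPTLINK = build_sample((0x68, 1, 2, 3, 0x10, 0xFFFF, 4, 0x100, 0, 0, 1, 0x1E, 0),
                       b"\0\0", [(1, 0xA), (1, 1)])
ULINK = build_sample((0x88, 1, 2, 5, 0x11, 0xFFFF, 4, 0x100, 0, 0, 1, 0x40, 0),
                     b"UniLink".ljust(36, b"\0"), [(1, 1), (1, 0xA)])

if __name__ == "__main__":
    for name, data in (("optlink", OPTLINK), ("ulink", ULINK)):
        print(name, parse_mz(data) is not None, parse_mz(data)["gap"][:7])
```
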

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:12
