Japheth
Germany (South), 11.07.2009, 17:42 |
new PE v1.16 (Announce) |
Hi,
since DOS386's bug-report (and fix) there were several updates to PE (which is a binary dump tool like GNU objdump, Agner Fog's objconv, ndisasm, MS dumpbin, ... ):
- can dump libraries
- disassembler included
- true stand-alone DOS binary (PED.EXE) added
- easier to build the binary ( just JWasm + WLink needed, no Win32Inc )
http://www.japheth.de/Download/pe.zip --- MS-DOS forever! |
DOS386
30.11.2009, 08:09
@ Japheth
|
| new PE v1.16 | new BUG | |
> since DOS386's bug-report (and fix) there were several updates to PE
> (which is a binary dump tool like GNU objdump, Agner Fog's objconv,
> ndisasm, MS dumpbin, ... ):
> - can dump libraries
> - disassembler included
> - true stand-alone DOS binary (PED.EXE) added
> - easier to build the binary ( just JWasm + WLink needed, no Win32Inc )
> http://www.japheth.de/Download/pe.zip
YES, there are many improvements , but there is (at least) one new bug, NOT present in cca 1.09
This PE runs excellently with HX, ME and XP, but PE crashes with it --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Rugxulo
Usono, 02.12.2009, 00:19
@ DOS386
|
| new PE v1.16 | new BUG | |
> YES, there are many improvements , but there is (at least) one
> new bug, NOT present in cca 1.09
>
> This PE
> runs excellently with HX, ME and XP, but PE crashes with it
Ah, no wonder, this isn't a "new" version but "old" (to us, anyways, heh) from July. I thought his download link wasn't refreshed yet. |
Japheth
Germany (South), 02.12.2009, 09:59
@ Rugxulo
|
| new PE v1.16 | new BUG | |
> > YES, there are many improvements , but there is (at least) one
> > new bug, NOT present in cca 1.09
> >
> > This
> PE
> > runs excellently with HX, ME and XP, but PE crashes with it
>
> Ah, no wonder, this isn't a "new" version but "old" (to us, anyways, heh)
> from July. I thought his download link wasn't refreshed yet.
Ok, but even the newest PE crashes with DOS386's program. It's not a big issue, because this sample is rather unusual, but nevertheless PE should be able to handle any atrocity without crashing. --- MS-DOS forever! |
DOS386
23.12.2009, 09:17
@ Rugxulo
|
| new PE v1.16 | new BUG | new competitor |
> this isn't a "new" version but "old" (to us, anyways, heh)
> from July. I thought his download link wasn't refreshed yet.
Heh ???
There is a BUG and regression in PE 1.16, but FYI, I don't need the fix that badly since I have now my own PE tool
offering many features ^^^ beyond Japheth's one like stub and linker error detection
also support of non-PE ^^^ files is better
and it has some more new (secret for now, cut away from the upper shot ) features
(and it has still some flaws of course and is not uncrashable, but at least it usually doesn't crash on valid PE's) --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Japheth
Germany (South), 23.12.2009, 21:41
@ DOS386
|
| new PE v1.16 | new BUG | new competitor |
> There is a BUG and regression in PE 1.16, but FYI, I don't need the fix
> that badly since I have now my own PE tool
>
> offering many features ^^^ beyond Japheth's one like stub and
> linker error detection
Co-cool!
> also support of non-PE ^^^ files is better
Please guess why PE is called PE!
> and it has some more new (secret for now, cut away from the upper shot )
> features
>
> (and it has still some flaws of course and is not uncrashable, but at
> least it usually doesn't crash on valid PE's)
Great, but ... are we allowed to download your fantastic new program somewhere? For free? Or does it cost buggs? --- MS-DOS forever! |
DOS386
24.12.2009, 09:26
@ Japheth
|
| new PE v1.16 | new BUG | new competitor |
> Please guess why PE is called PE!
No idea. But my tool reveals what it is if not PE and gives a hint what to do next
> Great, but ... are we allowed to download your fantastic new program
> somewhere? For free? Or does it cost BUG's?
It's not yet done ... and works less well in HX than ME or XP and I continue finding new bugs in HX with it, see other thread --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Japheth
Germany (South), 13.01.2010, 22:02
@ Rugxulo
|
| new PE v1.17 | BUG fixed | |
Hello,
PE v1.17 fixes the infamous bug found by DOS386. Also adds a few new options concerning codeview symbolic debugging info. --- MS-DOS forever! |
DOS386
27.01.2010, 13:08
@ Japheth
|
JPE and UPET improvements |
> PE v1.17 fixes the infamous bug found by DOS386. Also adds a few
> new options concerning codeview symbolic debugging info.
COOL, the import bug seems fixed. But there is 1 bug left (see below)
I'm now using JPE when referring to Japheth's tool and UPET as a preliminary name for mine
My tool also got spectacular improvements:
- More rigid stub parsing and new errors supported (see ^^^ shot)
- The "Machine" is now getting decrypted (see ^^^ shot, and this field is inherently faulty again, it says "80386" even for the MPLAYER from 2009-12 using CMOVNTQ )
- More validity checks in PE structures (see ^^^ shot, incredible how many bugs one can have in a "Hello World" program BTW, it is supposed (as author boasts ...) to work in NT but for me it securely fails in both ME and XP )
- The directory listing is heavily superior to JPE (see ^^^ shot), and the next victim of my rigid validity checks is the [in]famous NTVDM.EXE ... check the invalid entry at index 11
- PX Sigi is of course also recognized, but the evil thing is the corrupt relox entry in the sectional header of your "PED.EXE" (see ^^^ shot, your BUG ... also IDECHECK is affected by this)
- NE files (obsolete as hell) are also recognized (but not yet supported, see ^^^ shot)
- Also DGJPP files are recognized, of course no bad /STUBSIZE hack is required (see ^^^ shot)
- And LX (see ^^^ shot)
- Not even PE64 (see ^^^ shot) can break it
Opening file: "ntoskrnl.exe "
GetFileSizeEx: 2'189'184 = $0021'6780
Reading .... Done !
MZ Sigi: "MZ. "
MZ stub Size : $0000'0490
MZ header Size: $0000'0040
--------------------------------
.
.... ...!..L.!This program canno
t be run in DOS mode....$
.<i.J]..J]..J]...RZ.M]..J]...]..
--------------------------------
Next Level Sigi (PE) position: $0000'00D8
Next Level Sigi: "PE " recognized as PE
Follow Up Sigi : " " (invalid)
ERROR: Stub size <> Next Level position
CRITICAL ERROR: Macro$oft linker detected
CRITICAL ERROR: Stub ''hint'' is faulty
Machine: $0000'014C - I80386 (believe with care)
Number of sexions: 21
Size of Optional Header: $0000'00E0
Characterum: $0000'010E
Baseball address : $0040'0000
Memory alignment : $0000'0080
File alignment : $0000'0080
Image size : $0021'6780
Submarine system : 1 - Ring0 driver
Directory entries: $0000'0010 (content see below sections)
Sections:
no ---name--- exact-size rva-indeed file-posit attributes
00 ".text " $0007'2511 $0000'0580 $0000'0580 $6800'0020
01 "POOLMI " $0000'12B3 $0007'2B00 $0007'2B00 $6800'0020
02 "MISYSPTE" $0000'0700 $0007'3E00 $0007'3E00 $6800'0020
03 "POOLCODE" $0000'15A0 $0007'4500 $0007'4500 $6800'0020
04 ".data " $0001'6DA0 $0007'5B00 $0007'5B00 $C800'0040
05 "PAGE " $000F'A0CC $0008'C900 $0008'C900 $6000'0020
06 "PAGELK " $0000'E3B9 $0018'6A00 $0018'6A00 $6000'0020
07 "PAGEVRFY" $0000'F1CD $0019'4E00 $0019'4E00 $6000'0020
08 "PAGEWMI " $0000'17E0 $001A'4000 $001A'4000 $6000'0020
09 "PAGEKD " $0000'4052 $001A'5800 $001A'5800 $6000'0020
10 "PAGESPEC" $0000'0C43 $001A'9880 $001A'9880 $6000'0020
11 "PAGEHDLS" $0000'1DD8 $001A'A500 $001A'A500 $6000'0020
12 ".edata " $0000'B5A2 $001A'C300 $001A'C300 $4000'0040
13 "PAGEDATA" $0000'1558 $001B'7900 $001B'7900 $C000'0040
14 "PAGEKD " $0000'C021 $001B'8E80 $001B'8E80 $C000'0040
15 "PAGECONS" $0000'018C $001C'4F00 $001C'4F00 $C000'0040
16 "PAGEVRFC" $0000'3449 $001C'5100 $001C'5100 $4000'0040
17 "PAGEVRFD" $0000'0648 $001C'8580 $001C'8580 $C000'0040
18 "INIT " $0002'D938 $001C'8C00 $001C'8C00 $E200'0020
19 ".rsrc " $0001'0708 $001F'6580 $001F'6580 $4000'0040
20 ".reloc " $0000'FA5C $0020'6D00 $0020'6D00 $4200'0040
PE Directory block: size = $80 Byte's, file position = $0000'0150
Entries (target: RVA, size, file position) :
00 Export $001A'C300, $0000'B5A2, $001A'C300 in sexion 12 (exact)
01 Import $001F'5C34, $0000'0050, $001F'5C34 in sexion 18 (inexact)
02 Resour $001F'6580, $0001'0708, $001F'6580 in sexion 19 (exact)
03 Excep? (unused)
04 Secur? (unused)
05 Relox $0020'6D00, $0000'FA5C, $0020'6D00 in sexion 20 (exact)
06 Debug $0007'2A30, $0000'0038, $0007'2A30 in sexion 00 (inexact)
07 CopRig (unused)
08 MipGP? (unused)
09 Tls? (unused)
10 LConf? $0005'3828, $0000'0040, $0005'3828 in sexion 00 (inexact)
11 BouIm? (unused)
12 IAT $0000'0580, $0000'0154, $0000'0580 in sexion 00 (exact)
13 ?????? (unused)
14 ?????? (unused)
15 ?????? (unused)
Export block found and valid
RVA, size, file position: $001A'C300, $0000'B5A2, $001A'C300
DLL name RVA: $001A'FD3E , string: "ntoskrnl.exe"
Amount of named exports: 1'487 = $0000'05CF
0 "CcCanIWrite"
- Fortunately it crashes in processing the export details, otherwise this post would be further 6'000 lines bigger --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
DOS386
27.01.2010, 13:17
@ Japheth
|
My high-end Sigi evaluator |
; SSHSIGI - dumbs (quoted), checks and reports "addon-EXE" Sigi, EOL's
; In : ESI - points to the Sigi (4 Byte's must be present)
; Out : BL - 0:invalid 1:PE 2:PX 3:LE 4:LX 5:NE (sucks) 6:COFF'ee
; Trashes : all except ESI
sshsigi:
push esi
call ssquot
mov ch, 4 ; 4 chars Sigi
call ssprintstringfix ; Trashes EAX and CH, preserves ESI and CL
call ssquot
lodsd ; Peek file Sigi
xchg edx, eax ; Drop file Sigi into EDX
call @f
db "PEPXLELXNE",$4C,1
@@: pope ecx
movntq eax, 0 ; High bits must be ZERO all the time
movntq ebx, 0 ; Pre'ASS'ume PE (will get INC'ed to 1)
sigi_desperate_search:
mov al, [ecx]
mov ah, [ecx+1]
cmp eax, edx
je short found_sigi
inc ebx ; INCNTQ BL
cmp bl, 6 ; 6 is now invalid, later COFF'ee
je short not_found_sigi
cmp bl, 4 ; 4 is now NE later LX
jne short @f
and edx, $0000'FFFF ; NE and COFF'ee are only 2 Byte's
@@: inc ecx
inc ecx
jmp short sigi_desperate_search
;---------------------------------
not_found_sigi:
call sshinvalid
mov bl, $FF ; Will get INC'ed to ZERO
jmp short hey_done_sigi
;-------------------------
found_sigi:
push eax ; Sigi in both EAX and EDX
call @f
db " recognized as ", 0
@@: pope edx
call ssprintedxa ; Trashing EAX and EDX
pope eax
cmp bl, 5 ; COFF'ee ???
je short got_the_coffee ; YES
call ssonecharal ; @
mov al, ah ; @ Display Sigi except for COFF'ee
call ssonecharal ; @
got_the_coffee:
mov ah, bl ; Can be 0 (PE) to 5 (COFF'ee), no "???" possible
call sshmultisigi ; Reduces jump distance
hey_done_sigi:
call sseol
pope esi
inc ebx ; !!!
ret
;----
sshmultisigi:
call @f
db 0, " AKA PE", 0, " Linear (WATT'com or OS'ama/2)", 0, 2
db " (sucks)", 0, "COFF'ee/DGJPP", 0
@@: pope esi
call ssmmultitext ; Updates ESI, trashes EAX
jmp ssprintesia ; Comment (not PE) or main name (COFF'ee only)
;-----------------
Preventing stupid questions about "where to download"
--- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Japheth
Germany (South), 27.01.2010, 17:25
@ DOS386
|
JPE and UPET improvements |
>
>
>
> - PX Sigi is of course also recognized, but the evil thing is the corrupt
> relox entry in the sectional header of your "PED.EXE" (see ^^^ shot, your
> BUG ... also IDECHECK is affected by this)
It's an OW WLink v1.8 bug then. Please report it to the OW group! --- MS-DOS forever! |
DOS386
15.02.2010, 09:03
@ Japheth
|
Fixed it !!! But next time, don't let morons write specific |
> It's a OW WLink v1.8 bug then. Please report it to the OW group!
No account in the BUG'zilla ...
At least, there are improvements in my UPET:
* Progress indicator for loading (see ^^^ shot) - very useful when exploring B L O A T with a slow HD (oops, sorry Marcov )
* Outsourced some Win32 API dependent stuff, preparing native DOS support without the need of DKRNL32
* Code quality improvements
* Added many features (most not yet active)
* Increased B L O A T (see ^ shot)
* Fixed the exports
BTW, the PE / PECOFF spec released by Macro$oft is inherently faulty, they wrote (among other nonsense):
> i = Search_ExportNamePointerTable (ExportName)
> ordinal = ExportOrdinalTable [i]
> SymbolRVA = ExportAddressTable [ordinal - OrdinalBase]
Regrettably this ^^^ way not a single named ex/im-port can be resolved correctly --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
DOS386
15.02.2010, 09:16 (edited by DOS386, 16.02.2010, 08:24)
@ Japheth
|
UPET improvements about Exports |
NTOSKRNL.EXE (XP) 65'535 of 70'598 Byte's - pastebin has a 64 KiB-BUG
note that function location in sections ^^^ is reported (JPE doesn't have this feature)
KERNEL32.DLL (XP) 42'506 Byte's
note the ^^^ recognition of forwarded exports (JPE doesn't have this feature) (target in next version)
SHELL32.DLL (XP) 28'004 Byte's
note the huge amount ^^^ of anonymous and unused junk exports, the strange Ordinal Base of 2 (where is the range of valid values defined ??? What about a Base of 4'294'967'295 ???), and, even worse, the names seem to be NOT SORTED, and split into multiple blocks inside the file ... very strange stuff to analyze deeper in next version --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Japheth
Germany (South), 17.02.2010, 08:24
@ DOS386
|
Fixed it !!! But next time, don't let morons write specific |
> $0000'1234
I don't like the format which you're using for numbers. These '$' and ''' make it look like a BASIC toy.
> BTW, the PE / PECOFF spec released by Macro$oft is inherently
> faulty, they wrote (among other nonsense):
>
> > i = Search_ExportNamePointerTable (ExportName)
> > ordinal = ExportOrdinalTable [i]
> > SymbolRVA = ExportAddressTable [ordinal - OrdinalBase]
>
> Regrettably this ^^^ way not a single named ex/im-port can be resolved
> correctly
Why is this nonsense?
Btw., why don't you create your own thread for your tool? There's no need to "hijack" other threads. --- MS-DOS forever! |
DOS386
18.02.2010, 09:10
@ Japheth
|
hex numbers / ordinals / hijack's |
> > $0000'1234
> I don't like the format which you're using for numbers.
> These '$' and ''' make it look like a BASIC toy.
Please supply an example of such a toy with BASIC source
> > > SymbolRVA = ExportAddressTable [ordinal - OrdinalBase]
> Why is this nonsense?
Because the so-called "OrdinalTable" apparently contains ZERO-based indexes rather than "Ordinals" ...
> Btw., why don't you create your own thread for your tool?
I will occasionally
> There's no need to "hijack" other threads.
I didn't hijack that many ... maybe 1 at most. --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
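A worked resolver for the export lookup argued over above (the ordinal table holding unbiased EAT indexes rather than biased ordinals) that also shows the forwarded-export detection mentioned earlier in the thread, added here as an example; it is not code from JPE, UPET or the PE/COFF spec, and the section RVA, ordinal base, names and addresses are all constructed.

```python
import struct

# Constructed sample: one .edata section mapped at RVA 0x3000 (hypothetical values)
EDATA_RVA = 0x3000
ORDINAL_BASE = 5                  # deliberately not 1, cf. the base of 2 in SHELL32
EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes

def build_edata():
    """Construct a tiny export section: three named exports, one forwarded."""
    names = [b"Alpha", b"Beta", b"Gamma"]   # name pointer table must be sorted
    idx = [1, 0, 2]                           # per name: UNBIASED index into the EAT
    eat_off, npt_off, ot_off = 40, 52, 64
    blob = bytearray(70)                      # header + 3 EAT + 3 NPT + 3 ordinals
    def add_str(s):                           # append a C string, return its RVA
        rva = EDATA_RVA + len(blob)
        blob.extend(s + b"\0")
        return rva
    dll_rva = add_str(b"demo.dll")
    name_rvas = [add_str(n) for n in names]
    fwd_rva = add_str(b"OTHER.Target")        # forwarder string lives in .edata
    eat = [0x1000, 0x1010, fwd_rva]           # EAT[2] points back into .edata
    struct.pack_into("<3I", blob, eat_off, *eat)
    struct.pack_into("<3I", blob, npt_off, *name_rvas)
    struct.pack_into("<3H", blob, ot_off, *idx)
    struct.pack_into(EXPORT_DIR_FMT, blob, 0, 0, 0, 0, 0, dll_rva, ORDINAL_BASE,
                     len(eat), len(names), EDATA_RVA + eat_off,
                     EDATA_RVA + npt_off, EDATA_RVA + ot_off)
    return bytes(blob)

def _cstr(sec, rva):
    off = rva - EDATA_RVA
    return sec[off:sec.index(b"\0", off)].decode()

def resolve_export(sec, want, spec_pseudocode=False):
    """Return (biased ordinal, RVA) or (biased ordinal, forwarder string) for a
    named export, None if absent or if the computed index is out of range."""
    (_, _, _, _, _, base, n_funcs, n_names,
     eat_rva, npt_rva, ot_rva) = struct.unpack_from(EXPORT_DIR_FMT, sec, 0)
    eat = struct.unpack_from("<%dI" % n_funcs, sec, eat_rva - EDATA_RVA)
    npt = struct.unpack_from("<%dI" % n_names, sec, npt_rva - EDATA_RVA)
    ot = struct.unpack_from("<%dH" % n_names, sec, ot_rva - EDATA_RVA)
    for i in range(n_names):
        if _cstr(sec, npt[i]) != want:
            continue
        index = ot[i]                 # loaders use this directly as the EAT index
        if spec_pseudocode:           # the spec's "ordinal - OrdinalBase" step
            index -= base             # (with base 1 this silently picks a neighbour)
        if not 0 <= index < n_funcs:
            return None
        rva = eat[index]
        if EDATA_RVA <= rva < EDATA_RVA + len(sec):   # target inside export data
            return (index + base, _cstr(sec, rva))    # => forwarder, not code
        return (index + base, rva)
    return None
```

With `spec_pseudocode=True` every lookup in the sample fails the range check, which is the behaviour the post complains about; the biased ordinal a dumper should print is `index + OrdinalBase`.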
DOS386
24.06.2013, 16:43
@ Japheth
|
new PE v1.23 | 2013-Jun-20 |
> since DOS386's bug-report (and fix) there were several updates to PE
> http://www.japheth.de/Download/pe.zip
1.23 is out (2013-Jun-20)
What's new:
- no more source code
+ debug codeview support (to be used with JAWASM ?) --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Rugxulo
Usono, 24.06.2013, 19:12
@ DOS386
|
new PE v1.23 | 2013-Jun-20 |
> 1.23 is out (2013-Jun-20)
>
> What's new:
>
> - no more source code
My desktop doesn't have the older versions, but here on my laptop I still see pe117.old and pe122.zip. There were a few minor releases in between, so I don't know when it changed, but 1.17 did have sources, yet 1.22 did not. So technically this isn't any different since the last minor release. |
Rugxulo
Usono, 24.06.2013, 20:56
@ Japheth
|
new PE v1.16 |
> since DOS386's bug-report (and fix) there were several updates to PE (which
> is a binary dump tool like GNU objdump, Agner Fog's objconv, ndisasm, MS
> dumpbin, ... ):
BTW, I noticed that ObjConv has been updated (2013-Jun-11) to 2.18. Feel free to test it under HX for us. |
DOS386
25.06.2013, 09:39
@ Rugxulo
|
new PE v1.23 + OBJCONV 2.18 |
> ObjConv has been updated (2013-Jun-11) to 2.18. Feel free to test
Done!!! It seems to work. What's new: ??? --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |
Rugxulo
Usono, 11.08.2013, 04:21
@ DOS386
|
new PE v1.23 + OBJCONV 2.18 |
> > ObjConv has been updated (2013-Jun-11) to 2.18. Feel free to test
>
> Done!!! It seems to work. What's new: ???
And now for some silly news ... it was updated yet again (2.19) right when you last posted this, but I didn't notice until now.
File name: objconv.zip, size: 744191, last modified: 2013-Jun-25.
What's new? A quick diff from previous version only shows the addition of CDisassembler::CheckForMisplacedLabel() in disasm1.cpp : "Remove any label placed inside function. This is called if there appears to be a function end inside an instruction." |
Rugxulo
Usono, 14.11.2013, 00:00
@ Rugxulo
|
new PE v1.24 + OBJCONV 2.31 |
PE was updated (2013-07-31) to 1.24.
ObjConv was updated (2013-Oct-16) to 2.31. |
DOS386
04.12.2013, 12:05
@ Rugxulo
|
old PE v1.24 + new OBJCONV 2.32 |
> objconv.zip, size: 814334, last modified: 2013-Nov-27.
> #define OBJCONV_VERSION 2.32
What's new: ??? --- This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft *** |