Editing Binaries in DOS

By Susam Pal on 18 Jul 2002

Both MS-DOS and Windows 98 come with a debugger program named DEBUG.EXE that make it possible to edit binary files without requiring additional tools. Although the primary purpose of this program is to test and debug executable files, it can be used to edit binary files too. Two examples of this are shown in this post. The first example edits a string of bytes in an executable file. The second one edits machine instructions to alter the behaviour of the program. Both examples provided in the next two sections can be reproduced on MS-DOS version 6.22. These examples can be performed on Windows 98 too after minor adjustments.

Editing Data

Let us first see an example of editing an error message produced by the MODE command. This DOS command is used for displaying and reconfiguring system settings. For example, the following command sets the display to show 40 characters per line:

C:\>MODE 40

The following command reverts the display to show 80 characters per line:

C:\>MODE 80

Here is another example of this command that shows the current settings for serial port COM1:

C:\>MODE COM1

Status for device COM1:
-----------------------
Retry=NONE

C:\>

An invalid parameter leads to an error like this:

C:\>MODE 0

Invalid parameter - 0

C:\>

We will edit this error message to be slightly more helpful. The following debugger session shows how.

C:\>DEBUG C:\DOS\MODE.COM
-S 0 FFFF 'Invalid parameter'
117C:19D1
-D 19D0 19FF
117C:19D0  13 49 6E 76 61 6C 69 64-20 70 61 72 61 6D 65 74   .Invalid paramet
117C:19E0  65 72 0D 0A 20 0D 0A 49-6E 76 61 6C 69 64 20 6E   er.. ..Invalid n
117C:19F0  75 6D 62 65 72 20 6F 66-20 70 61 72 61 6D 65 74   umber of paramet
-E 19D0 12 'No soup for you!' D A
-D 19D0 19FF
117C:19D0  12 4E 6F 20 73 6F 75 70-20 66 6F 72 20 79 6F 75   .No soup for you
117C:19E0  21 0D 0A 0A 20 0D 0A 49-6E 76 61 6C 69 64 20 6E   !... ..Invalid n
117C:19F0  75 6D 62 65 72 20 6F 66-20 70 61 72 61 6D 65 74   umber of paramet
-N SOUP.COM
-W
Writing 05C11 bytes
-Q

C:\>

We first open MODE.COM with the debugger. When we do so, the entire program is loaded into offset 0x100 of the code segment (CS). Then we use the S debugger command to search for the string "Invalid parameter". This prints the offset at which this string occurs in memory.

We use the D command to dump the bytes around that offset. In the first row of the output, the byte value 13 (decimal 19) represents the length of the string that follows it. Indeed there are 19 bytes in the string composed of the text "Invalid parameter" and the following carriage return (CR) and line feed (LF) characters. The CR and LF characters have ASCII codes 0xD (decimal 13) and 0xA (decimal 10). These values can be seen at the third and fourth places of the second row of the output of this command.

Then we use the E command to enter a new string length followed by a new string to replace the existing error message. Note that we enter a string length of 0x12 (decimal 18) which is indeed the length of the string that follows it. After entering the new string, we dump the memory again with D to verify that the new string is now present in memory.

After confirming that the edited string looks good, we use the N command to specify the name of the file we want to write the edited binary to. This command starts writing the bytes from offset 0x100 to the named file. It reads the number of bytes to be written to the file from the BX and CX registers. These registers are already initialised to the length of the file when we load a file in the debugger. Since we have not modified these registers ourselves, we don't need to set them again. In case you do need to set the BX and CX registers in a different situation, the commands to do so are R BX and R CX, respectively.

Finally, the W command writes the file and the Q command quits the debugger. Now we can test the new program as follows:


C:\>SOUP 0

No soup for you! - 0

C:\>

Editing Machine Instructions

In this section, we will see how to edit the binary we created in the previous section further to add our own machine instructions to print a welcome message when the program starts. Here is an example debugger session that shows how to do it.

C:\>DEBUG SOUP.COM
-U
117C:0100 E99521        JMP     2298
117C:0103 51            PUSH    CX
117C:0104 8ACA          MOV     CL,DL
117C:0106 D0E1          SHL     CL,1
117C:0108 32ED          XOR     CH,CH
117C:010A 80CD03        OR      CH,03
117C:010D D2E5          SHL     CH,CL
117C:010F 2E            CS:
117C:0110 222E7D01      AND     CH,[017D]
117C:0114 2E            CS:
117C:0115 890E6402      MOV     [0264],CX
117C:0119 59            POP     CX
117C:011A 7505          JNZ     0121
117C:011C EA39E700F0    JMP     F000:E739
-D 300
117C:0300  07 1F C3 18 18 18 18 18-00 00 00 00 00 00 00 00   ................
117C:0310  00 00 FF 00 00 00 00 00-FF 00 00 00 00 00 00 00   ................
117C:0320  00 00 00 00 00 00 00 00-00 00 FF FF 90 00 40 00   ..............@.
117C:0330  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
117C:0340  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
117C:0350  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
117C:0360  00 00 00 FF 00 00 00 00-00 00 00 00 00 00 00 00   ................
117C:0370  02 00 2B C0 8E C0 A0 71-03 A2 BA 07 A2 BC 07 3C   ..+....q.......<
-A
117C:0100 JMP 330
117C:0103
-A 330
117C:0330 MOV AH, 9
117C:0332 MOV DX, 33A
117C:0335 INT 21
117C:0337 JMP 2298
117C:033A DB 'Welcome to Soup Kitchen!', D, A, '$'
117C:0355
-W
Writing 05C11 bytes
-Q

C:\>

At the beginning, we use the debugger command U to unassemble (disassemble) some bytes at the top of the program to see what they look like. We see that the very first instruction is a jump to offset 0x2298. The debugger command D 300 shows that there are contiguous zero bytes around offset 0x330. We replace some of these zero bytes with new machine instructions that print our welcome message. To do this, we first replace the jump instruction at the top with a jump instruction to offset 0x330 where we then place the machine code for our welcome message. This new machine code prints the welcome message and then jumps to offset 0x2298 allowing the remainder of the program to execute as usual.

The debugger command A is used to assemble the machine code for the altered jump instruction at the top. By default it writes the assembled machine code to CS:0100 which is the address at which DOS loads executable programs. Then we use the debugger command A 330 to add new machine code at offset 0x330. We try not to go beyond the region with contiguous zeroes while writing our machine instructions. Fortunately for us, our entire code for the welcome message occupies 37 bytes and and the last byte of our code lands at offset 0x354.

Finally, we write the updated program in memory back to the file named SOUP.COM. Since the debugger was used to load the file named SOUP.COM, we do not need to use the N command to specify the name of the file again. When a file has just been loaded into the debugger, by default the W command writes the program in memory back to the same file that was loaded into the memory.

Now our updated program should behave as shown below:

C:\>SOUP COM1
Welcome to Soup Kitchen!

Status for device COM1:
-----------------------
Retry=NONE

C:\>SOUP 0
Welcome to Soup Kitchen!

No soup for you! - 0

C:\>

That's our modified program that prints a welcome message and our own error message created with the humble DOS debugger.

Comments | #assembly | #programming | #dos | #technology