visions_of_eden
November 30th, 2010, 02:40
Hi,
I'm trying to reverse a DOS-based BIOS flasher (the AsRock BIOS flasher, to be specific) which runs with the DOS/4G extender.
I need to modify it in order to flash a write-protected section of the BIOS.
Since I've never done RE on this kind of executable (DOS EXE that runs with an extender), I don't know where to start.
Analysing the EXE with a hex editor shows that the size of the EXE is larger than the one specified in the DOS header. The reason is that the image size specified in the DOS header just contains a DOS/4G loader, which (I think, since I've not been able to analyse it) initialises the protected-mode environment, in turn loads the real program (the section appended after the end of the regular EXE image), and switches to PM, transferring control to the real program.
To verify this I reduced the EXE size to the one specified in the header (trimming the additional bytes), and the results confirm my thoughts, since the program still executes but throws an error like "This EXE is not a DOS/16M executable".
Trying to load it in IDA generates a warning saying that the file is larger than the size specified in the header, then loads the EXE but without the additional bytes, just the right image size as in the header. Some sections of the disassembled code point to a segment which falls right in the section of the file that has not been loaded by IDA.
I don't know if I explained myself clearly (sorry for the bad English), but could someone point me in the right direction?
What disassembler/debugger could be used to debug this kind of program?
Do DOS/4G-embedded programs have specific headers to identify where the real program is in the image?
Thanks.
Nico.
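The size mismatch described in the post can be measured directly from the MZ header: bytes 2-3 (bytes used in the last 512-byte page) and bytes 4-5 (page count) give the size of the DOS image the loader will read, and anything past that offset is the appended extender payload. The following script is an added example, not code from the post or from AsRock's flasher; it builds a constructed MZ stub with an appended overlay, computes the header-declared size, and reports what sits beyond it. The "LE" (Linear Executable, used by DOS/4G-bound programs) and "BW" (DOS/16M) signatures are real; the sample layout, the helper names and the 0x300-byte stub size are assumptions for the demonstration.

```python
import struct

MZ_PAGE = 512  # the MZ header counts the image in 512-byte pages

# Two-byte signatures an extender loader may place right after the MZ image.
# "LE" and "BW" are real signatures; treat the list as a hint, not a proof.
OVERLAY_SIGNATURES = {
    b"LE": "Linear Executable (DOS/4G-bound program)",
    b"BW": "DOS/16M image",
    b"LX": "OS/2 LX (sometimes used by extenders)",
}


def mz_image_size(data: bytes) -> int:
    """Return the DOS image size exactly as the MZ header declares it."""
    if len(data) < 0x40 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)  # bytes in last page, pages
    size = e_cp * MZ_PAGE
    if e_cblp:  # a non-zero value means the last page is only partly used
        size -= MZ_PAGE - e_cblp
    return size


def find_overlay(data: bytes):
    """Describe the bytes appended after the header-declared image, or None.

    This is the region a DOS-only loader (or IDA, as the post reports) never
    reads; the extender's own loader locates it by the same arithmetic.
    """
    declared = mz_image_size(data)
    if len(data) <= declared:
        return None  # file is exactly (or shorter than) the MZ image: no payload
    overlay = data[declared:]
    sig = overlay[:2]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of a newer header, if any
    return {
        "offset": declared,
        "length": len(overlay),
        "signature": sig,
        "kind": OVERLAY_SIGNATURES.get(sig, "unknown"),
        "e_lfanew_points_at_overlay": e_lfanew == declared,
    }


def build_sample(stub_len: int = 0x300, overlay: bytes = b"LE" + b"\x00" * 0x100) -> bytes:
    """Constructed sample (assumption, not a real flasher): an MZ stub of
    stub_len bytes followed by an arbitrary overlay."""
    e_cp = (stub_len + MZ_PAGE - 1) // MZ_PAGE
    e_cblp = stub_len % MZ_PAGE
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<HH", header, 2, e_cblp, e_cp)
    struct.pack_into("<H", header, 8, 4)           # header size: 4 paragraphs
    struct.pack_into("<I", header, 0x3C, stub_len)  # e_lfanew -> start of overlay
    body = bytes(header) + b"\x90" * (stub_len - 0x40)  # NOP filler for the stub
    return body + overlay


if __name__ == "__main__":
    sample = build_sample()
    print("declared MZ image size:", hex(mz_image_size(sample)))
    print("overlay:", find_overlay(sample))
    # Trimming to the declared size reproduces the post's experiment: no overlay left.
    print("trimmed:", find_overlay(sample[: mz_image_size(sample)]))
```

Run it against a real flasher by replacing `sample` with the file's bytes; the reported offset is where to tell a disassembler the extender payload begins, and a `None` result on a trimmed copy matches the "not a DOS/16M executable" failure the post describes.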