
View Full Version : Reversing win16 applications???


BobRock
June 16th, 2002, 18:02
Hello,

what tools (debuggers, disassemblers, etc) can be used to reverse a win16 application?
Thx.

Regards,
Bob Rock

foxthree
June 16th, 2002, 19:28
Hi there:

16-bit Windows applications come in what is called the NE file format... a format that is not particularly appealing... if you know what I mean. However, I think W32DAsm can handle NE files. I remember working with it a long time back. For debugging, what better than SoftICE for Win3.x! Take a look at exetools.com/debuggers.

Signed,
-- FoxThree

cah
June 20th, 2002, 05:39
How to find free space & lengthen the code segment of NE file format? Any tools/utilities/knowledge available on this subject?

Thanks in advance
Cah....

Kayaker
June 20th, 2002, 06:52
Hi Cah,

Interesting problem. It'd be best to study the NE file structure and figure out how to add a new segment, or increase the length of the last one. There are NE docs at wotsit.org, d/l them all there and examine them.

Taking a look at the New EXE ("NE") header file NEWEXE.H, I'd be playing with the values in certain fields you can find as offsets to the ASCII "NE" (same as in a PE file), such as:

NE + 1Ch - Specifies the number of entries in the segment table.

NE + 22h - Specifies a relative offset from the beginning of the Windows header to the beginning of the segment table.


Then I'd try to figure out how to add a new segment to the segment table, or maybe easier, lengthen the last segment.


;-----------------------------------------------
struct new_seg                  /* New .EXE segment table entry */
{
    unsigned short ns_sector;   /* File sector of start of segment */
    unsigned short ns_cbseg;    /* Number of bytes in file */
    unsigned short ns_flags;    /* Attribute flags */
    unsigned short ns_minalloc; /* Minimum allocation in bytes */
};
;-----------------------------------------------

Segment Table
▀▀▀▀▀▀▀▀▀▀▀▀▀
The segment table contains information that describes each segment in an
executable file. This information includes the segment length, segment type,
and segment-relocation data. The following list summarizes the values found
in the segment table (the locations are relative to the beginning of each
entry):

Location │ Description
═════════╪═════════════════════════════════════════════════════════════════
00h      │ Specifies the offset, in sectors, to the segment data (relative
         │ to the beginning of the file). A value of zero means no data
         │ exists.

02h      │ Specifies the length, in bytes, of the segment, in the file. A
         │ value of zero indicates that the segment length is 64K, unless
         │ the selector offset is also zero.

04h      │ Specifies flags that describe the contents of the executable
         │ file. This value can be one or more of the following:

06h      │ Specifies the minimum allocation size of the segment, in bytes.
         │ A value of zero indicates that the minimum allocation size is
         │ 64K.
;---------------------------------------------------------------


There may be other things you'd have to change also and I don't know how well this would work, but it seems to be the starting idea. Your 16 bit app will probably crash and burn the first few times, but it'd be interesting to hear a report of your attempts.

Cheers,
Kayaker
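
Added example, not part of the thread and not any poster's code: a read-only Python walk of the segment table using the offsets Kayaker lists (NE + 1Ch, NE + 22h) and the 8-byte entry layout quoted above, reporting where each segment ends in the file and how much sector padding follows it. The alignment shift at NE + 32h, the flag values 0001h and 0100h, and the relocation record layout are taken from the NE format documentation rather than from this thread; `parse_ne_segments` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

NSDATA, NSRELOC = 0x0001, 0x0100   # ns_flags bits: data segment, has relocation records

def parse_ne_segments(image: bytes):
    """List NE segment-table entries with file offsets and sector padding."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ stub header")
    (ne,) = struct.unpack_from("<I", image, 0x3C)          # offset of the "NE" header
    if image[ne:ne + 2] != b"NE":
        raise ValueError("not an NE executable")
    (count,) = struct.unpack_from("<H", image, ne + 0x1C)  # segment table entries
    (table,) = struct.unpack_from("<H", image, ne + 0x22)  # table offset from "NE"
    (shift,) = struct.unpack_from("<H", image, ne + 0x32)  # log2 of sector size
    segments = []
    for i in range(count):
        sector, cbseg, flags, minalloc = struct.unpack_from(
            "<4H", image, ne + table + 8 * i)
        start = sector << shift
        size = (cbseg or 0x10000) if sector else 0         # 0 bytes in file means 64K
        end = start + size
        if sector and flags & NSRELOC:                     # count word + 8-byte records
            (nrel,) = struct.unpack_from("<H", image, end)
            end += 2 + 8 * nrel
        if end > len(image):
            raise ValueError(f"segment {i + 1} runs past end of file")
        pad = -end % (1 << shift) if sector else 0         # bytes up to next sector
        segments.append({"index": i + 1, "type": "data" if flags & NSDATA else "code",
                         "offset": start, "size": size, "end": end,
                         "minalloc": minalloc or 0x10000, "pad": pad,
                         "pad_is_zero": not any(image[end:end + pad])})
    return segments

def build_sample() -> bytes:
    """Constructed 0x150-byte NE image: one code and one data segment."""
    img = bytearray(0x150)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # NE header at 0x40
    img[0x40:0x42] = b"NE"
    struct.pack_into("<H", img, 0x40 + 0x1C, 2)            # two segments
    struct.pack_into("<H", img, 0x40 + 0x22, 0x40)         # table at file offset 0x80
    struct.pack_into("<H", img, 0x40 + 0x32, 4)            # 16-byte sectors
    struct.pack_into("<4H", img, 0x80, 0x10, 0x25, 0x0000, 0x25)
    struct.pack_into("<4H", img, 0x88, 0x13, 0x10, NSDATA | NSRELOC, 0)
    struct.pack_into("<H", img, 0x140, 1)                  # one relocation record
    return bytes(img)

if __name__ == "__main__":
    print(*parse_ne_segments(build_sample()), sep="\n")
```

`pad` is only the distance from the end of a segment's data (and relocation records) to the next sector boundary; other tables may occupy those bytes, so check `pad_is_zero` and the rest of the file layout before treating them as unused.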

cah
June 22nd, 2002, 05:19
Thanks for your reply. I will play & dig more about this NE code segment lengthening.

Cah...