Is WinDbg able to debug a WinCE executable?

I recently met with an exe which WinDbg couldn't open.

It claims to have no disassembler. As usual, I renamed it as .dmp and
tried to open it as a crash dump file; WinDbg can run a few commands in
this mode on the loaded file.

And I see WinDbg is still balking at disassembling this, but the prompt
seems to know something about the file, as it turned into 0:00:sh
(notice the extra sh).

It seems the exe was a WinCE executable.

Google seems to have a few entries claiming WinDbg / Dr. Watson is able
to debug WinCE executables, but not much to chew on.

Can someone confirm if this is the case, or is there a special WinDbg
which knows how to debug WinCE? Is it available to the public?

C:\Documents and Settings\Admin\Desktop\suspect>cdb suspect.exe

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: suspect.exe
Cannot execute 'suspect.exe', Win32 error 0n193
"%1 is not a valid Win32 application."
Debuggee initialization failed, Win32 error 0n193
"%1 is not a valid Win32 application."

C:\Documents and Settings\Admin\Desktop\suspect>ren suspect.exe suspect.dmp

C:\Documents and Settings\Admin\Desktop\suspect>cdb -z suspect.dmp

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp]
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
ModLoad: 00010000 0004c800 C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp
*** WARNING: Unable to verify checksum for suspect.dmp
*** ERROR: Module load completed but symbols could not be loaded for suspect.dmp

suspect+0x7dd4:
00017dd4
0:000:sh> .load domdbg
dom WinDBG extension v0.3 loaded
0:000:sh> !grep -i -e "machine" -c "!dh suspect"
1A2 machine (Unknown)
32 bit word machine
0:000:sh> !grep -i -e "entry" -c "!dh suspect"
7DD4 address of entry point
0:000:sh> db 17dd4 l10
00017dd4 86 2f 96 2f a6 2f b6 2f-22 4f 43 68 53 6b 63 6a ././././"OChSkcj
0:000:sh> !opcodemap 86 2f
C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp
Instr OpCode Dest Source
No
0:000:sh>

Disassembled with another disassembler:
00017dd4 86 2f mov.l r8,@-r15
00017dd6 96 2f mov.l r9,@-r15
00017dd8 a6 2f mov.l r10,@-r15
00017dda b6 2f mov.l r11,@-r15
00017ddc 22 4f sts.l pr,@-r15
00017dde 43 68 mov r4,r8
00017de0 53 6b mov r5,r11
00017de2 63 6a mov r6,r10

raj_r wrote:

I recently met with an exe which WinDbg couldn't open.

It claims to have no disassembler. As usual, I renamed it as .dmp and
tried to open it as a crash dump file; WinDbg can run a few commands in
this mode on the loaded file.

And I see WinDbg is still balking at disassembling this, but the prompt
seems to know something about the file, as it turned into 0:00:sh
(notice the extra sh).

It seems the exe was a WinCE executable.

Google seems to have a few entries claiming WinDbg / Dr. Watson is able
to debug WinCE executables, but not much to chew on.

This is not a WinCE executable. Well, actually, it probably is, but that's
not the issue. The issue is that this is compiled for a Hitachi SH-3
processor. You might be able to use a DLL from the Windows CE
development kit to get Windbg to disassemble it, but you certainly can't
debug it unless you're running on an SH-3, and Windbg doesn't run on an
SH-3.

On a whim, have you tried "link /dump /disass xxx.exe" on it?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> google seems to have a few entries claiming windbg / dr watson is able
> to debug wince executable but not much to chew on

Back when Windbg wasn’t based on DbgEng, the CE team had their own fork
of the NT debugging tools. I’m not clear how the CE team used it,
presumably they shipped their own debugger, perhaps even called Windbg.

If you’re debugging CE images (esp esoteric archs that NT doesn’t
target), you should use the CE toolchain to debug them. The NT debugging
team’s tools never supported some of the CE-only targets.

On 3/4/13, Tim Roberts

> On a whim, have you tried “link /dump /disass xxx.exe” on it?
Thanks Tim.
No, link / dumpbin doesn't play dice with this exe:

C:>"C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
Setting environment for using Microsoft Visual Studio 2010 x86 tools.

C:>dumpbin /disasm "c:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file c:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp

File Type: EXECUTABLE IMAGE

LINK : warning : Disassembly not supported for this target machine

Summary

2AC00 .data
800 .pdata
1000 .rdata
6800 .rsrc
9800 .text

C:>

C:>dumpbin /headers "c:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp"
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file c:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
1A2 machine (Unknown)
5 number of sections
37B348B3 time date stamp Fri Aug 13 03:50:35 1999
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine

OPTIONAL HEADER VALUES
10B magic # (PE32)
5.11 linker version
9800 size of code
32C00 size of initialized data
0 size of uninitialized data
7DD4 entry point (00017DD4)
400 base of code
9C00 base of data
10000 image base (00010000 to 0004C7FF)
400 section alignment
200 file alignment
4.00 operating system version
0.00 image version
2.00 subsystem version
0 Win32 version
3C800 size of image
400 size of headers
0 checksum
9 subsystem (Windows CE GUI)
0 DLL characteristics
10000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [0] RVA [size] of Export Directory
A484 [3C] RVA [size] of Import Directory
36000 [6678] RVA [size] of Resource Directory
35800 [728] RVA [size] of Exception Directory
0 [0] RVA [size] of Certificates Directory
0 [0] RVA [size] of Base Relocation Directory
0 [0] RVA [size] of Debug Directory
0 [0] RVA [size] of Architecture Directory
0 [0] RVA [size] of Global Pointer Directory
0 [0] RVA [size] of Thread Storage Directory
0 [0] RVA [size] of Load Configuration Directory
0 [0] RVA [size] of Bound Import Directory
AC00 [16C] RVA [size] of Import Address Table Directory
0 [0] RVA [size] of Delay Import Directory
0 [0] RVA [size] of COM Descriptor Directory
0 [0] RVA [size] of Reserved Directory

SECTION HEADER #1
.text name
97E4 virtual size
400 virtual address (00010400 to 00019BE3)
9800 size of raw data
400 file pointer to raw data (00000400 to 00009BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read

SECTION HEADER #2
.rdata name
FE2 virtual size
9C00 virtual address (00019C00 to 0001ABE1)
1000 size of raw data
9C00 file pointer to raw data (00009C00 to 0000ABFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only

SECTION HEADER #3
.data name
2AA20 virtual size
AC00 virtual address (0001AC00 to 0004561F)
C00 size of raw data
AC00 file pointer to raw data (0000AC00 to 0000B7FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write

SECTION HEADER #4
.pdata name
728 virtual size
35800 virtual address (00045800 to 00045F27)
800 size of raw data
B800 file pointer to raw data (0000B800 to 0000BFFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only

SECTION HEADER #5
.rsrc name
6678 virtual size
36000 virtual address (00046000 to 0004C677)
6800 size of raw data
C000 file pointer to raw data (0000C000 to 000127FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only

Summary

2AC00 .data
800 .pdata
1000 .rdata
6800 .rsrc
9800 .text

C:>
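To settle the "what is this thing?" question from the headers rather than from WinDbg's prompt, here is an added example (my code, not from the list or any participant) that reads the COFF machine and subsystem fields of a PE32 image and decodes the 16-bit SH-3 words db'd at the entry point. The PE header bytes are constructed from the dumpbin values above, the entry bytes are the ones shown at 00017dd4, and the decoder only covers the three instruction forms in that prologue.

```python
import struct

# COFF machine values from the PE spec; 0x1A2 is what !dh/dumpbin showed as "(Unknown)".
MACHINES = {0x14C: "I386", 0x1A2: "SH3", 0x1A6: "SH4", 0x1C0: "ARM"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI", 9: "Windows CE GUI"}

def pe_identify(data: bytes) -> dict:
    """Return machine, subsystem, image base and absolute entry point of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, _optsz, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {"machine": machine, "arch": MACHINES.get(machine, "Unknown"),
            "subsystem": SUBSYSTEMS.get(subsystem, "Unknown"),
            "image_base": image_base, "entry": image_base + entry_rva}

def decode_sh_words(code: bytes) -> list:
    """Decode little-endian SH-3 words; only the forms in the prologue above are handled."""
    out = []
    for (w,) in struct.iter_unpack("<H", code):
        n, m = (w >> 8) & 0xF, (w >> 4) & 0xF
        if (w & 0xF00F) == 0x2006:        # MOV.L Rm,@-Rn
            out.append(f"mov.l r{m},@-r{n}")
        elif (w & 0xF0FF) == 0x4022:      # STS.L PR,@-Rn
            out.append(f"sts.l pr,@-r{n}")
        elif (w & 0xF00F) == 0x6003:      # MOV Rm,Rn
            out.append(f"mov r{m},r{n}")
        else:
            out.append(f".word 0x{w:04x}")
    return out

def build_sample_pe() -> bytes:
    """Constructed header-only image using the field values dumpbin printed above."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x1A2, 5, 0x37B348B3, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x7DD4)        # entry point RVA
    struct.pack_into("<I", opt, 28, 0x10000)       # image base
    struct.pack_into("<H", opt, 68, 9)             # subsystem: Windows CE GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# The 16 bytes the post dumped at 00017dd4 (copied from the db output above).
ENTRY_BYTES = bytes.fromhex("862f962fa62fb62f224f4368536b636a")
```

Running `pe_identify(build_sample_pe())` reports SH3 / Windows CE GUI with entry 0x17DD4, and `decode_sh_words(ENTRY_BYTES)` reproduces the eight-instruction prologue from the other disassembler.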

IDA Pro does disassemble and debug Hitachi SH3, according to

https://www.hex-rays.com/products/ida/processors.shtml.

-David

On Mon, Mar 4, 2013 at 12:44 PM, Tim Roberts wrote:
