I recently met with an exe which windbg couldn't open.
It claims to have no disassembler. As usual I renamed it as .dmp and
tried to open it as a crash dump file.
windbg can run a few commands in this mode on the loaded file,
and I see windbg is still balking at disassembling this, but the prompt
knows something about the file, it seems, as it turned into 0:00:sh
(notice the extra sh).
It seems the exe was a wince executable.
google seems to have a few entries claiming windbg / dr watson is able
to debug wince executables, but not much to chew on.
Can someone confirm if this is the case, or is there a special windbg
which knows how to debug wince? Is it available to the public?
C:\Documents and Settings\Admin\Desktop\suspect>cdb suspect.exe
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: suspect.exe
Cannot execute 'suspect.exe', Win32 error 0n193
"%1 is not a valid Win32 application."
Debuggee initialization failed, Win32 error 0n193
"%1 is not a valid Win32 application."
C:\Documents and Settings\Admin\Desktop\suspect>ren suspect.exe suspect.dmp
C:\Documents and Settings\Admin\Desktop\suspect>cdb -z suspect.dmp
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp]
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00010000 0004c800 C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp
*** WARNING: Unable to verify checksum for suspect.dmp
*** ERROR: Module load completed but symbols could not be loaded for suspect.dmp
suspect+0x7dd4:
00017dd4
0:000:sh> .load domdbg
dom WinDBG extension v0.3 loaded
0:000:sh> !grep -i -e "machine" -c "!dh suspect"
1A2 machine (Unknown)
32 bit word machine
0:000:sh> !grep -i -e "entry" -c "!dh suspect"
7DD4 address of entry point
0:000:sh> db 17dd4 l10
00017dd4 86 2f 96 2f a6 2f b6 2f-22 4f 43 68 53 6b 63 6a ././././"OChSkcj
0:000:sh> !opcodemap 86 2f
C:\Documents and Settings\Admin\Desktop\suspect\suspect.dmp
Instr OpCode Dest Source
No
0:000:sh>
disassembled with another disassembler:
00017dd4 86 2f mov.l r8,@-r15
00017dd6 96 2f mov.l r9,@-r15
00017dd8 a6 2f mov.l r10,@-r15
00017dda b6 2f mov.l r11,@-r15
00017ddc 22 4f sts.l pr,@-r15
00017dde 43 68 mov r4,r8
00017de0 53 6b mov r5,r11
00017de2 63 6a mov r6,r10
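The "1A2 machine (Unknown)" line in the session above is the key detail: 0x1A2 is IMAGE_FILE_MACHINE_SH3 (Hitachi SuperH SH-3, a Windows CE target), and the bytes at the entry point decode as SH register pushes, which matches the second disassembler's listing. The x86 WinDbg build shown simply has no SH disassembler, so loading the file as a "dump" only gets you raw bytes and the PE header. As an added illustration (not part of the original post, and not a WinDbg extension), the script below reads the same COFF fields that "!dh" printed, the machine type, entry-point RVA, image base and subsystem, straight from the PE header, so the target architecture can be identified before picking a debugger or disassembler. The image it parses is constructed inline to mirror the session's values (machine 0x1A2, entry RVA 0x7DD4, base 0x10000); the helper names are my own.

```python
import struct

# COFF machine values (IMAGE_FILE_MACHINE_* in winnt.h / the PE spec).
MACHINE_NAMES = {
    0x014C: "I386",
    0x0166: "MIPS R4000 (Windows CE)",
    0x01A2: "SH3 (Hitachi SuperH, Windows CE)",
    0x01A3: "SH3DSP",
    0x01A6: "SH4 (Windows CE)",
    0x01C0: "ARM (Windows CE)",
    0x01C2: "THUMB (Windows CE)",
    0x01C4: "ARMNT (Thumb-2)",
    0x0200: "IA64",
    0x8664: "AMD64",
}

# IMAGE_SUBSYSTEM_* values; 9 is the Windows CE GUI subsystem.
SUBSYSTEM_NAMES = {
    1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI", 9: "WINDOWS_CE_GUI",
    10: "EFI_APPLICATION", 16: "WINDOWS_BOOT_APPLICATION",
}


def parse_pe(data: bytes) -> dict:
    """Return machine, entry point, image base and subsystem of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    info = {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, "Unknown (0x%04X)" % machine),
        "sections": nsections,
        "characteristics": chars,
    }
    opt = coff + 20
    if opt_size >= 70 and opt + opt_size <= len(data):
        magic = struct.unpack_from("<H", data, opt)[0]
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        if magic == 0x20B:  # PE32+: 64-bit ImageBase at offset 24
            image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        else:               # PE32: 32-bit ImageBase at offset 28
            image_base = struct.unpack_from("<I", data, opt + 28)[0]
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
        info.update({
            "pe_magic": magic,
            "entry_rva": entry_rva,
            "image_base": image_base,
            "entry_va": image_base + entry_rva,
            "subsystem": subsystem,
            "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "Unknown (%d)" % subsystem),
        })
    return info


def build_sample_image(machine: int, entry_rva: int, image_base: int, subsystem: int) -> bytes:
    """Constructed minimal PE32 header (no sections or code) for offline testing."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt = bytearray(0xE0)                      # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> str:
    """One-line summary in the spirit of the '!dh' fields quoted in the post."""
    i = parse_pe(data)
    return "machine 0x%04X %s, entry %08X, subsystem %s" % (
        i["machine"], i["machine_name"], i.get("entry_va", 0), i.get("subsystem_name", "?"))


if __name__ == "__main__":
    # Values mirror the session: machine 1A2, entry RVA 7DD4, module base 00010000.
    sample = build_sample_image(0x01A2, 0x7DD4, 0x10000, 9)
    print(describe(sample))
```

Point the same parser at a real file with `parse_pe(open(path, "rb").read())`; if the machine field comes back as one of the SH, ARM or MIPS values with subsystem 9, the image is a Windows CE binary and an x86 WinDbg will not disassemble it, regardless of how the file is loaded.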