
Basic Usage of DOS DEBUG

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with how to use DOS DEBUG to:
clear the DEBUG workspace RAM with zeros,
load a raw sector into RAM,
display RAM contents on screen.
Competency:
The student will know how to use DEBUG's basic commands for the purposes of data recovery, including how to clear the DEBUG RAM workspace with zeros, how to load a raw sector into RAM, and how to display its contents on screen.

    DEBUG.EXE

  1. This machine language programmer's tool has been included with all versions of DOS from the beginning up to the WIN9x family and the WINNT family, including Windows XP. Because the 32-bit Windows operating systems are protected mode operating systems, many of the more powerful, and hence useful, capabilities of DEBUG will be blocked if they are attempted from DEBUG running within a DOS box. As such, all exercises with DEBUG must be performed from a DOS-only boot (i.e. a DOS bootable diskette or CD-ROM).

  2. Procedures

  3. Boot to the Room 6359 student CD-ROM. If the virus scan starts, cancel it with [Ctrl]+[Break]. From the Q:\BOOTNAV prompt, change to the K: RAM drive, which the bootable CD-ROM creates automatically. Insert a boot diskette into the floppy drive, which the bootable CD-ROM has remapped to be physical diskette drive B:. Now start DEBUG:


    K:\>debug
    -_

  4. At the DEBUG "dash prompt" enter the command "d 100 1ff", which tells DEBUG to dump (display) on screen the contents of RAM from offset 100h to offset 1FFh. Note that the program DEBUG itself occupies the first 256 bytes of RAM from offset 0 to offset FFh, and these are off limits. The workspace begins at offset 100h and is roughly 32KB in size. Going beyond the end of the workspace, one runs into DEBUG again and corrupts it, forcing a reboot. Corrupting the area below offset 100h can also lock up the machine and force a reboot:

    -d 100 1ff
    242C:0100  BA 83 03 E8 34 F2 C6 06-2A 28 FF 81 3E D8 2A 0F   ....4...*(..>.*.
    242C:0110  29 75 2C C6 06 0F 29 20-C7 06 D8 2A 34 00 1B 24   )u,...) ...*4..$
    242C:0120  FC 30 00 40 75 0E 81 0E-FC 30 00 40 A1 DA 2A A2   .0.@u....0.@..*.
    242C:0130  B5 2F EB 0B BA 83 03 E8-00 F2 C6 06 2A 28 FF 81   ./..........*(..
    242C:0140  3E E0 2A 6E 28 75 7A C7-06 E0 2A 00 00 C6 06 6E   >.*n(uz...*....n
    242C:0150  28 20 F7 06 FC 30 02 00-75 5C 83 0E FC 30 02 8E   ( ...0..u\...0..
    242C:0160  1E E4 2A FC 8B CE 26 8B-36 E2 2A 80 3C 00 75 22   ..*...&.6.*.<.u"
    242C:0170  06 26 8B 3E 2B 28 2B CF-26 8E 06 11 27 B0 3A F2   .&.>+(+.&...'.:.
    242C:0180  AE 07 06 1F E3 2E C6 06-2A 27 00 C6 06 10 27 FF   ........*'....'.
    242C:0190  EB 22 BF 2A 27 B9 0C 00-F3 A4 06 1F BE 2A 27 C6   .".*'........*'.
    242C:01A0  06 10 27 FF E8 7C 02 73-0B BA 63 02 E8 8B F1 C6   ..'..|.s..c.....
    242C:01B0  06 2A 28 FF EB 0B BA 83-03 E8 7E F1 C6 06 2A 28   .*(.......~...*(
    242C:01C0  FF 81 3E D0 2A F0 28 75-0B C6 06 F0 28 20 81 0E   ..>.*.(u....( ..
    242C:01D0  FC 30 00 08 81 3E E0 2A-03 29 75 38 C6 06 03 29   .0...>.*.)u8...)
    242C:01E0  20 C7 06 E0 2A 00 00 C7-06 D8 2A 00 00 F7 06 FC    ...*.....*.....
    242C:01F0  30 00 10 75 14 81 0E FC-30 00 10 83 0E FE 30 01   0..u....0.....0.
    -_
  5. The offset of the first byte of each row is displayed at the far left of the output, the actual byte values at each location are shown in hexadecimal across the row, and the ASCII code equivalents are shown at the far right. If a value has no text ASCII code equivalent, DEBUG displays a period instead. It is therefore important to know the ASCII code for a period itself, since a real period at the right could be mistaken for a byte that has no ASCII equivalent. The ASCII code for a period is "2Eh". In the dump below, the byte at offset 0185h holds this value, so the period shown for it at the far right is a genuine period:

    -d 100 1ff
    242C:0100  BA 83 03 E8 34 F2 C6 06-2A 28 FF 81 3E D8 2A 0F   ....4...*(..>.*.
    242C:0110  29 75 2C C6 06 0F 29 20-C7 06 D8 2A 34 00 1B 24   )u,...) ...*4..$
    242C:0120  FC 30 00 40 75 0E 81 0E-FC 30 00 40 A1 DA 2A A2   .0.@u....0.@..*.
    242C:0130  B5 2F EB 0B BA 83 03 E8-00 F2 C6 06 2A 28 FF 81   ./..........*(..
    242C:0140  3E E0 2A 6E 28 75 7A C7-06 E0 2A 00 00 C6 06 6E   >.*n(uz...*....n
    242C:0150  28 20 F7 06 FC 30 02 00-75 5C 83 0E FC 30 02 8E   ( ...0..u\...0..
    242C:0160  1E E4 2A FC 8B CE 26 8B-36 E2 2A 80 3C 00 75 22   ..*...&.6.*.<.u"
    242C:0170  06 26 8B 3E 2B 28 2B CF-26 8E 06 11 27 B0 3A F2   .&.>+(+.&...'.:.
    242C:0180  AE 07 06 1F E3 2E C6 06-2A 27 00 C6 06 10 27 FF   ........*'....'.
    242C:0190  EB 22 BF 2A 27 B9 0C 00-F3 A4 06 1F BE 2A 27 C6   .".*'........*'.
    242C:01A0  06 10 27 FF E8 7C 02 73-0B BA 63 02 E8 8B F1 C6   ..'..|.s..c.....
    242C:01B0  06 2A 28 FF EB 0B BA 83-03 E8 7E F1 C6 06 2A 28   .*(.......~...*(
    242C:01C0  FF 81 3E D0 2A F0 28 75-0B C6 06 F0 28 20 81 0E   ..>.*.(u....( ..
    242C:01D0  FC 30 00 08 81 3E E0 2A-03 29 75 38 C6 06 03 29   .0...>.*.)u8...)
    242C:01E0  20 C7 06 E0 2A 00 00 C7-06 D8 2A 00 00 F7 06 FC    ...*.....*.....
    242C:01F0  30 00 10 75 14 81 0E FC-30 00 10 83 0E FE 30 01   0..u....0.....0.
    -_
  6. DEBUG is displaying the random data that was already present in the RAM workspace before it was launched. This area can be filled with zeros using the FILL command like this:

    -f 100 2ff 0
    -_
          
    
  7. The FILL command says "F(ill from offset) 100 (to offset) 2FF (with) 0". The area from 100h to 2FFh is filled with zeros (as opposed to just up to 1FFh) because a physical sector from the floppy is 512 bytes, or 200h bytes, which will span from offset 100h up to offset 2FFh. Now display the first 256 bytes of this area again with the "d 100 1ff" command, and it is plain that the area has in fact been filled with zeros:

    -d 100 1ff
    242C:0100  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0110  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0120  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0130  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0140  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0150  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0160  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0170  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0180  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:0190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01C0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    242C:01F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    -_
  8. Now that the RAM workspace has been cleared, a raw sector will be read from the floppy into it. This requires the LOAD command, which depends on DOS being able to read the drive; if DOS cannot read the drive, an error will occur. Under many data recovery scenarios DOS cannot read the drive because the DOS Boot Record (DBR) has been damaged, and in that case the raw BIOS "read sector" command will be used instead. But first, use the DEBUG LOAD command "L 100 1 0 1", which means: "L(oad into offset) 100 (from drive number) 1 (logical sector number) 0 (a total of) 1 (sectors)", where the drives are numbered A: = 0, B: = 1, C: = 2 and so on. The first logical sector of the drive, numbered zero, is the DBR of that drive, so in this case the boot sector of the B: drive is being requested. As you press [Enter] for the command, watch the diskette drive activity light:

    -L 100 1 0 1
    -_
    
  9. Having loaded the boot sector of the diskette into RAM offset 100h, display it on screen now:

    -d 100 1ff
    242C:0100  EB 3C 90 4D 53 57 49 4E-34 2E 31 00 02 01 01 00   .<.MSWIN4.1.....
    242C:0110  02 E0 00 40 0B F0 09 00-12 00 02 00 00 00 00 00   ...@............
    242C:0120  00 00 00 00 00 00 29 E4-18 58 17 4E 4F 20 4E 41   ......)..X.NO NA
    242C:0130  4D 45 20 20 20 20 46 41-54 31 32 20 20 20 33 C9   ME    FAT12   3.
    242C:0140  8E D1 BC FC 7B 16 07 BD-78 00 C5 76 00 1E 56 16   ....{...x..v..V.
    242C:0150  55 BF 22 05 89 7E 00 89-4E 02 B1 0B FC F3 A4 06   U."..~..N.......
    242C:0160  1F BD 00 7C C6 45 FE 0F-38 4E 24 7D 20 8B C1 99   ...|.E..8N$} ...
    242C:0170  E8 7E 01 83 EB 3A 66 A1-1C 7C 66 3B 07 8A 57 FC   .~...:f..|f;..W.
    242C:0180  75 06 80 CA 02 88 56 02-80 C3 10 73 ED 33 C9 FE   u.....V....s.3..
    242C:0190  06 D8 7D 8A 46 10 98 F7-66 16 03 46 1C 13 56 1E   ..}.F...f..F..V.
    242C:01A0  03 46 0E 13 D1 8B 76 11-60 89 46 FC 89 56 FE B8   .F....v.`.F..V..
    242C:01B0  20 00 F7 E6 8B 5E 0B 03-C3 48 F7 F3 01 46 FC 11    ....^...H...F..
    242C:01C0  4E FE 61 BF 00 07 E8 28-01 72 3E 38 2D 74 17 60   N.a....(.r>8-t.`
    242C:01D0  B1 0B BE D8 7D F3 A6 61-74 3D 4E 74 09 83 C7 20   ....}..at=Nt... 
    242C:01E0  3B FB 72 E7 EB DD FE 0E-D8 7D 7B A7 BE 7F 7D AC   ;.r......}{...}.
    242C:01F0  98 03 F0 AC 98 40 74 0C-48 74 13 B4 0E BB 07 00   .....@t.Ht......
    -_
    
  10. This is a typical floppy DBR. In later exercises, the entire Drive Parameter Block at the top will be analyzed, but for now note the driver signature "MSWIN4.1" indicating that Windows 98 formatted this diskette. Now display the bottom 256 bytes of it with the "d 200 2ff" command:

    -d 200 2ff
    242C:0200  CD 10 EB EF BE 82 7D EB-E6 BE 80 7D EB E1 CD 16   ......}....}....
    242C:0210  5E 1F 66 8F 04 CD 19 BE-81 7D 8B 7D 1A 8D 45 FE   ^.f......}.}..E.
    242C:0220  8A 4E 0D F7 E1 03 46 FC-13 56 FE B1 04 E8 C2 00   .N....F..V......
    242C:0230  72 D7 EA 00 02 70 00 52-50 06 53 6A 01 6A 10 91   r....p.RP.Sj.j..
    242C:0240  8B 46 18 A2 26 05 96 92-33 D2 F7 F6 91 F7 F6 42   .F..&...3......B
    242C:0250  87 CA F7 76 1A 8A F2 8A-E8 C0 CC 02 0A CC B8 01   ...v............
    242C:0260  02 80 7E 02 0E 75 04 B4-42 8B F4 8A 56 24 CD 13   ..~..u..B...V$..
    242C:0270  61 61 72 0A 40 75 01 42-03 5E 0B 49 75 77 C3 03   aar.@u.B.^.Iuw..
    242C:0280  18 01 27 0D 0A 49 6E 76-61 6C 69 64 20 73 79 73   ..'..Invalid sys
    242C:0290  74 65 6D 20 64 69 73 6B-FF 0D 0A 44 69 73 6B 20   tem disk...Disk 
    242C:02A0  49 2F 4F 20 65 72 72 6F-72 FF 0D 0A 52 65 70 6C   I/O error...Repl
    242C:02B0  61 63 65 20 74 68 65 20-64 69 73 6B 2C 20 61 6E   ace the disk, an
    242C:02C0  64 20 74 68 65 6E 20 70-72 65 73 73 20 61 6E 79   d then press any
    242C:02D0  20 6B 65 79 0D 0A 00 00-49 4F 20 20 20 20 20 20    key....IO      
    242C:02E0  53 59 53 4D 53 44 4F 53-20 20 20 53 59 53 7F 01   SYSMSDOS   SYS..
    242C:02F0  00 41 BB 00 07 60 66 6A-00 E9 3B FF 00 00 55 AA   .A...`fj..;...U.
    -_
    
  11. Note the typical error messages displayed by a nonbootable floppy ("Invalid system disk...") embedded within this boot sector code. The names of the files that the bootstrap loader program, embedded above the messages, will try to find and load into RAM are listed near the bottom ("IO SYS" and "MSDOS SYS"). The last two bytes of the sector, "55 AA", are the BIOS standard boot signature, indicating that this is a "good" boot sector.

  12. In the next tutorial, the student will learn how to save the sector to a file and how to restore it to a diskette in which the sector has been damaged.
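The checks made by eye in steps 5, 10 and 11 can also be scripted when a DEBUG transcript has been captured to a text file. The Python example below is added here and is not part of the original tutorial: it parses "d" output using the hex column as the authoritative data, lists the genuine 2Eh periods, and reads the OEM ID, sector size, file system type and boot signature. The function names are hypothetical, the three dump rows are copied from the boot sector displayed above, and the field offsets (03h, 0Bh, 36h, 1FEh) assume the standard FAT12 boot sector layout.

```python
import re

LOAD_OFFSET = 0x100   # RAM offset used by "L 100 1 0 1" in the tutorial
SECTOR_SIZE = 0x200   # 512 bytes, so the sector spans offsets 100h..2FFh

# Three rows copied from the page's boot-sector dump (steps 9 and 10).
DUMP = """\
242C:0100  EB 3C 90 4D 53 57 49 4E-34 2E 31 00 02 01 01 00   .<.MSWIN4.1.....
242C:0130  4D 45 20 20 20 20 46 41-54 31 32 20 20 20 33 C9   ME    FAT12   3.
242C:02F0  00 41 BB 00 07 60 66 6A-00 E9 3B FF 00 00 55 AA   .A...`fj..;...U.
"""

# segment:offset, 16 hex bytes (dash after the 8th), three spaces, ASCII column.
ROW = re.compile(r"^[0-9A-F]{4}:([0-9A-F]{4})\s+((?:[0-9A-F]{2}[ -]){15}[0-9A-F]{2})\s{3}(.*)$")

def parse_dump(text):
    """Return ({ram_offset: byte}, [RAM offsets holding a genuine 2Eh period])."""
    mem, real_periods = {}, []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # skip prompts such as "-d 100 1ff" and "-_"
        base = int(m.group(1), 16)
        row = bytes.fromhex(m.group(2).replace("-", " "))
        ascii_col = m.group(3).ljust(16)  # restore trailing spaces lost by strip()
        for i, b in enumerate(row):
            mem[base + i] = b
            # The ASCII column is lossy: "." means 2Eh or "no printable character".
            if ascii_col[i] == "." and b == 0x2E:
                real_periods.append(base + i)
    return mem, real_periods

def sector_bytes(mem, start, length):
    """Bytes at sector offset `start`; raises KeyError if the dump lacks that row."""
    return bytes(mem[LOAD_OFFSET + start + i] for i in range(length))

def check_boot_sector(mem):
    """Read the fields the tutorial points out, assuming a FAT12 boot sector."""
    return {
        "oem_id": sector_bytes(mem, 0x03, 8).decode("ascii"),
        "bytes_per_sector": int.from_bytes(sector_bytes(mem, 0x0B, 2), "little"),
        "fs_type": sector_bytes(mem, 0x36, 8).decode("ascii").rstrip(),
        "signature_ok": sector_bytes(mem, SECTOR_SIZE - 2, 2) == b"\x55\xAA",
    }
```

Of the periods printed in the ASCII column of these three rows, only the one at offset 0109h (inside "MSWIN4.1") is a real 2Eh byte, which is why any automated check should read the hex column rather than the text column.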


Copyright © 2000-2006 Brian Robinson ALL RIGHTS RESERVED