VOGONS


First post, by Chelnov18

Rank Newbie

Hello,
Apologies if this is the incorrect forum.
I am currently working on doing some reverse engineering on Origin's Bioforge from 1995. I would like to do some static code analysis using IDA Pro, but am running into a problem with the PharLap DOS extender that Bioforge uses, since IDA can't disassemble the actual executable. So I have read that it should be possible to strip off the DOS extender from the original executable before attempting to disassemble it. I have a copy of the PharLap386 DOS extender ver. 4.1 SDK. It should be possible to use the SDK to strip off the extender, but so far I have not had much luck doing so.

So I was wondering if anyone here has done something similar and could provide some insight into how this is done properly. I am still fairly new to reversing and DOS programming in general, so this may be an obvious question. I am able to see the code running via the DOSBox debugger, so I can do dynamic analysis, but working in IDA would be a big help.

Reply 1 of 5, by HandOfFate

Rank Member

Another newbie DOS reverse engineer here: I recently used the MEMDUMPBIN command in the DOSBox debugger to get around the obfuscation of a program. Its code was stored in fragments in the binary and placed at the correct positions in memory at runtime. I dumped everything once the de-obfuscation routine was done and then did static analysis with IDA on that memory dump.

Maybe this method would work for you too?

(btw, do you know about the OpenBioforge project? Maybe the person behind it has experience with dealing with the extender)

Am486 DX4 120MHz, no L2, 16MB, Tseng ET4000/W32 1MB VLB, ESS ES1869 /// 5x86 133MHz, 256kb L2, 64MB, S3 Virge/DX 4MB PCI, SB16 + Yucatan FX, PicoGUS /// Pentium III 1GHz, 512MB, Asus V7700 64MB AGP, SB Live!

Reply 2 of 5, by Chelnov18

Rank Newbie

Thank you, that is a good suggestion. Definitely worth a try.
I am familiar with OpenBioforge. In a sense I could just wait for that to be released since that will likely be way before I have enough done to even resemble a game. But I guess I will just use my own project as a fun learning experience.

Reply 3 of 5, by mkarcher

Rank l33t

Chelnov18 wrote on 2024-01-28, 17:51:

So I was wondering if anyone here has done something similar and could provide some insight into how this is done properly. I am still fairly new to reversing and DOS programming in general, so this may be an obvious question. I am able to see the code running via the DOSBox debugger, so I can do dynamic analysis, but working in IDA would be a big help.

I ran into this issue, too. I don't remember exactly how I solved it, but I am confident that I either used a hex editor to just remove everything before the "extended EXE header" used by Phar Lap (NE? LX?), or the stub-stripping tool supplied with DOS32A was able to do the job.

Reply 4 of 5, by HandOfFate

Rank Member

Chelnov18 wrote on 2024-01-28, 22:26:

Thank you, that is a good suggestion. Definitely worth a try.
I am familiar with OpenBioforge. In a sense I could just wait for that to be released since that will likely be way before I have enough done to even resemble a game. But I guess I will just use my own project as a fun learning experience.

I meant it as maybe the person behind it could help you with questions. I didn't intend it as trying to dissuade you from working on this at all 😀

Am486 DX4 120MHz, no L2, 16MB, Tseng ET4000/W32 1MB VLB, ESS ES1869 /// 5x86 133MHz, 256kb L2, 64MB, S3 Virge/DX 4MB PCI, SB16 + Yucatan FX, PicoGUS /// Pentium III 1GHz, 512MB, Asus V7700 64MB AGP, SB Live!

Reply 5 of 5, by MERCURY127

Rank Member

PharLap's executables are ordinary 32-bit PE files; the header starts at 6680h. Just select the PE loader in IDA when opening the file for disassembly.
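As an added example (not code from any poster in this thread), here is a small Python helper that locates the embedded 32-bit PE image inside a Phar Lap-bound DOS executable and writes it out without the extender stub, so IDA's PE loader can take it directly. It assumes the embedded image carries the standard "PE\0\0" signature with an i386 COFF header, as MERCURY127 describes; the sample file it builds is constructed, not a real Bioforge binary, and the 6680h offset of a real file is not hard-coded.

```python
import struct

MZ_HEADER_LEN = 64          # e_lfanew lives at offset 60 of the MZ header
I386_MACHINE = 0x14C        # IMAGE_FILE_MACHINE_I386
PE32_MAGIC = 0x10B          # optional-header magic for 32-bit PE


def _looks_like_pe(data: bytes, off: int) -> bool:
    """Validate a 'PE\\0\\0' candidate: i386 machine and a PE32 optional header."""
    if data[off:off + 4] != b"PE\0\0" or off + 26 > len(data):
        return False
    machine, = struct.unpack_from("<H", data, off + 4)        # COFF Machine
    opt_size, = struct.unpack_from("<H", data, off + 20)      # SizeOfOptionalHeader
    if machine != I386_MACHINE or opt_size < 2:
        return False
    magic, = struct.unpack_from("<H", data, off + 24)         # optional header Magic
    return magic == PE32_MAGIC


def find_embedded_pe(data: bytes) -> int:
    """Return the file offset of the embedded PE image, or -1 if none is found.

    e_lfanew is tried first; bound extenders often leave it unset, so the
    file is then scanned for every 'PE\\0\\0' and each hit is validated.
    """
    if len(data) < MZ_HEADER_LEN or data[:2] != b"MZ":
        return -1
    candidates = []
    e_lfanew, = struct.unpack_from("<I", data, 60)
    if 0 < e_lfanew < len(data) - 4:
        candidates.append(e_lfanew)
    pos = data.find(b"PE\0\0")
    while pos != -1:
        candidates.append(pos)
        pos = data.find(b"PE\0\0", pos + 1)
    return next((off for off in candidates if _looks_like_pe(data, off)), -1)


def strip_extender(data: bytes) -> bytes:
    """Return the bytes from the PE header onward (the extender stub removed)."""
    off = find_embedded_pe(data)
    if off < 0:
        raise ValueError("no embedded i386 PE image found")
    return data[off:]


def constructed_sample() -> bytes:
    """Constructed stand-in for a bound EXE: MZ stub (with a decoy 'PE' string) + PE."""
    stub = bytearray(b"MZ" + b"\0" * 62 + b"\xcc" * 0x100)    # e_lfanew left at zero
    stub[100:104] = b"PE\0\0"                                  # decoy: Machine would be 0xCCCC
    coff = struct.pack("<HHIIIHH", I386_MACHINE, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(stub) + b"PE\0\0" + coff + struct.pack("<H", PE32_MAGIC) + b"\0" * 0xDE
```

Write `strip_extender(open("BIOFORGE.EXE", "rb").read())` to a new file and open that in IDA; section PointerToRawData fields are kept as-is, so verify they line up with the stripped file before trusting the disassembly.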