4

I have an old DOS program compiled using Borland C++ (1991 version)

The end of the executable contains many strings preceded by an underscore which looks like debug/symbol information :

eg: _HandleMemory, _AddKey, _SetPalette, ...

Most of these strings seems to be functions or variables names.

However once the exe is opened in IDA, that information is not used, most functions are simply named this way (except some known C functions like _qsort) :

sub_XXXXX

Is there a way to import that info back to IDA ?

0xec
  • 6,090
  • 3
  • 23
  • 33
tigrou
  • 371
  • 4
  • 13
  • Are you sure it's not actually a list of DLL imported symbols? – Jongware Dec 31 '15 at 01:17
  • By DLL, do you mean an external library ? (since AFAIK, DLL are windows only). I don't think so because these strings are referenced in any other of the program files. – tigrou Dec 31 '15 at 12:03
  • DLL is a Windows term, but Microsoft did not invent importing libraries from scratch. I assume you mean "not referenced" elsewhere. But: Just a list of symbols is practically useless. Are there any references to it inside the same executable? Can you upload this file and provide a link to it, so others can check? – Jongware Dec 31 '15 at 12:07
  • 1
    Yes you are right, I mean "not referenced". The program in question is a game (Alone in the Dark 1). It is freely downloadable on many abandonware sites, but i am not sure if it's OK to put a link to the executable here ? – tigrou Dec 31 '15 at 13:27
  • The year 1991 pegs this as Turbo C++ 1.0 or thereabouts, and it is indeed very likely that the tail data in question is Borland-style debug info (16-bit TDS format). Experiments show that the available IDA freewares - 3.7 through 5.0 - do not recognise the 16-bit Borland debug info. If the debug info is stripped into a separate TDS file (via tdstrip.exe) then you get a rejection message in the output window for those versions that can deal with TDS in principle but expect the newer 32-bit format (as of BOA 4.0 and beyond). Same for the 'Load TDS' menu item, if present. – DarthGizka Dec 31 '15 at 17:29
  • Payware IDA can FLIRT the 16-bit Borland code but apparently it can't load 16-bit TDS (at least not with the shipped plugins). Hence it seems necessary to find a tool that can rip at least the symbol info from 16-bit TDS for import into IDA in some way or other. There's loads of stuff for 32-bit Borland around (and also shipping with IDA) but 16-bit stuff probably predates the IDA plugin revolution... I was using things like Sourcer at the time (which should be available for free somewhere on the net, as abandonware or freeware). Turbo C++ 1.01 should be available from Emborlandero for free. – DarthGizka Dec 31 '15 at 17:34
  • I just open the exe in TD (Turbo Debugger 3.1) and it works! i got all variables, functions, modules names, wow!... While its not exactly what i wanted it already very good. Thanks ! – tigrou Dec 31 '15 at 20:00
  • Older versions of tdump can display/dump the old style debug info as well; that's up to version 5.0 (i.e. the version that shipped with BC++ 3.1, the last before BC++ 4.0 with the new linker/TDS format). The other tools can convert to TDS (e.g. tdmap) but not from TDS to something different. However, since you have a working Turbo Debugger you're basically set. The free versions available from Embarcadero usually lack advanced tools but here are the links anyway ;-) Turbo C 2.01 Turbo C++ 1.01 – DarthGizka Dec 31 '15 at 20:51

2 Answers2

4

In case anyone has same question, here is how I solved it :

1) I exported all debug symbol information to a text file, using TDUMP.

TDUMP somefile.exe > 1.txt

2) I cleaned the txt file to keep only useful information : 

[Function name] + [Address]

3) I imported the file back to IDA using a python script : see here

Community
  • 1
tigrou
  • 371
  • 4
  • 13
0

I've written an IDAPython script which parses the debug information and then performs the corresponding renamings, all from within IDA.

The script, along with simple usage instructions, are available on GitHub.

ramikg
  • 1