 ͻ
 ͼ
  Ŀ Ŀ      ĿĿ     Ŀ  ĿĿĿ ĿĿĿ
   Ŀ        ٳ           ٳ ٳ ٳ Ŀ
       Ŀ  Ŀ                         Ŀ   
                    Ŀ                Ŀ      Ŀ 
     Ŀ         Ŀ  Ŀ    Ŀ  
            
  Ŀ ĿĿ  
     ĿĿ
                                                           
                          *

 ͸
  1  INTRODUCTION 

   DeGlucker (DG) is the universal debugger, designed for debugging
 original (and someone else's too :) programs.
   Despite the fact that there's a lot of other debuggers, DG has
 the following advantages:

   Works in Protected Mode, victim runs in V86
   Comfortable fullscreen interface a la Turbo Debugger
   Small size...
   ...Huge amount of features
   Free source code

   None grants these all together :)

 ͸
  2  INSTALLATION AND EXECUTION 

   DeGlucker is always ready to serve, everything you need is:

   - to have 386+ CPU and VGA card.
   - don't have any EMS-manager or multitasking OS installed
   - to unpack this package in any directory you like
   - to run DG.EXE, with the following options if necessary...

 ͸
  3  USAGE OPTIONS 

   DG should be executed like this (the content of the square brackets is
   not obligatory):

   DG [keys] [progname.ext [progparams]]
   
   Where:
    keys - options setting up DG, which should begin with '/' or '-',
          possible keys are:
     k - to use hard unlock keyboard control. Used when victim program uses
          keyboard ports to lock it. Unfortunately keyboard echo turns
          off if this option is specified, so you have to press F7
          constantly:)
     e - to give control to V86 int 6 handler, instead of PM. Used when
          victim intentionally uses invalid opcode, e.g. for the
          antidebugging means.
     r - to remove resident DG.
     ? - to show help.
   
    progname.ext - victim program name (extension required!)
           If it's not specified, DG installs resident.
    progparams - victim's command-line.

   Attention!  /k and/or /e options should certainly precede the
   victim's name, otherwise they would be treated as its command-line.

   Press [Pause] to activate resident DeGlucker. Otherwise, when
   victim's name was specified, it activates by itself.

 ͸
  4  NEW FEATURES 

   DG has a lot of new features comparing to the last CrazyMax's
   release.

  native assembler with masm/ideal syntax and pentium opcodes
  Useful FPU window
  DRXs sharing
  DRx and CRx window
  Virtual PIC
  Up to 6 bookmarks for the code/data windows
  Built-in clocks!!! (For true night-time hackers ;)))
  Status bar. (Your memory is supposed for better needs %)

 ͸
  5  DEBUGGER MAIN SCREEN 

   DeGlucker's main screen look depends on its state:

             [1][2][3]         [1][2][3]
                                                        
                                                        
                      [5][4]Ĵ                  [8]Ĵ
                                  or                     
                         [6]Ĵ                  [0][9]
             [7]Ĵ              [7]Ĵ  
                                                         
                      

              a) with stack info             b) with FPU info

   Where:

   [1] -    CPU    window with disassembled code
   [2] - Registers window with CPU registers
   [3] -   Flags   windows with CPU flags
   [4] -  Watches  window
   [5] -   Stack   window
   [6] -  Locals   window or DR/CR window
   [7] -   Dump    window,which is able to be maximized
   [8] -    STs    FPU registers and tags window
   [9] -   CR-SR   FPU flags window
   [0] - Pointers  of FPU window

   To change active window press [Tab] (clockwise), [Shift+Tab] (
 anticlockwise) or [Ctrl+n], where [n] is the number of desired window.

   Status bar consists of the following:

 _      pic: 08/70  bpint: 21/4B00 bpio: 00  123456789  DeGlucker 0.05 
                           Ĵ
         PIC base                                    active Ŀ
   Command-line         bpint numb/fn   number of Ŀ breaks/bookmarksٳ
                                           port breaks  Version or clock

 ͸
  6  WINDOWS AND KEYS DEFINITION 

  Common keys are:
   
    [F1] - Active window's keys help. Press twice for global keys.
    [Alt+X] - Exit
    [Ctrl+Alt+Del] - The same as [Alt+X]
   
    Windows control:
     [Esc] - Show user screen
     [Alt+F5] - The same as [Esc]
     [Alt+T] - Toggle clock
     [Alt+F] - Toggle FPU windows
     [Alt+D] - Toggle DR/CR or Locals window
     [Ctrl+R] - Toggle registers mode (16/32)
     [Ctrl+F4] - Calculator
   
    Victim program control:
     [F6] - Skip opcode
     [F7] - Trace
     [F8] - Step over
     [Ctrl+F2] - Reload victim
     [Alt+n] - Go to breakpoint (1<=n<=4) or bookmark (5<=n<=0)
     [Alt+0] - Go to the previous bookmark
     [Ctrl+Alt+n] - Place bookmark (5<=n<=9)
     [Ctrl+V] - Show V86 vectors table
     [Ctrl+Alt+C] - Clear user screen and set text mode
   

  CPU window  [Ctrl+1]
    In the CPU window you can observe victim's code. If the current opcode
  uses memory data, the data is displayed in the top of the window. In case
  of a breakpoint address of opcode is red, conditional breakpoint is pink.
    When break occurs, breakpoint number is highlighted with red color.
    If the current opcode is conditional jump, when condition is true the
  further coming arrow shows the direction of the jump. In case of jmp/
  call/int opcode the follow mode is activated, you are able to follow
  the destination of jmp/call/int.
    DeGlucker has built-in assembler, called automatically after typing
  anything in CPU window. Assembler accepts both MASM/Ideal syntax. You
  can assemble a few opcodes at once separating them with ';'. Still
  if a mistake was found partial assembling would not take place.
  Assembler allows 'db/dw/dd' string constants, but opcodes like
  add al,'a'-'A' are prohibited. All numbers are hex, the ending 'h' is
  not required!
 
            The examples of assembler opcodes and expressions:
  Ŀ
  icebp                  cs:pushf               db 66;cli;sti;hlt       
  jmp   100              mov   ax,1234          call  dword ptr [bx]    
  movzx eax,byte cs:[bx] movsx esi,[word gs:si] mov   ebx,[1+edi*4+eax] 
  ffree st(5)            fld [qword es:1234]    add   al,'0'            
  
 
  CPU window keys
   
    Victim program control:
     [F2] - Toggle hardware code breakpoint
     [Alt+F2] - Set conditional hardware code breakpoint
     [Shift+F2] - Show the condition of breakpoint
     [F4] - Go here
     [Alt+J] - Replace conditional jump with unconditional
     [Alt+K] - NOP opcode
     [Alt+I] - Place int break
     [Alt+P] - Place port break
     [Alt+G] - Call interrupt
     [Ctrl+N] - Set new cs:ip with the cursor address
    Navigation:
     [Ctrl+G] - Go to the specific address
     [Ctrl+I] - Go to the interrupt handler
     [Ctrl+O] - Go to cs:ip
     [Ctrl+B] - Go to the stack top address
     [Ctrl+F] - Follow int/call/jump
     [Enter] - The same as [Ctrl+F]
     [Ctrl+P] - Undo follow (up to 5 times)
     [BackSpace] - The same as [Ctrl+P]
     [Ctrl+S] - Search string/number from the cursor position
     [Ctrl+Enter] - Continue search
   

  Registers window  [Ctrl+2]
    You can see the content of CPU registers, 16bit or 32bit modes are
  allowed. If you wish to change the value select the register and enter the
  new one. Registers which values have changed after opcode executing are
  highlighted.
 
  Registers window keys
   
    [Ctrl+I] - Increase register value
    [Ctrl+D] - Decrease register value
    [Ctrl+Z] - Zero register
    [Ctrl+P] - Restore register previous value

  Flags window  [Ctrl+3]
    Shows the current state of CPU flags. Additional Trace flag is displayed
  in the top right corner.
 
  Flags window keys
   
    [Enter],
    [Space],
    [Insert] - Invert flag state
    [Ctrl+T] - Invert trace flag state

  Watches window  [Ctrl+4]
    Watches window is designed for the operative data watching up to 4
  pointers simultaneously. The left side contains pointers' values
  and the right one the data itself.
    You can specify any expression as a pointer, e.g.:
            Ŀ
             0:21*4  cs:100  ds:dx  ds+bp:ax*2+bx 
            
  , but no longer than 19 chars at once.
    Registers' values in expressions are updated. If expression doesn't
  specify any segment register (e.g. bx+cx), ds segment is assumed
  (i.e. ds:bx+cx).
 
  Watches window keys
   
    [Ctrl+T] - Toggle Hex-dump

  Stack window  [Ctrl+5]
    It contains victim program stack.
    Stack data editing is possible.
 
  Stack window keys
   
    [Ctrl+G] - Go to the specific address
    [Ctrl+O] - Go to ss:sp
    [Ctrl+N] - Set new ss:sp with the cursor address
    [Ctrl+P] - Push word
    [Ctrl+E] - pop word (i.e. add sp,2)

  Locals window  [Ctrl+6]
    Locals window shows special victim program's stack part (created by
  enter or mov bp,sp). As a rule this part contains procedure's arguments
  and local variables.
    Locals data editing is possible..
 
  Locals window keys
   
    [Ctrl+G] - Go to the specific address
    [Ctrl+O] - Go to ss:bp

  DR/CR window  [Ctrl+6], [Alt+D]
    DR/CR window contains virtual DRx and CRx values. DeGlucker is able
  to share DRx with victim program.
    In the middle horizontal part of window dr7 content is placed in more
  helpful double char form, which describes dr0-dr3 usage (from the left
  to the right). The first char shows breakpoint type, the second one
  describes its type.
 
                 Breakpoint type:                    Breakpoint size:
   Ŀ Ŀ
    x - on eXecution  m - on memory Modify   b - Byte     w - Word  
    i - on port IO    a - on memory Access   u - Unknown  d - Dword 
    
 
    This window overlaps Locals window, you can toggle between them by
  pressing [Alt+D]
 
  DR/CR window keys
   
    In h/w breakpoints status field:
     [X],[I],[M],[A] - Set breakpoint state
     [B],[W],[U],[D] - Set breakpoint size
     [L],[G]         - Toggle breakpoint activity
   
    In DR0-DR3 fields:
     [Ctrl] + aforesaid keys - The same for the selected DRx
    [Ctrl+F] - Follow DRx address in CPU/Dump window

  Dump window  [Ctrl+7]
    It shows and allows to edit memory data.
    The value of Data Breakpoint byte is highlighted. When break occurs,
  breakpoint number in the status bar is highlighted with green color.
    The Dump window header can show additional info about marked block.
 
  Dump window keys
   
    Common:
     [F5] - Maximize/Minimize Dump window
     [F2] - Toggle hardware data breakpoint
     [Alt+F2] - Set conditional hardware data breakpoint
     [Shift+F2] - Show the condition of breakpoint
     [Alt+S] - Save dump to file
     [Alt+L] - Load dump from file
    Navigation:
     [Ctrl+G] - Go to the specific address
     [Ctrl+I] - Go to the interrupt
     [Ctrl+W] - Toggle segment/raw dump mode
     [Ctrl+Left] - Shift dump a byte left
     [Ctrl+Right] - Shift dump a byte right
     [Home] - Go to the first byte in the Dump window
     [Enter] - Toggle Hex/Text fields
     [Ins] - Toggle block info
     [Ctrl+Home],
     [Ctrl+End] - Mark block begin/end
     [Shift+Home],
     [Shift+End] - Go to the begin/end of block
     [Ctrl+S] - Search string/number from the cursor position
     [Ctrl+Enter] - Continue search
   

  Ŀ
        The following 3 windows are available only if you have FPU!      
  

  STs window  [Ctrl+8]
    This window contains FPU registers data, their tags, and the current
  FPU stack top.
    st() registers are settled from up to down, their tags are placed
  from the left to the right.
    Tags contents are displayed as:
                    Ŀ
                     E - Empty        V - Valid       
                    Ĵ
                     Z - Zero         U - Unsupported 
                    
    It's allowed to change any register's value, but you should admit, that
  it's prohibited to change tag's value arbitrarily, their contents depend
  on the corresponding st register's value. Anyway you can always [Empty]
  it. Values for st registers can be represented in standard or exponential
  form. NANs (Not a number) are allowed.
  No operations or registers as value are allowed.
 
                         Examples of input:
        Ŀ
             123          3.1415        -1234e10     111e-2  
        Ĵ
                      +inf  (set positive infinity)             
        Ĵ
                    -nan  (set negative not a number)           
        
 
  STs window keys
   
    Common:
     [Home] - Go to st(0)
     [End] - Go to st(7)
     [Ctrl+H] - toggle hex form of st()
     [Alt+N] - FPU Nuke :) (FINIT)
    In st() fields:
     [Ctrl+E] - empty tag
     [Ctrl+Z] - zero tag
    In tags fields:
     [Ctrl+E] - empty tag
     [Ctrl+Z] - zero tag
     [Enter],
     [Space],
     [Ins] - Increase (if possible)
     [Del] - Decrease (if possible)
    In stack top field:
     [Ins] - Increase value
     [Del] - Decrease value
   

  CR-SR window  [Ctrl+9]
    CR-SR window shows the contents FPU control and status registers.
    c0-c3 flags of sr are joined in cc field.
 
  CR-SR window keys:
   
    [Left],
    [Right] - Move between cr and sr columns
    [Home] - Go to the top register
    [End] - Go to the bottom register
    [Enter],
    [Space],
    [Ins] - Increase/change flag value

  Pointers window  [Ctrl+0]
    This window shows the contents of FPU pointers registers.
    Unrestricted editing is allowed.
 
  Pointers window keys:
   
    [Ctrl+F] - Follow pointer in CPU/Dump windows.

 ͸
  7  ADDITIONAL FEATURES 

  
   1   Calculator                              [Ctrl+F4] in any window
  

     Built-in calculator allows simple arithmetic calculations up to 32 bit.
     Default numbers are in hex form. Decimal number should be followed by a
   dot. Quoted (') strings are allowed, the last 4 chars will be used in
   calculations ('12345' == 32333435h). You can as well specify any CPU
   register, they will be substituted by their current values. The name
   of CPU flags register is fl.
     The expression calculates from the left to the right without operations
   priority, e.g. 2+3*4 gives the same result as (2+3)*4.
   Use parenteses to change the order of expression calculation, nesting
   level is unlimited.
     If an error has taken the place, no additional calculating proceeds,
   the current result returns, e.g. 5+6+suxx+7 will be equal to 5+6 = 11.

     Besides 4 arithmetical operations, calculator allows:
              Ŀ
               & - logical "and"       | - logical "or"       
              Ĵ
               ^ - logical "xor"       % - division remainder 
              

  
   2   Inputs
  

    All inputs, which require numerical input (except st()), are processed
  by calculator, so everything mentioned about calculator applies them.

  
   3   Conditional breakpoints            [Alt+F2] in CPU/Dump windows
  

    This kind of breakpoints requires a condition. Breakpoint occurs only
  when condition is true.
    Condition format is  x cond y , where x & y - any expression (processed
  by calculator), and cond is one of the following:
     Ŀ
       = , ==       - equal      >  - more    >=  - more or equal    
      != , <> , ><  - not equal  <  - less    <=  - less or equal    
     

    Except these conditions, data breakpoints have another one -
  activate after write or activate after access.
    Note that, that data breakpoint occurs _after_ data's accessed and
  cs:ip points to the next command, after those which caused access.

  
   4   Breakpoint at interrupt                   [Alt+I] in CPU window
  

    You can set breakpoint at interrupt (the only one). This kind of break
  requires interrupt number, and ax value, which would cause a break. If
  ax (ah, al) doesn't matter, enter FFFF (FF), e.g. break at file read
  will be (ah=3Fh, int 21h):
       Ŀ
        Interrupt : 21  Function : 3FFF    (ah==3F, al == anything) 
       

    You can find the current bpint state (int/fn) in status bar.
    To deactivate breakpoint, input Interrupt more than FE .
    Int 0FFh breakpoint isn't allowed.

  
   5   In/out breakpoint                            [Alt+P] CPU window
  

    You can set unlimited ports i/o breakpoints. To trap/untrap the desired
  port, you should enter its number. To unset all ports i/o breaks specify
  zero as a port number.

    Status bar indicates the current number of ports i/o breakpoints.

  
   6   V86 interrupts table                     [Ctrl+V] in CPU window
  

    It shows current V86 interrupts states. Interrupts handlers changed
  (comparing to those ones when DG was started) by victim program are
  highlighted with yellow. Use arrows to set the required interrupt, press
  [Enter] to follow its handler. [Esc] and [Ctrl+V] close this window.

  
   7   Blocks                           [Ctrl+Home/End] in Dump window
  

    You can mark a block in the Dump window for the fast loading and saving.
  So if you leave 'Seg:Off of dump' field empty during dump load/save
  procedure, the corresponding block parameters will be used as dump offset
  and size.
    The beginning and end of a block are marked with blue arrows.

  
   8   Virtual PIC
  

    DeGlucker emulates PIC, allowing victim to reprogram interrupts bases.

 ͸
  8  COPYRIGHT & CREDITS 

    This version of DeGlucker was created by Vladimir Gneushev aka VAG &
  Oleg Prokhorov aka OlegPro (c) VAGSoft Lab. Russia, Moscow, 1999-2000.

  I would like to thank the following outstanding people:
    ALI & MASTER  - for the initial creation of this debugger
    CrazyMaX      - for the giving it the second life and free sources
    David Lindauer - for the useful sources.
    iNTEL corporation - for their huge .pdf documentation ;)
  And especially all the alpha/beta testers:
    Sergei Lebedev (2:5020/1572.160) - for the sources and long chats 8-)
    Mike Zhuravlev (2:5020/1683) and
    Vladimir Zaitsev (2:5020/935.16) - for pieces of advice
    Mike Ivanov (2:5025/73.16) - for bugs searching & correspondence ;)
    Vladimir Gorbunov (darkgrey@mail.ru) - for the bug-reports and useful
                                            programs
    And all the rest, whom I forgot (but didn't wish :) to mention ...
  The following tools were used in DeGlucker's creation:
    DOS Navigator 1.51 (c) RIT Research Labs
    Turbo Assembler 4.1 and Make 4.0 (c)Borland (Inprise) Int.
    ALINK 1.6 (c) 1998-9 Anthony A.J. Williams
                    Ŀ
    KeyRus 7.3 (c) Dmitry Gurtjak
                    

    If you found DeGlucker's bug or would like to help in its further
  development e@mail to VAGSoft@mail.ru, FIDONET 2:5020/1105.20 or /1238.10

    The latest version of DeGlucker available at http://vagsoft.da.ru

 ͸
  9  HISTORY REVISION  
   [...] Coming soon... (see read_it.!!!)
 ķ
 [dox revision 1.4e-V at 8-may-2000]EOF!
