MS-DOS DEBUG Basics for Fixed-Format Files
The Microsoft MS-DOS DEBUG program provides a generally available tool for
examining and analyzing files in a Microsoft environment.
Files can be loaded and their internal data can be
displayed (in hexadecimal) regardless of whether or not the data
is encoded in a character format.
You can also find some free graphical hex dump programs (e.g. "hexdit"
from www.physics.ohio-state.edu or "XVI32" from www.chmaas.handshake.de)
but DEBUG is usually already installed on Windows computers.
Unix/Linux/BSD systems come with an od command-line
utility that can dump files in various formats, and various free GUI
editors such as HexEdit (available on sourceforge.net).
The DOS DEBUG Dump/Display Format
Sample DOS DEBUG Dump Output:
1373:0100 46 FE 06 47 DB EB EF E8-DB F9 75 04 FE 06 A3 D8 F..G......u.....
1373:0110 3C 3F 75 05 80 0E A7 D8-02 3C 2A 75 05 80 0E A7 <?u......<*u....
1373:0120 D8 02 3A 06 94 D2 75 C9-4E 32 C0 86 04 46 3C 0D ..:...u.N2...F<.
1373:0130 75 02 88 04 89 36 6B D7-89 0E 69 D7 C3 BE 48 DB u....6k...i...H.
1373:0140 8B 4C 05 8B 74 09 E8 08-00 03 F1 E8 03 00 3C 0D .L..t.........<.
- Address Every byte in memory has its own
unique address. The pair of 4-hexadecimal digit values at the
left side of each line of the dump indicates the address of the
first data byte displayed on that line. For now we will ignore
the initial 4-hexadecimal digit value (1373 in this case) and
consider only the second 4 digits to be relevant. For reasons
to be discussed later in this course, most files are loaded in
memory by DEBUG starting at address 0100 hex. (.EXE files are
the only exception). 16 (10 hex) data bytes are displayed on
each line, so an address of 0120 (for example) at the beginning
of a dump line indicates that the addresses for the bytes on
that line start at 0120 and go up to 12F inclusive; the byte at
address 012C above has the value 04, as an example.
- Hexadecimal Data Values As has already
been mentioned the middle portion of each dump line shows (in
hexadecimal) the internal bit pattern of 16 (10 hex) bytes of
data in memory. The "dash" character displayed in the middle of
each dump line has no significance for the values stored in
memory; it is simple an indicator to help us count addresses
(the byte immediately following the dash is at an address 8
more than the address at the beginning of the line).
- ASCII codes At the far right of each line
is a display of the character each byte of the line could be
interpreted as representing (assuming that each byte was being
used to hold an ASCII encoded character... which of course will
not always be the case). Non-displayable ASCII codes and codes
beyond the standard ASCII range are displayed in this area as
- Periods are also displayed as periods in the ASCII section.
Don't confuse the two.
Running Debug: Basic Commands
- Starting the DEBUG program - From the
MS-DOS command prompt, type DEBUG and hit the [Enter] key. If
your system responds with a message indicating that it could
not find this program, check that DEBUG.EXE is in fact
installed on your computer and that there is a PATH to the
directory containing DEBUG.EXE. The DEBUG program should
respond with a fresh line starting with a dash, the DEBUG
- Quitting DEBUG When you are finished using
DEBUG, type the letter Q (for Quit) at the DEBUG prompt (and
- Naming a file to load and Loading it A
file can be specified on the command line when you start DEBUG.
File names must be in DOS 8.3 format. Long file names may
not be recognized. Rename your file to 8.3 format first.
A more general method is to identify the name of the file (or
the complete file path) of the file to be loaded, by typing the
letter N followed immediately by the name (or path) of the file
to be used; you must then (on the next line) type the letter L
(for load) to tell DEBUG to load this file from disk to
- Dumping/Displaying the data values - By
typing the letter D at the DEBUG prompt, you can ask DEBUG to
display (or "dump") several lines of memory. The first time you
do this, the display will start from where-ever your file was
loaded (address 0100, usually); subsequent D requests will
display memory starting from where the last display ended. You
can get around this default by specifying an address (in hex)
immediately after the letter D before hitting the [Enter] key;
the address you specify becomes the starting address for the
display. You can also specify two addresses, separated by a
space, between the D and the [Enter] key; a start address
followed by an ending address.
A File Dump Example using DEBUG