Eugene Suslikov

  voice:  (384-2-)23-31-40
  FIDO:   2:5001/15.200
  E-mail: sen@ofu-kem.kuzb-fin.ru

Release 6.00                                                     19 Oct 1998

                                         Dedicated to my little wife...

                                         ( English translation: M.Korneff )

▒▒▒▒ Contents ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

   1. About HIEW
   2. Assembler mode
   3. Basing
   4. Block operations
   5. Video modes
   6. Status bar
   7. Keys
   8. Bookmarks
   9. Jumps (call/jmp) in the disassembler mode
  10. Search/replace operations
  11. INI file
  12. SAV file
  13. XLT file structure
  14. Command line
  15. History

▒▒▒▒ About HIEW ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Basically HIEW (Hacker's view) is a hex viewer for those who need to change
 some bytes in the code (usually 7xh to 0EBh). HIEW can view files of
 unlimited length in text/hex modes and in Pentium(R) Pro disassembler mode.

 Features:

  ■ Text/hex mode editor
  ■ Built-in Pentium(R) Pro assembler
  ■ HIEW is able to create new files
  ■ Search and replace mode (can be restricted to block size)
  ■ Context-sensitive help (but who needs any goddamned help anyways?
    HIEW can operate without help file HIEW.HLP)
  ■ Search of assembler commands using pattern (for real hackers!)
  ■ Version 5.02 is compiled for OS/2, with the DOS EXE used as the stub

▒▒▒▒ Assembler mode ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 "Byte/word/dword/pword/qword/tbyte" may be abbreviated to
 "b,/w,/d,/p,/q,/t,".

 All numbers are hex, so the letter "h" is optional.

 You can use math operations (e.g. mov bx,[123+23-46h] = mov bx,[100h]).

 Error messages are very brief (invalid command, syntax error, invalid
 operand, missing/invalid size).

 Unconditional JMP will be translated to 0E9 XX XX, so if you want near
 jump (0EB), you have to type jmp short xxxxx (or jmps xxxxx).

 There is a 386 assembler in HIEW version 5.00 or later, so check all jumps
 carefully, because you may get an unwanted long jump in 8086 code.

 WARNING! The same command can be assembled differently depending on the
 assembler you're using.

▒▒▒▒ Basing ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Base is a constant that will be added to offset and jump addresses.
 If the current offset is YY and you need XX, you should type base "*XX"
 (asterisk is required!). You can use Ctrl-F5/Ctrl-F5 as *0.

▒▒▒▒ Block operations ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Block operations work only in Hex and Decode modes. You can mark blocks
 without switching to Edit mode. A block can be written to a file using
 PutBlk (F2). If you want to append the block to the end of the file, type
 "FFFFFFFF" as the offset. You can insert a block into the current file from
 another file using GetBlk (CtrlF2). The block will be inserted at the
 current offset.

▒▒▒▒ Video modes ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 HIEW supports video modes up to 132x75.
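
 The two jump forms named in the Assembler mode section differ in length as well as in reach. The following is an added example, not part of HIEW or its documentation: it encodes the same jump as the three-byte 0E9 form with a 16-bit displacement and as the two-byte 0EB form that jmp short produces, and rejects targets a one-byte displacement cannot reach. The function names and the sample offsets are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode "jmp target" located at offset `at` as 0E9 lo hi (16-bit code).
 * The displacement is counted from the end of the 3-byte instruction and
 * wraps inside the 64K segment. Returns the instruction length. */
int encode_jmp_near16(uint16_t at, uint16_t target, uint8_t out[3])
{
    uint16_t disp = (uint16_t)(target - (uint16_t)(at + 3));
    out[0] = 0xE9;
    out[1] = (uint8_t)(disp & 0xFF);   /* little-endian displacement */
    out[2] = (uint8_t)(disp >> 8);
    return 3;
}

/* Encode "jmp short target" as 0EB rel8. The displacement is counted from
 * the end of the 2-byte instruction and must fit in a signed byte.
 * Returns 2 on success, 0 when the target is out of range. */
int encode_jmp_short(uint32_t at, uint32_t target, uint8_t out[2])
{
    int64_t disp = (int64_t)target - ((int64_t)at + 2);
    if (disp < -128 || disp > 127)
        return 0;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)disp;
    return 2;
}

int main(void)
{
    uint8_t b[3];
    /* Constructed sample offsets. */
    int n = encode_jmp_near16(0x0100, 0x0120, b);
    printf("0E9 form: %d bytes: %02X %02X %02X\n", n, b[0], b[1], b[2]);
    n = encode_jmp_short(0x0100, 0x0120, b);
    printf("0EB form: %d bytes: %02X %02X\n", n, b[0], b[1]);
    n = encode_jmp_short(0x0100, 0x0200, b);
    printf("0EB to 0200: %s\n", n ? "ok" : "out of range, needs the 0E9 form");
    return 0;
}
```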

▒▒▒▒ Status Bar ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 ──────────────────────────────────────────────────────────────────────────────
  xxx% Filename.ext  R  NE  xxxxxxxx  xxx  --------  YYYYYYY║ HIEW X.XX (c) SEN
 ──────────────────────────────────────────────────────────────────────────────

  xxx%          percent indicator (only if BAR=P in HIEW.INI)
  Filename.ext  filename
  R             status of the file:
                  R - open in Read mode
                  W - open in Write mode
                  U - modified
  NE            NewExe type
  xxxxxxxx      current offset
  xxx           1: Text mode: number of the first column
                2: Decode mode: measurement of operands and addresses
                   (prefix 'a' show automatic defined size code)
  --------      1: status of the bookmarks:
                     '-'      free
                     '1...8'  respective position is currently used
                     '*'      current
                2: "" = Edit mode
  YYYYYYY       file length in bytes

▒▒▒▒ Keys ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 All keys are described in HIEW.HLP (press Alt-H). HIEW.HLP may be modified.
 The first line of HIEW.HLP must be "[HiewHelp 5.01]". Semicolon ';' is the
 comment prefix character. Pressing Alt-H displays the respective section
 (from [xxxx] till [yyyy]). HIEW.HLP must be terminated with [End].

▒▒▒▒ Bookmarks ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Bookmarks are for saving/restoring the current screen. Press '+' to save
 the state of the current screen. You can save eight screens. To restore any
 saved screen, press Alt-1...Alt-8 respectively. There are different
 bookmarks for different modes (Text/Hex/Decode).

▒▒▒▒ Jumps (call/jmp) in the disassembler mode ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Jumps are now 100% configurable. Jumps can be specified in HIEW.INI in the
 jumpTable array. This line (C Language) consists of digits and letters.
 The first character is used to undo a jump ('0' in HIEW 4, 'Z' in HIEW 5
 day 28).
 After a character is read from the keyboard it is converted to upper case,
 then a search in jumpTable is performed. Default value of jumpTable is
 '1'-'9', then 'A'-'Z'.

▒▒▒▒ Search/replace operations ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 If the search string was entered in the ASCII field, a case-insensitive
 search will be performed. If you want to perform a case-sensitive search,
 move the cursor to the HEX field and press Enter.

 You can search for assembler commands (F7).

 Search/replace can now be restricted to the selected block (F4 while
 entering the search/replace string).

 In the disassembler mode you can use wildcards in assembler commands for
 searching. The wildcard character is '?'. For example, DECODE 'mov ax, ?'
 will look for "mov ax,1234h", "mov ax,sp", etc.

▒▒▒▒ INI file ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 The INI file must be located in the HIEW.EXE home directory. You can
 specify the key "/INI=" in the command line. The first line in HIEW.INI is
 always "[HiewIni 5.03]"! A blank line, or a line beginning with ';', is
 ignored.

-----8<------ Example HIEW.INI -------8<-------
[HiewIni 5.03]
;
;       Startup
;
;                                         legal values
; startup mode
;
StartMode         = Text                ; Text | Hex | Code
; beeper
Beep              = On                  ; On | Off
; percent indicator
Bar               = Left                ; Left | Right | Percent
; wrap/don't wrap long lines
; Auto=Off for textfile, On for binary
Wrap              = Auto                ; Auto | On | Off
; tabulation
; Auto=On for textfile, Off for binary
Tab               = Auto                ; Auto | On | Off
; step for Ctrl-Left, Ctrl-Right in textmode
StepCtrlRight     = 20                  ; 1 - 128
; Show/Do not show mouse cursor
DisableMouse      = On                  ; On | Off
; table symbols for branch call/jmp
JumpTable         = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
; Select symbol "linefeed": automatic 0x0a / 0x0d / 0x0d:0x0a
Linefeed          = Auto                ; LF | CR | LFCR              v5.10
; Automatic define size of code for LX-executable
AutoCodeSize      = On                  ; On | Off                    v5.41
; Flush keyboard buffer before read a key
KbdFlush          = On                  ; On | Off                    v5.50
; View Offset for NE/LX/PE as local/global (toggle Alt-G)
ShowOffset        = Local               ; Local | Global              v5.51
; Mask for showed offset in pattern search
RunningOffsetMask = 0xFF                ; 0 - 0xFFFFFFFF              v5.53
; Xlat table index in hiew.xlt ( 0 - As Is )
XlatTableIndex    = 0                   ; 0 - 15                      v5.85
; sort in filelist
FlistSort         = Name                ; none |Name |Ext |Time |Size v5.90
; reverse sort in filelist
FlistSortReverse  = Off                 ; On | Off                    v5.90
; show hidden files in filelist
FlistShowHidden   = Off                 ; On | Off                    v5.90
; save current state( mode, offset, bookmarks, etc) for next file
NextFileSaveState = Off                 ; On | Off                    v6.00
; Scanning code step for search with pattern and find reference
;   / by command / by one byte
ScanStep          = Command             ; Command | Byte              v6.00
; Write savefile at exit
SaveFileAtExit    = Off                 ; On | Off                    v6.00
; Locate savefile
Savefile          = "hiew.sav"          ;                             v6.00
;
;       Colors
;
ColorMain         = 0x1B                ; main color
ColorCurrent      = 0x71                ; current byte
ColorMark         = 0x5E                ; block color
ColorEdit         = 0x1E                ; file editing
ColorEditOut      = 0x1D                ; non-file editing
ColorError        = 0x4E                ; error messages
ColorMsg          = 0x2E                ; messages
ColorTitle        = 0x70                ; status bar
ColorKbNum        = 0x07                ; keys
ColorKb           = 0x30                ; key is active
ColorKbOff        = 0x37                ; key is inactive
ColorBar          = 0x02                ; progress indicator
ColorWin          = 0x70                ; input dialog
ColorWinBold      = 0x7F                ;  - " - selected
ColorWinInput     = 0x3F                ;  - " - input field
ColorMenu         = 0x30                ; menu frame
ColorMenuText     = 0x31                ;  - " - field
ColorMenuBold     = 0x0F                ;  - " - text
ColorHelp         = 0x20                ; help frame
ColorHelpText     = 0x2E                ;  - " - field
ColorHelpBold     = 0x0F                ;  - " - text
;       ---+--- End of Inifile ---+---
--------8<--------8<--------8<--------

▒▒▒▒ SAV file ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 If executed without any parameters, HIEW will look for a SAV-file in the
 current directory (you can specify "Savefile=" in the INI-file or /SAV= in
 the command line) and restore the previously saved (Ctrl-F10) state.

▒▒▒▒ XLT file structure ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 typedef struct{
     BYTE    sign[ 9 ],              // "HiewXlat",0
             unused[ 5 ],
             versionMajor,           // 0x05
             versionMinor;           // 0x40
 }XLAT_HEADER;

 typedef struct{
     BYTE    title[ 16 ],            // show in F8
             tableOut[ 256 ],        // for output
             tableIn[ 256 ],         // for input
             tableUpper[ 256 ];      // for search with ignore case
 }XLAT;

 The maximum number of xlat tables is 15.

▒▒▒▒ Command line ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 Hiew [/SAV=] [/INI=] [/s]filemask ...[/s][filemask]

   /SAV=                            - location for savefile
   /INI=                            - location for inifile
   [/s] filemask ... [/s][filemask] - more files, include pattern

 Option /s toggles search with subdirectories:

   hiew /s *.dll *.exe /s *.txt
     -> search .dll and .exe with subdirectories and .txt only in the
        current directory

▒▒▒▒ History ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

 5.03aa   3/10/95  - OS/2: DosSleep( 1L )
                   - Invisible cursor

 5.10ee  22/12/95  - fixed bug: invalid jump for Jc 7E/7F
                   - fixed bug: invalid opsize, if previous byte is 0x0F
                   - save screencopy into file ( PrScr deleted )
                   - choice symbol "linefeed" in INI-file
                   - for replace write full buffer ( was: 1 byte )
                   - for OS/2 session get key with KbdCharIn ( was: getch() )
                     delete DosSleep( 1 )

 5.11bb  24/01/96  - fixed bug: call/jmp PWORD ptr

 5.13    01/02/96  - fixed bug: marked text on 2-lines
                   - fixed bug: crash scrolling Up, if upper code is 24
                     one-byte command (ex. NOP )
                   - fixed bug: OS/2: trap on create file

 5.14    09/04/96  - fixed bug: ( from 5.13 ) double prefix 0x66
                   - fixed bug: bad assembler with [EBP]
                   - for (Pg)Up looking symbol 0x0A
                   - added leading zero to all digit in decode
                   - pattern find with wildcards as in decode

 5.15    12/05/96  - fixed bug: pattern find truncate line

 5.16    28/05/96  - fixed bug: pattern find not found "mov ax,?"

 5.20    17/06/96  - NE-executable: Header & segment table

 5.21    27/06/96  - NE-executable: TransSegment call support

 5.22    01/07/96  - Fill block

 5.23    12/07/96  - NE-executable: Entry table support

 5.24    30/07/96  - fixed bug: crash after replace in decode mode

 5.30    20/12/96  - Support LX-executable (header, object table, call/jmp)
                   - Named ordinals for NE- and LX-executable
                   - fixed bug: invalid percent bar on long file
                   - fixed bug: assemble relative jmp/call > 8000
                   - fixed bug: Save hiew.sav before edit disabled write

 5.31     9/01/97  - Alt-O in decode: show named ordinal toggle
                   - fixed bug: incorrect far jump/call in exe-MZ (from 5.30)

 5.40    29/01/97  - F4 in NE/LX header: goto on top NE(LX) image
                   - F8 in text: select translation table
                   - Alt-G: toggle Global/Local offset for NE(LX) files

 5.41    31/01/97  - choice "AutoCodeSize" in INI-file: automatic define
                     size of code (32/16)
                   - Alt-R: Reload file
                   - fixed bug: russian 'p'

 5.50    10/02/97  - support PE-executable (header, object table)
                   - choice "KbdFlush" in INI-file: flush keyboard buffer

 5.51    27/02/97  - jmp/call show as local
                   - imports name for PE from NT
                   - input (F5) local offset, if first symbol is '.'
                   - word "call"/"jmp" before system functions
                   - choice "ViewOffset" in INI-file

 5.52     4/03/97  - for localOffset patternSearch only in code segments
                     ( NE/LX/PE )

 5.53    18/03/97  - choice "RunningOffsetMask" in INI-file
                   - fixed bug in HIEW.XLT: upcase table

 5.60    10/04/97  - option /s in command line
                   - fixed bug: lost double prefix 66(67)
                   - fixed bug: assemble relative jmp/call > 8000 bytes
                     (fix in 5.30 incorrect)
                   - fixed bug: jmp/call with prefix 67

 5.61     2/06/97  - new releases of NEDUMP.EXE and LXDUMP.EXE
                     (show named ordinals from hiew.ord)
                   - assembled "rep cmpsd" as F3 66 A3 ( was: 66 F3 A3 )
                   - on binary files 'line feed' define as CR/LF
                   - increase length of line in decode

 5.65    24/07/97  - added xor with string

 5.66     4/08/97  - fixed bug: trap in Win'95
                   - lost free()

 5.67    14/01/98  - fixed bug: bad translation for big get/put blocks

 5.70    13/03/98  - fixed bug: text file with first 'NE'...
                   - calculator with parenthesis and priority (Alt-=)
                   - Pentium(R) Pro (dis)assembler (inc. floating and MMX)

 5.71    30/03/98  - showed import in delphi-exe

 5.80     7/04/98  - support LE-modules
                   - new release of LXDUMP.EXE (support LE)

 5.81    10/04/98  - bugfixed release of 5.80

 5.82    28/04/98  - internal change

 5.83     7/05/98  - fixed bug (5.70): crash on long string in Crypt

 5.84    13/05/98  - Alt-9 restore last edit position

 5.85    10/06/98  - fixed bug: PrtScr into existing file
                   - F5 in FindInput: go last editing position
                   - choice "XlatTableIndex" in ini-file

 5.90     9/07/98  - File list
                   - choice "FlistSort" in ini-file
                   - choice "FlistSortReverse" in ini-file
                   - choice "FlistShowHidden" in ini-file
                   - choice "NextFileSaveOffset" in ini-file
                   - parameter in command line "/SAV=" (was: "/FS=" )
                   - new parameter in command line "/INI="
                   - fixed bug: lose first empty line in text

 5.91    17/08/98  - Alt-R in Filelist (reread)
                   - fixed bug: go image in MZ-header show
                   - include DEXEM.EXE - DualEXEcutableManipulator (NE/LX/LE)
                     ( replace stub, split old-exe & new-exe, ...)

 5.92    21/09/98  - Alt-S in decode: toggle scancode step (byte/command)
                   - timeslice under windows
                   - modified import for PE
                   - fixed bug: empty filelist for mask
                   - fixed bug: restore current offset from .sav

 6.00    19/10/98  - delete "ActionAfterWriteSavefile" in ini-file
                   - delete "NextFileSaveOffset" in ini-file
                   - no more crypt, sorry...
                   - support NLM-module
                   - history of files (Backspace, Tab)
                   - history input (PgDown in edit input string)
                   - Ctrl-* - mark all
                   - choice "SaveFileAtExit" in ini-file
                   - choice "ScanStep" in ini-file
                   - choice "Savefile" in ini-file
                   - choice "NextFileSaveState" in ini-file
                   - DEXEM.EXE v1.50 - knows PE

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ = YES = ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
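
 A bounds-checked reader for the layout given in the XLT file structure section, as an added example that is not HIEW's own code: it validates the signature and the table count before anything is indexed, and copies the 16-byte title without treating it as a C string. It assumes the XLAT records follow the header back to back with no padding, which the page does not state; the function names, error codes and sample image are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XLT_HDR_SIZE   16              /* sign[9] + unused[5] + 2 version bytes */
#define XLT_TABLE_SIZE (16 + 3 * 256)  /* title + tableOut + tableIn + tableUpper */
#define XLT_MAX_TABLES 15
enum { XLT_SHORT = -1, XLT_BAD_SIGN = -2, XLT_BAD_SIZE = -3, XLT_TOO_MANY = -4 };

/* Validate an in-memory HIEW.XLT image: returns the table count (0..15) or a
 * negative XLT_* code. Assumption: records follow the header with no padding. */
int xlt_check(const uint8_t *buf, size_t len, int *major, int *minor)
{
    if (len < XLT_HDR_SIZE) return XLT_SHORT;
    if (memcmp(buf, "HiewXlat", 9) != 0) return XLT_BAD_SIGN;  /* 9 bytes: NUL included */
    *major = buf[14]; *minor = buf[15];
    size_t body = len - XLT_HDR_SIZE;
    if (body % XLT_TABLE_SIZE != 0) return XLT_BAD_SIZE;       /* truncated or trailing data */
    if (body / XLT_TABLE_SIZE > XLT_MAX_TABLES) return XLT_TOO_MANY;
    return (int)(body / XLT_TABLE_SIZE);
}

/* Copy the 16-byte title of table idx into a 17-byte buffer; the field has no
 * guaranteed terminator, so it is never used as a C string in place. */
void xlt_title(const uint8_t *buf, int idx, char out[17])
{
    memcpy(out, buf + XLT_HDR_SIZE + (size_t)idx * XLT_TABLE_SIZE, 16);
    out[16] = '\0';
}

/* Constructed sample: header plus one table with identity mappings. */
size_t xlt_sample(uint8_t *buf)
{
    uint8_t *t = buf + XLT_HDR_SIZE;
    memset(buf, 0, XLT_HDR_SIZE + XLT_TABLE_SIZE);
    memcpy(buf, "HiewXlat", 9);
    buf[14] = 0x05; buf[15] = 0x40;
    memcpy(t, "0123456789ABCDEF", 16);      /* title uses all 16 bytes, no NUL */
    for (int i = 0; i < 256; i++)
        t[16 + i] = t[272 + i] = t[528 + i] = (uint8_t)i;
    return XLT_HDR_SIZE + XLT_TABLE_SIZE;
}

int main(void)
{
    static uint8_t img[XLT_HDR_SIZE + XLT_TABLE_SIZE];
    char title[17];
    int vmaj = 0, vmin = 0, n = xlt_check(img, xlt_sample(img), &vmaj, &vmin);
    xlt_title(img, 0, title);
    printf("tables=%d version=%02X.%02X title=\"%s\"\n", n, vmaj, vmin, title);
}
```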