北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 北北北迸排排排排疟北排排排排排北迸排排北北排排北北北北北 戙岖í 北北北北北北 北北北排排鞍鞍鞍鞍迸排虐鞍鞍鞍氨排排排氨迸排虐氨北北北北 參% 鞍北北北北北 北北迸排虐氨北北北排排鞍北北北迸排虐排氨排排鞍北北北北北 崹珷アㄧ 鞍北北北北北 北北排排排排排北迸排排排排疟北排排鞍排芭排虐氨北北北北北北卑鞍鞍鞍鞍鞍氨北北北北 北北卑鞍芭排虐氨排排鞍鞍鞍鞍迸排虐氨排排排鞍 voice: (384-2-)23-31-40 北 北北北北排排鞍迸排虐氨北北北排排鞍北排排虐氨 FIDO: 2:5020/35.200 鞍 迸排排排排虐氨排排排排排北迸排虐氨北排排鞍北 E-mail: sen@suslikov.kemerovo.su 鞍 北鞍鞍鞍鞍鞍北卑鞍鞍鞍鞍氨北鞍鞍北北卑鞍氨北北鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍鞍 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 Release 5.16 28 May 1996 ( English translation: M.Korneff ) 北北 Contents 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 1. About HIEW 2. Assembler mode 3. Basing 4. Block operations 5. Video modes 6. Status bar 7. Keys 8. Bookmarks 9. Jumps (call/jmp) in the disassembler mode 10. Search/replace operations 11. Crypt operations 12. INI file 13. SAV file 14. History 北北 About HIEW 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 Basically HIEW (Hacker's view) is a hex viewer for those who need change some bytes in the code (usually 7xh to 0EBh). Hiew is able to view unlimited length files in text/hex modes and in 386 disassembler mode. Features: Text/hex mode editor Built-in 386 assembler HIEW is able to create new files Search and replace mode (can be restricted to block size) Context-sensitive help (but who needs any goddamned help anyways? HIEW can operate without help file HIEW.HLP) Search of assembler commands using pattern (for real hackers!) Version 5.02 compiled for OS/2, EXE for DOS use as stub 北北 Assembler mode 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 "Byte/word/dword/pword ptr" may be abbreviated to "b/w/d/p". All numbers are hex, so the letter "h" is optional. You can use math operations (i.e. mov bx, [123+23-46h] = mov bx,[100h]). Error messages are very brief (invalid command, syntax error, invalid operand, missing/invalid size). Unconditional JMP will be translated to 0E9 XX XX, so if you want near jump (0EB), you have to type jmp short xxxxx (or jmps xxxxx ). There is 386 assembler in HIEW version 5.00 or later, so check all jumps carefully because you may get unwanted long jump in 8086 code. WARNING! The same command can be assembled differently depending on the assembler you're using. 北北 Basing 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 Base is a constant that will be added to offset and jump addresses. If current offset is YY and you need XX, you should type base "*XX" (asterisk is required!). 北北 Block operations 北北北北北北北北北北北北北北北北北北北北北北北北北北北北 Block operations are working only in Hex and Decode modes. You can mark blocks without switching to Edit mode. Block can be written to file using PutBlk(F2). If you want to append the block to the end of file, you should type "FFFFFFFF" offset. You can insert the block to the current file from another file using GetBlk (CtrlF2). Block will be inserted on the current offset. 北北 Video modes 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 HIEW supports video modes up to 132x75. 北北 Status Bar 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 xxx% Filename.ext R xxxxxxxx xxx -------- YYYYYYY HIEW X.XXa by SEN 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪 缆馁 滥哪哪哪哪沦 滥穆哪馁 缆 滥履哪馁 滥穆哪馁 percent current file length in bytes indicator offset (only if BAR=P 1: status of the bookmarks: in HIEW.INI) '-' free V 滥> '1...8' respective position filename is currently used '*' current 2: "" = Edit mode V status of the file: 滥> 1: Text mode: number of the first R - open in Read mode column W - open in Write mode 2: Decode mode: measurement of U - modified operands and addresses 北北 Keys 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 All keys are described in HIEW.HLP (press Alt-H). HIEW.HLP may be modified. First line of HIEW.HLP must be "[HiewHelp 5.01]". Semicolon ';' is a comment prefix character. By pressing Alt-H the respective section (from [xxxx] till [yyyy]) will be displayed. HIEW.HLP must be terminated with [End]. 北北 Bookmarks 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 Bookmarks is for saving/restoring of the current screen. Press '+' to save the state of current screen. You can save eight screens. To restore any saved screen, press Alt-1...Alt-8 respectively. There are different bookmarks for different modes (Text/ Hex/Decode). 北北 Jumps (call/jmp) in the disassembler mode 北北北北北北北北北北北北北北北 Now jumps is 100% configurable. Jumps can be specified in HIEW.INI in the jumpTable array. This line (C Language) consists of digits and letters. First character used to undo jump ('0' in HIEW 4, 'Z' in HIEW 5 day 28). After reading from keyboard the character will be converted to the upper case, then search in jumpTable will be performed. Default value of jumpTable is '1'-'9', then 'A'-'Z'. 北北 Search/replace operations 北北北北北北北北北北北北北北北北北北北北北北北 If search string was entered in ASCII field, case-insensitive search will be performed. If you want to perform case-sensitive search, move the cursor to the HEX field and press Enter. You can search assembler commands (F7). Now search/replace can be restricted to selected block (F4 during entering the search/replace string). In the disassembler mode you can use wildcards in assembler commands for searching. The wildcard character is '?'. For example, DECODE 'mov ax, ?' will look for 'mov ax,1234h", "mov ax,sp", etc. 北北 Crypt operations (F7/F8 in Edit) 北北北北北北北北北北北北北北北北北北北北 Crypt operations are using for crypting/decrypting the code/data. Crypt algorithm is very simple. Code/data will be crypted by the bytes/words (to change the size ot the unit, press F2). Crypting routine must be terminated with "LOOP numberLine" operator. Available commands: Reg mode : neg,mul,div Reg-Reg mode: mov,xor,add,sub,rol,ror,xchg Reg-Imm mode: mov,xor,add,sub,rol,ror Imm mode : loop All 8/16 bit registers are available, except AL/AX that will be filled with (de)crypted byte/word. The differences from standart asembler: there are no jumps; 'loop' means 'jmp/stop' the operands of 'rol/ror' commands must have the same size, i.e. ROL AX,CL not allowed. Example: a. XOR byte with 0AAh: 1. XOR al,0aah 2. LOOP 1 b. XOR word with mask increment 1. MOV dx,0 2. XOR ax,dx 3. ADD dx,1 4. LOOP 2 北北 INI file 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 INI file must be located in HIEW.EXE home directory. First line in HIEW.INI always "[HiewIni 5.03]" ! Blank line or line, beginners with ';' is ignored. -----8<------ Example HIEW.INI -------8<------- [HiewIni 5.03] ; ; Startup ; ; legal values ; startup mode ; StartMode = Text ; Text | Hex | Code ; beeper Beep = On ; On | Off ; percent indicator Bar = Left ; Left | Right | Percent ; warp/don't warp long lines ; Auto=Off for textfile, On for binary Wrap = Auto ; Auto | On | Off ; tabulation ; Auto=On for textfile, Off for binary Tab = Auto ; Auto | On | Off ; step for Ctrl-Left, Ctrl-Right in textmode StepCtrlRight = 20 ; 1 - 128 ; Show/Do not show mouse cursor DisableMouse = On ; On | Off ; see next line :-) ActionAfterWriteSavfile = None ; None | ExitF10 | ExitESC ; table symbols for branch call/jmp JumpTable = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" ; Select symbol "linefeed": automatic 0x0a / 0x0d / 0x0d:0x0a Linefeed = Auto ; LF | CR | LFCR ; ; Colors ; ColorMain = 0x1B ; main color ColorCurrent = 0x71 ; current byte ColorMark = 0x5E ; block color ColorEdit = 0x1E ; file editing ColorEditOut = 0x1D ; non-file editing ColorError = 0x4E ; error messages ColorMsg = 0x2E ; messages ColorTitle = 0x70 ; status bar ColorKbNum = 0x07 ; keys ColorKb = 0x30 ; key is active ColorKbOff = 0x37 ; key is inactive ColorBar = 0x02 ; progress indicator ColorWin = 0x70 ; input dialog ColorWinBold = 0x7F ; - " - selected ColorWinInput = 0x3F ; - " - input field ColorMenu = 0x30 ; menu frame ColorMenuText = 0x31 ; - " - field ColorMenuBold = 0x0F ; - " - text ColorHelp = 0x20 ; help frame ColorHelpText = 0x2E ; - " - field ColorHelpBold = 0x0F ; - " - text ; ---+--- End of Inifile ---+--- --------8<--------8<--------8<-------- 北北 SAV file 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 If executed without any parameters, HIEW will look for SAV file in the current directory (you can specify /FS= in the command line) and restore previously saved (Ctrl-F10) state. If executed with filename, HIEW will use SAV file only to restore search/replace data. 北北 History 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北 5.03aa 3/10/95 - OS/2: DosSleep( 1L ) - Unvisible cursor 5.10ee 22/12/95 - fixed bug: invalid jump for Jc 7E/7F - fixed bug: invalid opsize, if previons byte is 0x0F - save screencopy into file ( PrScr deleted ) - choise symbol "linefeed" in INI-file - for replace write full buffer ( was: 1 byte ) - for OS/2session get key with KbdCharIn ( was: getch() ) delete DosSleep( 1 ) 5.11bb 24/01/96 - fixed bug: call/jmp PWORD ptr 5.13 01/02/96 - fixed bug: marked text on 2-lines fixed bug: crash scrolling Up, if upper code is 24 one-byte command (ex. NOP ) fixed bug: OS/2: trap on create file 5.14 09/04/96 - fixed bug: ( from 5.13 ) double prefix 0x66 - fixed bug: bad assembler with [EBP] - for (Pg)Up looking symbol 0x0A - added leading zero to all digit in decode - pattern find with wildcards as in decode 5.15 12/05/96 - fixed bug: pattern find truncate line 5.16 28/05/96 - fixed bug: pattern find not found "mov ax,?" 北北北北北北北北北北北北北北北北北 = YES = 北北北北北北北北北北北北北北北北北