You are on page 1of 10

Hiew8 DEMO (based on release 8.13) http://www.hiew.ru/ Release notes: version 7.

.40 New engines are for 64bits disassmbler and assembler with x86-64 commands full support. Added PE32+ format support. Crypt grow up 64bit too. **VERY IMPORTANT**: Command MUL and DIV are changed ! (See section 'Crypt' for details) For migrate previous crypt-program are *attentively* examine use the commands DIV/MUL and replace first line to '[HiewCrypt 6.70]'. Release notes: version 7.00 After a considerable delay version 7.00 of Hiew has been released. There are many new features: - Hiew does not support DOS or OS/2 operating systems any longer. - Hiew now wors with files and blocs of any size, so it can be used with all physical and logical drives in the system (provided user has sufficient access rights of course). - Keyboard macros - Progress bar - Fixups highlighting for PE and MZ - Following offset based jumps/calls with one touch (for example, when Hiew encounters a call d,[12345678] instruction, it checs if the value at the offset of 12345678 loos lie VA, and assigns this call a number: call d,[12345678] ;.87654321 --- (1) ) - New algorithm for reading the Import Table. - Search speed has been slightly (~5-7%) increased. **VERY IMPORTANT**: Assembler search wildcards have been changed. They are unified with the File wildcards now (see 'String Wildcards') Release notes: version 6.70 Crypt is 32-bit now. Crypt programs (*.cry) are written in text format now. Old binary format from version 5.01 will be supported by current version (6.7x) only! Tho new operators were added: AND, OR. Programs can be up to 32 lines long. Lines starting with ';' treated as comments. Release notes: version 6.60 Support for little-endian ELF executables EDUMP - common dumper for NE/LX/LE/PE/ELF files Release notes: versions 6.29/6.30 32-bit console version for Windows. PEDUMP.EXE - dumper for PE files. All utilities have versions compiled for DOS, OS/2, and Win32 Release notes: version 6.15 Starting with this release HIEW is SHAREWARE. See register.txt for details. Release notes: version 6.00

New features in version 6.00: - "crypt" has been removed (it will be a separate project) - Switching between files specified in the command line moved to CtrlF11/CtrlF12. - Alt- functions moved to Alt-Fn (except for Alt-P, Alt-H, Alt-=). See hiew.hlp for details. - History has been added for string input (PgDn) and file section (press Bacspace for menu, Tab to select next file in history). - "ActionAfterWriteSavefile" option removed from the ini-file. - "NextFileSaveOffset" option (preserve current offset for next file) replaced by "NextFileSaveOffset" option (preserve current state for next file) Contents About HIEW Assembler mode (DEMO N/A) Basing Bloc operations Status bar Keys Boomars Jumps (call/jmp) in disassembler mode String wildcards Search and replace Crypt (DEMO N/A) Local and Global offsets Keyboard macros (DEMO N/A) Text string extraction INI file (DEMO N/A) SAV file (DEMO N/A) XLT file structure Command line

About HIEW Basically HIEW is a hex viewer for those who need to change some bytes in the code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text, hex, and disassembler modes. * * * * * * * * * * * * * * * Features: displaying files of any length in text, hex, and decode modes view, edit, search/replace for unicode x86-64 disassembler & assembler physical & logical drive view & edit support for NE, LE, LX, PE, PE32+ and little-endian ELF executable formats support for Netware Loadable Modules lie NLM, DSK, LAN,... following direct call/jmp instructions in any executable file with one touch built-in simple 64bit decrypt/crypt system built-in powerful 64bit calculator operations with blocs of arbitrary length: read, write, fill, copy, move, insert, delete, crypt multifile search and replace editing the NewExecutable files header eyboard macros unicode support Hiew Extrenal Module (HEM) support

Assembler mode Not available in DEMO version

For true assemblers! All numbers are hexadecimal by default, but the suffix "t" changes to decimal (e.g. mov al,10t). Possible use string as immed operand (e.g. mov eax,"sign") Constant arithmetics is supported (i.e. mov bx, [123+23-46h] produces same results as mov bx,[100h]). Error messages are very brief (invalid command, syntax error, invalid operand, missing/invalid size). Three non-standart commands exists: jmps = jmp short jmpf = jmp far [mem 16:16/32/64] callf = call far [mem 16:16/32/64] Commands can be assembled different way. Since version 7.40 appeared the possibility of the choice: F4 when entering the assembler command switches to choose from available variants or put the command of the minimum length. Under included options 'nop' will offers the different length from 1-9 bytes. Basing Base is a constant that is added to all offset and jump addresses. If current offset is YY, and you want it to be XX, you can enter "*XX" as a base (note the asteriss!). Pressing Ctrl-F5/Ctrl-F5 produces same result. Bloc operations Bloc operations wor only in "Hex" and "Decode" modes. You can mar blocs without switching to Edit. Mared bloc can be written to a file by pressing F2 (PutBl). To append the bloc to the end of file, type '*' character. You can load a bloc from another file by pressing Ctrl-F2 (GetBl). Bloc will be loaded at the current offset. Since version 6.10, if nothing is mared in the current file, history is searched for the latest file where the bloc is mared, and this bloc is used. Status Bar xx% Filename.ext .dFRO -------- xxx PE xxxxxxxxHiew8 DEMO (c)SEN percentage current progress bar will indicator offset appear here (when BAR=P V in HIEW.INI) neexecutable type V file name > * Text mode: index of the first column < * DeCode mode: operands and bmacro state: R - recording addresses width; 0..8 - replay 'a' means it was recognized automatically

< search area: < F - whole file B - bloc A - list from the command line file state: < R - opened in Read mode W - opened in Write mode U - modified O - overwrite bloc < I - insert bloc

search direction

> status '-' '1..8' '*'

for executable of all boomars free occupied current

Keys All eys described in the HIEW32DEMO.HLP help file (press F1 to open). You may m ay modify HIEW32DEMO.HLP, but modified version should eep "[HiewHelp 7.00]" in the first line. Semicolon ';' denotes a comment. F1 calls corresponding section (from [xxxx] to [yyyy]). HIEW32DEMO.HLP must end with section called [End]. Since version 7.00 it is possible to create section lins with: +[SectionName] Boomars Boomars allows you to save the current screen and restore it later. Press '+' to save state of the current screen. Up to eight screens can be saved, and each saved screen is assigned an index 1..8. To restore a screen press one of Alt-1...Alt-8 according to the screen index. Boomars are ept separately for each mode (Text/Hex/Decode). Jumps (call/jmp) in disassembler mode Jumps are more configurable now. They can be specified in the jumpTable array of HIEW.INI. It is a string (in C since) of digits and letters. First character ('0' in HIEW 4, 'Z' in HIEW 5 day 28) is used to undo jump. Character read from the eyboard are converted to upper case, then looed for in the jumpTable. By default jumpTable consists of digits '1'-'9' followed by letters 'A'-'Z'. String wildcards String wildcards are used in the following places: 1. Search for wildcard in decode mode (F7-F7) 2. File mass in filemanager (F9) 3. Mas for imported functions in the Import Table (F8-F7) Wildcard symbols: ? - any single character

* {ABD} {A-D} {!ABC} !

arbitrary number of any characters (0 or more) A, B, or D A, B, C, or D any single character except A, B, and C anything but ... (must be the first character)

Examples: All executable files in file manager: *.exe All non-executable files in file manager: !*.exe Filter from imported functions ones woring with registry: reg*ey* = RegCreateKey, RegDeleteKey, RegQueryKeyValue, etc. Search and replace If Enter was pressed in ASCII field, search is case insensitive, for case sensitive search move cursor to HEX field before pressing Enter. You can search assembler commands (F7). (DEMO N/A)

Search/replace can be restricted to a selected bloc now (F4 while entering the search or replace string). In the disassembler mode assembler commands can be searched with wildcards (see above). If entered assembler command contains any of the wildcard characters, wildcard search is started, otherwise command is just assembled. Assembling can be forced with Ctrl+Enter for commands lie 'mov eax,[eax*2]' For example, in the DECODE mode <F7><F7> 'mov ax, *' will find 'mov ax,1234h", "mov ax,sp", and lie. "mov ?x, ax" will find "mov ax,ax", "mov bx,ax", "mov cx,ax", and "mov dx, ax", but not "mov bp,ax" or "mov si,ax". *** IMPORTANT *** strings are compared without conversion! Do not forget any leading zeroes, lie 'cmp *,0ab' for byte, 'cmp *,000ab' for word, etc... Since version 5.83 possible search for the sequence of the commands, preparing their special character. Since version 7.40 such chracter is '/'. For example: "push *10 / call * / add *" will find: -------push 00010 call 01234:05678 add sp,00006 will not find: --------push 00010 push 00011 add ax,00006

Since version 6.10 search and replace can be performed in all files that were specified in the command line. Option "filArg" must be activated by pressing "F4" while entering search or replace string. Alt-? can be used in ASCII and hex searches as any symbol wildcard. For example (HEX mode, F7): 00 01 ?? 03 04 (?? is shown in place of Alt-?) will find '00 01 02 03 04', '00 01 FF 03 04', '00 01 AC 03 04', and lie.

Crypt (F7 in Edit mode) Not available in DEMO version Crypt can be used for (de-)crypting code or data with some simple algorithm. Byte/Word/Dword/Qword of code or data is crypted at a time (press F2 to change crypt width). Crypt routine must end with "LOOP lineNumber" operator. Available commands: Reg mode : Reg-Reg mode: Reg-Imm mode: Imm mode : neg,mul,div mov,xor,add,sub,rol,ror,xchg,and,or mov,xor,add,sub,rol,ror,and,or mul,div,loop

All 8/16/32/64-bit registers are available and equipollent, except for AL/AX/EAX/RAX that is used for (de-)crypted byte/word/dword/qword input and output. Differences from usual assembler: * there are no jumps; * 'loop' means jump or stop * 'rol/ror' operands must have the same width, i.e. ROL AX,CL is not allowed. * (7.40+) command DIV divides unsigned value in the register RAX by source operand (register or immed) and store quotient in the RAX and remainder in the RDX. * (7.40+) command MUL performs an unsigned multiplication of the operand (register ot immed) by register RAX and the result store in register RAX. Example: a. XOR byte with 0AAh: 1. XOR al,0aah 2. LOOP 1 b. XOR word with mas increment 1. MOV dx,0 2. XOR ax,dx <-+ 3. ADD dx,1 | 4. LOOP 2 --+ Local and Global offsets Since version 5.40 Hiew can show (and set) local offsets, i.e. offsets from the beginning of a segment or an object. Local offset is represented by a dot followed by the offset itself. For the case of the local offset in the NE/LX files, the new offset is calculated as SSSSOOOO, where SSSS is a segment number for NE, or base for LX; OOOO is a local offset. If SSSS is zero, then the offset is calculated from the current segment. For PE files object alignment (OA) is used in calculating the base. If you enter (with F5) a local offset that is less than OA, the jump is performed in the current section.

For LX files having objects larger than 0xFFFF (see object 1 in FC.EXE), offsets are displayed as in some debuggers (for example, in SD386), and you should use jumps lie .0x200234, although there's no such base as 0x200000. If the cursor is outside of a segment/object, error message is shown (incorrect jump calculation). *NB!* If the first input symbol is '.', the offset is considered local, otherwise it is global. Examples of local offset inputs with F5: a: (NE) .10023 - offset 0x0023 in the first segment b: (NE/LX/PE) .23 - offset 0x0023 in the current segment c: (LX) .10023 - object with base 0x10000 is searched in Object Table and a jump to local offset 0x0023 is performed d: (PE) .401023 - virtual address (VA) 401023 If a local offset is set, then wildcards and NE/LX/PE lins are searched only in code segments. For dual-EXE the search area is defined by the active header. If MZ header is active, then search stops at NewExe header. Since version 7.00 64-bit offset representation is switched on for files larger than 4 gigabytes. The offset is shown as "high32'low32". This is because otherwise long numbers with lots of zeroes are difficult to read. Titlebar for this ind of files always displays 64-bit offset, while in the left column it's only shown on screens wider than 89 characters, otherwise just low 32 bits are displayed, and you have to chec the titlebar for the rest. Keyboard macros Not available in DEMO version Macros allow you to record a sequence of eypresses in order to replay it later. 1. Press Ctrl-. to start recording 2. Press any eys you want to record 3. Press Ctrl-. to stop recording Recorded sequence is assigned to Ctrl + 0 as Macro0. It is possible to move it to anothercombination (from Ctrl + 1 to Ctrl + 8) with Ctrl-Minus; it is also possible to save it to a file, load it from file, specify delay between replayed eypresses and set other various flags. Key combinations for macro recording and playbac: Ctrl-Minus Ctrl-. Ctrl-0 Ctrl-1 ... Ctrl-8 Macro manager: Enter - replay current macro F2 - From 0 - copy Macro0 here F4 - Delay - set delay between eypresses Macro manager (see button functions below) record/stop macros to Macro0 replay Macro0 replay Macro1

- replay Macro8

F5 F8 F9 F10 F11 F12 AltF1 AltF2

Rename Unload Store Load Up Down Loop FailSr

rename macro unload from memory save macro to a file (DEMO N/A) load macro from file (DEMO N/A) move macro up move macro down loop macro playbac stop playbac if search returned no results

Also it is possible to run Hiew with a macros from the command line: HIEW /MACRO0=<filename> (DEMO N/A) Text string extraction Starting from version 7.10 it's possible to extract all text strings (sequences of letters, digits and some ASCII7 special characters) from the file or selected bloc, and pass extraction results through a wildcard-based filter. You have to be in hex mode in order to invoe this function; whole file is being used for extraction when no bloc is selected. Strings with length smaller than 'MinStringLength=' ini-file parameter value are ignored, and this value itself cannot be smaller than 4. Also, wildcard search is limited to the first 1000 characters of a string. INI file Not available in DEMO version HIEW.INI specified "[HiewIni with ';') file is searched in HIEW.EXE home directory. INI file can be in "/INI=<inifile>" command line parameter. HIEW.INI must start with 5.03]" in the first line! Blan lines and commented lines (starting are ignored.

Detailed information about all options is provided in the HIEW.INI itself. HEMKEYS.INI file Not available in DEMO version Since version 7.45 in hem-directory can be placed the file HEMKEYS.INI with one-character eys of direct call hem-modules in hem-menu (F11). First line must be line '[HemKeys 7.45]'. Next lines are eys defined: : hemfile Blan lines and commented lines are ignored. Characters are converted in uppercase. The hem-file name is compared from begin and is taen the first coincidence. Example: [HemKeys 7.45] w: FileWaler.hem V: PEVERIFY SAV file Not available in DEMO version If started without any parameters, HIEW loos for SAV-file in the current directory ("HIEW.SAV", or the value of 'savefile' statement in

HIEW.INI), and restores the previously saved (with Ctrl-F10) state. XLT file structure typedef struct{ BYTE sign[ 9 ], unused[ 5 ], versionMajor, versionMinor; }XLAT_HEADER; typedef struct{ BYTE title[ 16 ], tableOut[ 256 ], tableIn[ 256 ], tableUpper[ 256 ]; }XLAT; // "HiewXlat",0 // 0x05 // 0x40

// // // //

show in F8 for output for input for search with ignore case

Maximum number of translation tables is 15 All translation tables can be viewed with F8-F9 in textmode, or Alt-F8-F9 in other modes, including Edit mode. Command line Hiew [options] [/s]filemas...[/s][filemas] /O[thc]=OEP|END|[.]offset[th] - assign start mode and start offset (DEMO N /A) /MACRO0=<macrofile> - run eyboard macro after start (DEMO N/A) /SAV=<savefile> - location of savefile (DEMO N/A) /INI=<inifile> - location of inifile (DEMO N/A) [/s]filemas...[/s][filemas] - more files, including wildcards * option /s toggles search with subdirectories: hiew /s *.dll *.exe /s *.txt -> search for .dll and .exe in subdirectories, and for .txt files in current directory only * offset in option '/O' possible reference in any type supported by hiew insid e: - with first dot as local offset - base by default (16) may be changed by suffix 't' as well as: - special offset 'END' (without quote) set cursor at last byte of the file - special offset 'OEP' (without quote) set cursor at entry-point of the exefile examples: /Ot=END - text mode, end of the file /Oc=OEP - code mode, cursor at entry-point /Oh=1234 - hex mode, offset as 1234 (hex) /Oh=0x1234 - too most as above /Oh=1234t - hex mode, offset as 1234 (decimal) /Oc=.401234 - code mode, local offset 401234 * since version 7.40 the option '/O' it is used to all files of the command line under CtrlF9/CtrlF11/CtrlF12

Eugeny Susliov <sen@emtel.ru>, <eugenys@gmail.com>