Hiew release 7.01 Dedicated to my wife...

For news visit http://webhost.kemtel.ru/~sen

���� Release notes: version 7.00 ���������������������������������������������

After a considerable delay version 7.00 of Hiew has been released.

There are many new features:
- Hiew does not support DOS or OS/2 operating systems any longer.
- Hiew now works with files and blocks of any size, so it can be used with all
physical and logical drives in the system (provided user has sufficient access
rights of course).
- Keyboard macros
- Progress bar
- Fixups highlighting for PE and MZ
- Following offset based jumps/calls with one touch
(for example, when Hiew encounters a call d,[12345678] instruction,
it checks if the value at the offset of 12345678 looks like VA,
and assigns this call a number: call d,[12345678] ;.87654321 --- (1) )
- New algorithm for reading the Import Table.
- Search speed has been slightly (~5-7%) increased.

**VERY IMPORTANT**: Assembler search wildcards have been changed. They are
unified with the File wildcards now (see 'String Wildcards')

���� Release notes: version 6.70 ���������������������������������������������

Crypt is 32-bit now. Crypt programs (*.cry) are written in text format
now. Old binary format from version 5.01 will be supported by current version
(6.7x) only! Tho new operators were added: AND, OR. Programs can be up to 32
lines long. Lines starting with ';' treated as comments.

���� Release notes: version 6.60 ���������������������������������������������

Support for little-endian ELF executables

EDUMP - common dumper for NE/LX/LE/PE/ELF files

���� Release notes: versions 6.29/6.30 ���������������������������������������

32-bit console version for Windows.

PEDUMP.EXE - dumper for PE files.
All utilities have versions compiled for DOS, OS/2, and Win32

���� Release notes: version 6.15 ���������������������������������������������

Starting with this release HIEW is SHAREWARE. See register.txt for

details.

���� Release notes: version 6.00 ���������������������������������������������

New features in version 6.00:

- "crypt" has been removed (it will be a separate project)

- Switching between files specified in the command line moved to
CtrlF11/CtrlF12.
- Alt- functions moved to Alt-Fn (except for Alt-P, Alt-H, Alt-=). See hiew.hlp
for details.
- History has been added for string input (PgDn) and file section
(press Backspace for menu, Tab to select next file in history).
- "ActionAfterWriteSavefile" option removed from the ini-file.
- "NextFileSaveOffset" option (preserve current offset for next file)
replaced by "NextFileSaveOffset" option (preserve current state for next file)

���� Contents ����������������������������������������������������������������

� About HIEW
� Assembler mode
� Basing
� Block operations
� Status bar (New in 7.00)
� Keys
� Bookmarks
� Jumps (call/jmp) in disassembler mode
� String wildcards (New in 7.00)
� Search and replace (New in 7.00)
� Crypt
� Local and Global offsets (New in 7.00)
� Keyboard macros (New in 7.00)
� INI file
� SAV file
� XLT file structure
� Command line (New in 7.00)
� History (Always new)

���� About HIEW ��������������������������������������������������������������

Basically HIEW is a hex viewer for those who need to change some bytes in the
code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text,
hex, and Pentium(R) 4 disassembler mode.

Features:

� Text/hex mode editor

� Built-in Pentium(R) 4 assembler
� Physical & logical drive view & edit
� Creating new files
� Search and replace in blocks
� Context help (however help file is not necessary for starting HIEW)
� Search for assembler command wildcards
� Keyboard macros
� Built-in 64-bit calculator

���� Assembler mode ����������������������������������������������������������

"Byte/word/dword/pword/qword/tbyte" can be abbreviated as

"b,/w,/d,/p,/q,/t,". All numbers are hexadecimal by default, so the suffix "h"
is optional. Constant arithmetics is supported (i.e. mov bx, [123+23-46h]
produces same results as mov bx,[100h]). Error
messages are very brief (invalid command, syntax error, invalid operand,
missing/invalid size). Unconditional JMP's are translated to 0E9 XX XX, for
near jump (0EB), you have to type jmp short xxxxx (or jmps xxxxx).

Starting from version 5.00 HIEW works with 386 assembler, so when
working with 8086 code check entered jumps carefully, because you may get
unwanted long jump.

WARNING! Commands can be assembled differently depending on the

assembler you're using.

���� Basing ������������������������������������������������������������������

Base is a constant that is added to all offset and jump addresses.

If current offset is YY, and you want it to be XX, you can enter "*XX" as a
base (note the asterisks!). Pressing Ctrl-F5/Ctrl-F5 produces same result.

���� Block operations ��������������������������������������������������������

Block operations work only in "Hex" and "Decode" modes. You can mark
blocks without switching to Edit. Marked block can be written to a file by
pressing F2 (PutBlk).

To append the block to the end of file, type '*' character. You can load a
block from another file by pressing Ctrl-F2 (GetBlk). Block will be loaded at
the current offset.

Since version 6.10, if nothing is marked in the current file, history is

searched for the latest file where the block is marked, and this block is used.

���� Status Bar ��������������������������������������������������������������

������������������������������������������������������������������������������
xx% Filename.ext .dFRO -------- xxx PE xxxxxxxx�Hiew 7.00 (c) SEN
������������������������������������������������������������������������������
��� ������������ ����� �������� ��� � �������� �����������������
percentage � ����� � � � current progress bar will
indicator � ����� � � � offset appear here
(when BAR=P � ����� � � V
in HIEW.INI) � ����� � � neexecutable type
V ����� � �
file name ����� � �
����� � ��> * Text mode: index of the
����� � first column
kbmacro state: <�������‫���ٳ‬ � * DeCode mode: operands and
R - recording ���� � addresses width;
0..8 - replay ���� � 'a' means it was
���� � recognized automatically
search direction <��������‫��ٳ‬ � for executable
��� �
search area: <���������‫�ٳ‬ ��> status of all bookmarks
F - whole file �� '-' free
B - block �� '1..8' occupied
A - list from the command line �� '*' current
��
file state: <����������‫ٳ‬
R - opened in Read mode �
W - opened in Write mode �
U - modified �
�
O - overwrite block <������������
I - insert block
���� Keys ��������������������������������������������������������������������

All keys described in the HIEW7.HLP help file (press F1 to open). You may may
modify HIEW7.HLP, but modified version should keep "[HiewHelp 7.00]" in the
first line. Semicolon
';' denotes a comment. F1 calls corresponding section (from [xxxx] to [yyyy]).

HIEW7.HLP must end with section called [End].

Since version 7.00 it is possible to create section links with:

+[SectionName]

���� Bookmarks ���������������������������������������������������������������

Bookmarks allows you to save the current screen and restore it later. Press
'+' to save state of the current screen. Up to eight screens can be saved, and
each saved screen is assigned an index 1..8. To restore a screen press one of
Alt-1...Alt-8 according to the screen index. Bookmarks are kept separately for
each mode (Text/Hex/Decode).

���� Jumps (call/jmp) in disassembler mode �����������������������������������

Jumps are more configurable now. They can be specified in the jumpTable
array of HIEW.INI. It is a string (in C since) of digits and letters. First
character ('0' in HIEW 4, 'Z' in HIEW 5 day 28) is used to undo jump. Character
read from the keyboard are converted to upper case, then looked for in the
jumpTable. By default jumpTable consists of digits '1'-'9' followed by letters
'A'-'Z'.

���� String wildcards ��������������������������������������������������������

String wildcards are used in the following places:

1. Search for wildcard in decode mode (F7-F7)

2. File masks in filemanager (F9)
3. Mask for imported functions in the Import Table (F8-F7)

Wildcard symbols:

? - any single character

* - arbitrary number of any characters (0 or more)
{ABD} - A, B, or D
{A-D} - A, B, C, or D
{!ABC} - any single character except A, B, and C
! - anything but ... (must be the first character)

Examples:

All executable files in file manager: *.exe

All non-executable files in file manager: !*.exe
Filter from imported functions ones working with registry:
reg*key* = RegCreateKey, RegDeleteKey, RegQueryKeyValue, etc.

���� Search and replace ������������������������������������������������������

If Enter was pressed in ASCII field, search is case insensitive, for

case sensitive search move cursor to HEX field before pressing Enter.
 You can search assembler commands (F7).

Search/replace can be restricted to a selected block now (F4 while

entering the search or replace string).

In the disassembler mode assembler commands can be searched with wildcards

(see above). If entered assembler command contains any of the wildcard
characters, wildcard search is started, otherwise command is just assembled.
Assembling can be forced with Ctrl+Enter for commands like 'mov eax,[eax*2]'

For example, in the DECODE mode <F7><F7> 'mov ax, *' will find 'mov ax,1234h",
"mov ax,sp", and like.

"mov ?x, ax" will find "mov ax,ax", "mov bx,ax", "mov cx,ax", and "mov dx,
ax",
but not "mov bp,ax" or "mov si,ax".

*** IMPORTANT ***

strings are compared without conversion! Do not forget any leading
zeroes, like 'cmp *,0ab' for byte, 'cmp *,000ab' for word, etc...

Since version 5.83 semicolumn-delimited sequence of assembler commands

can be searched as well.
For example: "push *10; call *; add *"

will find: will not find:

-------- ---------
push 00010 push 00010
call 01234:05678 push 00011
add sp,00006 add ax,00006

Since version 6.10 search and replace can be performed in all files
that were specified in the command line. Option "fillArg" must be activated by
pressing "F4" while entering search or replace string.

Alt-? can be used in ASCII and hex searches as any symbol wildcard. For
example (HEX mode, F7): 00 01 ?? 03 04 (?? is shown in place of Alt-?) will
find '00 01 02 03 04', '00 01 FF 03 04', '00 01 AC 03 04', and like.

���� Crypt (F7/F8 in Edit mode) ����������������������������������������������

Crypt can be used for (de-)crypting code or data with some simple
algorithm. Single byte, word or dword of code or data is crypted at a time
(press F2 to change crypt width). Crypt routine must end with "LOOP lineNumber"
operator.

Available commands:

Reg mode : neg,mul,div

Reg-Reg mode: mov,xor,add,sub,rol,ror,xchg,and,or
Reg-Imm mode: mov,xor,add,sub,rol,ror,and,or
Imm mode : loop

All 8/16/32 bit registers are available, except for AL/AX/EAX that is
used for (de-)crypted byte/word/dword input and output.
 Differences from usual assembler:
* there are no jumps;
* 'loop' means jump or stop
* 'rol/ror' operands must have the same width, i.e. ROL AX,CL is not
allowed.
* 32-bit registers cannot be used as 'div' and 'mul' operands

Example:
a. XOR byte with 0AAh:
1. XOR al,0aah
2. LOOP 1

b. XOR word with mask increment

1. MOV dx,0
2. XOR ax,dx
3. ADD dx,1
4. LOOP 2

c. divide byte by 2
1. MOV cl,2
2. MOV ah,0 ; register AH use for DIV
3. DIV cl

d. translate using expression ax=(ax*3)/2

1. MOV bx,3
2. MOV cx,2
3. MUL bx ; result store into (DX:AX)
4. DIV cx ; divide (DX:AX) by CX

���� Local and Global offsets ������������������������������������������������

Since version 5.40 Hiew can show (and set) local offsets, i.e. offsets from the
beginning of a segment or an object. Local offset is represented by a dot
followed by the offset itself.

For the case of the local offset in the NE/LX files, the new offset is
calculated as SSSSOOOO, where SSSS is a segment number for NE, or base for LX;
OOOO is a local offset. If SSSS is zero, then the offset is calculated from the
current segment.

For PE files object alignment (OA) is used in calculating the base. If you
enter (with F5) a local offset that is less than OA, the jump is performed in
the current section.

For LX files having objects larger than 0xFFFF (see object 1 in FC.EXE),
offsets are displayed as in some debuggers (for example, in SD386), and you
should use jumps like .0x200234, although there's no such base as 0x200000.

If the cursor is outside of a segment/object, error message is shown (incorrect

jump calculation).

*NB!* If the first input symbol is '.', the offset is considered local,
otherwise it is global.

Examples of local offset inputs with F5:

a: (NE) .10023 - offset 0x0023 in the first segment

 b: (NE/LX/PE) .23 - offset 0x0023 in the current segment
c: (LX) .10023 - object with base 0x10000 is searched in Object Table
and a jump to local offset 0x0023 is performed
d: (PE) .401023 - virtual address (VA) 401023

If a local offset is set, then wildcards and NE/LX/PE links are searched only
in code segments. For dual-EXE the search area is defined by the active header.
If MZ header is active, then search stops at NewExe header.

Since version 7.00 64-bit offset representation is switched on for files larger
than 4 gigabytes. The offset is shown as 'high32,low32'. This is because
otherwise long numbers with lots of zeroes are difficult to read.

Titlebar for this kind of files always displays 64-bit offset, while in the
left column it's only shown on screens wider than 89 characters, otherwise just
low 32 bits are displayed, and you have to check the titlebar for the rest.

���� Keyboard macros ��������������������������������������������������������

Macros allow you to record a sequence of keypresses in order to replay it

later.

1. Press Ctrl-. to start recording

2. Press any keys you want to record
3. Press Ctrl-. to stop recording

Recorded sequence is assigned to Ctrl + 0 as Macro0. It is possible to move it

to anothercombination (from Ctrl + 1 to Ctrl + 8) with Ctrl-Minus; it is also
possible to save it to a file, load it from file, specify delay between
replayed keypresses and set other various flags.

Key combinations for macro recording and playback:

Ctrl-Minus - Macro manager (see button functions below)

Ctrl-. - record/stop macros to Macro0
Ctrl-0 - replay Macro0
Ctrl-1 - replay Macro1
...
Ctrl-8 - replay Macro8

Macro manager:

Enter - replay current macro

F2 - From 0 - copy Macro0 here
F4 - Delay - set delay between keypresses
F5 - Rename - rename macro
F8 - Unload - unload from memory
F9 - Store - save macro to a file
F10 - Load - load macro from file
F11 - Up - move macro up
F12 - Down - move macro down
AltF1 - Loop - loop macro playback
AltF2 - FailSr - stop playback if search returned no results

Also it is possible to run Hiew with a macros from the command line:
HIEW /MACRO0=<filename>
���� INI file ����������������������������������������������������������������

HIEW.INI file is searched in HIEW.EXE home directory. INI file can be

specified in "/INI=<inifile>" command line parameter. HIEW.INI must start with
"[HiewIni 5.03]" in the first line! Blank lines and commented lines (starting
with ';') are ignored.

Detailed information about all options is provided in the HIEW.INI itself.

���� SAV file ����������������������������������������������������������������

If started without any parameters, HIEW looks for SAV-file in the

current directory ("HIEW.SAV", or the value of 'savefile' statement in
HIEW.INI), and restores the previously saved (with Ctrl-F10) state.

���� XLT file structure ������������������������������������������������������

typedef struct{
BYTE sign[ 9 ], // "HiewXlat",0
unused[ 5 ],
versionMajor, // 0x05
versionMinor; // 0x40
}XLAT_HEADER;

typedef struct{
BYTE title[ 16 ], // show in F8
tableOut[ 256 ], // for output
tableIn[ 256 ], // for input
tableUpper[ 256 ]; // for search with ignore case
}XLAT;

Maximum number of translation tables is 15

All translation tables can be viewed with F8-F9 in textmode, or Alt-F8-F9 in

other modes, including Edit mode.

���� Command line ������������������������������������������������������������

Hiew [/MACRO0=<macrofile>][/SAV=<savefile>][/INI=<inifile>] [/s]filemask

...[/s][filemask]

/MACRO0=<macrofile> - run keyboard macro after start

/SAV=<savefile> - location of savefile
/INI=<inifile> - location of inifile
[/s] filemask ... [/s][filemask] - more files, including wildcards

Option /s toggles search with subdirectories:

hiew /s *.dll *.exe /s *.txt -> search for .dll and .exe in subdirectories,
and for .txt files in current directory only

���� Thanks ������������������������������������������������������������������

Special thanks to:

Alexander Orechov as best beta-tester
Alexander Volok
Arkady Kapustinsky for ELF files support
Ilfak Guilfanov for NE files support
 Kaspersky Labs, AVP research team for general support
Michail Korneff for english translation of dox
Roman Potapov for introduction to unix
Vladimir Ibatulin for finding bugs

Thanks for beta-testing to:

Elias Bachaalany
Erwann Corvellec
Konstantin Zhdanov
Michael Orechov
Nicola Krasnoyarsky

Thanks to:
Ruslan Kantorovych
Tadashi Yamakawa
Alexei Kulencov
Andrew Shipinsky
Kirill N. Joss
Stas Mechanoshin
Vladimir Kalashnikov
Alexey Podrezov
Marat Khalili
Keith Byers

���� History ����������������������������������������������������������������

7.00 23/12/04 - DOS and OS/2 versions are no longer supported

- support for files and blocks larger than 4Gb
- keyboard macros
- 64-bit calculator
- progress bar for search and block operations
- displaying names for ordinals in PE
- support for overlay MZ
- fixups highlighting for MZ and PE
- PE table section editing (deleting, adding, swapping...)
- all imports (incl. Delay) aggregated in one table (F8-F7)
- more wildcards for assembler search
- new lines in hiew.ini
MacroDelay=
MacroStopIfSearchFail=
MacroPath=
FlistSizeInK=
AutoloadOrdinals=
IgnoreDiskError=
ConfirmExitByEsc=
SuppressPrepareError=
CursorShapeInvert=
ColorFixup=
ColorMacroRec=
ColorMacroPlay=
7.01 28/12/04 - FIX: trash for edit PE section name
FIX: crash on some files with a bad import table

���������������������� Eugeny Suslikov <[email protected]> ���������������������