Hiew release 8.43 Dedicated to my wife...
http://www.hiew.ru
北北 Release notes: version 7.40 北北北北北北北北北北北北北北北北北北北北北北?
New engines are for 64bits disassmbler and assembler with x86-64
commands full support. Added PE32+ format support. Crypt grow up 64bit too.
**VERY IMPORTANT**: Command MUL and DIV are changed !
(See section 'Crypt' for details)
For migrate previous crypt-program are *attentively* examine use the commands
DIV/MUL and replace first line to '[HiewCrypt 6.70]'.
北北 Release notes: version 7.00 北北北北北北北北北北北北北北北北北北北北北北?
After a considerable delay version 7.00 of Hiew has been released.
There are many new features:
- Hiew does not support DOS or OS/2 operating systems any longer.
- Hiew now works with files and blocks of any size, so it can be used with all
physical and logical drives in the system (provided user has sufficient access
rights of course).
- Keyboard macros
- Progress bar
- Fixups highlighting for PE and MZ
- Following offset based jumps/calls with one touch
(for example, when Hiew encounters a call d,[12345678] instruction,
it checks if the value at the offset of 12345678 looks like VA,
and assigns this call a number: call d,[12345678] ;.87654321 --- (1) )
- New algorithm for reading the Import Table.
- Search speed has been slightly (~5-7%) increased.
**VERY IMPORTANT**: Assembler search wildcards have been changed. They are
unified with the File wildcards now (see 'String Wildcards')
北北 Release notes: version 6.70 北北北北北北北北北北北北北北北北北北北北北北?
Crypt is 32-bit now. Crypt programs (*.cry) are written in text format
now. Old binary format from version 5.01 will be supported by current version
(6.7x) only! Tho new operators were added: AND, OR. Programs can be up to 32
lines long. Lines starting with ';' treated as comments.
北北 Release notes: version 6.60 北北北北北北北北北北北北北北北北北北北北北北?
Support for little-endian ELF executables
EDUMP - common dumper for NE/LX/LE/PE/ELF files
北北 Release notes: versions 6.29/6.30 北北北北北北北北北北北北北北北北北北北?
32-bit console version for Windows.
PEDUMP.EXE - dumper for PE files.
All utilities have versions compiled for DOS, OS/2, and Win32
北北 Release notes: version 6.15 北北北北北北北北北北北北北北北北北北北北北北?
Starting with this release HIEW is SHAREWARE. See register.txt for
details.
北北 Release notes: version 6.00 北北北北北北北北北北北北北北北北北北北北北北?
New features in version 6.00:
- "crypt" has been removed (it will be a separate project)
- Switching between files specified in the command line moved to
CtrlF11/CtrlF12.
- Alt- functions moved to Alt-Fn (except for Alt-P, Alt-H, Alt-=). See hiew.hlp
for details.
- History has been added for string input (PgDn) and file section
(press Backspace for menu, Tab to select next file in history).
- "ActionAfterWriteSavefile" option removed from the ini-file.
- "NextFileSaveOffset" option (preserve current offset for next file)
replaced by "NextFileSaveOffset" option (preserve current state for next file)
北北 Contents 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
?About HIEW
?Assembler mode
?Basing
?Block operations
?Status bar
?Keys
?Bookmarks
?Jumps (call/jmp) in disassembler mode
?String wildcards
?Search and replace
?Crypt
?Local and Global offsets
?Keyboard macros
?Text string extraction
?Color marking
?INI file
?SAV file
?XLT file structure
?Command line
?History
北北 About HIEW 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Basically HIEW is a hex viewer for those who need to change some bytes in the
code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text,
hex, and disassembler modes.
Features:
* displaying files of any length in text, hex, and decode modes
* view, edit, search/replace for unicode
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE, PE32+ and little-endian ELF executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN,...
* following direct call/jmp instructions in any executable file with one touch
* built-in simple 64bit decrypt/crypt system
* built-in powerful 64bit calculator
* operations with blocks of arbitrary length: read, write, fill, copy, move,
insert, delete, crypt
* multifile search and replace
* editing the NewExecutable files header
* keyboard macros
* unicode support
* Hiew Extrenal Module (HEM) support
北北 Assembler mode 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
For true assemblers!
All numbers are hexadecimal by default, but the suffix "t" changes to
decimal (e.g. mov al,10t). Possible use string as immed operand (e.g. mov
eax,"sign") Constant arithmetics is supported (i.e. mov bx,
[123+23-46h] produces same results as mov bx,[100h]). Error messages are
very brief (invalid command, syntax error, invalid operand,
missing/invalid size).
Three non-standart commands exists:
jmps = jmp short
jmpf = jmp far [mem 16:16/32/64]
callf = call far [mem 16:16/32/64]
Commands can be assembled different way. Since version 7.40 appeared
the possibility of the choice: F4 when entering the assembler command switches
to choose from available variants or put the command of the minimum length.
Under included options 'nop' will offers the different length from 1-9 bytes.
北北 Basing 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Base is a constant that is added to all offset and jump addresses.
If current offset is YY, and you want it to be XX, you can enter "*XX" as a
base (note the asterisks!). Pressing Ctrl-F5/Ctrl-F5 produces same result.
北北 Block operations 北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Block operations work only in "Hex" and "Decode" modes. You can mark
blocks without switching to Edit. Marked block can be written to a file by
pressing F2 (PutBlk).
To append the block to the end of file, type '*' character. You can load a
block from another file by pressing Ctrl-F2 (GetBlk). Block will be loaded at
the current offset.
Since version 6.10, if nothing is marked in the current file, history is
searched for the latest file where the block is marked, and this block is used.
北北 Status Bar 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
xx% Filename.ext .dFRO -------- xxx PE xxxxxxxx篐iew 7.00 (c) SEN
哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
缆? 滥哪哪哪哪沦 吵吵?滥哪履馁 缆?? 滥穆哪馁 滥哪哪哪履哪哪哪? percentage ? 吵吵? ? ? ? current progress bar will
indicator ? 吵吵? ? ? ? offset appear here
(when BAR=P ? 吵吵? ? ? V
in HIEW.INI) ? 吵吵? ? ? neexecutable type
V 吵吵? ? ?
file name 吵吵? ? ?
吵吵? ? 滥> * Text mode: index of the
吵吵? ? first column
kbmacro state: <哪哪哪馁吵吵 ? * DeCode mode: operands and
R - recording 吵吵 ? addresses width;
0..8 - replay 吵吵 ? 'a' means it was
吵吵 ? recognized automatically
search direction <哪哪哪哪俪吵 ? for executable
吵? ?
search area: <哪哪哪哪馁吵 滥> status of all bookmarks
F - whole file 吵 '-' free
B - block 吵 '1..8' occupied
A - list from the command line 吵 '*' current
吵
file state: <哪哪哪哪哪俪
R - opened in Read mode ? W - opened in Write mode ? U - modified ? ? O - overwrite block <哪哪哪哪哪馁
I - insert block
北北 Keys 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
All keys described in the HIEW7.HLP help file (press F1 to open). You may may
modify HIEW7.HLP, but modified version should keep "[HiewHelp 7.00]" in the
first line. Semicolon
';' denotes a comment. F1 calls corresponding section (from [xxxx] to [yyyy]).
HIEW7.HLP must end with section called [End].
Since version 7.00 it is possible to create section links with:
+[SectionName]
北北 Bookmarks 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北?
Bookmarks allows you to save the current screen and restore it later. Press
'+' to save state of the current screen. Up to eight screens can be saved, and
each saved screen is assigned an index 1..8. To restore a screen press one of
Alt-1...Alt-8 according to the screen index. Bookmarks are kept separately for
each mode (Text/Hex/Decode).
北北 Jumps (call/jmp) in disassembler mode 北北北北北北北北北北北北北北北北北?
Jumps are more configurable now. They can be specified in the jumpTable
array of HIEW.INI. It is a string (in C since) of digits and letters. First
character ('0' in HIEW 4, 'Z' in HIEW 5 day 28) is used to undo jump. Character
read from the keyboard are converted to upper case, then looked for in the
jumpTable. By default jumpTable consists of digits '1'-'9' followed by letters
'A'-'Z'.
北北 String wildcards 北北北北北北北北北北北北北北北北北北北北北北北北北北北北
String wildcards are used in the following places:
1. Search for wildcard in decode mode (F7-F7)
2. File masks in filemanager (F9)
3. Mask for imported functions in the Import Table (F8-F7)
Wildcard symbols:
? - any single character
* - arbitrary number of any characters (0 or more)
{ABD} - A, B, or D
{A-D} - A, B, C, or D
{!ABC} - any single character except A, B, and C
! - anything but ... (must be the first character)
Examples:
All executable files in file manager: *.exe
All non-executable files in file manager: !*.exe
Filter from imported functions ones working with registry:
reg*key* = RegCreateKey, RegDeleteKey, RegQueryKeyValue, etc.
北北 Search and replace 北北北北北北北北北北北北北北北北北北北北北北北北北北北
If Enter was pressed in ASCII field, search is case insensitive, for
case sensitive search move cursor to HEX field before pressing Enter.
You can search assembler commands (F7).
Search/replace can be restricted to a selected block now (F4 while
entering the search or replace string).
In the disassembler mode assembler commands can be searched with wildcards
(see above). If entered assembler command contains any of the wildcard
characters, wildcard search is started, otherwise command is just assembled.
Assembling can be forced with Ctrl+Enter for commands like 'mov eax,[eax*2]'
For example, in the DECODE mode <F7><F7> 'mov ax, *' will find 'mov ax,1234h",
"mov ax,sp", and like.
"mov ?x, ax" will find "mov ax,ax", "mov bx,ax", "mov cx,ax", and "mov dx,
ax",
but not "mov bp,ax" or "mov si,ax".
*** IMPORTANT ***
strings are compared without conversion! Do not forget any leading
zeroes, like 'cmp *,0ab' for byte, 'cmp *,000ab' for word, etc...
Since version 5.83 possible search for the sequence of the commands,
preparing their special character. Since version 7.40 such chracter is '/'.
For example: "push *10 / call * / add *"
will find: will not find:
-------- ---------
push 00010 push 00010
call 01234:05678 push 00011
add sp,00006 add ax,00006
Since version 6.10 search and replace can be performed in all files
that were specified in the command line. Option "filArg" must be activated by
pressing "F4" while entering search or replace string.
Alt-? can be used in ASCII and hex searches as any symbol wildcard. For
example (HEX mode, F7): 00 01 ?? 03 04 (?? is shown in place of Alt-?) will
find '00 01 02 03 04', '00 01 FF 03 04', '00 01 AC 03 04', and like.
北北 Crypt (F7 in Edit mode) 北北北北北北北北北北北北北北北北北北北北北北北北?
Crypt can be used for (de-)crypting code or data with some simple
algorithm. Byte/Word/Dword/Qword of code or data is crypted at a time
(press F2 to change crypt width). Crypt routine must end with "LOOP lineNumber"
operator.
All 8/16/32/64-bit registers are available and equipollent, except for
AL/AX/EAX/RAX that is used for (de-)crypted byte/word/dword/qword input and
output.
Differences from usual assembler:
* there are no jumps;
* 'loop' means jump or stop
* 'rol/ror' operands must have the same width, i.e. ROL AX,CL is not
allowed.
* (7.40+) command DIV divides unsigned value in the register RAX by
source operand (register or immed) and store quotient in the RAX
and remainder in the RDX.
* (7.40+) command MUL performs an unsigned multiplication of the
operand (register ot immed) by register RAX and the result store
in register RAX.
Example:
a. XOR byte with 0AAh:
1. XOR al,0aah
2. LOOP 1
b. XOR word with mask increment
1. MOV dx,0
2. XOR ax,dx <-+
3. ADD dx,1 |
4. LOOP 2 --+
北北 Local and Global offsets 北北北北北北北北北北北北北北北北北北北北北北北北
Since version 5.40 Hiew can show (and set) local offsets, i.e. offsets from the
beginning of a segment or an object. Local offset is represented by a dot
followed by the offset itself.
For the case of the local offset in the NE/LX files, the new offset is
calculated as SSSSOOOO, where SSSS is a segment number for NE, or base for LX;
OOOO is a local offset. If SSSS is zero, then the offset is calculated from the
current segment.
For PE files object alignment (OA) is used in calculating the base. If you
enter (with F5) a local offset that is less than OA, the jump is performed in
the current section.
For LX files having objects larger than 0xFFFF (see object 1 in FC.EXE),
offsets are displayed as in some debuggers (for example, in SD386), and you
should use jumps like .0x200234, although there's no such base as 0x200000.
If the cursor is outside of a segment/object, error message is shown (incorrect
jump calculation).
*NB!* If the first input symbol is '.', the offset is considered local,
otherwise it is global.
Examples of local offset inputs with F5:
a: (NE) .10023 - offset 0x0023 in the first segment
b: (NE/LX/PE) .23 - offset 0x0023 in the current segment
c: (LX) .10023 - object with base 0x10000 is searched in Object Table
and a jump to local offset 0x0023 is performed
d: (PE) .401023 - virtual address (VA) 401023
If a local offset is set, then wildcards and NE/LX/PE links are searched only
in code segments. For dual-EXE the search area is defined by the active header.
If MZ header is active, then search stops at NewExe header.
Since version 7.00 64-bit offset representation is switched on for files larger
than 4 gigabytes. The offset is shown as "high32'low32". This is because
otherwise long numbers with lots of zeroes are difficult to read.
Titlebar for this kind of files always displays 64-bit offset, while in the
left column it's only shown on screens wider than 89 characters, otherwise just
low 32 bits are displayed, and you have to check the titlebar for the rest.
北北 Keyboard macros 北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Macros allow you to record a sequence of keypresses in order to replay it
later.
1. Press Ctrl-. to start recording
2. Press any keys you want to record
3. Press Ctrl-. to stop recording
Recorded sequence is assigned to Ctrl + 0 as Macro0. It is possible to move it
to anothercombination (from Ctrl + 1 to Ctrl + 8) with Ctrl-Minus; it is also
possible to save it to a file, load it from file, specify delay between
replayed keypresses and set other various flags.
Key combinations for macro recording and playback:
Enter - replay current macro
F2 - From 0 - copy Macro0 here
F4 - Delay - set delay between keypresses
F5 - Rename - rename macro
F8 - Unload - unload from memory
F9 - Store - save macro to a file
F10 - Load - load macro from file
F11 - Up - move macro up
F12 - Down - move macro down
AltF1 - Loop - loop macro playback
AltF2 - FailSr - stop playback if search returned no results
Also it is possible to run Hiew with a macros from the command line:
HIEW /MACRO0=<filename>
北北 Text string extraction 北北北北北北北北北北北北北北北北北北北北北北北北北
Starting from version 7.10 it's possible to extract all text strings
(sequences of letters, digits and some ASCII7 special characters) from
the file or selected block, and pass extraction results through
a wildcard-based filter. You have to be in hex mode in order to invoke
this function; whole file is being used for extraction when no block
is selected. Strings with length smaller than 'MinStringLength='
ini-file parameter value are ignored, and this value itself cannot
be smaller than 4. Also, wildcard search is limited to the first 1000
characters of a string.
北北 Color marking 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北?
With version 8.32 inside Hex and Code modes can be colored blocks.
To do this, you first need to select standart block via double stars press,
then press Alt-M, select color with keys up-down-left-right and press Enter.
To remove a color mark move cursor over the waste block, and press Alt-M too.
Marking is stored in a file on request at an exit (or change the file) and
automatically loaded from a file with the extension .cmarkers, the format of:
followed by recording 12 bytes of the block and its color:
8 bytes - the absolute offset of a block in the file
1 byte - color
3 bytes - the length of the block
北北 INI file 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
HIEW.INI file is searched in HIEW.EXE home directory. INI file can be
specified in "/INI=<inifile>" command line parameter. HIEW.INI must start with
"[HiewIni 5.03]" in the first line! Blank lines and commented lines (starting
with ';') are ignored.
Detailed information about all options is provided in the HIEW.INI itself.
北北 HEMKEYS.INI file 北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Since version 7.45 in hem-directory can be placed the file HEMKEYS.INI
with one-character keys of direct call hem-modules in hem-menu (F11).
First line must be line '[HemKeys 7.45]'. Next lines are keys defined:
k: hemfile
Blank lines and commented lines are ignored.
Characters are converted in uppercase.
The hem-file name is compared from begin and is taken the first coincidence.
If started without any parameters, HIEW looks for SAV-file in the
current directory ("HIEW.SAV", or the value of 'savefile' statement in
HIEW.INI), and restores the previously saved (with Ctrl-F10) state.
typedef struct{
BYTE title[ 16 ], // show in F8
tableOut[ 256 ], // for output
tableIn[ 256 ], // for input
tableUpper[ 256 ]; // for search with ignore case
}XLAT;
Maximum number of translation tables is 15
All translation tables can be viewed with F8-F9 in textmode, or Alt-F8-F9 in
other modes, including Edit mode.
北北 Command line 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
Hiew [options] filemask...[filemask]
/O[thc]=OEP|END|[.]offset[th] - assign start mode and start offset
/MACRO0=<macrofile> - run keyboard macro after start
/SAV=<savefile> - location of savefile
/INI=<inifile> - location of inifile
filemask...[filemask] - more files, including wildcards
* option /s toggles search with subdirectories:
hiew /s *.dll *.exe /s *.txt -> search for .dll and .exe in subdirectories,
and for .txt files in current directory only
* offset in option '/O' possible reference in any type supported by hiew inside:
- with first dot as local offset
- base by default (16) may be changed by suffix 't'
as well as:
- special offset 'END' (without quote) set cursor at last byte of the file
- special offset 'OEP' (without quote) set cursor at entry-point of the exe-file
examples:
/Ot=END - text mode, end of the file
/Oc=OEP - code mode, cursor at entry-point
/Oh=1234 - hex mode, offset as 1234 (hex)
/Oh=0x1234 - too most as above
/Oh=1234t - hex mode, offset as 1234 (decimal)
/Oc=.401234 - code mode, local offset 401234
* since version 7.40 the option '/O' it is used to all files
of the command line under CtrlF9/CtrlF11/CtrlF12
北北 History 北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北北
8.00 29/01/09 - ARMv6 disassembler
- "ArmCodeDetection = On/Off" in ini-file
- Xor string (Edit/F8) is back!
- Names shift offset (F12/F6)
- Names export (F12/Shift-F12)
- PE section rva/offset correction (F8-F6-F5/F6)
- FIX: Some disassemblers fixes
- FIX: HEM: no set mode for HEM_RETURN_FILERELOAD
8.02 20/07/09 - code keys: Alt-F6(1byte/command) moved to Alt-F9
- code keys: Alt-F6 as Strings
- code keys: Ctrl-F7 as FindOtherByte
- FIX: PE import in mixed sections
- FIX ARM: load_imm_offset not allow for u-bit
- FIX: input hexline insertions from clipboard was truncate if spaces present
- FIX PE: files with sectioncount = 0 show as PE again
8.10 4/02/10 - FIX PE: crash if press escape for 'Sections count invalid'
- ELF: added some program types (TLS,EH_FRAME,STACK)
- "PackNops = On/Off" in ini-file
- SSE 4.2 opcodes added
8.11 26/07/10 - FIX: assemble local offset > 32 bits
- FIX: crash on non-valid export names pool
- FIX: crash on colored some import names
- FIX: backward search has found 0 always
- in ini-file: "KeysOtherNextSwap = On/Off" (swap CtrlF7 / ShiftF7 keys actions)
- PE section flags at F2
- 'section count invalid' message only (no keypress request)
- 'fixups: invalid data' shows only 4 times
8.12 25/10/10 - FIX: opcode FF/6 has dword size into 64bit mode
- FIX: assemble non-existing 'push eax' into 64bit mode
- Delay import preparing changes
- Header detail view (F8-F3) for read-only files
8.13 21/12/10 - FIX(8.12): lost negative form of disp8 ( [ebx][0F8] instand [ebx][-8] )
- first symbol '$' legal in names from import textfile
- Filemenu: Alt-F3 as Device menu
8.14 9/05/11 - FIX: symbol 0x0D hide for Consolas font
- FIX: some PE overlay cases
- FIX: garbage in PE header less nominal
- FIX: 64bits: r9d-r15d base/index registers not shows
- FIX: crypt xchg command works correct again
- ini-file: "PackInt3 = On/Off"
8.15 5/09/11 - FIX(8.14) unicode functions used for winnt only
- FIX: some fixes in 64bit disasm
- FIX: casual crash in Crypto's Ctrl-F7
- FIX: lost import name for PE with base above 0x7FFFFFFF
- ini-file: "wow64Disable = On/Off"
8.21 30/11/11 - PE resource list (F8-F12)
- hiew8.ini in current directory try opens first
- FIX: some (dis)asm fixes
- FIX: some artificialy made PE
- FIX: goto -1 ignored
8.22 15/02/12 - FIX(8.20): lost colorized of TRx registers
- FIX: bswap and prefix 66
- some undocumented fp-opcodes are added (fstp1,fcom2,fcomp3,...)
- if at start the file from sav-file not found but exist such file in current dir, may be use it
8.24 16/05/12 - sort and store operations are added in PE Resource table (F8-F12)
8.30 11/10/12 - AVX dis/assembler
- direction of FindOtherByte depend of find direction
8.32 21/01/13 - color marking
8.33 2/04/13 - Shift-Alt-M as casual mark color
- FillBlock in Code mode too
- FillBlock now available for non-files
- fix: likely trash on bottom line for inifile error message
- fix: crash on long commandline
8.40 27/09/13 - Mouse support (inifile: Mouse = On/Off)
- fix: command NOP assembled with garbage byte
8.41 10/02/14 - 32bits disassembler by default
- fix: incorrect address of assemble name in 64bits
- fix: crash on long export name
8.42 2/06/14 - fix: wrong name for simple direct address (e.g. mov eax,400000)
- fix: failed goto for pe-files with big base
- change unicode detection for text files
8.43 13/10/14 - fix: mouse click position in unicode mode edit is wrong if hex per line != 16
- fix: trash on top screen if sort very long export name
- block fill operation can be breaked by ESC press
发表于 2014-12-24 15:27
