Dec 06 2017
Full Description of File
Welcome to WDASM 1.8, the premier
shareware Windows disassembler.
Please read the user's manual for
operating and license information,
found in WDMANUAL.WRI. (This document
is in Microsoft Write for Windows
format.)
WDASM Windows Disassembler v 1.8. Windows Disassembler disassembles Win .EXE and .DLL. Browse the source code of a program without having to write it to a file.

File Name | File Size | Zip Size | Zip Type |
---|---|---|---|
CTL3D.DLL | 15856 | 8744 | deflated |
FILE_ID.DIZ | 432 | 221 | deflated |
HELLO.C | 2089 | 856 | deflated |
HELLO.DEF | 391 | 209 | deflated |
HELLO.EXE | 4416 | 2317 | deflated |
HELLO1.AS_ | 4768 | 4768 | stored |
HELLO2.ASM | 4823 | 977 | deflated |
HELLO2.INC | 5719 | 526 | deflated |
HELLOHIL.AS_ | 5523 | 5523 | stored |
HILEVEL.EX_ | 30196 | 30164 | deflated |
HILEVEL.INC | 3720 | 923 | deflated |
TPCREAD.ME | 199 | 165 | deflated |
WDASM.EX_ | 37741 | 37741 | stored |
WDASM.HL_ | 15816 | 15816 | stored |
WDASM.ICO | 766 | 236 | deflated |
WDMANUAL.WRI | 44928 | 13332 | deflated |
WDREADME.TXT | 2046 | 696 | deflated |
WINSETUP.EXE | 121360 | 23676 | deflated |
WINSETUP.INF | 2113 | 806 | deflated |
Download File WDASM18.ZIP Here
Contents of the WDMANUAL.WRI file
Windows Disassembler 1.8 User's Manual
Windows Disassembler 1.8
A 486 Disassembler for Windows
User's Manual
Index
Introduction and Specifications
Operation
Opening Files
The Display
Creating Assembly Language Source Code Files
Assembly Tips
Differences Between Versions 1.6, 1.7, and 1.8
The HiLevel Utility
License And Warranty Disclaimer
Registration Form
Introduction
Windows Disassembler disassembles Windows executables and dynamic link libraries. It allows the user to browse the source code of a program without having to write it to a file. Windows Disassembler generates procedure directives, as well as all of the literal Windows API function call names.
Specifications
Files
Works on Windows 3.x executables and dynamic link libraries only.
Instruction Set
Translates all instructions within the 486 instruction set. It assumes that all code is executed in 16-bit mode (since Windows 3.1 uses 16-bit mode only).
Operating System and Hardware
Requires at least DOS 4.0, Windows 3.1, and a 286 or above IBM compatible computer. Installation of SMARTDRV (which comes with Windows) is recommended.
Operation
Opening Files
The default file name extension is ".exe" for opening files if no extension is specified. Windows Disassembler processes one file at a time. If a file is opened while another one is already open, the old file will be automatically closed. When opened, the file's assembly language code appears on the screen, provided that the file has a DOS executable file header, a new executable file header, and at least one segment. Otherwise, a dialog box will inform the user that the file does not meet a particular specification.
The Display
Displaying code in the display window is presented as an alternative to generating a gigantic assembly language source code file, since some programs are large, and the user may merely want to glance at a program's source code.
The code that initially appears in the window when a file is opened is the first segment within the file. Numbers are assigned to segments according to their chronological order within the new executable file header. Windows Disassembler displays one segment at a time within the window. The View | Segment command must be used to go to another segment. To scroll the text in the window, use the Up Arrow, Down Arrow, Page Up, and Page Down keys, or the scroll bar. To see the address offsets of each instruction, select View | Address Offsets from the main menu. To jump to a specific address, select View | Go To from the main menu and enter the address in hexadecimal format.
The View | Far Call Names command toggles between displaying far function call names and the actual relocation values in far CALL instructions (for example, 0000H:0FFFFH).
All labels have the form of either LxxxxH or DxxxxH, where xxxx is a 4-digit hexadecimal number equal to the offset of the location being referenced. Labels with an 'L' prefix denote locations within the immediate code segment, and labels with a 'D' prefix denote locations within a data segment. Labels within a code segment can either be procedure labels, jump/loop labels, or data labels within the code segment. Assembler directives, while generated for source code text files, are not shown in the display window.
Strings are detected and translated by Windows Disassembler whenever five or more visible characters occur within a data segment.
The Edit! command allows the user to convert a desired range of bytes from byte declarations into instructions, or vice versa, or to give labels to a specified range of bytes. This command is necessary for programs which have data declarations in their code segments. Note that all modifications which the user has made to a segment will be lost when exiting that segment. To keep the changes, the user can first save that segment as a text file using the Save Current Segment Only option. However, when the user leaves the segment, there is no way to restore the byte settings except by specifying them over again. Selecting the Create Separate Files For Each Segment option will result in the modifications/settings being erased (lost) before the file is created, hence the user must use the Save Current Segment Only option.
Creating Assembly Language Source Code Files
After opening an executable, the user can create an assembly language source code file for it using the Save Text As command. If the source code file name that the user specifies is the name of an already existing file, then that file will be automatically overwritten with the new source code file. Three options are available for generating the file or files. The first is to put all of the source code into one file. The name of this file will be the name the user specifies. The second option is to put each segment of the source code into separate files. Each segment's file name will be of the form yournameN.ext, where yourname.ext is the name the user specifies in the dialog box, and N is an integer corresponding to the segment's number, which is appended to the base name of the file (if necessary, this base name will be truncated to perform the appending). For example, if the user specifies \work\myprog.asm as the file name, Windows Disassembler will generate files named \work\myprog1.asm, \work\myprog2.asm, \work\myprog3.asm, etc. The third option is to generate a file for the current segment only (the one currently being displayed in the window). In this case Windows Disassembler uses the file name exactly as specified.
All editing done will be lost if the user exits a segment which the user has just modified, or if the user tries writing all of the segments to a file(s) at one time. However, if the user uses the Save Current Segment Only option, all modifications will remain.
The new file will contain tabs. To display the file in the way in which it was intended to be displayed, the user should set his or her editor's tab stop option to 8 spaces.
Windows Disassembler will create TITLE, .CODE segmentname, .DATA segmentname, .MODEL LARGE, .486, and EXTRN winAPIfunc:FAR directives. PROC and ENDP directives are also created for all exported and far procedures. In the case of non-exported functions, these procedure directives will all have the following form:
Functionn PROC FAR PUBLIC
(code)
RETF
Functionn ENDP
where n is the ordinal number (a decimal integer value) of the procedure in the entry table of the program's executable file header. For exported functions, the name of the function is explicitly written as it is listed in the resident and non-resident names tables in the program's header. For calls to functions in fixed memory segments, a comment is written beside the call. For example,
CALL FAR PTR Proc0AD0HSeg5
For far calls to procedures within the program in a different segment, EXTERNDEF's are generated. Near procedures are written in the following form:
ProcXXXXSegN PROC FAR PUBLIC
(code)
RET
ProcXXXXSegN ENDP
where XXXX is a four-digit hexadecimal value equal to the offset of the procedure in the segment and N is the decimal number of the segment the procedure is in.
Windows Disassembler generates segment names for segment directives of the form .CODE SEGn, where n is the segment number. This name is produced in order to distinguish between segments, and can be deleted or changed. (If the segments are in separate files then the name isn't needed.) If there are exactly 2 segments in a program, Windows Disassembler treats the program as having a small model, otherwise it assumes the program has a medium memory model. If the program has a compact or large model, then the MODEL directive must be changed to reflect the actual memory model. Windows Disassembler 1.8 translates functions belonging to commdlg.dll and shell.dll. It also generates information for unknown function calls in the form Module modulename Ordinal n. The user can look up the names of these functions using an executable-file header utility on the given dynamic link library. (In other words, one can use the relocation table names and offsets provided by an .exe file header utility to determine the function/variable names in the source code.)
Finally, EXTRN's (or EXTERNDEF's) must be supplied for any far variables used by the program not already supplied by Windows Disassembler (typically the far variable __winflags is used by Windows programs, for example).
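The three requirements listed under Opening Files (DOS header, new executable header, at least one segment) and the ordinal-to-name lookup described above can both be reproduced with a small header reader. The Python below is an added example, not part of the manual or of Windows Disassembler; the field offsets are those of the standard NE header layout, and the function names and the sample image are constructed for illustration.

```python
import struct

class NotDisassemblable(ValueError):
    """Carries the name of the first requirement the file fails."""

def _read_names(data, pos):
    # Name-table entry: length byte, name, 16-bit ordinal. A zero length ends the table.
    out = []
    while 0 < pos < len(data) and data[pos]:
        n = data[pos]
        if pos + n + 3 > len(data):
            break                                  # truncated table: keep what was read
        name = data[pos + 1:pos + 1 + n].decode("ascii", "replace")
        out.append((name, struct.unpack_from("<H", data, pos + 1 + n)[0]))
        pos += n + 3
    return out

def inspect_ne(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotDisassemblable("no DOS executable file header")
    ne = struct.unpack_from("<I", data, 0x3C)[0]   # file offset of the new header
    if ne + 0x40 > len(data) or data[ne:ne + 2] != b"NE":
        raise NotDisassemblable("no new executable file header")
    seg_count, = struct.unpack_from("<H", data, ne + 0x1C)
    seg_tab, = struct.unpack_from("<H", data, ne + 0x22)     # relative to NE header
    res_tab, = struct.unpack_from("<H", data, ne + 0x26)     # relative to NE header
    nonres_off, = struct.unpack_from("<I", data, ne + 0x2C)  # absolute file offset
    shift = struct.unpack_from("<H", data, ne + 0x32)[0] or 9
    if seg_count == 0 or ne + seg_tab + 8 * seg_count > len(data):
        raise NotDisassemblable("no segments")
    segments = []
    for i in range(seg_count):                     # segment numbers follow table order
        sector, length, flags, _ = struct.unpack_from("<4H", data, ne + seg_tab + 8 * i)
        segments.append({"number": i + 1,
                         "kind": "DATA" if flags & 1 else "CODE",
                         "file_offset": sector << shift,
                         "length": length or 0x10000})
    resident = _read_names(data, ne + res_tab) if res_tab else []
    nonres = _read_names(data, nonres_off)
    # First resident entry is the module name, first non-resident entry the description.
    exports = {ordinal: name for name, ordinal in resident[1:] + nonres[1:]}
    module = resident[0][0] if resident else None
    return {"module": module, "segments": segments, "exports": exports}

def rejection_reason(data):
    """Return the failed requirement as text, or None if the file passes all three."""
    try:
        inspect_ne(data)
    except NotDisassemblable as exc:
        return str(exc)
    return None

def _table(entries):
    body = b"".join(bytes([len(n)]) + n + struct.pack("<H", o) for n, o in entries)
    return body + b"\x00"

def build_sample_ne():
    """Constructed sample: headers and tables only, no segment contents."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)
    segs = struct.pack("<4H", 0x10, 0x0200, 0x0000, 0x0200)   # segment 1: code
    segs += struct.pack("<4H", 0x30, 0x0080, 0x0001, 0x0080)  # segment 2: data
    resident = _table([(b"SAMPLE", 0), (b"WNDPROC", 1)])
    nonres = _table([(b"Constructed sample", 0), (b"ABOUTDLG", 2)])
    ne = bytearray(0x40)
    ne[0:2] = b"NE"
    struct.pack_into("<H", ne, 0x1C, 2)
    struct.pack_into("<H", ne, 0x22, 0x40)
    struct.pack_into("<H", ne, 0x26, 0x40 + len(segs))
    struct.pack_into("<I", ne, 0x2C, 0x80 + len(segs) + len(resident))
    struct.pack_into("<H", ne, 0x32, 4)
    return bytes(mz + ne + segs + resident + nonres)

if __name__ == "__main__":
    info = inspect_ne(build_sample_ne())
    for seg in info["segments"]:
        print("SEG%d %s offset=%05XH length=%04XH"
              % (seg["number"], seg["kind"], seg["file_offset"], seg["length"]))
    for ordinal, name in sorted(info["exports"].items()):
        print("Module %s Ordinal %d = %s" % (info["module"], ordinal, name))
```

Run against a DLL named in a "Module modulename Ordinal n" line, the `exports` map gives the name to substitute for ordinal n.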
As an example, the files hello.exe, hello.c, hello.def, hello2.inc, hello1.asm, and hello2.asm are included to demonstrate disassembly using Windows Disassembler. hello.exe (a "hello world" program) is a compilation of hello.c. hello.exh is an .exe file-header listing for hello.exe generated by EXEHDR.
hello1.asm and hello2.asm were generated using Windows Disassembler (using the Create Separate Files option) and were edited as follows. The labels L0627H, L01ACH, and L0360H were made global labels via the :: (double colon) since these are accessed outside of the procedure in which they exist. (In MASM 5.1 the ::'s wouldn't be necessary.) An EXTRN __winflags directive was added, and the segment names SEG1 and SEG2 were deleted.
The include file was created by copying the file hello2.asm to hello2.inc. Then, using an editor with a regular expression search function, each occurrence of "^D" was replaced with EXTERNDEF D, each occurrence of DB 00[A-F,0-9][A-F,0-9]H was replaced with :BYTE, and each occurrence of DB "[A-Z,a-z,0-9,\\,\.,\,,\ ,\*,\%,\~,\<,\>,+,=,-,?,@,_]*" was replaced with :BYTE. The EXTERNDEFs serve as either PUBLIC or EXTRN specifiers, depending on whether the corresponding argument of an EXTERNDEF is located in the same file or else in a different module (like function prototypes in C).
One can rebuild hello.exe from hello2.asm with MASM 6.0 by typing:
ml /c hello1.asm
ml /c hello2.asm
link /ALIGN:4 hello1 hello2,hello2,, libw slibcew, hello.def;
which will generate hello2.exe.
Borland's Resource Workshop can be used for obtaining the resources from executables if necessary.
Assembly Tips
A problem that sometimes occurs is that of undefined label errors because of references to labels that are located in a different procedure. In MASM 6.0, the :: operator must be used to make such labels global. Another problem is a linking error in which a given module references a global variable that doesn't exist. The problem is usually that the variable is a string which follows another non-null-terminated string in the data segment, and the two strings are thus combined as one string. In this case you must separate the strings. The error "A2006 : undefined symbol" will occur when there are fixed relocations in the program, which require EXTRNs and PUBLICs. However, it is possible that procedure names could conflict, requiring the procedure(s) to be renamed, especially in the case of procedures with the name Procedure0000.
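The merged-string problem follows directly from the five-visible-character rule given under The Display. The Python below is an added example, not code from the manual or from Windows Disassembler: it applies that rule to a constructed data segment, reports referenced offsets that fall inside a detected string, and emits the declarations with the string split there. The printable-ASCII definition of "visible", the one-declaration-per-line layout and the function names are assumptions.

```python
MIN_RUN = 5   # the manual's threshold: five or more visible characters

def visible(b):
    # Assumption: "visible" means printable ASCII. The double quote is left out
    # here because it would terminate the DB "..." literal.
    return 0x20 <= b <= 0x7E and b != 0x22

def label(offset):
    return "D%04XH" % offset              # DxxxxH data label, as in the manual

def find_strings(seg):
    """Return (start, text) for every run of MIN_RUN or more visible bytes."""
    runs, start = [], None
    for i, b in enumerate(seg + b"\x00"):  # sentinel flushes a run at the end
        if visible(b):
            if start is None:
                start = i
        else:
            if start is not None and i - start >= MIN_RUN:
                runs.append((start, seg[start:i].decode("ascii")))
            start = None
    return runs

def split_points(seg, referenced):
    """Referenced offsets that land inside a detected string, not at its start.

    Each is a label the code uses but the listing never declares, because the
    bytes were absorbed into the preceding string.
    """
    found = []
    for start, text in find_strings(seg):
        for off in sorted(referenced):
            if start < off < start + len(text):
                found.append((label(start), label(off),
                              text[:off - start], text[off - start:]))
    return found

def declare(seg, referenced=()):
    """Emit DB lines, starting a new labelled string at each referenced offset."""
    runs = dict(find_strings(seg))
    lines, pos = [], 0
    while pos < len(seg):
        if pos in runs:
            end = pos + len(runs[pos])
            cuts = [pos] + sorted(o for o in referenced if pos < o < end) + [end]
            for a, b in zip(cuts, cuts[1:]):
                lines.append('%s\tDB\t"%s"' % (label(a), seg[a:b].decode("ascii")))
            pos = end
        else:
            lines.append("%s\tDB\t00%02XH" % (label(pos), seg[pos]))
            pos += 1
    return lines

# Constructed data segment: "Hello" is stored without a terminating NUL and is
# followed directly by "World!", so the detector sees one 11-character string.
SAMPLE_SEG = b"\x02\x00" + b"Hello" + b"World!\x00" + b"abc\x00"
# Constructed set of offsets the code refers to (for example via OFFSET DxxxxH).
SAMPLE_REFS = {0x0002, 0x0007}

if __name__ == "__main__":
    print("\n".join(declare(SAMPLE_SEG)))
    print()
    for owner, missing, head, tail in split_points(SAMPLE_SEG, SAMPLE_REFS):
        print("%s is inside the string at %s: split into %r and %r"
              % (missing, owner, head, tail))
    print()
    print("\n".join(declare(SAMPLE_SEG, SAMPLE_REFS)))
```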
To make the code modifiable and more readable, it is necessary to change all literal addresses in the code (hexadecimal numbers) into their symbolic equivalents. For example, in the hello program,
MOV AX, 00B0H
MOV DX, DS
PUSH DX
PUSH AX
should be changed to
MOV AX, OFFSET D00B0H
MOV DX, DS
PUSH DX
PUSH AX
since this portion of code is clearly passing the address of a string to a Windows function.
It is advisable that the user also make a hardcopy of the windows.h file and convert the windows.h file into its MASM equivalent using the H2INC utility which comes with MASM 6.0. H2INC cannot translate certain macros, such as RGB and MAKEINTRESOURCE, and hence these must be manually rewritten in MASM or else deleted. This way, certain constants such as message values can be replaced by their symbolic equivalents. It is also suggested that the user incorporate the prologue.inc file which comes with MASM 6.0 into the program in place of the existing prologue and epilogue code to make things more legible. Finally, the user should replace all other variable names and constants with more meaningful expressions. With the windows.inc file generated by H2INC, procedure calls usually can be written in a more legible form using INVOKEs. If the NOCASEMAP option is used (for employing case sensitivity), the prologue.inc file will need to be modified slightly. In particular, the case of three or four of the words in the prologue.inc file will have to be changed in order to agree. .IF, .WHILE, and .REPEAT constructs can also be used to make the code clearer. The steps mentioned above can be accomplished faster with the help of the HiLevel utility.
Windows Disassembler 1.8 always outputs the .486 directive following the TITLE directive in every file.
Differences Between Versions 1.6, 1.7, and 1.8
Versions 1.0 through 1.6 disassembled only 286 instructions. Version 1.7 disassembles all 486 instructions, including the floating-point instruction set.
Version 1.7b contains bug fixes for the incorrect disassembly of certain floating-point instructions in version 1.7. These bug fixes include fixes for the following bugs in version 1.7:
1.) Incorrect stack registers were supplied for instructions having one of the following stack registers as their operands: ST(1) through ST(7).
2.) The no-wait instructions FNCLEX, FNDISI, FNENI, FNINIT, FNSAVE, FNSTCW, FNSTENV, and FNSTSW were each incorrectly translated into their corresponding wait versions. In version 1.7b, the wait version of each of these instructions is given as a WAIT instruction followed by the corresponding no-wait version of the instruction.
3.) The instruction FCOM mem64 was incorrectly translated as FIDIVR mem64.
4.) For the instructions FLDENV, FRSTOR, FSAVE, and FSTENV, version 1.7 failed to differentiate between the 16-bit versions and the 32-bit versions of the instructions. Version 1.7b will append either a W or a D (as required by MASM 6.0) to these instructions in order to differentiate between the 16-bit versions and the 32-bit versions of each instruction.
5.) The instruction FYL2X was incorrectly translated as FYL2XP1.
6.) The instructions IRET and IRETD now have an F appended to them (i.e., IRETF and IRETDF) as required by MASM 6.0 to prevent epilogue code from being generated.
7.) For the 386/486 instruction Jcond disp(2) (conditional near jump), the label was incorrectly calculated as L(xxxx-1)H instead of as LxxxxH (i.e., the numeric portion of the label was off by 1).
Version 1.8 contains a bug fix for the vertical scroll bar problem that occurred when viewing large segments. In addition, version 1.8 shares the CPU with other applications while it disassembles, unlike previous versions. Similarly, HiLevel 2.03 (included with version 1.8) was updated so that it shares the CPU. In addition, HiLevel no longer crashes as it did in previous versions.
The HiLevel Utility
The HiLevel utility included with Windows Disassembler is a Windows 3.1 utility which attempts to build high-level constructs out of the bare instructions generated by Windows Disassembler. The result is a smaller, more understandable, and more readily modifiable source code file. It will accept as input basic MASM programs, provided they do not have macros or certain other directives and high-level syntax keywords. It should accept all source code generated by Windows Disassembler. HiLevel can construct nested .IF statements for each corresponding block of instructions found in the given MASM source code file. Locals are given symbols of the form localn and parameters are given the symbol parn, where n is the offset of the variable relative to the BP register.
HiLevel also constructs "pseudo-function calls" via a macro procedure named hCall. The hCall macro is defined in the hilevel.inc file which is included with Windows Disassembler. This macro does not perform any high-level operation, but rather is just a more legible way of performing a series of pushes followed by a procedure call, regardless of whether the arguments being pushed are actually being passed to the given function or not. HiLevel generates an OFFSET DxxxxH instead of xxxxH when a number xxxxH follows DS in the parameter list of an hCall invocation, since this combination is practically always a far address being passed as an argument.
The PROC directives produced by HiLevel are designed to work with either the hilevel.inc file or the prologue.inc file that comes with MASM 6.0. If HiLevel detects prologue code in a procedure, it then checks for matching epilogue code. If the prologue and epilogue do not logically agree, HiLevel generates a comment above the procedure that explains what is missing in the epilogue code, and consequently the procedure is left as is with no prologue/epilogue directives. If the epilogue and prologue logically agree, then the literal code is replaced by the appropriate prologue/epilogue directives, including the FORCEFRAME and LOCAL directives, plus by specifying any parameters.
If there is a syntax error in the source file, HiLevel will halt and give the line number on which the syntax error was found. Otherwise it displays the message, "Compilation was successful!". During compilation, it releases the CPU to other applications, but it does not give up the input focus. Therefore, because compilation is relatively slow, never attempt to compile a large file unless you can afford to wait 5 to 10 minutes.
As an example, the file hellohil.asm has been included, which is generated from hello1.asm. Hellohil.asm was assembled and linked with the old hello2.obj and hello.def files as follows:
ml /c hellohil.asm
link /ALIGN:2 hellohil hello2,hellohil,, libw slibcew, hello.def;
The only changes made were the renaming of Proc042ASeg1 to _aNchkstk (because the prologue/epilogue code requires this), the addition of double colons (::) for the global labels, and carriage returns (lines) inserted after the labels following the PROC directive in procedures Proc03EBSeg1 and Proc03FASeg1 (otherwise an assembler error results for some unknown reason).
License / Warranty Disclaimer
You may freely distribute the shareware version of Windows Disassembler 1.8 (which has an opening banner displaying the word "Shareware" and the word "Unregistered" in the about dialog box) provided that no fee is charged for copying, distribution, or use, and that it is unmodified and distributed with all of its original accompanying files and documentation. Registered copies of Windows Disassembler (which have an explicitly denoted registration number in the About dialog box) may not be copied or distributed in any way or form. Eric Grass and Todd Snoddy disclaim all warranties, express or implied, including but not limited to warranty of merchantability or fitness for a particular purpose, and will not be liable for any damages resulting from the use of this software, including loss of data. Use this software at your own risk.
Windows Disassembler is copyrighted 1993 by Eric Grass and Todd T. Snoddy. Use of this software beyond a 30-day trial period is prohibited unless it is registered with the authors. A single registered copy of Windows Disassembler 1.8 can be obtained for $39.95, plus $3.00 for shipping and handling if shipped in the U.S.A., $4.50 if in Canada or Mexico, and $8.50 if shipped elsewhere. Registered users will receive a copy of Windows Disassembler 1.8 and a hardcopy of the manual. In addition, registered users will receive a free evaluation copy of Version Resource Editor 1.0, a Windows programmer's tool for creating version resources. To register, either fill out and send the enclosed form (or a facsimile thereof) located in the accompanying file wdmanual.wri with the appropriate payment or dial the PsL registration Service listed below and use your credit card number. Registration forms may be sent to:
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Please make all checks payable to Todd T. Snoddy.
FOR CREDIT CARD ORDERS ONLY -
You can order with MC, Visa, Amex, or Discover from Public (software) Library by calling 800-2424-PsL or 713-524-6394 or by FAX to 713-524-6398 or by CIS Email to 71355,470. You can also mail credit card orders to PsL at P.O.Box 35705, Houston, TX 77235-5705.
When ordering using PsL, you will need the product number for Windows Disassembler. The product number is 10964.
THE ABOVE NUMBERS ARE FOR ORDERS ONLY.
Any questions about the status of the shipment of the order, refunds, registration options, product details, technical support, volume discounts, dealer pricing, site licenses, etc, must be directed to either Eric Grass or Todd T. Snoddy.
To ensure that you get the latest version, PsL will notify us the day of your order and we will ship Windows Disassembler directly to you.
COMPUSERVE REGISTRATION SERVICE -
If you are a CompuServe subscriber, you may also register Windows Disassembler using CompuServe's shareware registration service. Simply issue the command GO SWREG and choose the option to register a shareware program. The registration ID for Windows Disassembler 1.8 is 1347. Note that since CompuServe's registration service doesn't provide the ability to charge separately for shipping and handling, the total amount charged to your CompuServe bill will be $45.00 to cover the cost of shipping and handling.
Inquiries, questions, comments, and suggestions regarding Windows Disassembler may be directed to Eric Grass or Todd T. Snoddy via the following:
-----------------------------------------------------------------------------
Eric Grass
1612 Gettysburg Landing
St. Charles, MO 63303
Tel: (314) 928-7803
Internet: [email protected]
CompuServe: 73003,2553
-----------------------------------------------------------------------------
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Tel: (913) 784-2148
Internet: [email protected]
CompuServe: 71044,1653
America Online: TSnoddy
Windows Disassembler PRODUCT REGISTRATION FORM
Please fill out this form (or a reasonable facsimile thereof) and send it with your check for the correct amount to the address below:
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Date________________________
Name________________________________________ Phone _________________________
Address_______________________________________________________________________
City____________________________________________ State ______ Zip ______________
Please indicate which type of disk you use:______ 5.25" ______ 3.5"
Product:Windows Disassembler Version 1.8
Total Price:$39.95 per copy
Number of copies:_________ copies x $39.95 = ____________ Total Cost
____________ Shipping & Handling
____________ Total Cost
Please make all checks payable to Todd T. Snoddy.
9K[
9&9w:s:o!:k&:g(:c.:_9:[;:WA:SL:ON:K[
N:Z:w\:s`:of:kl:gv:cz:_:[:W:S:O=;K[
=;F;wG;s\;og;kk;gm;cv;_w;[~;W;S;O;K[
;=w)=sr=os=k|=g=c=_=[=W=S=O=K[
==w>s>o>k
>g>c>_t>[u>W>S>O?K[
??w?s?o?k?g@c@_@[@WAS2AO=AK[
=ABAwLAsAoAkAgAcA_A[BWBSBOBK[
BBwBsSCohCkCgCcC_C[
DWDSDOIDK[ID]Dw_DshDoDkDgDcD_D[DWDSDODK[DDwDsEoEk1Eg=EcRE_E[EWESEOEK[EEwEsEoEkFgFc(F_*F[IFWYFSFOFK[FFwFsFoFkFgFcBG_FG[YGWgGS{GOGK[GGwGsGoHkHg Hc'H_0H[BHWHHSLHOQHK[QHHwHsHoIkIgIcI_$I[%IW*IS2IOAIK[AIIwIsIoIkIgIcI_I[.JW;JSJOJK[JmLwLsLoLkLgLcM_M[KNWPNS]NONK[NNwNsOoOkOgOcO_O[OWOSOOPK[PPwPs6Po9Pk>PgMPc}P_P[)QW5QSLQOTQK[TQ,Rw7RsJRoORkRgRcR_R[RWRSUSOaSK[aSSwSsSoSkSgSc0T_7T[CTWWTSoTOsTK[sTTwTsToTlVhVdV`V\VXVTVPVL[VVwWsWo
WkWgWcW_W[WW#WS)WO/WK[/WWwWs/Xo4Xk9XgXXc_X_dX[XWXSXOXK[XXwXsXoXk3Yg4Yc:Y_;Y[LYWPYSYOYK[YZwZs'Zo+Zk0Zg5ZcBZ_CZ[\ZWaZSfZOlZK[lZ}ZwZsZoZkZgZcZ_%[[&[W.[S/[O>[K[>[?[wC[sD[o]k]h]e]b]^ ]Z']V>]RR]N[R]X]wd]s]o]kV^gZ^c^__[_W_S$_O'_K['_s_ww_s_o_k_g_c___[_W_S`O`K[`&`w-`sr`ow`k~`g`c`_`[`W`SaOaK[aawasaoakagacb_
b[bWbS!bO"bK["b+bw-bsIboNbkbgbcb_b[cW
cScO&cK[&c fw%fs4go@gklggvgcyg_g[gWgSgOgK[ggwgs1ho`hklhgphcyh_h[hW-iS1iOJiK[JiWiw[isgioikigid0q`Mq\rXrTwtPtL[tyw ys:yoykzize~{c{`|^rTwtPtL[0 ys:yoykzize~{c{`J=0=0Jp@P !=)=0+=0=0=0=0=0=0
>0Jp@P !
>>0>0B0C0D0F0H0?I0Jp@P !?IAI0>0B0C0D0F0H0?I0Jp@P !AISI0eI0I0C0D0F0H0?I0Jy0y0y0y0x0J
0Courier NewWingdingsp@P !
Windows Disassembler 1.8 User's Manual
Windows Disassembler 1.8
A 486 Disassembler for Windows
`7+(PBrushBM^>( ^B??@iXt2~|2~y9~x?6|8|9s~pv
~UUT~
h~UUT~
~UTUUTv~
~UTUUT~
~UTUUT~
~UTUUT~
~UTUUT~~~~h~~~I~~~~
0~UTUUTA~
~UTUUT`~
~UTUUT~
~UTUUTj~
~UTUUTz~
~UTUUT|~
D~UTUUTN~
~UUUUUTRUUUUUT|UUUUUTtx~UUT~
F~UUT~
t~UUTv~
~UTUUT~
D~UTUUTt~
R~UTUUT~
~UTUUTh~
~UTUUT@~
~9~~~~v~F~F~~~~~~~~~~~~~~??-VFX>jR,!+vL#hh8]?q]_YwM]~w.e]uw]]}u]uk]]}k>3uukMtM}{Mweu]uYR=q_Y]~?q}
###>1p?cxct##13qca8
User's Manual
Index
Introduction and Specifications....................................page 2
Operation.....................................................................page 2
Opening Files.....................................................page 2
The Display........................................................page 2
Creating Assembly Language Source Code Files...page 3
Assembly Tips....................................................page 4
Differences Between Versions 1.6, 1.7, and 1.8............page 5
The HiLevel Utility.........................................................page 5
License And Warranty Disclaimer................................page 6
Registration Form.........................................................page 8
Introduction
Windows Disassembler disassembes Windows executables and dynamic link libraries. It allows the user to browse at the source code of a program without having to write it to a file. Windows Disassembler generates procedure directives, as well as all of the literal Windows API function call names.
Specifications
Files
Works on Windows 3.x executables and dynamic link libraries only.
Instruction Set
Translates all instructions within the 486 instruction set. It assumes that all code is executed in 16-bit mode (since Windows 3.1 uses 16-bit mode only).
Operating System and Hardware
Requires at least DOS 4.0, Windows 3.1, and a 286 or above IBM compatible computer. Installation of SMARTDRV (which comes with Windows) is recommended.
Operation
Opening Files
The default file name extension is ".exe" for opening files if no extension is specified. Windows Disassembler processes one file at a time. If a file is opened while another one is already open, the old file will be automatically closed. When opened, the file's assembly language code appears on the screen, provided that the file has a DOS executable file header, a new executable file header, and at least one segment. Otherwise, a dialog box will inform the user that the file does not meet a particular specification.
The Display
Displaying code in the display window is presented as an alternative to generating a gigantic assembly language source code file, since some programs are large, and the user may merely want to glance at a program's source code.
The code that initially appears in the window when a file is opened is the first segment within the file. Numbers are assigned to segments according to their chronological order within the new executable file header. Windows Disassembler displays one segment at a time within the window. The View | Segment command must be used to go to another segment. To scroll the text in the window, use the Up Arrow, Down Arrow, Page Up, and Page Down keys, or the scroll bar. To see the address offsets of each instruction, select View | Address Offsets from the main menu. To jump to a specific address, select View | Go To from the main menu and enter the address in hexadecimal format.
The View | Far Call Names command toggles between displaying far function call names and the actual relocation values in far CALL instructions (for example, 0000H:0FFFFH).
All labels have the form of either LxxxxH or DxxxxH, where xxxx is a 4-digit hexadecimal number equal to the offset of the location being referenced. Labels with an 'L' prefix denote locations within the immediate code segment, and labels with a 'D' prefix denote locations within a data segment. Labels within a code segment can either be procedure labels, jump/loop labels, or data labels within the code segment. Assembler directives, while generated for source code text files, are not shown in the display window.
Strings are detected and translated by Windows Disassembler whenever five or more visible characters occur within a data segment.
The Edit! command allows the user to convert a desired range of bytes from byte declarations into instructions, or vice versa, or to give labels to a specified range of bytes. This command is necessary for programs which have data declarations in their code segments. Note that all modifications which the user has made to a segment will be lost when exiting that segment. The user can save that segment using the Save Current Segment Only option as a text file first before quitting to save the changes. However, when the user leaves the segment, there is no way to restore the byte settings except by specifying them over again. Selecting the Create Separate Files For Each Segment option will result in the the modifications/settings being erased (lost) before the file is created, hence the user must use the Save Current Segment Only option.
Creating Assembly Language Source Code Files
After opening an executable, the user can create an assembly language source code file for it using the Save Text As command. If the source code file name that the user specifies is the name of an already existing file, then that file will be automatically overwritten with the new source code file. Three options are available for generating (a) file(s). The first is to put all of the source code into one file. The name of this file will be the name the user specifies. The second option is to put each segment of the source code into separate files. Each segment's file name will be of the form yournameN.ext, where yourname.ext is the name the user specifies in the dialog box, and N is an integer corresponding to the segment's number and which is appended to the base-name of the file (if necessary, this base name will be truncated to perform the appending). For example, if the user specifies \work\myprog.asm as the file name, Windows Disassembler will generate files named \work\myprog1.asm, \work\myprog2.asm, \work\myprog3.asm, etc.. The third option is to generate a file for the current segment only (which is currently being displayed in the window). In this case Windows Disassembler uses the file name exactly as specified.
All editing done will be lost if the user exits a segment which the user has just modified, or if the user tries writing all of the segments to a file(s) at one time. However, if the user uses the Save Current Segment Only option, all modifications will remain.
The new file will contain tabs. To display the file in the way in which it was intended to be displayed, the user should set his or her editor's tab stop option to 8 spaces.
Windows Disassembler will create TITLE, .CODE segmentname, .DATA segmentname, .MODEL LARGE, .486, and EXTRN winAPIfunc:FAR directives. PROC and ENDP directives are also created for all exported and far procedures. In the case of non-exported functions, these procedure directives will all have the following form:
Functionn    PROC    FAR PUBLIC
             (code)
             RETF
Functionn    ENDP
where n is the ordinal number (a decimal integer value) of the procedure in the entry table of the program's executable file header. For exported functions, the name of the function is explicitly written as it is listed in the resident and non-resident names tables in the program's header. For calls to functions in fixed memory segments, a comment is written beside the call. For example,
             CALL    FAR PTR Proc0AD0HSeg5
For far calls to procedures within the program in a different segment, EXTERNDEF's are generated. Near procedures are written in the following form:
ProcXXXXSegN    PROC    FAR PUBLIC
                (code)
                RET
ProcXXXXSegN    ENDP
where XXXX is a four-digit hexadecimal value equal to the offset of the procedure in the segment and N is the decimal number of the segment the procedure is in.
Windows Disassembler generates segment names for segment directives of the form .CODE SEGn, where n is the segment number. This name is produced in order to distinguish between segments, and can be deleted or changed. (If the segments are in separate files then the name isn't needed.) If there are exactly 2 segments in a program, Windows Disassembler treats the program as having a small model, otherwise it assumes the program has a medium memory model. If the program has a compact or large model, then the MODEL directive must be changed to reflect the actual memory model. Windows Disassembler 1.8 translates functions belonging to commdlg.dll and shell.dll. It also generates information for unknown function calls in the form Module modulename Ordinal n. The user can look up the names of these functions using an executable-file header utility on the given dynamic link library. (In other words, one can use the relocation table names and offsets provided by an .exe file header utility to determine the function/variable names in the source code.)
Finally, EXTRN's (or EXTERNDEF's) must be supplied for any far variables used by the program not already supplied by Windows Disassembler (typically the far variable __winflags is used by Windows programs, for example).
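The ordinal lookup described above can also be scripted. The following is an added example, not part of the original manual or of Windows Disassembler: it reads the resident and non-resident names tables of a 16-bit (NE) module and resolves a "Module modulename Ordinal n" reference. The sample image, its export names, and the helper names are constructed for illustration.

```python
import struct

def ne_export_names(image):
    """Return (module_name, {ordinal: name}) from an NE image's names tables."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not an MZ executable")
    (ne,) = struct.unpack_from("<I", image, 0x3C)        # offset of the NE header
    if image[ne:ne + 2] != b"NE" or len(image) < ne + 0x40:
        raise ValueError("no NE header: not a 16-bit Windows module")
    (nonres_len,) = struct.unpack_from("<H", image, ne + 0x20)
    (res_off,) = struct.unpack_from("<H", image, ne + 0x26)     # relative to NE header
    (nonres_off,) = struct.unpack_from("<I", image, ne + 0x2C)  # relative to file start

    def walk(pos, end):
        """Yield (name, ordinal) entries: length byte, name, 16-bit ordinal."""
        while pos < end and image[pos] != 0:
            n = image[pos]
            if pos + n + 3 > end:
                raise ValueError("names table runs past its bounds")
            name = image[pos + 1:pos + 1 + n].decode("ascii", "replace")
            yield name, struct.unpack_from("<H", image, pos + 1 + n)[0]
            pos += n + 3

    resident = list(walk(ne + res_off, len(image)))
    nonres = list(walk(nonres_off, min(len(image), nonres_off + nonres_len)))
    if not resident:
        raise ValueError("empty resident names table")
    # Entry 0 of each table is the module name / description, not an export.
    exports = {o: n for n, o in resident[1:] + nonres[1:]}
    return resident[0][0], exports

def resolve(reference, modules):
    """Turn 'Module <name> Ordinal <n>' into '<name>.<export>' when known."""
    _, module, _, ordinal = reference.split()
    name = modules.get(module.upper(), {}).get(int(ordinal))
    return f"{module}.{name}" if name else reference

def build_sample_ne():
    """Constructed minimal image: MZ stub, NE header, two names tables."""
    def table(entries):
        body = b"".join(bytes([len(n)]) + n + struct.pack("<H", o)
                        for n, o in entries)
        return body + b"\0"
    resident = table([(b"SAMPLE", 0), (b"WEP", 1)])
    nonres = table([(b"Constructed sample module", 0), (b"DOTHING", 2)])
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<H", ne, 0x20, len(nonres))
    struct.pack_into("<H", ne, 0x26, 0x40)               # table follows the header
    struct.pack_into("<I", ne, 0x2C, 0x80 + len(resident))
    return bytes(mz + ne) + resident + nonres

if __name__ == "__main__":
    module, exports = ne_export_names(build_sample_ne())
    print(resolve("Module SAMPLE Ordinal 2", {module: exports}))
```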
As an example, the files hello.exe, hello.c, hello.def, hello2.inc, hello1.asm, and hello2.asm are included to demonstrate disassembly using Windows Disassembler. hello.exe (a "hello world" program) is a compilation of hello.c. hello.exh is an .exe file-header listing for hello.exe generated by EXEHDR.
hello1.asm and hello2.asm were generated using Windows Disassembler (using the Create Separate Files option) and were edited as follows. The labels L0627H, L01ACH, and L0360H were made global labels via the :: (double colon) since these are accessed outside of the procedure in which they exist. (In MASM 5.1 the ::'s wouldn't be necessary.) An EXTRN __winflags directive was added, and the segment names SEG1 and SEG2 were deleted.
The include file was created by copying the file hello2.asm to hello2.inc. Then, using an editor with a regular expression search function, each occurrence of "^D" was replaced with EXTERNDEF D, each occurrence of DB 00[A-F,0-9][A-F,0-9]H was replaced with :BYTE, and each occurrence of DB "[A-Z,a-z,0-9,\\,\.,\,,\ ,\*,\%,\~,\<,\>,+,=,-,?,@,_]*" was replaced with :BYTE. The EXTERNDEFs serve as either PUBLIC or EXTRN specifiers, depending on whether the corresponding argument of an EXTERNDEF is located in the same file or else in a different module (like function prototypes in C).
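The same conversion can be done with a short script instead of an editor. This is an added example, not part of the original manual: the sample listing is constructed, and the DxxxxH label form and the tab-separated column layout are assumptions about Windows Disassembler's output. It also reports labelled lines that neither of the manual's two patterns covers, which have to be converted by hand.

```python
import re

# Constructed sample in the style the manual describes for hello2.asm.
SAMPLE_ASM = "\n".join([
    "TITLE hello2",
    ".DATA",
    "D0000H\tDB\t0000H",
    "D0001H\tDB\t0041H",
    'D00B0H\tDB\t"Hello, world"',
    'D00C0H\tDB\t"Bang!"',          # '!' is outside the manual's character class
])

# Data label at the start of a line (the manual's "^D", narrowed to DxxxxH).
LABEL = re.compile(r"^D[0-9A-F]{4}H\b")

# A labelled DB line whose operand is either a byte value (DB 00xxH) or a
# quoted string made only of the characters listed in the manual's pattern.
CONVERTIBLE = re.compile(
    r'^(D[0-9A-F]{4}H)\s+DB\s+'
    r'(?:00[0-9A-F]{2}H|"[A-Za-z0-9\\., *%~<>+=\-?@_]*")\s*$'
)

def asm_to_inc(asm_text):
    """Return (inc_lines, unconverted) for a disassembled data segment.

    inc_lines   -- 'EXTERNDEF DxxxxH:BYTE' declarations for the include file
    unconverted -- (line_number, text) for labelled lines neither pattern fits
    """
    inc_lines, unconverted = [], []
    for lineno, line in enumerate(asm_text.splitlines(), 1):
        if not LABEL.match(line):
            continue                 # directives and unlabelled lines are dropped
        m = CONVERTIBLE.match(line)
        if m:
            inc_lines.append(f"EXTERNDEF {m.group(1)}:BYTE")
        else:
            unconverted.append((lineno, line))
    return inc_lines, unconverted

if __name__ == "__main__":
    inc, todo = asm_to_inc(SAMPLE_ASM)
    print("\n".join(inc))
    for lineno, text in todo:
        print(f"; line {lineno} needs manual conversion: {text}")
```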
One can rebuild hello.exe from hello2.asm with MASM 6.0 by typing:
ml /c hello1.asm
ml /c hello2.asm
link /ALIGN:4 hello1 hello2,hello2,, libw slibcew, hello.def;
which will generate hello2.exe.
Borland's Resource Workshop can be used for obtaining the resources from executables if necessary.
Assembly Tips
A problem that sometimes occurs is that of undefined label errors because of references to labels that are located in a different procedure. In MASM 6.0, the :: operator must be used to make such labels global. Another problem is a linking error in which a given module references a global variable that doesn't exist. The problem is usually that the variable is a string which follows another string that is not null-terminated in the data segment, and the two strings are thus combined as one string. In this case you must separate the strings. The error "A2006 : undefined symbol" will occur when there are fixed relocations in the program, which require EXTRNs and PUBLICs. However, it is possible that procedure names could conflict, requiring the procedure(s) to be renamed, especially in the case of procedures with the name Procedure0000.
To make the code modifiable and more readable, it is necessary to change all literal addresses in the code (hexadecimal numbers) into their symbolic equivalents. For example, in the hello program,
    MOV     AX, 00B0H
    MOV     DX, DS
    PUSH    DX
    PUSH    AX
should be changed to
    MOV     AX, OFFSET D00B0H
    MOV     DX, DS
    PUSH    DX
    PUSH    AX
since this portion of code is clearly passing the address of a string to a Windows function.
It is advisable that the user also make a hardcopy of the windows.h file and convert the windows.h file into its MASM equivalent using the H2INC utility which comes with MASM 6.0. H2INC cannot translate certain macros, such as RGB and MAKEINTRESOURCE, and hence these must be manually rewritten in MASM or else deleted. This way, certain constants such as message values can be replaced by their symbolic equivalents. It is also suggested that the user incorporate the prologue.inc file which comes with MASM 6.0 into the program in place of the existing prologue and epilogue code to make things more legible. Finally, the user should replace all other variable names and constants with more meaningful expressions. With the windows.inc file generated by H2INC, procedure calls usually can be written in a more legible form using INVOKEs. If the NOCASEMAP option is used (for employing case sensitivity), the prologue.inc file will need to be modified slightly. In particular, the case of three or four of the words in the prologue.inc file will have to be changed in order to agree. .IF, .WHILE, and .REPEAT constructs can also be used to make the code clearer. The steps mentioned above can be accomplished faster with the help of the HiLevel utility.
Windows Disassembler 1.8 always outputs the .486 directive following the TITLE directive in every file.
Differences Between Versions 1.6, 1.7, and 1.8
Versions 1.0 through 1.6 disassembled only 286 instructions. Version 1.7 disassembles all 486 instructions, including the floating-point instruction set.
Version 1.7b contains bug fixes for the incorrect disassembly of certain floating-point instructions in version 1.7. These bug fixes include fixes for the following bugs in version 1.7:
1.) Incorrect stack registers were supplied for instructions having one of the following stack registers as their operands: ST(1) through ST(7).
2.) The no-wait instructions FNCLEX, FNDISI, FNENI, FNINIT, FNSAVE, FNSTCW, FNSTENV, and FNSTSW were each incorrectly translated into their corresponding wait versions. In version 1.7b, the wait version of each of these instructions is given as a WAIT instruction followed by the corresponding no-wait version of the instruction.
3.) The instruction FCOM mem64 was incorrectly translated as FIDIVR mem64.
4.) For the instructions FLDENV, FRSTOR, FSAVE, and FSTENV, version 1.7 failed to differentiate between the 16-bit versions and the 32-bit versions of the instructions. Version 1.7b will append either a W or a D (as required by MASM 6.0) to these instructions in order to differentiate between the 16-bit versions and the 32-bit versions of each instruction.
5.) The instruction FYL2X was incorrectly translated as FYL2XP1.
6.) The instructions IRET and IRETD now have an F appended to them (i.e., IRETF and IRETDF) as required by MASM 6.0 to prevent epilogue code from being generated.
7.) For the 386/486 instruction Jcond disp(2) (conditional near jump), the label was incorrectly calculated as L(xxxx-1)H instead of as LxxxxH (i.e., the numeric portion of the label was off by 1).
Version 1.8 contains a bug fix for the vertical scroll bar problem that occurred when viewing large segments. In addition, version 1.8 shares the CPU with other applications while it disassembles, unlike previous versions. Similarly, HiLevel 2.03 (included with version 1.8) was updated so that it shares the CPU. In addition, HiLevel no longer crashes as it did in previous versions.
The HiLevel Utility
The HiLevel utility included with Windows Disassembler is a Windows 3.1 utility which attempts to build high-level constructs out of the bare instructions generated by Windows Disassembler. The result is a smaller, more understandable, and more readily modifiable source code file. It will accept as input basic MASM programs, provided they do not have macros or certain other directives and high-level syntax keywords. It should accept all source code generated by Windows Disassembler. HiLevel can construct nested .IF statements for each corresponding block of instructions found in the given MASM source code file. Locals are given symbols of the form localn and parameters are given the symbol parn, where n is the offset of the variable relative to the BP register.
HiLevel also constructs "pseudo-function calls" via a macro procedure named hCall. The hCall macro is defined in the hilevel.inc file which is included with Windows Disassembler. This macro does not perform any high-level operation, but rather is just a more legible way of performing a series of pushes followed by a procedure call, regardless of whether the arguments being pushed are actually being passed to the given function or not. HiLevel generates an OFFSET DxxxxH instead of xxxxH when a number xxxxH follows DS in the parameter list of an hCall invocation, since this combination is practically always a far address being passed as an argument.
The PROC directives produced by HiLevel are designed to work with either the hilevel.inc file or the prologue.inc file that comes with MASM 6.0. If HiLevel detects prologue code in a procedure, it then checks for matching epilogue code. If the prologue and epilogue do not logically agree, HiLevel generates a comment above the procedure that explains what is missing in the epilogue code, and consequently the procedure is left as is with no prologue/epilogue directives. If the epilogue and prologue logically agree, then the literal code is replaced by the appropriate prologue/epilogue directives, including the FORCEFRAME and LOCAL directives, plus by specifying any parameters.
If there is a syntax error in the source file, HiLevel will halt and give the line number on which the syntax error was found. Otherwise it displays the message, "Compilation was successful!". During compilation, it releases the CPU to other applications, but it does not give up the input focus. Therefore, because compilation is relatively slow, never attempt to compile a large file unless you can afford to wait 5 to 10 minutes.
As an example, the file hellohil.asm has been included, which is generated from hello1.asm. Hellohil.asm was assembled and linked with the old hello2.obj and hello.def files as follows:
ml /c hellohil.asm
link /ALIGN:2 hellohil hello2,hellohil,, libw slibcew, hello.def;
The only changes made were the renaming of Proc042ASeg1 to _aNchkstk (because the prologue/epilogue code requires this), the addition of double colons (::) for the global labels, and carriage returns (lines) inserted after the labels following the PROC directive in procedures Proc03EBSeg1 and Proc03FASeg1 (otherwise an assembler error results for some unknown reason).
License / Warranty Disclaimer
You may freely distribute the shareware version of Windows Disassembler 1.8 (which has an opening banner displaying the word "Shareware" and the word "Unregistered" in the about dialog box) provided that no fee is charged for copying, distribution, or use, and that it is unmodified and distributed with all of its original accompanying files and documentation. Registered copies of Windows Disassembler (which have an explicitly denoted registration number in the About dialog box) may not be copied or distributed in any way or form. Eric Grass and Todd Snoddy disclaim all warranties, express or implied, including but not limited to warranty of merchantability or fitness for a particular purpose, and will not be liable for any damages resulting from the use of this software, including loss of data. Use this software at your own risk.
Windows Disassembler is copyrighted 1993 by Eric Grass and Todd T. Snoddy. Use of this software beyond a 30-day trial period is prohibited unless it is registered with the authors. A single registered copy of Windows Disassembler 1.8 can be obtained for $39.95, plus $3.00 for shipping and handling if shipped in the U.S.A., $4.50 if in Canada or Mexico, and $8.50 if shipped elsewhere. Registered users will receive a copy of Windows Disassembler 1.8 and a hardcopy of the manual. In addition, registered users will receive a free evaluation copy of Version Resource Editor 1.0, a Windows programmer's tool for creating version resources. To register, either fill out and send the enclosed form (or a facsimile thereof) located in the accompanying file wdmanual.wri with the appropriate payment or dial the PsL registration Service listed below and use your credit card number. Registration forms may be sent to:
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Please make all checks payable to Todd T. Snoddy.
FOR CREDIT CARD ORDERS ONLY -
You can order with MC, Visa, Amex, or Discover from Public (software) Library by calling 800-2424-PsL or 713-524-6394 or by FAX to 713-524-6398 or by CIS Email to 71355,470. You can also mail credit card orders to PsL at P.O.Box 35705, Houston, TX 77235-5705.
When ordering using PsL, you will need the product number for Windows Disassembler. The product number is 10964.
THE ABOVE NUMBERS ARE FOR ORDERS ONLY.
Any questions about the status of the shipment of the order, refunds, registration options, product details, technical support, volume discounts, dealer pricing, site licenses, etc, must be directed to either Eric Grass or Todd T. Snoddy.
To ensure that you get the latest version, PsL will notify us the day of your order and we will ship Windows Disassembler directly to you.
COMPUSERVE REGISTRATION SERVICE -
If you are a CompuServe subscriber, you may also register Windows Disassembler using CompuServe's shareware registration service. Simply issue the command GO SWREG and choose the option to register a shareware program. The registration ID for Windows Disassembler 1.8 is 1347. Note that since CompuServe's registration service doesn't provide the ability to charge separately for shipping and handling, the total amount charged to your CompuServe bill will be $45.00 to cover the cost of shipping and handling.
Inquiries, questions, comments, and suggestions regarding Windows Disassembler may be directed to Eric Grass or Todd T. Snoddy via the following:
-----------------------------------------------------------------------------
Eric Grass
1612 Gettysburg Landing
St. Charles, MO 63303
Tel: (314) 928-7803
Internet: [email protected]
CompuServe: 73003,2553
-----------------------------------------------------------------------------
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Tel: (913) 784-2148
Internet: [email protected]
CompuServe: 71044,1653
America Online: TSnoddy
Windows Disassembler PRODUCT REGISTRATION FORM
Please fill out this form (or a reasonable facsimile thereof) and send it with your check for the correct amount to the address below:
Todd T. Snoddy
4831-7 McCormick
Fort Riley, KS 66442
Date________________________
Name________________________________________ Phone _________________________
Address_______________________________________________________________________
City____________________________________________ State ______ Zip ______________
Please indicate which type of disk you use:______ 5.25" ______ 3.5"
Product: Windows Disassembler Version 1.8
Total Price: $39.95 per copy
Number of copies:_________ copies x $39.95 = ____________ Total Cost
____________ Shipping & Handling
____________ Total Cost
Please make all checks payable to Todd T. Snoddy.
December 6, 2017