            Association of Shareware Professionals (R) - MEMBER

ABOUT SHAREWARE

This package contains the disassembler named DISASTER. It is made by
Feico Nater, Beukweg 24, 7556 DE Hengelo, the Netherlands.

The system is available as shareware. What is shareware? It is software
which people pass around, but I, the author, retain the rights to it.
Maybe you obtained the system from a bulletin-board and paid a few
dollars for it, but I don't get a penny of it. I expect to be paid by
you, because I make my living out of making shareware software.
Therefore, if you like this system and use it, you are supposed to
register by sending a US$50 bill (or an equal amount in another
reasonable currency). Sorry, I can accept neither checks nor
credit-cards. The address: Feico Nater Shareware, Beukweg 24,
7556 DE Hengelo, the Netherlands.

Why register? Well, it costs you money. But if you do, I will advise you
about further developments. Furthermore you will have the right to order
later versions for only a few dollars and I will be willing to listen to
your wishes.

And if you don't like the system? Well, throw it away. But you will like
shareware, because it does not let you pay a lot of money for something
you dislike afterwards.

Whether you register or not, you are encouraged to pass this system
around. Give away copies to your friends. However, files with the
extension .NAR should not be given away. The copies you pass around must
be complete and unmodified, but file-compression is allowed. Any money
you collect should be for diskette, packing and postage only and should
not exceed five dollars.

ABOUT THE AUTHOR

I have been working with computers since 1970. I have completed a
third-level degree in computer-science. I have been employed for many
years in a big company, making defense equipment, and my colleagues
considered me the most skilled programmer among them.
However, since the company went broke (Gorbachev was to blame, and he did
a good job) I became unemployed and started working as a shareware author.

               *******************************
               *     D I S A S T E R         *
               *******************************

INTRODUCTION

Disaster is an interactive disassembler for the IBM-PC.

A disassembler is not something special. The program DEBUG, which is
part of MSDOS, contains a disassembler. But DEBUG knows only the 8086
and 8088. The program CODEVIEW, which is part of MASM, also contains a
disassembler that can handle all 80486 machine instructions. But neither
DEBUG nor CODEVIEW produces code which can be used as input to an
assembler.

The ideal disassembler would work simply. It would read the machine
language program and translate everything into assembly language,
knowing what is code and what is data. However, no actual disassembler
produces a neat assembly-language program at once. Instead,
disassembling a program takes many days of labor.

The simplest conceivable disassembler works straightforwardly. It reads
the machine-language program and translates everything into
assembly-language, no matter whether it is code or data.

Disaster works interactively. You can inspect the program, add labels
and comments, and indicate what is code and what is data. The result can
be saved so you can continue the next day. Eventually DISASTER makes a
neat assembly-language program.

This manual is very short. There is little to tell. Knowledge of the PC
and its assembly-language is presumed.

COMMAND SUMMARY (labels are allowed for any address)

   ; address,comment      supply a comment preceding an address
   ; address,-            delete a comment
   A address,address      automatic label generation
   B address,address      automatic control and label generation
   C address,letter       indicate code or data
   C address,-            delete a control
   F ????                 find word
   L address,label        provide a label
   L address,-            delete a label
   L old-name,new-name    replace a label
   Q                      quit, or close creation of output-file
   R progname             read a program
   S                      write a script-file
   U address,address      unassemble
   W                      create output-file

DEMONSTRATION

The first time, DISASTER is started with the DOS command:

   DISASTER

You will see an error message which you can ignore. The prompt -->
indicates that DISASTER expects your commands.

Now read a program with the command:

   R name.EXE
or:
   R name.COM
or:
   R name.SYS

If you want to disassemble something that is already in memory, then
you enter:

   R segment-address.ROM

Now you must tell DISASTER that the program must be disassembled as
code. The command is (exactly this):

   C LSTARTLOCATION,I

That's a long command, but LSTARTLOCATION is simply a label in your
program.

Now start disassembling! Enter the command:

   U LSTARTLOCATION

and you will see a piece of disassembled program on the screen. To the
left you see the addresses, next the mnemonic codes, and to the right
(in color) the original machine language. A green block indicates that
no valid opcode was found. Prefixes will be yellow, opcodes green,
modrm-bytes and sib-bytes red, operands blue.

Different U-commands are:

   U address            disassembles 20 lines from ...
   U address,address    disassembles from .. to ..
   U                    disassembles the next 20 lines

Addresses in commands are always hexadecimal. Instead of addresses you
can enter labels (see below).

HELP

Help texts are available with the keys F5 through F10. Any key removes
the help text. F1 and F3 can be used to repeat a command, just as in
COMMAND.COM, and the Insert, Delete and Backspace keys may be used with
F1 and F3.

LABELS

All addresses will be hexadecimal. Of course you prefer labels. That can
be arranged with the command:

   L address,label

As usual in programming languages, a label must start with a letter.
Furthermore it must contain at least once one of the letters G thru Z.
The maximum length is fourteen characters.
If a label does not contain any of the letters G thru Z, then DISASTER
will assume it is a hexadecimal address.

Be careful when using labels which start with the letter L. The function
that generates controls assumes that such a label is followed by
instruction-code.

Labels may be used in commands. The U command could be:

   U label,label

Labels can be removed with the command:

   L label,-
or:
   L address,-

Labels can be renamed with the command:

   L old-name,new-name

Two labels cannot be at the same address. The maximum number of labels
is 4090.

INITIALLY ENTERED LABELS

If you read a file, Disaster will automatically generate some labels in
the header - PSP area. Most labels begin with the letter Z. There is
also a label named LSTARTLOCATION, and that is the address where
execution starts.

RELATIVE LABELS

A new feature in version 1.3 is relative labels. A relative label ends
in + or -. Here's an example:

   L3E4,stuff
   L3E8,stuff+
   L3E2,stuff-

This defines a common label at address 3E4 and two relative labels at
addresses 3E8 and 3E2. In the disassembly, the relative labels will be
displayed as STUFF+4 and STUFF-2. Note that several relative labels may
have the same name. Furthermore there must be a common label with the
same name as the relative label, but with the + or - removed. If there
is no such label, Disaster will not be able to disassemble your program
correctly.

CONTROLS

Not everything is instruction-code. There is also data. The disassembler
cannot easily tell the difference. And what's more, there are different
kinds of code and data. Therefore you must tell DISASTER what is code
and what is data and what kind it is. This is done with the command:

   C address,letter(s)
or:
   C label,letter(s)

A control can be removed by:

   C address,-
or:
   C label,-

At any address, disassembly is controlled by the most recent control
letter.
The letter(s) can be:

   B    hexadecimal bytes
   T    text in quotes, when possible
   W    hexadecimal words
   I    instruction-code for Intel chips
   IV   instruction-code for NEC V20 or V30
   IA   instruction-code for 80386 in protected mode with address and
        operand length of 32 bits.

B, T and W are data-controls, the others are code-controls. This
distinction is important for the A- and B-commands, which will be
discussed below. The controls chop your program into sections. There are
data-sections and code-sections.

If DISASTER encounters an opcode that is valid on a NEC-chip but not on
an Intel-chip, or vice versa, then DISASTER will just disassemble it.
Whether I or IV was given is not important. But there are opcodes which
have a different meaning on NEC- and Intel-chips. In that case I or IV
decides what to do. Programs with these opcodes are rare.

IA can only be used in programs which are intended to run on an 80386 in
protected mode. In real mode the addresses and operands default to 16
bits.

The maximum number of controls is 16380.

INITIALLY ENTERED CONTROLS

If you read a file, DISASTER will automatically generate some controls
in the header. Without the header the initial control is T. That seems
strange; it is done because the correct controls are not yet known, and
to make it easy to recognise readable text.

AUTOMATIC LABEL GENERATION

Manually entering labels and controls is a very tedious job. DISASTER
can help you. Labels will be generated with the command:

   A address,address

DISASTER now searches your program, at the same time showing a listing.
Only code-sections will be searched, data-sections will be skipped.
Each time DISASTER encounters an address-reference a label will be
entered. This label will look like: L45A3_27E5. The first letter of the
label indicates the kind of reference:

   L    branch instruction
   W    word data
   T    byte data

That first letter is followed by the hexadecimal address the label
refers to. This guarantees that all labels are distinct.
It is followed by an underscore and the address where the reference was
encountered for the first time. This facilitates surveying the program.

Whenever a label is generated DISASTER will show a white block on the
screen. Therefore this block is shown in every JMP- and every
CALL-instruction and in every memory-reference where there was no label
yet.

AUTOMATIC CONTROL GENERATION

Controls and labels will automatically be generated with the command:

   B address,address

DISASTER now searches the labels of your program. Whenever DISASTER
encounters a label in a data-section which begins with an L, a control
I will be generated, causing the next part of the program to be
interpreted as code. At the next unconditional RET- or JMP-instruction
another control will be generated to restore the previous situation.

Whenever a control is generated DISASTER will show a white block on the
screen. Therefore this block will be shown:

   1  at every label that begins with an L and occurs in a
      data-section.
   2  at the first RET- or JMP-instruction afterwards.

Furthermore, whenever a control I is generated, that bit of coding will
be searched for address-references to generate labels (as described in
the previous chapter).

USING THE MOUSE

You may want to enter a label or a control at some place in your
program, but you don't know the exact address. For example, the
disassembly contains the line:

   0357 DB 'Press any key',0,'Invalid command'

You'd want to insert a label at the letter I. Now type L, take the mouse
and click with the left button on the letter I. The address is inserted
on the command line. Now complete the command.

Whenever you click with the left button on any part of the disassembly,
the address of that point is inserted on the command line, just as if
you had typed it. If you click the right button, the number or name you
clicked on is inserted.

The left button is a bit buggy: it will not work when there is a line
wrap in the disassembly. Such line wraps do not often occur.
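Added example, not DISASTER's own code: a Python model of the A- and B-commands as the two chapters above describe them, run over a constructed, already-decoded listing (the real tool works on raw bytes; the listing, its addresses and the starting label here are invented for the demonstration). Generated labels follow the page's <kind><target>_<site> scheme, and an L-label in a data section opens a code section that closes after the next unconditional RET or JMP.

```python
LISTING = [  # constructed: (address, mnemonic, reference kind L/W/T, referenced address)
    (0x100, "CALL", "L", 0x120),
    (0x103, "MOV",  "W", 0x140),
    (0x108, "JMP",  "L", 0x100),   # unconditional: the code section ends here
    (0x10A, "DB",   None, None),   # data that the JMP skips over
    (0x120, "MOV",  "T", 0x142),
    (0x123, "RET",  None, None),
    (0x124, "DB",   None, None),
]
DATA = ("B", "T", "W")
ENDS_CODE = ("RET", "RETF", "IRET", "JMP")

def control_at(controls, addr):
    # The most recent control at or before addr decides how addr is shown.
    return controls[max(a for a in controls if a <= addr)]

def a_command(listing, labels, start):
    # A-command over one code section; returns (labels added, address after the RET/JMP).
    added = 0
    for i, (addr, mnem, kind, target) in enumerate(listing):
        if addr < start:
            continue
        if kind and target not in labels:
            labels[target] = f"{kind}{target:04X}_{addr:04X}"
            added += 1
        if mnem in ENDS_CODE:
            return added, listing[i + 1][0] if i + 1 < len(listing) else None
    return added, None

def b_command(listing, controls, labels):
    # One B pass: an L-label in a data section opens control I, closed after RET/JMP.
    added = 0
    for addr, name in sorted(labels.items()):
        previous = control_at(controls, addr)
        if name.startswith("L") and previous in DATA:
            controls[addr] = "I"
            n, after = a_command(listing, labels, addr)
            added += 1 + n
            if after is not None and after not in controls:
                controls[after] = previous
                added += 1
    return added

def run_b_until_stable(listing, labels):
    # Repeat B, as the HINTS chapter advises, until nothing more is added.
    controls = {0x0: "T"}          # without a header the initial control is T
    passes = 0
    while b_command(listing, controls, labels) > 0:
        passes += 1
    return controls, passes
```

Starting from only LSTARTLOCATION at 100, the second pass reaches the CALL target at 120 because the first pass created its L-label; the W- and T-labels never open code sections.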
HINTS

Usually a disassembly starts like this:

   C:\disaster            Start DISASTER
   --->Rprogr.com         read the program
   --->B100,ffff          generate labels and controls
   --->B100,ffff
   --->B100,ffff
   --->B100,ffff

You will see that more and more labels and code-controls will appear.
The command B100,ffff can easily be repeated with the F3-key. Repeat it
until DISASTER reports that no more labels and controls were added. If
you are lucky this has almost completed disassembly, and you hardly did
anything! How many other disassemblers will do that for you?

Is there anything to go wrong? Alas, nothing is perfect, for example in
these cases:

   0150 JNZ L0123
   0152 JZ  L0156
   0154 ADD B[BX+SI],AL

The B-command thinks that the instruction at 0154 is code, since it is
not preceded by an unconditional jump. But JNZ and JZ taken together are
unconditional, and the instructions from 0154 onward should be data. If
there are, beyond 0154, things which look like instructions with
address-references, then there will be false labels. If you watch while
the B-command is executing, then you will see this happen. Interrupt the
command with any key, search for the right spot and enter a data-control
at address 0154.

   INT 020

This is the end of the program, just like INT 021 with AH=00 or 04C. The
B-command does not recognize it.

   JMP [08170+BX]

This is a branch through a table of branch-addresses. DISASTER does not
recognize this. You must give labels to the addresses in the table. Use
labels which begin with the letter L, so the B-command will treat them
as code.

COMMENTS

You can enter comments with the command:

   ;address,text
or, of course:
   ;label,text

Note the semicolon that is the first character of this command.

Comments can be removed with:

   ;address,-
or:
   ;label,-

Comments will be output preceding the addressed line. When control is B,
T or W, a comment causes a line break. A comment halfway through a word
constant or halfway through an instruction will not be output.

The backslash \ has a special meaning in a comment.
It produces a new line, so a comment can span several lines. Two
backslashes at the beginning of a comment produce a new page.

   ;address,single line comment
   ;address,\single line preceded by blank line
   ;address,\\first line on a page\second line

The maximum length of a comment is 127 bytes. There can be no two
comments on one address. The maximum amount of commentary is about
62500 bytes, plus some overhead.

Sorry, comments cannot be edited. But you can edit the SCR file with a
text editor.

INTERRUPTING AND CONTINUING

You have worked some time and entered many labels, controls and
comments. You want to go on the next day. This is done with the command:

   S

DISASTER now writes a script-file. This file has the extension .SCR and,
unless you gave another name, the same name as your program. If the
script-file exists, DISASTER will ask you to confirm.

Eventually stop with the command:

   Q

When no script-file has been made, DISASTER will ask you to confirm.

To continue the next day start the disassembler with the command:

   DISASTER filename

entering the name of the script-file.

A script-file is an ASCII-file containing commands for the disassembler.
Feel free to modify this file with a text-editor. The commands do not
need to be sorted and do not need to be in upper case. Disaster will
convert to upper case (except comments) and sort the commands as it
loads them from the script-file or keyboard input.

OPTIONS

Certain settings of the disassembler can be changed. An option can be
set by entering the letter O, followed by a letter describing which
option you want to set. An option can be turned off by entering the
letter O, followed by the same option letter, followed by a comma and a
hyphen. The following options are available.
   OP     memory reference preceded by B, W or D
   OP,-   memory reference preceded by BYTE PTR or (D)WORD PTR
   OL     output code labels on a separate line
   OL,-   output labels and code on the same line
   OA     output addresses to file and screen
   OA,-   output addresses to screen only
   OH     hexadecimal values are preceded by a zero when the initial
          digit would otherwise be A through F, and they are followed
          by the letter h.
   OH,-   hexadecimal values are always preceded by a zero and not
          followed by h.
   OO     implicit operands after XLAT, MOVS, OUTS, SCAS and similar
          instructions are always output.
   OO,-   implicit operands are output only when there is a segment
          override.

Press F10 to see the current settings of the options.

MAKING A SOURCE-FILE

Eventually you'll want to produce a source-file. This source-file can be
re-assembled with an assembler, such as Eric Isaacson's A86. The
source-file is opened with the command:

   W

The source-file has the same name as the .SYS-, .EXE- or .COM-file, but
the extension is .8. As long as the source-file is open the prompt is
>>>. The only legal commands now are O, U and Q. So it is possible to
change an option while writing the output file.

After the command W you will enter one or more U-commands. You will only
see the addresses on the screen; the disassembled text goes to the file.
Eventually close the file with the command:

   Q

This redisplays the prompt -->.

Perhaps you expect that assembling the source-file should produce the
same .COM- or .EXE-file again. Actually many machine instructions have
more than one encoding for the same mnemonic code, such as:

   MOV AX,BX     8BC3     or 89D8
   REP MOVSB     F3A4     or F2A4
   ADD BX,5      83C305   or 81C30500
   JMP $+8       EB06     or E90500

Furthermore some instructions are conceivable but not acceptable to the
processor, such as SHL AL,30 or BOUND AX,BX. DISASTER accepts these,
the assembler may refuse them.
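Added example, not code from DISASTER: a small Python decoder for just the instruction forms in the table above, showing that each pair of byte sequences disassembles to identical text, which is why re-assembling the output need not reproduce the original bytes. It assumes 16-bit mode and register-direct operands only (mod=11); anything else is rejected rather than guessed.

```python
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
ALU = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]   # /reg field of 81 and 83
STRING = {0xA4: "MOVSB", 0xA5: "MOVSW"}

def modrm(b):
    # Split a ModR/M byte into its mod, reg and r/m fields.
    return b >> 6, (b >> 3) & 7, b & 7

def decode16(code):
    """Decode one 16-bit-mode instruction; returns (text, length in bytes)."""
    op = code[0]
    if op in (0xF2, 0xF3) and code[1] in STRING:
        # REPNE (F2) in front of MOVS behaves exactly like REP (F3): same text.
        return f"REP {STRING[code[1]]}", 2
    if op in (0x89, 0x8B):                 # MOV r/m16,r16 (89) or MOV r16,r/m16 (8B)
        mod, reg, rm = modrm(code[1])
        if mod != 3:
            raise ValueError("memory operands are not modelled")
        dst, src = (rm, reg) if op == 0x89 else (reg, rm)
        return f"MOV {REG16[dst]},{REG16[src]}", 2
    if op in (0x81, 0x83):                 # ALU r/m16,imm16 (81) or sign-extended imm8 (83)
        mod, reg, rm = modrm(code[1])
        if mod != 3:
            raise ValueError("memory operands are not modelled")
        size = 2 if op == 0x81 else 1
        imm = int.from_bytes(code[2:2 + size], "little", signed=True)
        return f"{ALU[reg]} {REG16[rm]},{imm:X}", 2 + size
    if op in (0xEB, 0xE9):                 # JMP short rel8 (EB) or near rel16 (E9)
        size = 1 if op == 0xEB else 2
        rel = int.from_bytes(code[1:1 + size], "little", signed=True)
        # The displacement counts from the end of the jump, so $+N includes its length.
        return f"JMP ${rel + 1 + size:+X}", 1 + size
    raise ValueError(f"opcode {op:02X} is not modelled")

def same_mnemonic(hex_a, hex_b):
    """True when two byte sequences disassemble to the same text (the page's pairs)."""
    return decode16(bytes.fromhex(hex_a))[0] == decode16(bytes.fromhex(hex_b))[0]
```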