home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Collection of Tools & Utilities
/
Collection of Tools and Utilities.iso
/
dskut
/
vexe400.zip
/
VEXE.DOC
< prev
next >
Wrap
Text File
|
1991-12-16
|
77KB
|
1,895 lines
╔════════════════════════════════════════════════════════════════╗
║ ▒▒▄ ▒▒▄ ▒▒▒▒▒▒▄ ▒▒▄ ▒▒▄ ▒▒▒▒▒▒▄ ║
║ ▒▒█ ▒▒█ ▒▒█▀▀▀▀ ▒▒▒▒█ ▒▒█▀▀▀▀ ║
║ ▒▒█ ▒▒█ ▒▒▒▒▒▄ ▒▒█ ▒▒▒▒▒▄ ║
║ ▒▒▒▒█▀ ▒▒█▀▀▀ ▒▒▒▒▄ ▒▒█▀▀▀ ║
║ ▒▒█▀ ▒▒▒▒▒▒▄ ▒▒█▀▒▒▄ ▒▒▒▒▒▒▄ ║
║ ▀▀ ▀▀▀▀▀▀ ▀▀ ▀▀ ▀▀▀▀▀▀ ║
╚════════════════════════════════════════════════════════════════╝
╔════════════╦═══════════════════════════════════════════════════╗
║ VEXE v4.00 ║ EXE files analyzer. Copyright (C) 1991 S.Krupa ║
╚════════════╩═══════════════════════════════════════════════════╝
┌────────────────────────────────────────────────────────────────┐
│▒ Topic ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ Line ▒│
└────────────────────────────────────────────────────────────────┘
I) Introduction to VEXE . . . . . . . . . . . . . . . . . 69
1) VEXE Overview . . . . . . . . . . . . . . . . . . 79
2) Software License . . . . . . . . . . . . . . . . . 109
3) Registration Information . . . . . . . . . . . . . 180
II) Using VEXE . . . . . . . . . . . . . . . . . . . . . . 304
1) Explanation of the Command Line. . . . . . . . . . 314
2) VEXE options . . . . . . . . . . . . . . . . . . . 608
c Show filename & filesize with packer & compiler
infos . . . . . . . . . . . . . . . . . . . . . 615
e Show Windows entry table bundles. . . . . . . . 779
h Show classical DOS executable file header . . . 847
l Descend down thru the directories for file
searching . . . . . . . . . . . . . . . . . . . 967
m Show Windows imported modules table . . . . . . 1007
n Show Windows non-resident names table . . . . . 1033
q Query after each block of informations. . . . . 1083
r Show Windows resident names table . . . . . . . 1111
s Show Windows segment table. . . . . . . . . . . 1161
t Show classical DOS executable file relocation
table . . . . . . . . . . . . . . . . . . . . . 1238
w Show Windows executable file header . . . . . . 1275
z Show Windows segments relocation items. . . . . 1420
3) VEXE default options . . . . . . . . . . . . . . . 1521
III) VEXE Error Messages. . . . . . . . . . . . . . . . . . 1567
IV) Bugs and Warnings. . . . . . . . . . . . . . . . . . . 1644
V) VEXE Tips. . . . . . . . . . . . . . . . . . . . . . . 1698
VI) Files included in this archive . . . . . . . . . . . . 1724
VII) Bibliography . . . . . . . . . . . . . . . . . . . . . 1746
VIII) History. . . . . . . . . . . . . . . . . . . . . . . . 1765
IX) Acknowledgements . . . . . . . . . . . . . . . . . . . 1791
X) Trademarks and Copyrights. . . . . . . . . . . . . . . 1808
XI) Last words and address . . . . . . . . . . . . . . . . 1860
┌─┬──────────────────────────┐
│I│▒▒ INTRODUCTION TO VEXE ▒▒│
└─┴──────────────────────────┘
This section contains an introduction to VEXE, one of
the most flexible .EXE, .DLL and .DRV files analyzer.
┌─┬───────────────────┐
│1│▒▒ VEXE OVERVIEW ▒▒│
└─┴───────────────────┘
VEXE is an easy to use utility program designed to
analyze thoroughly any .EXE, or structurally similar,
file.
Executable files may make use of multiple segments
for code, stack, and data. The design of the .EXE file
reflects the segmented design of the Intel 80x86 CPU
architecture.
The .EXE files produced by the linker consist of two
parts, control and relocation information (in the header),
and the load module itself.
The new .EXE format used in Windows and OS/2 .EXE,
.DLL and .DRV files puts more information into the header
section. Although this makes EXE files larger, it allows
an .EXE program to use DLLs (Dynamic Link Libraries) and
to run in a multi-task environment.
This program is designed to examine these Windows or
DOS executables and to report with fidelity every useful
information found in the header or in the load module.
┌─┬──────────────────────┐
│2│▒▒ SOFTWARE LICENSE ▒▒│
└─┴──────────────────────┘
VEXE is not a Public Domain program and is not free.
VEXE is copyright (C) 1991 by Serge Krupa.
Non-registered users of this program are granted a
limited two-week license to VEXE to evaluate the programs
suitability for their requirements. Any usage of VEXE
beyond evaluation time period requires registration of
each copy of the program used. Use of nonregistered copies
of VEXE beyond original evaluation period is prohibited.
Registration entitles you to use VEXE and any future
versions of VEXE for as long as you wish, subject to any
special licensing conditions attached to future versions.
Serge Krupa is in no way obligated to provide future
versions of, or support for, VEXE.
VEXE may NOT be modified in any respect, including but
not limited to, decompiling, disassembling, or reverse
engineering of the program. Patching the medium at places
that carry the software is seen as a program change and is
also forbidden.
You are free to distribute the PUBLICLY AVAILABLE
shareware version of VEXE to others subject to the above
restrictions and also the following:
1. No fee is charged for its use.
2. No renumeration may be accepted for
VEXE. Pay Bulletin Board Systems may
however charge their normal fee
provided that no additional charge
for RA is levied.
3. VEXE must be copied in unaltered
form, complete with all accompanying
files.
System Operators may make VEXE available for download
only if the above conditions are met. The archive VEXE.ZIP
distributed by Serge Krupa or an equivalant archive may be
made available only in complete form.
VEXE may not be included as part of any software
library which is distributed on a commercial basis ("for
money") without prior written permission from Serge Krupa.
This condition statement supersedes all previous
agreements.
VEXE may not be used in any unlawful or illegal manner.
Serge Krupa hereby disclaims all warranties relating
to this software, whether express or implied, including
without limitation any implied warranties of merchandabi-
lity or fitness for a particular purpose. Serge Krupa
will not be liable for any special, incidental,
consequential, indirect or similar damages due to loss
of data or any other reason. This includes, but is not
limited to, computer hardware, computer software,
operating systems, and any computer or computing acces-
sories. The person using the software bears all risk as
to the quality and performance of the software.
┌─┬──────────────────────────────┐
│3│▒▒ REGISTRATION INFORMATION ▒▒│
└─┴──────────────────────────────┘
The above license statement does not apply to the
REGISTERED version of VEXE. It must be treated just like
a book with certain exceptions as follows:
1. Serge Krupa authorizes the making
of archival copies of the registered
software for the sole purpose of
backing-up your software.
2. The customer may resell unmodified
copies of the registered software
provided that the customer has
purchased from Serge Krupa one copy
of the registered software for each
one sold or distributed. The
provisions of this software license
shall also be applicable to third
parties receiving copies of the
registered software from the
customer.
3. By saying, just like a book, Serge
Krupa means that the registered
software may be used by any number
of people and may be freely moved
from one computer location to
another so long as there is
absolutely NO possibility of it
being used at one location while
being used at another. Just like a
book that cannot be read by two
different people in two different
locations at the same time.
If you find VEXE fast, easy, and convenient to use,
you can become a registered user. Once a registered user
of VEXE, you are free to utilize the program as often as
you wish. Other than having a clear conscience, there
are many advantages to register. You will receive in the
mail a fully functionnal registered version of VEXE with
much larger tables to handle even the biggest Windows or
OS/2 programs, and any new improvement made to VEXE (such
as ability to list Windows resources, text searching...).
Users who have registered (and received a diskette) may
upgrade to the latest version of VEXE by sending their
VEXE original disk, along with $8 (service and handling).
For $15.00 (not including shipping/handling), I'll
send you the latest shareware and registered versions of
VEXE on disk along with documentation (on disk). If you
want to receive VEXE on a 3.5 inch diskette (720k format),
add an additional $3 for each diskette ordered.
Please use the following form when placing an order.
______________________ ORDER FORM _______________________
Please Remit To: Mr Serge Krupa
19 A chemin des Bois
1255 Geneva
SWITZERLAND
Qty. Description Each Total
____ VEXE Upgrade to latest version $08.00 _____
(You must return your original
diskette containing your copy
of the registered version of
VEXE)
____ VEXE Registration with 5.25" $15.00 _____
diskette (Registration includes
diskette with the latest share-
ware and registered program
versions along with manual on
diskette)
____ VEXE Registration with 3.5" $18.00 _____
diskette (same as above except
on new size media)
Subtotal _____
(Europe orders add $3 shipping) Shipping _____
(Foreign orders add $5 shipping)
TOTAL $_____
Name: _______________________________________________
Company: _______________________________________________
Address: _______________________________________________
_______________________________________________
_______________________________________________
Mail the above form along with a Banker's Draft payable
to:
Mr Serge Krupa, CH-1255 Geneva
at the:
Swiss Bank Corporation
Cornavin
CH-1211 Geneva 1
Check amount must be in Swiss Francs.
┌──┬────────────────┐
│II│▒▒ USING VEXE ▒▒│
└──┴────────────────┘
This section describes the command line structure of
VEXE and explains the options.
┌─┬─────────────────────────────────────┐
│1│▒▒ EXPLANATION OF THE COMMAND LINE ▒▒│
└─┴─────────────────────────────────────┘
All of the commands used with VEXE are entered on the
command line at the DOS prompt. The command options used
with VEXE are explained in detail in the following
section, along with examples.
The VEXE command line structure is shown below.
VEXE [/[options]["output file"]] [path][input file]
VEXE = The executable file analyzer program.
options = The different VEXE options that you
can specify.
path = The path location of the executable
file being analyzed.
input file = The name of the executable file being
analyzed, also referred as input.
DOS wildcards are allowed in this
name.
output file = The name and path location of the text
file produced during analysis of the
input file, also referred as output.
NOTE: Parameters listed in [ ] are optional.
┌──────────────┐
│▒▒ EXAMPLES ▒▒│
└──────────────┘
Suppose that you're interested knowing the content of
the header of PKZIP.EXE. You just type at the DOS prompt:
C:\> VEXE C:\PKZIP.EXE
In this example the file PKZIP.EXE will be analyzed and
the output sent to your computer screen. After you type the
command shown above, VEXE will display the following
information on the screen.
╔════════════╦═══════════════════════════════════════════════════╗
║ VEXE v4.00 ║ EXE files analyzer. Copyright (C) 1991 S.Krupa ║
╚════════════╩═══════════════════════════════════════════════════╝
┌──────┬─────────────────────────────────────────────────────────┐
│ SIZE │ File PKZIP.EXE is really 8070h bytes long. │
├──────┼─────────────────────────────────────────────────────────┤
│ LOAD │ The load module size for this file is 32 Kb. │
├──────┼─────────────────────────────────────────────────────────┤
│ PACK │ File not packed. │
├──────┼─────────────────────────────────────────────────────────┤
│ COMP │ File compiled with Microsoft C or Quick C. │
└──────┴─────────────────────────────────────────────────────────┘
┌──────────────────────────────────────┬─────────────────────────┐
│ File size found in header │ 8070h bytes │
│ Number of relocation table entries │ 0017h │
│ Size of header │ 0200h bytes │
│ Minimum 16-bytes paragraphs needed │ 0D47h │
│ Maximum 16-bytes paragraphs desired │ FFFFh │
│ SS:SP relative to program's start │ 14D6h:0580h │
│ Checksum │ BC7Ah │
│ CS:IP relative to program's start │ 0000h:56D6h │
│ Offset of relocation table │ 001Eh bytes │
│ Overlay number │ 0000h │
└──────────────────────────────────────┴─────────────────────────┘
Because you specified no option in the command line,
VEXE used its default options to process PKZIP.EXE. These
default options will be explained later.
The output shown above is typical for most DOS executable
files, the first block containing results of VEXEs 'smart'
analysis and the second block showing the content of the .EXE
file header.
The following example illustrates the analysis of an
ordinary Microsoft Windows file.
C:\> VEXE C:\WINDOWS\CPUUSE.EXE
╔════════════╦═══════════════════════════════════════════════════╗
║ VEXE v4.00 ║ EXE files analyzer. Copyright (C) 1991 S.Krupa ║
╚════════════╩═══════════════════════════════════════════════════╝
┌──────┬─────────────────────────────────────────────────────────┐
│ SIZE │ File CPUUSE.EXE is really 3200h bytes long. │
├──────┼─────────────────────────────────────────────────────────┤
│ LOAD │ The load module size for this file is 1 Kb. │
├──────┼─────────────────────────────────────────────────────────┤
│ PACK │ Microsoft WINDOWS 3.00 program (never packed). │
├──────┼─────────────────────────────────────────────────────────┤
│ COMP │ File compiled with Microsoft C or Quick C. │
└──────┴─────────────────────────────────────────────────────────┘
┌──────────────────────────────────────┬─────────────────────────┐
│ File size found in header │ 527h bytes │
│ Number of relocation table entries │ 0000h │
│ Size of header │ 0200h bytes │
│ Minimum 16-bytes paragraphs needed │ 0000h │
│ Maximum 16-bytes paragraphs desired │ FFFFh │
│ SS:SP relative to program's start │ 0007h:0100h │
│ Checksum │ 4065h │
│ CS:IP relative to program's start │ 0000h:0000h │
│ Offset of relocation table │ 0040h bytes │
│ Overlay number │ 0000h │
│ New-style EXE header offset │ 0400h bytes │
└──────────────────────────────────────┴─────────────────────────┘
┌──────────────────────────────────────┬─────────────────────────┐
│ Linker version and revision numbers │ 5.10 │
│ Offset of entry table │ 00FDh bytes │
│ Bytes in entry table │ 0076h bytes │
│ 32-bit CRC of entire file │ 76A359ADh │
│ Flags │ NONSHARED PMAPI │
│ Segment number of auto data segment │ 0004h │
│ Initial size of dynamic heap │ 0400h bytes │
│ Initial size of stack │ 1000h bytes │
│ Program entry point CS:IP │ 0003h:0011h │
│ Initial stack pointer SS:SP │ 0004h:0000h │
│ Number of entries in segment table │ 0004h │
│ Module reference count │ 0003h │
│ Bytes in nonresident-name table │ 0030h bytes │
│ Offset of segment table │ 0040h bytes │
│ Offset of resource table │ 0060h bytes │
│ Offset of resident-name table │ 00DCh bytes │
│ Offset of module-reference table │ 00E6h bytes │
│ Offset of imported-names table │ 00ECh bytes │
│ Offset of nonresident-name table │ 573h bytes │
│ Number of movable entry points │ 0013h │
│ Shift count of logical sector align │ 0009h │
│ Number of reserved segments │ 0000h │
└──────────────────────────────────────┴─────────────────────────┘
┌────────────────────────────────────────────────────────────────┐
│ Resident-name table │
├──────┬─────────────────────────────────────────────────────────┤
│Number│ Title │
├──────┼─────────────────────────────────────────────────────────┘
│ 0 │cpuuse
├──────┼───────┬──────┬────────┬─────────────────────────────────┐
│Number│Segment│Offset│ Flags │ Name │
├──────┼───────┼──────┼────────┼─────────────────────────────────┘
└──────┴───────┴──────┴────────┘
┌────────────────────────────────────────────────────────────────┐
│ Non-resident name table │
├──────┬─────────────────────────────────────────────────────────┤
│Number│ Description │
├──────┼─────────────────────────────────────────────────────────┘
│ 0 │CPU Usage Meter by Jim Seidman
├──────┼───────┬──────┬────────┬─────────────────────────────────┐
│Number│Segment│Offset│ Flags │ Name │
├──────┼───────┼──────┼────────┼─────────────────────────────────┘
│ 1 │ 1 │ 01E6h│EXPORTED│ MAINWNDPROC
└──────┴───────┴──────┴────────┘
┌────────────────────────────────────────────────────────────────┐
│ Segment table │
├──────┬───────────┬────────┬────────┬───────────────────────────┤
│Number│ Offset │ File │ Memory │ Flags │
├──────┼───────────┼────────┼────────┼───────────────────────────┘
│ 1 │ 800h │ 0527h │ 0527h │ CODE EXECREAD MOVEABLE NONSHARED
│ │ │ │ │ PRELOAD NONCONFORMING RELOC
│ │ │ │ │ NOIOPL NONDISCARDABLE
│ 2 │ 1000h │ 02DEh │ 02DEh │ CODE EXECREAD MOVEABLE NONSHARED
│ │ │ │ │ PRELOAD NONCONFORMING RELOC
│ │ │ │ │ NOIOPL DISCARDABLE
│ 3 │ 1400h │ 079Fh │ 079Fh │ CODE EXECREAD MOVEABLE NONSHARED
│ │ │ │ │ PRELOAD NONCONFORMING RELOC
│ │ │ │ │ NOIOPL NONDISCARDABLE
│ 4 │ 1E00h │ 034Ah │ 034Ah │ DATA READWRITE MOVEABLE NONSHARED
│ │ │ │ │ PRELOAD NONCONFORMING
│ │ │ │ │ NOIOPL NONDISCARDABLE
└──────┴───────────┴────────┴────────┘
┌────────────────────────────────────────────────────────────────┐
│ Entry table bundles │
└────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────┐
│ Moveable segment bundle │
├──────┬───────────┬──────────────────┬──────────────────────────┤
│Number│ Flags │ Segment number │ Offset │
├──────┼───────────┼──────────────────┼──────────────────────────┤
│ 1 │ EXPORTED │ 0001h │ 01E6h │
│ 2 │ 0000h │ 0003h │ 0740h │
│ 3 │ 0000h │ 0003h │ 05FAh │
│ 4 │ 0000h │ 0001h │ 0000h │
│ 5 │ 0000h │ 0002h │ 0000h │
│ 6 │ 0000h │ 0003h │ 062Ch │
│ 7 │ 0000h │ 0003h │ 0648h │
│ 8 │ 0000h │ 0003h │ 06E2h │
│ 9 │ 0000h │ 0003h │ 0720h │
│ 10 │ 0000h │ 0003h │ 0714h │
│ 11 │ 0000h │ 0001h │ 0063h │
│ 12 │ 0000h │ 0003h │ 008Ah │
│ 13 │ 0000h │ 0003h │ 021Ch │
│ 14 │ 0000h │ 0003h │ 03AEh │
│ 15 │ 0000h │ 0001h │ 0165h │
│ 16 │ 0000h │ 0003h │ 0149h │
│ 17 │ 0000h │ 0003h │ 0157h │
│ 18 │ 0000h │ 0003h │ 04F6h │
│ 19 │ 0000h │ 0003h │ 04FCh │
└──────┴───────────┴──────────────────┴──────────────────────────┘
┌──────┬─────────────────────────────────────────────────────────┐
│Number│ Imported module name table │
├──────┼─────────────────────────────────────────────────────────┘
│ 1 │KERNEL
│ 2 │GDI
│ 3 │USER
└──────┘
You see that VEXE produces a much, much, longer list of
informations when dealing with Microsoft Windows executables.
This is perfectly natural, since Windows .EXE files contains
a new header (third output block) and many tables (other
output blocks) in addition of the ancient DOS header.
Listed below is a summary of important facts to keep in
mind while using VEXE.
- The commands can be typed using either upper case or
lower case.
- The first option, or the output file specification,
must be preceded by the MS-DOS switch character '/'
(i.e. VEXE/CQ input -OR- VEXE/"output"CQ input).
- Options must be combined with no space between them
(i.e. VEXE/CQWL"output" input).
- The order in which options appears on the command
line has no effect on the order information blocks
are listed on-screen.
- Typing VEXE on the command line with no options, will
bring up a help screen listing all the program
options.
- Every DOS wildcards are allowed in the input file
name (i.e. VEXE EX??.*).
- Path and input file name together are limited to 63
characters.
The following table lists all the options available with
VEXE. A brief summary is also given in the table. The
options are explained in detail, along with programming
examples in the following section.
VEXE COMMAND OPTIONS
───────────────────────────────────────────────────
Option Summary
c show filename & filesize with packer & compiler infos
e show Windows entry table bundles
h show classical DOS executable file header
l descend down thru the directories for file searching
m show Windows imported modules table
n show Windows non-resident names table
q query after each block of informations
r show Windows resident names table
s show Windows segment table
t show classical DOS executable file relocation table
w show Windows executable file header
z show Windows segments relocation items
────────────────────────────────────────────────────
┌─┬──────────────────┐
│2│▒▒ VEXE OPTIONS ▒▒│
└─┴──────────────────┘
The VEXE options are described below.
┌─┬─────────────────────────────────────────────────────┐
│c│show filename & filesize with packer & compiler infos│
└─┴─────────────────────────────────────────────────────┘
This option is used to tell VEXE to do a 'smart' analysis
of the executable input file.
C:\> VEXE/C MYPROG.EXE
In the example shown above a block containing informations
about the input file will be produced. Below is a list and
explanation of each section of this block.
SIZE : input file's disk size (in hex notation).
LOAD : input file's load module size. This is
the added size of code and constant data
contained in the executable. It's not the
memory requirement of this executable !
You need to add the minimum number of
paragraphs required to this size to find
the executable memory occupation.
PACK : Packing is a way to reduce the .EXE file
size, leaving the code executable. VEXE
will detect if the EXE file is packed by
one of the following packers:
EXEPACK : A MicroSoft product, not usual-
ly available but packaged with
certain software (MASM 5.1).
Apparently the first such
program of this type (1986
copyright). New versions of Link
optionally EXEPACK the .EXE file
linked.
LZEXE : Developed by Fabrice Bellard
( current version is 0.91,
backward compatible with version
0.90 ). This program was the
first generally available
executable file compressor and
is the most widely used. VEXE
reports packing by any version
of LZEXE, even if no packer mark
could be found ! Files compres-
sed by LZEXE are unpacked on the
fly by VEXE for better compiler
search.
PKLITE : Developed by PKWARE (purveyors
of PKZIP), this program compres-
ses (and un-compresses) .COM
and .EXE only. VEXE features
recognition of files compressed
with PKLITE v1.03 to v1.13. The
kind of compression used is also
stated, even the unusual 'favor'
compression used when packing
well-known softwares.
DIET : Created by Teddy Matsumoto, the
author of LEXEM an archive soft
used in Japan. Files packed by
DIET version 1.00 to v1.10a are
recognized, but DIET v1.10a
compression is not distinguished
from DIET v1.02 compression.
TINYPROG: Shareware from Tranzoa Ass. Only
the latest versions offer a
slightly more effective packing
than EXEPACK. No uncompressor
available.
SCRNCH : G.W. McRae's SCRNCH is mostly
used to pack .COM files, so you
are not likely to encounter any
.EXE file packed with this
program.
The packing is detected by the presence of
an unpacking routine at a given point of
the file. This way the ID bytes stored by
some packers aren't necessary to determine
if the file is compressed, and by which
method. There is no hidden packing to VEXE!
When some conditions are met, VEXE guess
that the .EXE file currently analyzed was
packed, but the packing method is unknown.
If the file is a Microsoft WINDOWS, or OS2,
one, a message stating this is output,
along with Windows version necessary to
run the program.
COMP : Most of the .EXE files are produced by
compilers. Reflecting this fact, VEXE will
try to determine the compiler used to
produce the code of the file. The current
version of VEXE can detect files created
with:
- Microsoft C or Quick C
- Turbo C
- Turbo C++
- Meridian C, Ada or Pascal
- Lattice C
- Power C
- Zortech C
- Quick Basic
- Turbo Basic
- Turbo Pascal (version 5.5 & 6.0)
- Turbo Prolog
- Logitech Modula 2
- JPI TopSpeed Modula 2
- Janus Ada
A proprietary algorithm is also used to
spot .EXE files made using assembly
language. The accuracy of this detection
is over 85 % .
Sometimes VEXE is unable to find what
compiler produced the .EXE file. This is
often the case with files generated by old
versions of Turbo Pascal, or some unknown
(to VEXE) C compilers.
Another reason that prevent VEXE from
finding the compiler who has produced the
.EXE code is file packing. In packed files
the compiler mark is often unreadable.This
is why I decided to include a slightly
modified version of the code of UNLZEXE
v0.6, written by Mitugu(Kou) Kurizono, in
VEXE. Therefore, when a file packed with
LZEXE v0.90 or v0.91 is processed, VEXE
will unpack it on the fly to search more
accuratly the compiler mark. This usually
result in much longer processing time.
When a file that hasn't been packed by
LZEXE is analyzed and no compiler mark is
found, VEXE assume that packing rendered
this mark unreadable.
┌─┬────────────────────────────────┐
│e│show Windows entry table bundles│
└─┴────────────────────────────────┘
This option will instruct VEXE to display the
entry table bundles of a Windows or OS/2 .EXE,
.DLL or .DRV file.
C:\> VEXE/E WINPROG.EXE
The entry table contains bundles of entry point
ordinal values. Other .EXE files may refer to
entry points within a given bundle by their
ordinal value. They are two kind of bundles, each
having its particular format.
First, the moveable segment bundle contains the
following fields:
- Entry point ordinal value (1 to 999).
This is the only value not printed in
hex (h stands for "hex").
- Flags. VEXE can interpret three flags,
exported, shared and exported and
shared. Other flags are shown in hex
value.
- Segment number (see segment table).
- Offset in the segment.
Second, the fixed segment bundle contains the
following fields:
- Entry point ordinal value (1 to 999).
This is the only value not printed in
hex (h stands for "hex").
- Flags. VEXE can interpret three flags,
exported, shared and exported and
shared. Other flags are shown in hex
value.
- Offset in the segment.
The fixed segment number appears in the header of
the block.
If you want to abort the display of this table,
just press ESCAPE.
Other tables refer to this entry table, therefore
it is loaded every time a Windows or OS/2 file is
processed. The unregistered version of VEXE can
only hold 100 entries. This is enough for little
programs, but if you want to analyze a big file,
the registered version of VEXE with its table
capable of holding 800 entries will be necessary.
Caution: Borland's TDUMP is unable to properly
list the entry table. You better use
VEXE!
┌─┬─────────────────────────────────────────┐
│h│show classical DOS executable file header│
└─┴─────────────────────────────────────────┘
This option is used to produce an output of the
standard, "classical", .EXE header, found a the
very beginning of every DOS, Windows or OS/2
executable or library file.
C:\> VEXE/H DOSPROG.EXE
The .EXE format can support programs larger than
64K. It does this by allowing separate segments
to be defined for code, data, and the stack, each
of which can be up to 64K long. Programs in EXE
format may contain explicit references to segment
addresses. This .EXE file header has informations
for DOS to resolve these references.
The .EXE header bears the following informations:
- File size found in header:
This is the size of the program found in the
EXE header. The real size of the program on
disk could be different than this size. In this
case the executable probably contains internal
overlays. Overlays always means that the
program wasn't compressed.
- Number of relocation table entries:
Depending how many subroutines, for example,
the EXE program contain, the number of
relocation entries found in the relocation
table will be different.
- Size of header:
The header size is also the offset to the load
module in the executable file.
- Minimum 16-bytes paragraphs needed:
This field gives the DOS during code loading
the absolute minimum number of paragraphs
required above the end of the loaded program.
- Maximum 16-bytes paragraphs desired:
Maximum number of 16 byte paragraphs desired
above the end of the loaded program. If the
minimum and maximum number of paragraphs are
both zero, the program will be loaded as high
in memory as possible.
- SS:SP relative to program's start:
The SS:SP pair indicates the position of the
stack segment, usually the last one in the file.
- Checksum:
Negative sum of all the words in the file,
ignoring overflow. This checksum is essentially
used to store flags showing that the file is a
packed one (EXEPACK do it this way).
- CS:IP relative to program's start:
The CS:IP pointer is an usual INTEL format four
bytes seg:ofs pointer.CS:IP points to the first
instruction of the program code. This
instruction could be found at location
(CS:IP)+(header size)
of the .EXE file. After the loading of the
program and the segments reference adaptation,
the control will be given to the code at CS:IP.
- Offset of relocation table:
The relocation table is located immediatly above
a reserved space (this space is often used to
hold identification strings, like LZ91 for
programs compressed with LZEXE v0.91) at the
end of the header. The offset of the relocation
table is the number of bytes you must count
from the beginning of the file to the first
entry of the table. This table hold relocation
entries.
- Overlay number:
The overlay number is always 0 for the resident
part of the program.
- New-style EXE header offset:
Microsoft Windows and OS/2 .EXE files includes
a second header. The offset of this new
executable header is only found if the offset
of the relocation table is 40h or greater.
┌─┬────────────────────────────────────────────────────┐
│l│descend down thru the directories for file searching│
└─┴────────────────────────────────────────────────────┘
A convenient feature of VEXE is recursive search.
C:\> VEXE/L C:\EXAMPLE\*.EXE
Tell VEXE to descend down thru the directories,
searching for one or more filename matching the
one that you specified. The search will begin at
the directory appearing in the command line.
The example shown above instruct VEXE to search
all filenames with .EXE extension in the
C:\EXAMPLE\ directory, and to continue the search
in subdirectories of C:\EXAMPLE\, as deep as
necessary in the directory structure.
However, be cautious in using this option: the
directory structure of your (hard) disk can't be
processed deeper than the 32nd level.
If more than one file is found, VEXE will
continuously display the results of its analysis
of all the files found, until the informations of
all file are listed.You can interrupt the listing
of these informations by pressing ESCAPE several
times (if you are lucky one time will be enough,
but its possible that you will first interrupt
the current table listing, and only later the
whole process).
When you select the L option, it's added to the
default options, or the ones you already entered:
it can't be selected alone!
┌─┬───────────────────────────────────┐
│m│show Windows imported modules table│
└─┴───────────────────────────────────┘
To view this concatenation of the module reference
and imported name tables of a Windows or OS/2 .EXE
or library file, just enter a command line
including the M option.
C:\> VEXE/M WINPROG.EXE
A table containing names of modules imported by
the executable file, together with modules ordinal
values in base 10, will be produced.
The imported modules table is necessary to properly
handle Windows relocation tables. VEXEs module
table can hold up to 8 module names. The registered
version of VEXE can naturally hold much more module
names: 20 in total. Another benefit of registering
your copy of VEXE!
┌─┬─────────────────────────────────────┐
│n│show Windows non-resident names table│
└─┴─────────────────────────────────────┘
This option is used to produce an output of the
nonresident-name table found in every Windows or
OS/2 executable or library file.
C:\> VEXE/N WINPROG.DLL
The nonresident-name table listing will contain
the following elements:
- A description of the program or library
(this is usually the content of entry
number 0 of this table). This sentence
could be longer than 80 characters and
will not fit on the screen. VEXE will
show a '»' at the end of such sentences.
- Series of non-resident names, each
accompanied with four fields:
- An ordinal value (1 to 999) refering
to an entry table entry point.
The fields described below are
extracted directly from the entry
table.
- Flags. VEXE recognize three flags,
exported, shared and exported and
shared. Other flags are shown in hex
value.
- Segment number (see segment table).
- Offset in the segment, in bytes.
Exported nonresident code modules could be
dynamically called at execution time by another
executable file. This is especially the case
with nonresident modules found in standard
Microsoft Windows libraries (KERNEL, USER, GDI).
This table could reasonably be empty in some
files.
┌─┬──────────────────────────────────────┐
│q│query after each block of informations│
└─┴──────────────────────────────────────┘
Many tables that VEXE is able to display
will extend on multiple screens. It's therefore
possible that you'll miss the beginning of the
next table when looking at a very long one.
The solution is including the Q option in the
command line.
C:\> VEXE/Q MYPROG.EXE
VEXE will stop scrolling after every block of
informations and will ask you to press SPACE to
view another block. If you're tired looking at
endless tables, just press any other key to
abort VEXE.
When you select the Q option, it's added to the
default options, or the ones you already
entered: it can't be selected alone!
┌─┬─────────────────────────────────┐
│r│show Windows resident names table│
└─┴─────────────────────────────────┘
This option is used to produce an output of the
resident-name table found in every Windows or OS2
executable or library file.
C:\> VEXE/N WINPROG.EXE
The resident-name table listing will contain the
following elements:
- The name of the program or library,
usually the content of entry number 0
of this table.This name could be longer
than 80 characters and will not fit on
the screen. VEXE will put a '»' at the
end of such names.
- Series of resident module names, each
accompanied with four fields:
- An ordinal value (1 to 999) refering
to an entry table entry point.
The fields described below are
extracted directly from the entry
table.
- Flags. VEXE recognize three flags,
exported, shared and exported and
shared. Other flags are shown in hex
value.
- Segment number (see segment table).
- Offset in the segment, in bytes.
I noticed that resident modules exported by an
executable or a library and imported by an
other executable have their names copied in the
imported module names table of this executable,
just after the module name.
This table could reasonably be empty in some
files.
┌─┬──────────────────────────┐
│s│show Windows segment table│
└─┴──────────────────────────┘
The segment table contains entries for each
segment in the executable or library file.
This table appears only in Windows or OS/2
programs.
C:\> VEXE/S WINPROG.EXE
Using this option you tell VEXE to display a
list of segment entries, each containing the
following subentries:
- Segment number. Segment number one is
always the first (decimal numbers).
- Offset in file. Right alignment shift
done by VEXE: no more calculation
needed, it's a clean n-bytes offset (in
hexadecimal).
- Length of image in file (in bytes).
- Size to allocate in memory (in bytes).
- Flags. Shown below is an explanation of
each flag.
- Data segment flags. Segment can be
CODE, DATA, DATA TYPE n.
- Iterated.
- Movable (segment not fixed).
- Sharable. A segment can be SHARED or
NONSHARED.
- Preloaded (segment will be preloaded).
A segment can be PRELOAD or LOADONCALL.
- Execute-only. A CODE segment can be
EXECONLY or EXECREAD; a DATA segment
can be READONLY or READWRITE.
- Relocations (directly following code
for this segment). Not every segment
have RELOC.
- Debug info (CONFORMING or not).
- 80286 DPL bits (IOPL, NOIOPL).
- Discardable (with discard priority).
A segment can be DISCARDABLE or not.
If you want to abort the display of this table,
just press ESCAPE.
The segment table indicates VEXE which segment
have relocation entries, and is therefore very
important to properly handle Windows relocation
tables. VEXE have the ability to hold up to 50
segment entries. The registered version of VEXE
can naturally hold much larger segment tables, up
to 200 entries. So consider registering VEXE if
well done job is a primary concern for you!
┌─┬───────────────────────────────────────────────────┐
│t│show classical DOS executable file relocation table│
└─┴───────────────────────────────────────────────────┘
The relocation table is an ordered list of
relocation items. Every segment reference made in
a DOS or DOS&Windows program must be relocated
using the relocation items.
C:\> VEXE/T DOSPROG.EXE
This option tells VEXE to produce an output of
the relocation table items pointing to target
locations needing to be relocated.
The relocation item contains two fields: a word
offset value, followed by a word segment value.
These two fields represent the displacement into
the load module before the module is given control.
The target location is a word in the load module
to which is added the start segment value. The
result is placed back into the word in the load
module.
Because the relocation table may contain several
hundred entries, the T option is inactive by
default to avoid generation of Kb of unwanted
informations every time you use VEXE.
You can abort the display of these entries
by pressing ESCAPE.
┌─┬───────────────────────────────────┐
│w│show Windows executable file header│
└─┴───────────────────────────────────┘
Applications that run under Microsoft Windows or
OS/2 uses a new EXE format that puts more
information into the header section.
C:\> VEXE/W WINPROG.EXE
This command line makes VEXE producing a header
elements list bearing the following informations:
- Linker version and revision numbers:
Major and minor version of the linker used
to make the executable or library file are
shown in decimal numbers.
- Offset of entry table:
Offset in bytes, relative to the beginning
of the new-style header.
- Bytes in entry table:
Length in bytes.
- 32-bit CRC of entire file:
This double-word is 0 in Borland's Turbo
Pascal for Windows, and is not checked for
consistency.
- Flags:
1) DGROUP type : SHARED
NONSHARED
none
2) Global initialization: GLOBALINI
3) Protected mode only : PROT
4) Instruction set : 86
286
386
x87
5) API awareness : PMAPI
(uses Windows/P.M. API)
NOTPM
(full screen)
PMCOMP
(compatible Windows/P.M. API)
6) Errors in image : ERROR
7) Library (DLL) file : LIB
- Segment number of auto data segment:
It's an index into the segment table.
- Initial size of dynamic heap:
Size in bytes added to the data segment.
- Initial size of stack:
Size in bytes added to the data segment.
- Program entry point CS:IP:
CS is an index into the segment table.
- Initial stack pointer SS:SP:
SS is an index into the segment table.
- Number of entries in segment table:
How many segments the file contains.
- Module reference count:
How many imported modules the file
contains. This entry is missing in Windows
2.03 documentation and many utilities that
list the Windows header are passing over
this field. This is NOT the case with
EXEHDR (or VEXE).
- Bytes in nonresident-name table:
- Offset of segment table:
Offset in bytes from the beginning of the
new header.
- Offset of resource table:
Offset in bytes from the beginning of the
new header. VEXE doesn't list the content
of this table. Newer registred versions
will surely have the ability to do this.
- Offset of resident-name table:
Offset in bytes from the beginning of the
new header.
- Offset of module-reference table:
Offset in bytes from the beginning of the
new header. VEXE doesn't list the content
of this table. Instead, it use it to make
a combined imported modules name table
listing.
- Offset of imported-names table:
Offset in bytes from the beginning of the
new header. VEXE doesn't list the content
of this table. Instead, it use it to make
a combined imported modules name table
listing.
- Offset of nonresident-name table:
Offset in bytes from the beginning of the
FILE!
- Number of movable entry points:
- Shift count of logical sector align:
The sector size is 2^(shift count).
- Number of reserved segments:
┌─┬──────────────────────────────────────┐
│z│show Windows segments relocation items│
└─┴──────────────────────────────────────┘
Segment relocation tables immediatly follows
every segment in Windows or OS/2 files having the
RELOC flag set. They contain, like their DOS
counterparts, relocation entries, but their
likeness stops here: entries holds much more
informations.
C:\> VEXE/Z WINPROG.DLL
Series of information blocks are displayed when
you start VEXE with the Z parameter. Each block
begin with a header telling you which segment
relocation table is currently processed. Follows
a generally long list of relocation entries for
this segment.
I must confess that I wrote relocation tables
display routines without any documentation for
their format other than what I could guess. It
seems to work pretty well, but the explanation
following must be read with caution, because I
haven't wrote facts, but rather the results of my
own analysis.
Basically, three types of relocation entries
could be distinguished:
- IMP entries containing calls to Windows
services, or to library functions.
- SEG entries containing relocatable
segment references.
- OS entries probably containing calls
to operating system functions.
Let's see how VEXE handle each entry type:
- IMP: the type field come first (BASE, PTR or
OFFSET) followed by an offset to the
call (relative to the beginning of the
segment).
The target field holds the module's name,
the entry point ordinal value when
reference is by value, or directly the
external name when reference is by name.
For external names referenced by value,
VEXE will first search the value in its
own tables containing every function
exported by these Windows 3.0 modules:
- KERNEL.EXE
- GDI.EXE
- USER.EXE
- SYSTEM.DRV
- COMM.DRV
- KEYBOARD.DRV
- SOUND.DRV
If no name corresponding to the ordinal
value is found, VEXE will try to find the
referenced module as 'module.EXE',
'module.DLL' or 'module.DRV' in the
current directory.
The name will be displayed if one search
was succesfull.
- SEG: the type field come first (BASE, PTR or
OFFSET) followed by an offset to the
segment reference to be relocated.
The target field contains the address
used to relocate the segment reference.
- OS : Any idea concerning this entry type is
welcome!
Because the relocation tables may contain several
hundred entries, the Z option is inactive by
default to avoid generation of Kb of unwanted
informations every time you use VEXE.
You can abort the display of these entries
by pressing ESCAPE.
┌─┬──────────────────────────┐
│2│▒▒ VEXE DEFAULT OPTIONS ▒▒│
└─┴──────────────────────────┘
Some options are nearly essential to analyze a .EXE,
.DLL or .DRV file correclty. Therefore VEXE doesn't ask
you to include the folowing options in your command line:
c show filename & filesize with packer
& compiler infos
e show Windows entry table bundles
h show classical DOS executable file header
m show Windows imported modules table
n show Windows non-resident names table
r show Windows resident names table
s show Windows segment table
w show Windows executable file header
If you include one of them anyway, only this option
will be considered by VEXE when processing the input file.
In fact, for VEXE only L and Q options are additive, other
options override the default settings.
C:\> VEXE/CL C:\EXAMPLE\*.EXE
In this example the output of VEXE is made of blocks
of size, load module, packer and compiler informations
for every executable file found in the C:\EXAMPLE
directory, or deeper in the directory structure. All
default options were overrided by the C option, and the
L option added to form the complete command line.
┌───┬─────────────────────────┐
│III│▒▒ VEXE ERROR MESSAGES ▒▒│
└───┴─────────────────────────┘
The following error messages may appear when using
VEXE. A brief explanation of each message along with
possible solutions is listed below.
- Error creating output file FILENAME !!!! Try again...
> VEXE could not create the output file. If you have
specified an output file, make sure it is a valid
filename and location.
- Missing quotes near output filename's end !!!!
> VEXE is unable to find one of the quotes surrounding
the output file name. Make sure you correctly
surrounded the output file name with quotes.
- Incorrect option '?' in command line !!!!
Type VEXE alone to view the option summary.
> This error appears when the VEXE command line you
have entered contains an invalid option. Just type
VEXE alone to print the help screen showing all the
program options on the monitor.
- No file found that match FILENAME !!!! Try again...
> The file you have attempted to analyze cannot be
opened by VEXE. Verify that you didn't mis-spell the
file name.
- Incorrect parameter in command line !!!!
Type VEXE alone to view the help screen.
> You probably forget to enter the slash ('/') at the
beginning of your options list. Please keep in mind
when you use two parameters to put first the options
list preceded by a slash, then the input file name.
- EXE signature 4D5Ah not found. This isn't an EXE file !
> The file you have attempted to analyze isn't a true
.EXE file. True .EXE files contains a signature in
their two first bytes (4D5Ah). VEXE will only
analyze files beginning with this signature.
- EXE's header too large. File not processed !
> The header information of the file contains too much
information to be analyzed. This error appears when
you try to list a DOS relocation table bigger than
64 Kb.
- Not enough memory left to run VEXE.EXE...
> This error will only occur when there is insufficient
memory available to load every input file names to be
analyzed. Try making more memory available.
VEXE is able to tell you that you're analyzing a
Windows or OS/2 program containing too many tables items,
and that VEXE, unregistred version, is unable to load all
of them. Nevertheless, VEXE will try to complete the
analysis of the file. If you specified option 'Z' to view
the Windows segment relocation tables, be warned that the
content of those tables maybe inaccurate and strange !
┌──┬───────────────────────┐
│IV│▒▒ BUGS AND WARNINGS ▒▒│
└──┴───────────────────────┘
VEXE was written in several stages. It started as a
replacement for F.Bellard's INFOEXE.EXE, and growed up
to finally become this public release version. Now VEXE
is so complex that some parts of its code would be hard
to modify. Naturally, the most questionable parts are
the more likely to requer a change. Shown below is a
non-exhaustive list of these poorly written code parts:
- If VEXE is unable to open, to create or to
read a specified file, it may be possible
that a system error message appears on
your screen. This is due to a lack of error
handling from me. Please try to understand
the meaning of this message to correct the
error (if possible).
- The advice shown above is also true for
write error and disk full error messages.
- If not enough memory could be allocated to
VEXE, prepare yourself to really horrible
DOS messages. However, this error is very
unlikely.
- The compiler searching routine is potentially
incorrect. It's possible that VEXE couldn't
recognize the compiler used to produce the
file, although the compiler mark is still in
it. This is a very improbable case that will
occur if the mark is only partially read in
the buffer of VEXE. On 200 executable files
analyzed, none showed such problem, because
VEXE's read buffer is very big to achieve
maximum processing speed.
Undoubtly some bugs remains hidden in VEXE. I did a
thorough testing of the program before I released it,
but I cannot guarantee that it will work perfectly
under all circumstances.
If you you encounter any bugs, I would like to know
about them. My name and address may be found at the end
of this file. I would also appreciate any suggestions,
and will try to include them in future releases of VEXE.
┌─┬───────────────┐
│V│▒▒ VEXE TIPS ▒▒│
└─┴───────────────┘
Here are some tips that will make your life easier
when using VEXE:
- If you're viewing a long table and like
to stop VEXE without losing your output
file or crashing your system, just press
CTRL BREAK. VEXE includes a break-handler
that will close the output file and exit
flawlessly. Don't mind the system message
'Run time error', it's only the compiler
runtime saying 'everything OK for exit' .
- When using VEXE on very large number of
files,you better choose the output option
(i.e. /"output filename") if you want
break-handling capabilities and faster
output speed. DOS redirection is 30 %
slower than VEXEs write routines.
┌──┬────────────────────────────────────┐
│VI│▒▒ FILES INCLUDED IN THIS ARCHIVE ▒▒│
└──┴────────────────────────────────────┘
Shown below is a list of files that should be included
in this archive file:
VEXE.EXE : the file analyzer itself
VEXE.DOC : this file
ORDER.FRM : the order form stand
alone version
If one of these files is missing, please contact me
to receive the latest unregistered version of VEXE (don't
forget shipping charges).
┌───┬──────────────────┐
│VII│▒▒ BIBLIOGRAPHY ▒▒│
└───┴──────────────────┘
A programmer is often lost without the precious help
of his predecessors. This help, for me, was well-written
programs and clear reference texts. I wish to include in
this little bibliography a partial list of all these
books, texts and jewels of code without them doing VEXE
were impossible. Many thanks to their authors.
- The Programmers PC SourceBook, Thom Hogan, Microsoft Press
- The MSDOS Interrupt List, Ralf Brown
- EXEHDR.EXE, Microsoft Corp.
- INFOEXE.EXE, F.Bellard
- UNDOCFCT.EXE, D.J. Murdoch
- WHATIS.EXE, J.E. Smith
- CHK4COMP.EXE, John Land
┌────┬─────────────┐
│VIII│▒▒ HISTORY ▒▒│
└────┴─────────────┘
09/91 - VEXE v2.22, Swiss public release. Windows
tables listing not included. Many little
bugs. Public Domain.
12/91 - VEXE v4.00, International public release.
Windows tables listing included. Tested
and debugged version. Several cosmetic
changes. Crippled Shareware.
┌──┬──────────────────────┐
│IX│▒▒ ACKNOWLEDGEMENTS ▒▒│
└──┴──────────────────────┘
All the following people deserve recognition for their
contributions:
- My mother, for all her love and help.
- Patrick Galley, for invaluable advices on many occasions.
- The beta test team, for testing VEXE during long hours.
┌─┬───────────────────────────────┐
│X│▒▒ TRADEMARKS AND COPYRIGHTS ▒▒│
└─┴───────────────────────────────┘
- INTEL is a trademark of Intel Corporation
- OS/2,
MS-DOS,
WINDOWS,
EXEPACK,
QUICK C,
QUICK BASIC,
MICROSOFT C are trademarks of Microsoft Corporation
- PKLITE,
PKZIP are trademarks of PKWare Inc.
- LZEXE is a trademark of Fabrice Bellard
- DIET is a trademark of Teddy Matsumoto
- TINYPROG is a trademark of Tranzoa Co.
- SCRNCH is a trademark of G.W. McRae
- CPUUSE is a trademark of Jim Seidman
- TPW,
TDUMP,
TURBO C,
TURBO C++,
TURBO BASIC,
TURBO PROLOG,
TURBO PASCAL are trademarks of Borland International
- LOGITECH MODULA2 is a trademark of Logitech Inc.
- JPI TOPSPEED M2 is a trademark of Jensen & Partners
- LATTICE C is a trademark of Lattice Inc.
- POWER C is a trademark of MIX Software
- ZORTECH C is a trademark of Zortech
- JANUS ADA is a trademark of RR Software
- MERIDIAN ADA is a trademark of Meridian
┌──┬────────────────────────────┐
│XI│▒▒ LAST WORDS AND ADDRESS ▒▒│
└──┴────────────────────────────┘
Any comments of what you think of VEXE and suggestions
of future enhancements you would like to see can be sent
via ordinary SnailMail or Email to me.
Requests for site license, source code or customized
versions are welcome. They will be examined on case by case
basis.I'll make my best to answer quickly to every request.
If you have comments, bug reports, etc., you can reach
me through:
My address : Mr Serge Krupa
19 A chemin des Bois
1255 Geneva
Switzerland
Internet mail: krupa@eig.unige.ch
(until June 92)
(I wish to apologize for my poor english. Many thanks for
reading this text to the end !)
─────────────────────────── EOF ───────────────────────────