GetEQExe 3.49   by Independent (IND)

┌──-·· : │ ■ GetEQExe 3.49 ■ │ : ··───· · ┌──-·· │ ■ What is GetEQExe? │ GetEQExe is a program to compare the startup code of COM files, DOS │ executables or Windows PE executables or normal files. │ │ You can use GetEQExe for │ comparing up to 10 EXE startup codes, │ comparing up to 10 normal files, │ ripping code out of a file │ │ GetEQExe does not care if the files is readonly or not. │ │ Homepage: http://surf.to/phax │ eMail: [email protected] │ │ Please mail any suggestions for improvement to me. : ┌──-·· │ ■ The switches: │ │ ≡ Available options: │ /BIN create binary output -> to rip startup code │ /BIT compare bits instead of bytes │ /DIFF print only not identical bytes │ /ENDn goto n bytes before the end of the file │ /EXT extended output (maybe interesting) │ /FILL also print equal bytes in /DIFF mode │ /GOTOn start comparing at filepos n (default = CS:IP [EXE]; 0 [else]) │ /HELP activate the help system │ /MACROxyz execute the macro "xyz" │ /MAGICn set the magic number for the Pascal output file (default = 0) │ /MAXn set the maximum filesize (default = infinite) │ /MINn set the minimum filesize (default = 0) │ /NOCFG do not use the configuration file │ /NODIS do not "disassemble" │ /NOPAS do not create a Pascal include files │ /NOCON do not write anything to STDOUT │ /NONE do not compare new executables (NE/PE) │ /OVER overwrite the Pascal file without asking │ /NAMEfile set the Pascal filename "file" (default = "_outexe.inc") │ /PASLENn set the maximum number of bytes in the Pascal file (default = 80) │ /STOPBn stop comparing after n bytes (default = infinite) │ /STOPMn stop comparing after n matches (default = infinite) │ │ GetEQExe also supports a configuration file called "GETEQEXE.CFG". │ There you can put the following switches: │ /BIN │ /BIT │ /MAXn │ /MINn │ /NODIS * only if you have a registered version │ /NOHEAD │ /NOPAS │ /NOCON │ /OVER │ /NAMEfile │ /EXT * only if you have an extended output version │ Every switch has to be in an extra line. │ │ ≡ Available methods: │ /ADDIPn add IP to old one (subtract if n < 0; relative) │ /SETIPn Change IP to n (absolute) │ │ ≡ Available macro commands (case sensitive): │ c do a long call at the current position (only EXE files) │ f do a far jump at the current position │ j do a jump/call at the current position │ k do a 32 bit jump/call at the current position │ m do a MOV jump at the current position │ o goto overlay position of DOS EXE │ _ seperator for macro commands │ Between every command may be numbers which tell the number of bytes to │ skip. See examples for details. See JMP/CALL sections for details. │ │ ≡ The following switch combinations are invalid: │ /ADDIP and /SETIP -> either set IP or add something to IP │ /ADDIP and /END -> either add something to IP or relative goto │ /ADDIP and /GOTO -> either add something to IP or absolute goto │ /GOTO and /SETIP -> either set IP or absolute goto │ /GOTO and /END -> either absolute goto or relative goto from end │ /END and /SETIP -> either set IP or relative goto │ /BIN and /BIT -> no binary output and bit compare │ /BIN and /EXT -> no binary output and extended output │ /BIN and /DIFF -> no binary output if scan for differences │ /NOCON and /NOPAS -> that would mean no output anyway │ /NOPAS and /PASLEN -> cannot set pascal len if no pascal file is made │ │ ≡ The following switches are required when the first one is used: │ /DIFF -> /NOPAS -> if /DIFF is used /NOPAS is automatically set │ /BIN -> /NODIS -> if /BIN is used /NODIS is automatically set │ /BIT -> /NOPAS -> if /BIT is used /NOPAS is automatically set │ │ /DIFF- -> /FILL- -> if /DIFF is not used /FILL is disabled : ┌──-·· │ ■ Some examples │ GETEQEXE a.exe b.exe c.exe d.exe │ compare the startupcode (at CS:IP) of a.exe, b.exe, c.exe and d.exe │ │ GETEQEXE a.exe b.exe c.exe d.exe /MACROj │ goto CS:IP, evaluate one jump, then compare │ │ GETEQEXE a.exe b.exe c.exe d.exe /MACRO10j │ goto CS:IP, skip 10 bytes, evaluate one jump, then compare │ │ GETEQEXE ?.exe /MACRO10 │ compare all files that match the filemask ?.exe, │ goto CS:IP, skip 10 bytes, then compare │ │ GETEQEXE a b c d /MACRO10 │ the same as above. ".EXE" is the default extension │ │ GETEQEXE /MACRO5jj a b c d │ goto CS:IP, skip 5 bytes, evaluate 2 jumps, then compare │ │ GETEQEXE /MACRO5j10j a b c d │ goto CS:IP, execute macro "5j10j", then compare │ macro: skip 5 bytes, evaluate jump, skip 10 bytes, evaluate jump │ │ GETEQEXE /GOTO128 /MACRO1m6j a.com b.com c.com d.com │ goto position 128, execute macro "1m6j", then compare │ macro: skip 1 byte, evaluate a MOV jump, skip 6 bytes, evaluate jump │ │ GETEQEXE /NOCOM /ADDIP5 /MACRO7j15j a b c d │ will cause an error because it is not allowed to use /ADDIP and │ /MACRO at the same time because if you use a macro you can include │ the /ADDIP command in the macro: /MACRO12j15j : │ ■ Ripping code out of a file: │ GETEQEXE file_to.rip /GOTO512 /STOPB75 /BIN /NOPAS > result.bin │ rip 75 bytes from file_to.rip at position 512 (starting at 1!) │ create binary output and write it to result.bin : ┌──-·· │ ■ JMP/CALL/... section ├──-·· │ The JMP/near call command: │ JMP 1980h │ or │ CALL 1980h │ │ Valid jumps and calls are: │ $74 JE - jump if equal │ $74 JNE - jump if not equal │ $E3 JCXZ - short jump if CX is zero │ $E8 CALL - unconditional call │ $E9 JMP - unconditional jump │ $EB JMPS - unconditional short jump ├──-·· │ The MOV; JMP commands: │ MOV BP, 1980h │ JMP BP │ │ Valid registers (here: BP) are: │ $B8 - AX │ $B9 - CX │ $BA - DX │ $BB - BX │ $BC - SP │ $BD - BP │ $BE - SI │ $BF - DI │ │ Note: GETEQEXE does not validate the JMP command. It just takes the │ value and jumps there. ├──-·· │ The long CALL command: │ CALL 4027h:5622h │ │ Supported CALL commands: │ $9A - CALL ├──-·· │ The JMP FAR command: │ explanation 2 come :( : ┌──-·· │ ■ Some history of GetEQExe: │ │ 3.49 - fixed bug in /BIN command if /OUT is used │ some minor enhancements which were done while developing GT │ excluded 0 byte files │ 3.48 - fixed internal type problem with Win32 version │ 3.47 - added switch /BIT (bit compare support) │ improved documentation │ 3.46 - fixed problem with help system in Win32 variant │ 3.45 - tried to add support for UNC pathes │ fixed problem with path handling of Win32 version │ 3.44 - added support for NE self loading modules │ 3.43 - fixed severe bug with PE and NE executables :( │ 3.42 - first Windows version finished! │ 3.41 - enhanced output format for /DIFF so that equal bytes are marked │ when using /FILL │ 3.40 - added support for LE EXEs │ 3.30 - changed internally to new output method │ 3.29 - added switch /OVLAY │ 3.28 - added switch /FILL │ 3.27 - improved help system (removed "methods" section) │ added possibility to write syntax to file │ 3.26 - added switches /MIN and /MAX to set filesize limitations │ 3.25 - if E9h was found and macro "k" was used "r" is suggested │ fixed small string bug │ 3.24 - fixed memory bug when comparing PE EXEs which can cause crashes │ fixed very stupid bug which disabled the correct handling of macros │ which was in since 3.21 or so │ fixed range check error with negative jumps │ 3.23 - fixed bug if switch /NOPAS was used │ fixed strange output bug - TPs write function does not work ????? │ 3.22 - fixed bug with error that printed bytes. the wrong pos was used │ added "jne" $75 to the valid "j" macro jumps │ 3.21 - split up source code into several units (better readable) │ fixed strange runtime error │ 3.20 - fixed problem with new executables where the relocation offset │ in the header was between 24 and 64 │ fixed problem that /STOPBn always read one byte too much │ added $74 (JE) to the valid short jumps for macro "j" │ fixed bug in long called handling - offset was missing │ now every file has its own PE object table handler ;) │ removed /AAUTO switch - was not tested and made code too difficult │ some internal code restructures │ optimized disassembler module for size (saved ~1800 bytes) │ fixed stupid crach when not comparing PE EXEs │ 3.14 - added switch /NONE to disable scanning for NE/PE executables │ 3.13 - fixed problem with ET_COM/ET_NONE type -> now it's all ET_COM │ added possibility to disable switches with the "-" char at the │ end (e.g. "/nodis-"). used to overwrite switches in the cfg file │ 3.12 - now start counting at 0 │ 3.11 - fixed stupid bug with PE EXE detection │ fixed stupid bug with COM/non EXE files │ 3.10 - no abort if it is a new executable or a linaer executable │ fixed bug with huge offsets of PE executables (word -> longint) │ added explicit detection of new and linear executables │ removed /ADDCS and /SETCS │ /ADDIP and /SETIP are only valid for COMs and DOS EXEs │ now can compare new executables startup code │ Pascal file is deleted if no equal bytes are inside │ 3.04 - added output to switch /MAGICn │ 3.03 - added switch /STOPEn │ if no more space is on the drive for the Pascal file, it will │ automatically be canceled │ 3.02 - fixed problem with FindFirst - adding path manually │ fixed stupid bug if called without parameters │ 3.01 - added message if output is redirected and /NOCON is used │ added output of two message if switches are automatically set │ removed that no pascal file is created if only one file was found │ if no file matches the given masks, anothe message appears │ 3.00 - no Pascal file is created if /V is used │ no Pascal file is created if only one file is in use │ new FindFirst/Next/Close support for Delphi │ added headline for help system │ fixed big bug in C/ACS and I/AIP handling │ changed to long name commands │ code clearings │ more general command line handling │ now aborting if new Pascal filename is invalid │ fixed problem in commandline handling with long names and values │ removed all single command modifier (/A*) - should use macros │ updated documentation │ error if /NODIS and /BIN used at the same time │ 2.94 - fixed small problem with output of equal bytes on abort │ removed switch /F - now automatic detection │ 2.93 - added switch /A32J and according macro "k" │ added output of PE Entrypoint RVA │ 2.92 - changed from Get/SetFAttr to FileMode setting │ splitted switch /S into /SB and /SM │ 2.91 - fixed range check error with CS:IP output │ 2.90 - fixed problem if no files were opened │ added output of equal bytes found │ 2.89 - fixed problem if value of /E was too high │ made it compile with Free Pascal │ 2.88 - added switch /E - comparing at the end of the file │ added extending of path from switch /Fpath │ 2.87 - now I have asm code for every byte (except F1h) │ added switch /ND - no disassembler │ 2.86 - added a little assembler output (maybe helpful??) │ fixed problems with offset of new executable │ 2.85 - added error code on jmp/call otu of file border │ added some information to the output │ improved configuration file handling │ 2.84 - made better output and smaller code │ disallowed comparison of COM and EXE files │ 2.83 - generalized the MOV jumps ($B8 - $BF) │ advanced documentation │ added output of the bytes at the position of a wrong jump │ 2.82 - added switch /B for binary output │ added $E3 to the valid jumps (JCXZ) │ fixed bug with the switches AIP/I and ACS/C │ 2.81 - removed switch /Y │ allowed usage of /I within PE files │ 2.80 - hope I fixed type problem with E8 and E9 jumps │ made better code in PE entrypoint detection │ 2.79 - fixed problem with automatic filename extension if a directory │ with the same name exists │ 2.78 - if first identical byte is a jump -> print comment │ if nothing was found, Pascal file will be deleted │ Changed error message if file was not found │ 2.77 - removed switch /ACOM - now automatic detection │ added error messages if file is NE, LE or LX otherwise continue │ 2.76 - added $BE as valid move jump │ added check if it is really a PE or not │ 2.75 - disabled many switches in the configuration file │ 2.74 - fixed bug in calculation of PE entry point │ now using the values in the object table │ added possibility to capture startup code of a single file │ added switch /NH │ 2.73 - added automatic support for portable executables !! │ added switch /Y to move entrypoint of PE's │ released to the EXE mailinglist │ 2.72 - fixed bug that only allowed to use /F :( │ code clearings - smaller code │ advanced output of /X │ now an error occurs if file has no overlays and switch /AOVR is set │ 2.71 - fixed bug in loop handling │ added output of config file switches │ added support for filemasks (/F) │ 2.70 - removed bug in output │ 2.69 - added configuration file support │ optimized code a little bit │ first public release │ 2.68 - now attributes are restored on error │ now using string constants -> saved ~1 KB │ made complex but small parameter handling │ 2.67 - added check for redirection │ added documentation │ added additional commandline parameter check (NP, NS) │ added error if Pascal file exists │ added switch /O │ removed with /AIP and /I │ 2.66 - added faster print method : │ prior version were not documented because I never though that I'll │ ever release this piece of difficulty ... : ┌──-·· │ ■ GetEQExe is Copyright (c) 1997 - 2000 by PHaX ([email protected]) : --- EOF ---