
SMT
  • Zip - Windows / Computer tool
23 items in the archive
  • filescanner.05052001-smt/
  • filescanner.05052001-smt/file_id.diz
  • filescanner.05052001-smt/fs.dfs
  • filescanner.05052001-smt/fs.exe
  • filescanner.05052001-smt/fs.faq
  • filescanner.05052001-smt/fs.ini
  • filescanner.05052001-smt/fs_eng.doc
  • filescanner.06062001-smt/
  • filescanner.06062001-smt/fs.dfs
  • filescanner.06062001-smt/FS.DOC
  • filescanner.06062001-smt/fs.exe
  • filescanner.06062001-smt/fs.ini
  • filescanner.06062001-smt/fs_eng.doc
  • filescanner.06062001-smt/ws.doc
  • filescanner.06062001-smt/ws.exe
  • filescanner.08012002-smt/
  • filescanner.08012002-smt/fs.dfs
  • filescanner.08012002-smt/FS.DOC
  • filescanner.08012002-smt/fs.exe
  • filescanner.08012002-smt/fs.ini
  • filescanner.08012002-smt/fs_eng.doc
  • filescanner.08012002-smt/ws.doc
  • filescanner.08012002-smt/ws.exe
FILE SCANNER by SMT/SMF

File Scanner is a freeware program for identifying different file formats. It can now do more: unpack or decrypt DOS executable files, calculate sizes of directories, handle headers of executables, play sounds, edit binary files in hex, ASCII or asm mode, display ANSI, PCB, BMP, PCX, EMF, WMF and SCR pictures, and display the content of DBF files. The list of features is still growing... The features available differ from one file type to another.

Windows NT specific:

On Windows NT, File Scanner can display the list of local processes that have a file open, and the user/domain each process belongs to. This works only for local processes (Windows 2000 terminal service should work). It can't help if the process was started on another windows station and is accessed through the network (I have no network for such tests). This is not tested with NET_USE'd and SUBST'ed drives. If a process uses the file as part of its image (as a DLL), it will be reported. These checks use a lot of synchronization functions and are a bit slow. They can be disabled with the command-line switch '-ns' or in fs.ini.

Work with all files:

First of all, FS looks at the filename and tries to determine the type of the file by its extension (the file may not exist on disk, hehe). The file description can also be read from files.bbs, descript.ion, 00index.txt, and so on... Then File Scanner analyzes the start of the file and compares it with all records in the database.
It also displays more: dates of creation, modification and last access (with the -inf switch). The creation date is the date when the file was copied to this storage medium. For example, say you installed a program from CD-ROM: the last-modification timedate is the date when the file was compiled, but the creation timedate is the date when you installed the file on the HDD. FS also displays file attributes (again only with -inf).

The database was not started from scratch; I partially used the base from a program by Vadim Tarasov ([email protected]), with his permission, of course; you can get FileAnalyzer from the author: http://www.world.lv/vnet. Note that I did most of the database myself.

Work with directories:

Calculates the size of each sub-directory and its actual size (files are stored in clusters, so even if a file is smaller than the cluster size, it occupies an entire cluster on disk), and displays the directory structure as a tree. Due to a bug in Windows 95/98, programs can't determine the cluster size through the win32 API, so I use DOS interrupts (VWIN32 device). In Windows NT there is no such bug, and the cluster size is calculated correctly using the win32 API.

Work with DOS/COM executables:

Finds the program that processed this file, or the compiler. If there is an unpacker for this program, you can use "fs -u" to restore the file. The exe/com unpacker requires a Pentium or higher CPU.

Work with DOS/EXE files:

Almost the same as for COM executables, and besides that it shows the structure of EXE files: size of header, image and overlay. Available options:

fs -rd - remake executable. It can reduce the size of the EXE header and re-optimize relocations. Most linkers (TLINK, LINK) align the header to 512 bytes, so even a small assembly program has a large header. When remaking the header, FS decreases its size as much as possible.

FS can also analyze the first 256 bytes of the overlay (with option fs -o), so it can detect SFX archives. Use fs -sd to delete the overlay, fs -us to save image and overlay to files.

Work with LE/NE files:

Shows some parameters from the new-exe header.
Shows the description of the NE file, stored in the header. In Windows LE/NE files, FS looks for versionInfo in resources. By default it displays only the description and the version number. Use fs -v to display all info. The -v switch also works with MS compress packed files. Many NE files contain two different descriptions: one in the header and one in resources. FS can display exported resident and non-resident names (fs -e) and can display used modules (fs -i). Note that in NE files all imports are performed by ordinals (function numbers), so FS does not display names of imported functions. You can use other utilities (New-view) to see imported ordinals.

Work with Portable Executables (win32 files):

First FS tries to display all info about the DOS part of the executable (the so-called 'stub'). It can give info about the compiler, even if the file is packed/altered. For example, Microsoft compilers are detected as 'DOS stub from MSVC', Borland's as 'Borland tlink32'. As for NE files, FS displays a lot of info from the PE header. The most interesting is the linking datetime, so it is possible to find out when the program was really built and compare that with the release date. Both time formats are now supported: Microsoft (absolute time from 1601) and Borland (usual DOS timedate, count starts from 1980). To view detailed info, use the fs -i, fs -id, fs -s and fs -e switches.

Some words about fs -s: there are additional section "flags", like entry_here, import_here, etc... They are not stored in the section flags, but are calculated from values in the header. For example, if START_RVA is in the section's RVA area, then the flag 'entry_here' will be added.

FS also calculates the PE checksum and compares it with the value in the header. FS must read the entire file, so it may take some time, especially on big files, and FS doesn't try to find the checksum if it is not defined in the PE header.

Handling of PE-files:

'fs -c' - set correct PE-checksum. You may need to set the checksum after every change of a PE file, otherwise the file may not start (in Windows NT).
'fs -rd' - optimize the DOS stub, set alignment to 512 bytes - the least possible value; sometimes it decreases file size. It also sorts file sections by virtual size, thus making executables compatible with Windows 2000. Use the flag -spl to split sections with large zero areas. These zero areas will be saved as uninitialized sections, and the file size will be decreased. The flag -spl is also used to join adjacent sections with the same memory protection attributes; this flag may be used only with -rn or -rd. Another switch used with -rn, -rd is -ren. It renames sections of the portable executable according to their content and protection attributes. The following names are used:
  .text  for the section with the entrypoint
  .bss   for pure virtual sections
  .rsrc  for resources
  .idata for imports
  .edata for exports
  .reloc for base relocations
  .data  for other data
  .rdata for read-only data
  .mixed for sections with at least two of resources, imports, exports or relocations

'fs -rn' - same as '-rd', plus replacing the DOS stub. It replaces the DOS part with the smallest one (64 bytes). Some programs are able to reduce the stub to 12 bytes or less, but sometimes their results fail to run, especially on Windows NT. Use -rd and -rn to restore 'damaged' files that do not run. Thus, it's possible to make a UPXed0.50 file run on Windows NT (but you must set the 'writeable' attribute on the last section yourself).

'fs -rn:<dos_file> <pe_file>' - combine two executables: when you are in DOS, the first executable runs; in Windows, the second. All DOS executables that are not self-checking can be used here; files with overlay may also work. The original algorithm allows very large DOS files to be used for the stub.

FS displays mangled C++ names in imports/exports in readable form, so it'll show 'public: __thiscall ios::ios(class streambuf *)' instead of the unreadable '??0ios@@QAE@PAVstreambuf@@@Z'.

'fs -inf' - show more details from the PE header.
'fs -us' - saves the DOS image and the PE sections into separate files.

PE unpacker:

The unpacker can handle redirected and trapped imports, works in WinNT/2k and may work in Win95 (not tested much, so expect bugs). If you're running Windows NT, please report bugs. It is strongly recommended to use 'fs -rn -spl' on the unpacked file after unpacking.

Work with RIFF and IFF files:

RIFF stands for 'resource interchange file format'. A RIFF file can contain any type of information. These files are mostly used by Windows applications. A RIFF file contains sections. Every section has an identifier, the so-called TAG, that shows what info is stored in the section. The FS database contains info about these tags. For now there are only a few tags. FS shows details for RIFFs with tag 'WAVE': sound codec, bitrate, quantization frequency, and some other info, and for AVI files: resolution, bitrate, codecs, audio format, etc... FS also analyzes Amiga IFF files, and may show info about ILBM pictures: resolution and number of colors. Use the -n switch to display only valuable info. Use fs -us to extract chunks.

Work with MPEG files:

FS shows the most interesting parameters of MPEG: MPEG version, layer, bitrate, frequency, flags and more... The MPEG header is too small (4 bytes) and contains too much info, so fake 'MPEG' streams could appear almost anywhere, though I tried to avoid them (FS checks bitrate and frequency and skips strange files; FS also tries to find a sequence of the same headers in the MPEG stream...). So rely on your common sense if FS finds an MPEG stream :) MP3 music files can contain ID3 info; then FS can show artist, album name, music style and other info from ID3.

Work with music modules:

For now only MOD, 669, S3M and MTM music modules are supported. FS shows the version (if the file format has one), the module title, and the list of samples used... Often there is info about the module, greetings and other composer's notes in the sample names, so it is useful.
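For the PE checksum check and the 'fs -c' fix-up described under "Work with Portable Executables" above, here is an added Python example (not code from File Scanner) using the commonly documented algorithm: a 16-bit end-around-carry sum over the file with the CheckSum field treated as zero, plus the file length. The function names and the 256-byte sample are constructed for illustration.

```python
import struct

COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL = 64   # CheckSum offset in the optional header (PE32 and PE32+)

def checksum_offset(data):
    """Return the file offset of the 4-byte CheckSum field, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    off = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or off + 4 > len(data):
        raise ValueError("no usable PE header")
    return off

def pe_checksum(data):
    """Sum all 16-bit words with carry folding (CheckSum zeroed), then add the length."""
    off = checksum_offset(data)
    buf = bytearray(data)
    buf[off:off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)                       # pad odd-sized files for word access
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def check(data):
    """Return 'not set', 'ok' or 'mismatch' for the stored CheckSum."""
    stored = struct.unpack_from("<I", data, checksum_offset(data))[0]
    if stored == 0:
        return "not set"                    # nothing to compare against
    return "ok" if stored == pe_checksum(data) else "mismatch"

def set_checksum(data):
    """Return a copy of data with the computed CheckSum written into the header."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)

def make_sample():
    """Constructed 256-byte skeleton: MZ magic, e_lfanew=0x40, PE signature, zeros."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample()
    fixed = set_checksum(sample)
    tampered = fixed[:200] + b"\x41" + fixed[201:]   # one byte changed after fix-up
    print(check(sample), check(fixed), check(tampered))
```

A 'mismatch' on a file that previously verified is a cheap indicator that it was modified after linking; the sum is not cryptographic, so 'ok' says nothing about authenticity.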
Binary registry files:

Binary registry files from Windows NT (tested on Windows 2000) and Windows 95 can be extracted to .reg format. Useful for exploring stolen registry files without compatibility troubles, hehe ;-)

Content-dependent viewer:

Use the -view key. It now supports these formats:

1. wave
2. midi/rmi
3. bin (raw textscreen dump) with filesize = 4000 or 8000 (dec)
4. ANSI. There can be multiple pictures in one file, delimited by the CLS command. Use -del:nn to set the slideshow delay in 1/1000 of a second.
5. RAW sound - sound is played when the -snd: or -sbf: switch is used. The default format is 22 kHz, 8 bit, mono, and the sound buffer size is 16Kb; they must be overridden with the switch -snd:f,b,c or -sbf:nnn.
6. Creative VOC files. Limited support - no player for silence blocks and for looped samples.
7. Windows bitmaps. Keys: left, right, up, down - scroll picture, GrayPlus - ZoomIn, GrayMinus - ZoomOut, GrayMult - ZoomToScreen, GrayDiv - set original size, Enter - ZoomToMaxWithoutAspectDistortions.
8. ZSoft PCX images. Supported color formats in the decoder:
     8 bits * 3 planes (16M, 64K, 32K colors)
     8 bits * 1 plane (256 colors)
     1 bit * 4 planes (16 colors)
     1 bit * 1 plane (monochrome)
   I think that's all possible PCX formats.
9. SCR-6912 and SCR-6144 files; keyboard controls are the same.
10. Windows ICO, ANI, CUR
11. Unix-style manuals. These are usual text files with 'bold' and 'understriked' codes. This is not the 'man' document format, but files prepared for printing (for example by 'man <cmd> > <file>').
12. DBF files. Supported: dBASE III, FOX PRO, dBASE IV. Sorry, the viewer is GUI-based and very simple - no search (maybe later...), but I coded sorting (click a column header; as in many programs, click the same header again for reverse sorting). Hint: try CTRL+GreyPlus while exploring DBF.
13. Windows metafiles (*.wmf) and enhanced metafiles (*.emf) vector files
14. Fonts preview: .FON and .TTF formats. Works only on NT.
15. JPEG viewer: displays true color and monochrome JPEGs; progressive JPEGs are not supported.

File optimizer:

For now only DOS EXE and PE EXE formats are supported... It is described above.

Hex viewer/editor:

These are the -hex and -hxr switches. The editor is fully customizable; you can set your own keys and your colors in fs.ini. I added this function because the most popular hexeditor (hiew) became shareware, and I don't like to pay for soft; moreover, the full version and the shareware demo version are different, so it's not possible to crack the shareware version to get it to work like the full version... This hexeditor has many advantages in comparison with competing products: it's freeware (unlike hiew); it's not portable (unlike biew and hiew), so it uses all OS power (though biew contains OS-dependent file I/O and may compete with FS in speed); it's a win32 application, unlike qview (DOS apps require loading ntvdm.exe and executing autoexec.nt and config.nt, so they are slow); it's customizable; I'm adding new functions to it frequently; more friendly interface; Windows clipboard support; easy block selections and manipulations; and many others... Drawbacks: no support for SYS/NE/LE/LX/ELF/etc formats, only MZ/PE.

Undo operations: it's really useful - you can undo any changes (and redo them again). The undo history list is the best way to see what changes were made. The number of undo steps is limited only by free disk space. File Scanner keeps undo data between edit sessions by default. You may disable this in the .ini file (if free disk space is important). One interesting thing is the 'UndoByte' command - it restores the original byte value in a changed block (so it's not necessary to undo the whole block).

Some words about the clipboard. It is designed to be compatible with other applications; that's why FS does not create its own clipboard format and uses standard CF_TEXT. Therefore there are some limitations: you can't place control characters into the clipboard.
When the cursor is in the hex area, the clipboard works with a hex dump of the data, so every byte can be stored; in the text area the clipboard works with normal text strings. If you want to do binary block operations, make sure that the cursor is in the hex area; do not mix text and dump.

Search - there are three search modes:

1. Byte sequence or string. Here is a trick from hiew: when you press enter on the text field, the search is not case-sensitive; when on the hex field, case is important. You can search with a mask (this feature is taken from STS monitor - the coolest debugger I've ever seen ;-]), so you can find all instructions like add [eax+nn],15 - search for 80400015 with mask FFFF00FF. String search starts from the cursor.
2. Find relative reference - find a call, jump, long 386 jump or loop to the point at the cursor. Make sure the needed disasm mode is active (16 or 32 bit). This search starts from the beginning of the file.
3. Find absolute reference. You can find a raw 32-bit pointer to the cursor or a pointer to the cursor's virtual address. I often use this when cracking win32 progs - for example, find the string "Insert CD..." and then immediately find the reference to this string... then find the conditional jump (using relative search) to this routine and patch it! This type of search also starts from the beginning of the file.

FindNext - repeat the last search, but from the cursor position.

Goto function - it's possible to use a virtual address if VA-mode is on.

Splitscreen mode - using this feature you can see two parts of your file simultaneously; for example, in 16-bit and 32-bit disasm modes, or in text and in disasm modes. The two windows are completely independent - they have their own selected block marks, view, put and bitness modes and so on. Any changes made in the first window are immediately displayed in the second. You can also adjust the sizes of the view windows.

Save block - just saves the selected block to a file at a given offset. You must select some block.
Load block - if there is a block selected, loads a block from a file into the selected block (the size of the loaded part is not more than the size of the selection); if there is no selected block, loads the file from a given offset until the end of the file to the cursor location... Note that, as in copy&paste operations, the put mode is important... so you can LOAD, INSERT, XOR, AND, and OR data.

PE header editor, data directory & sections editor - press esc to undo changes or enter to accept. Pressing enter on the rva field of a data directory or on any field of the section dialog will jump to the corresponding data structure.
  goto exports: redirected exports are shown as oldname -> newdll.newname
  goto imports: jumps to the IAT entry corresponding to the selected function. Hint: press 'FindRawRef' (mapped to Alt-F7 by default) to search for references to the imported function. If you've found a stub like 'jump dword [func]', then place the cursor at the start of the 'jmp' and press 'FindRelRef' (Ctrl-F7) to get refs to this stub.

Fill: the fill operation uses the put mode, so you can fill a block with a pattern, or 'xor', 'and', 'or' a block with a pattern, and use a mask for these operations. For example, to reset the low byte in each dword you may use and mode with pattern 00,FF,FF,FF, or put mode with pattern 00,FF,FF,FF and mask FF,00,00,00; for setting the low byte of each dword in a block to 46, use put mode with pattern 46,00,00,00 and mask FF,00,00,00. Obviously, you may set/reset particular bits in a block. I hope you got the idea...

Assembler and disassembler: supports the x86 architecture (without MMX, 3DNow, SSE), Zilog Z80 (complete! all opcodes, even undocumented) for hacking ZX-Spectrum snapshots, and 6502 for hacking Nintendo (aka Dendy) games and a lot of other platforms that use the 6502.

Calculator: the calculator has the following operators: ~,!,*,%,/,+,-,<<,>>,<,>,<=,>=,=,==,!=,&,^,|,&&,|| and round brackets. Operator precedence is the same as in C/C++. All numbers are hex by default and must start with a digit (e.g. 0-9); decimal numbers must start with @; character codes are constructions like 'x', 'abcd' and so on. You can use cut and paste to move a value from the calculator to another dialog.

Bookmarks: there are usual ('fixed') and 'sticky' bookmarks. Usual bookmarks contain an absolute offset from the start of the file. Sticky bookmarks 'stick' to the marked byte: if there is an insertion or deletion operation before the bookmark, it moves. If you delete a block containing a sticky bookmark, the bookmark will be deleted too. Bookmarks may be saved between edit sessions (KeepBookmarks=1 in the .ini file).

Many functions and options are described in fs.ini.

Non-file & misc. functions:

-inf - show more info: filetimes, filesize, details from headers, etc...

Switch -n: use this switch for brief info about a file. When this switch is active, FS does not display filetimes and filesizes, RIFF tags, music module sample names, strange values in PE/NE-exe headers, and some other additional info.

Switch -p: wait for a keypress after printing a full screen.

-mono - disable colors.

-cs:<new_cluster_size> : override the cluster size. Useful for estimating directory size on a drive with another cluster size without copying the directory there. The cluster size can't be zero.

-ans - ANSI output - very useful with wildcards. You can specify the output ANSI filename as shown here: fs -n -ans:c:\test.ans *.exe *.com and view the result with your favourite ANSI viewer; you can even output the FS database contents to an ANSI file. Use it with the switch -mono to create a text log file.

-slnt - show messages only about performed actions, such as "checksum: setting to right value". May be used with bat-files or with wildcards: 'fs -rr2 -slnt *.exe *.dll *.ocx'. This switch was undocumented for some time.

Ansi and PC-Board viewer:

Keyboard controls in the ANSI viewer: ESC - return; UP, DOWN, PGUP, PGDN, HOME, END - scroll; the same keys with CTRL - quick scroll.

Known BUGS:

  Unpacking DOS COM/EXE: the file extension doesn't change, even if the file format changes; e.g. if you unpack an EXE file created by COM2EXE, the output file will be a COM file, but the extension remains .EXE
  Does not show FileVersionInfo of VxDs when running on Windows NT
  Displays blinking in ANSI only if VGA is already in blinking mode. You must run a DOS program that sets the needed video mode (like acidview.exe or pv.exe) before running FS with blinking ANSIs
  Unpacker: can't detect hackstop 1.11, 1.13 for .com-files due to limitations of my script detection system; it detects it as RCC/286 but unpacking fails, because the script must be different
  ANSI viewer and hexeditor look strange in 80x50 videomode - please don't use this mode!

Win9x-specific bugs (too many, that's why I plan to stop supporting 9x):

  -view -sbf:7000000 can completely hang the system on some sound cards
  hexeditor: can't enter symbols in alternative keyboard layouts
  pe-unpacker is not tested very well
  a lot of scripts for the pe-unpacker will not work (copy-on-write not implemented)
  font viewer will not work

Plans for future versions:

  hexeditor: mouse support (?)
  hexeditor: 3DNow!, MMX, SSE instructions

General info:

File Scanner was written by SMT ([email protected]). The latest updates of FS can be found on http://smf.chat.ru/

Greets:

Greets to Veit Kannegieser - why don't you develop typ3 anymore ???
Hello to Liu TaoTao - TR is great!!!

Big thanks to those people who helped me to make this incredible program:
  MajestiC - logo, a lot of packers
  Duke/SMF - many ideas, comments, *file*formats*, packers, etc...
  Alexander Alferowich - bugreports and some suggestions
  mAXX - some suggestions
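The masked byte search (80400015 with mask FFFF00FF) and the masked Fill described in the hex editor section above, written out as an added Python example (not File Scanner's code); it is the same wildcard-by-mask matching that byte signatures rely on. The function names and sample bytes are constructed, and applying the mask to the xor/and/or modes as "only masked bits change" is an assumption about the semantics.

```python
def parse_hex(text):
    """Parse dialog-style input such as '80400015' or '00,FF,FF,FF'."""
    return bytes.fromhex(text.replace(",", " "))

def masked_find(data, pattern, mask, start=0):
    """Offsets >= start where data equals pattern on every bit set in mask."""
    if not pattern or len(pattern) != len(mask):
        raise ValueError("pattern and mask must be non-empty and equal in length")
    want = bytes(p & m for p, m in zip(pattern, mask))
    hits = []
    for i in range(start, len(data) - len(pattern) + 1):
        window = data[i:i + len(pattern)]
        if bytes(b & m for b, m in zip(window, mask)) == want:
            hits.append(i)
    return hits

FILL_OPS = {
    "put": lambda old, pat: pat,
    "xor": lambda old, pat: old ^ pat,
    "and": lambda old, pat: old & pat,
    "or": lambda old, pat: old | pat,
}

def masked_fill(block, pattern, mode="put", mask=None):
    """Apply pattern cyclically over block; only bits set in mask are changed."""
    if mask is None:
        mask = b"\xff" * len(pattern)       # no mask given: every bit is affected
    if not pattern or len(pattern) != len(mask):
        raise ValueError("pattern and mask must be non-empty and equal in length")
    op = FILL_OPS[mode]
    out = bytearray(block)
    for i, old in enumerate(block):
        p, m = pattern[i % len(pattern)], mask[i % len(mask)]
        out[i] = (old & ~m & 0xFF) | (op(old, p) & m)
    return bytes(out)

# Constructed samples: two 'add [eax+nn],15' encodings around a near miss
# (80 41 .. uses a different register), and two little-endian dwords.
CODE = parse_hex("90 80400815 80410815 80407F15 C3")
DWORDS = parse_hex("11223344 55667788")

if __name__ == "__main__":
    pat, msk = parse_hex("80400015"), parse_hex("FFFF00FF")
    print(masked_find(CODE, pat, msk))                  # search from start
    print(masked_find(CODE, pat, msk, start=2))         # FindNext-style, from cursor
    print(masked_fill(DWORDS, parse_hex("00,FF,FF,FF"), "and").hex())
    print(masked_fill(DWORDS, parse_hex("46,00,00,00"), "put",
                      parse_hex("FF,00,00,00")).hex())
```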
filescanner.05052001-smt/fs_eng.doc