Hiew8 DEMO (based on release 8.

13)
http://www.hiew.ru/
Release notes: version 7.40
New engines are for 64bits disassmbler and assembler with x86-64
commands full support. Added PE32+ format support. Crypt grow up 64bit too.
**VERY IMPORTANT**: Command MUL and DIV are changed !
(See section 'Crypt' for details)
For migrate previous crypt-program are *attentively* examine use the commands
DIV/MUL and replace first line to '[HiewCrypt 6.70]'.
Release notes: version 7.00
After a considerable delay version 7.00 of Hiew has been released.
There are many new features:
- Hiew does not support DOS or OS/2 operating systems any longer.
- Hiew now works with files and blocks of any size, so it can be used with all
physical and logical drives in the system (provided user has sufficient access
rights of course).
- Keyboard macros
- Progress bar
- Fixups highlighting for PE and MZ
- Following offset based jumps/calls with one touch
(for example, when Hiew encounters a call d,[12345678] instruction,
it checks if the value at the offset of 12345678 looks like VA,
and assigns this call a number: call d,[12345678] ;.87654321 --- (1) )
- New algorithm for reading the Import Table.
- Search speed has been slightly (~5-7%) increased.
**VERY IMPORTANT**: Assembler search wildcards have been changed. They are
unified with the File wildcards now (see 'String Wildcards')
Release notes: version 6.70
Crypt is 32-bit now. Crypt programs (*.cry) are written in text format
now. Old binary format from version 5.01 will be supported by current version
(6.7x) only! Tho new operators were added: AND, OR. Programs can be up to 32
lines long. Lines starting with ';' treated as comments.
Release notes: version 6.60
Support for little-endian ELF executables
EDUMP - common dumper for NE/LX/LE/PE/ELF files
Release notes: versions 6.29/6.30
32-bit console version for Windows.
PEDUMP.EXE - dumper for PE files.
All utilities have versions compiled for DOS, OS/2, and Win32
Release notes: version 6.15
Starting with this release HIEW is SHAREWARE. See register.txt for
details.
Release notes: version 6.00
New features in version 6.00:
- "crypt" has been removed (it will be a separate project)
- Switching between files specified in the command line moved to
CtrlF11/CtrlF12.
- Alt- functions moved to Alt-Fn (except for Alt-P, Alt-H, Alt-=). See hiew.hlp
for details.
- History has been added for string input (PgDn) and file section
(press Backspace for menu, Tab to select next file in history).
- "ActionAfterWriteSavefile" option removed from the ini-file.
- "NextFileSaveOffset" option (preserve current offset for next file)
replaced by "NextFileSaveOffset" option (preserve current state for next file)
Contents
About HIEW
Assembler mode (DEMO N/A)
Basing
Block operations
Status bar
Keys
Bookmarks
Jumps (call/jmp) in disassembler mode
String wildcards
Search and replace
Crypt (DEMO N/A)
Local and Global offsets
Keyboard macros (DEMO N/A)
Text string extraction
INI file (DEMO N/A)
SAV file (DEMO N/A)
XLT file structure
Command line
About HIEW
Basically HIEW is a hex viewer for those who need to change some bytes in the
code (usually 7xh to 0EBh). Hiew can view files of unlimited length in text,
hex, and disassembler modes.

Features:
* displaying files of any length in text, hex, and decode modes
* view, edit, search/replace for unicode
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE, PE32+ and little-endian ELF executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN,...
* following direct call/jmp instructions in any executable file with one touch
* built-in simple 64bit decrypt/crypt system
* built-in powerful 64bit calculator
* operations with blocks of arbitrary length: read, write, fill, copy, move,
insert, delete, crypt
* multifile search and replace
* editing the NewExecutable files header
* keyboard macros
* unicode support
* Hiew Extrenal Module (HEM) support
 Assembler mode
Not available in DEMO version
For true assemblers!
All numbers are hexadecimal by default, but the suffix "t" changes to
decimal (e.g. mov al,10t). Possible use string as immed operand (e.g. mov
eax,"sign") Constant arithmetics is supported (i.e. mov bx,
[123+23-46h] produces same results as mov bx,[100h]). Error messages are
very brief (invalid command, syntax error, invalid operand,
missing/invalid size).
Three non-standart commands exists:
jmps = jmp short
jmpf = jmp far [mem 16:16/32/64]
callf = call far [mem 16:16/32/64]
Commands can be assembled different way. Since version 7.40 appeared
the possibility of the choice: F4 when entering the assembler command switches
to choose from available variants or put the command of the minimum length.
Under included options 'nop' will offers the different length from 1-9 bytes.

Basing
Base is a constant that is added to all offset and jump addresses.
If current offset is YY, and you want it to be XX, you can enter "*XX" as a
base (note the asterisks!). Pressing Ctrl-F5/Ctrl-F5 produces same result.

Block operations
Block operations work only in "Hex" and "Decode" modes. You can mark
blocks without switching to Edit. Marked block can be written to a file by
pressing F2 (PutBlk).
To append the block to the end of file, type '*' character. You can load a
block from another file by pressing Ctrl-F2 (GetBlk). Block will be loaded at
the current offset.
Since version 6.10, if nothing is marked in the current file, history is
searched for the latest file where the block is marked, and this block is used.

Status Bar

xx% Filename.ext .dFRO -------- xxx PE xxxxxxxxHiew8 DEMO (c)SEN

percentage current progress bar will
indicator offset appear here
(when BAR=P V
in HIEW.INI) neexecutable type
V
file name
> * Text mode: index of the
first column
kbmacro state: < * DeCode mode: operands and
R - recording addresses width;
 0..8 - replay 'a' means it was
recognized automatically
search direction < for executable

search area: < > status of all bookmarks
F - whole file '-' free
B - block '1..8' occupied
A - list from the command line '*' current

file state: <
R - opened in Read mode
W - opened in Write mode
U - modified

O - overwrite block <
I - insert block

Keys
All keys described in the HIEW32DEMO.HLP help file (press F1 to open). You may m
ay
modify HIEW32DEMO.HLP, but modified version should keep "[HiewHelp 7.00]" in the
first line. Semicolon
';' denotes a comment. F1 calls corresponding section (from [xxxx] to [yyyy]).
HIEW32DEMO.HLP must end with section called [End].
Since version 7.00 it is possible to create section links with:
+[SectionName]

Bookmarks
Bookmarks allows you to save the current screen and restore it later. Press
'+' to save state of the current screen. Up to eight screens can be saved, and
each saved screen is assigned an index 1..8. To restore a screen press one of
Alt-1...Alt-8 according to the screen index. Bookmarks are kept separately for
each mode (Text/Hex/Decode).

Jumps (call/jmp) in disassembler mode

Jumps are more configurable now. They can be specified in the jumpTable
array of HIEW.INI. It is a string (in C since) of digits and letters. First
character ('0' in HIEW 4, 'Z' in HIEW 5 day 28) is used to undo jump. Character
read from the keyboard are converted to upper case, then looked for in the
jumpTable. By default jumpTable consists of digits '1'-'9' followed by letters
'A'-'Z'.

String wildcards
String wildcards are used in the following places:
1. Search for wildcard in decode mode (F7-F7)
2. File masks in filemanager (F9)
3. Mask for imported functions in the Import Table (F8-F7)
Wildcard symbols:
? - any single character
* - arbitrary number of any characters (0 or more)
{ABD} - A, B, or D
{A-D} - A, B, C, or D
{!ABC} - any single character except A, B, and C
! - anything but ... (must be the first character)
Examples:
All executable files in file manager: *.exe
All non-executable files in file manager: !*.exe
Filter from imported functions ones working with registry:
reg*key* = RegCreateKey, RegDeleteKey, RegQueryKeyValue, etc.

Search and replace

If Enter was pressed in ASCII field, search is case insensitive, for
case sensitive search move cursor to HEX field before pressing Enter.
You can search assembler commands (F7). (DEMO N/A)
Search/replace can be restricted to a selected block now (F4 while
entering the search or replace string).
In the disassembler mode assembler commands can be searched with wildcards
(see above). If entered assembler command contains any of the wildcard
characters, wildcard search is started, otherwise command is just assembled.
Assembling can be forced with Ctrl+Enter for commands like 'mov eax,[eax*2]'
For example, in the DECODE mode <F7><F7> 'mov ax, *' will find 'mov ax,1234h",
"mov ax,sp", and like.
"mov ?x, ax" will find "mov ax,ax", "mov bx,ax", "mov cx,ax", and "mov dx,
ax",
but not "mov bp,ax" or "mov si,ax".

*** IMPORTANT ***

strings are compared without conversion! Do not forget any leading
zeroes, like 'cmp *,0ab' for byte, 'cmp *,000ab' for word, etc...

Since version 5.83 possible search for the sequence of the commands,
preparing their special character. Since version 7.40 such chracter is '/'.
For example: "push *10 / call * / add *"
will find: will not find:
-------- ---------
push 00010 push 00010
call 01234:05678 push 00011
add sp,00006 add ax,00006

Since version 6.10 search and replace can be performed in all files
that were specified in the command line. Option "filArg" must be activated by
pressing "F4" while entering search or replace string.
Alt-? can be used in ASCII and hex searches as any symbol wildcard. For
example (HEX mode, F7): 00 01 ?? 03 04 (?? is shown in place of Alt-?) will
find '00 01 02 03 04', '00 01 FF 03 04', '00 01 AC 03 04', and like.

Crypt (F7 in Edit mode)

Not available in DEMO version
Crypt can be used for (de-)crypting code or data with some simple
algorithm. Byte/Word/Dword/Qword of code or data is crypted at a time
(press F2 to change crypt width). Crypt routine must end with "LOOP lineNumber"
operator.
Available commands:
Reg mode : neg,mul,div
Reg-Reg mode: mov,xor,add,sub,rol,ror,xchg,and,or
Reg-Imm mode: mov,xor,add,sub,rol,ror,and,or
Imm mode : mul,div,loop
All 8/16/32/64-bit registers are available and equipollent, except for
AL/AX/EAX/RAX that is used for (de-)crypted byte/word/dword/qword input and
output.
Differences from usual assembler:
* there are no jumps;
* 'loop' means jump or stop
* 'rol/ror' operands must have the same width, i.e. ROL AX,CL is not
allowed.
* (7.40+) command DIV divides unsigned value in the register RAX by
source operand (register or immed) and store quotient in the RAX
and remainder in the RDX.
* (7.40+) command MUL performs an unsigned multiplication of the
operand (register ot immed) by register RAX and the result store
in register RAX.
Example:
a. XOR byte with 0AAh:
1. XOR al,0aah
2. LOOP 1
b. XOR word with mask increment
1. MOV dx,0
2. XOR ax,dx <-+
3. ADD dx,1 |
4. LOOP 2 --+

Local and Global offsets

Since version 5.40 Hiew can show (and set) local offsets, i.e. offsets from the
beginning of a segment or an object. Local offset is represented by a dot
followed by the offset itself.
For the case of the local offset in the NE/LX files, the new offset is
calculated as SSSSOOOO, where SSSS is a segment number for NE, or base for LX;
OOOO is a local offset. If SSSS is zero, then the offset is calculated from the
current segment.
For PE files object alignment (OA) is used in calculating the base. If you
enter (with F5) a local offset that is less than OA, the jump is performed in
the current section.
For LX files having objects larger than 0xFFFF (see object 1 in FC.EXE),
offsets are displayed as in some debuggers (for example, in SD386), and you
should use jumps like .0x200234, although there's no such base as 0x200000.
If the cursor is outside of a segment/object, error message is shown (incorrect
jump calculation).
*NB!* If the first input symbol is '.', the offset is considered local,
otherwise it is global.
Examples of local offset inputs with F5:
a: (NE) .10023 - offset 0x0023 in the first segment
b: (NE/LX/PE) .23 - offset 0x0023 in the current segment
c: (LX) .10023 - object with base 0x10000 is searched in Object Table
and a jump to local offset 0x0023 is performed
d: (PE) .401023 - virtual address (VA) 401023
If a local offset is set, then wildcards and NE/LX/PE links are searched only
in code segments. For dual-EXE the search area is defined by the active header.
If MZ header is active, then search stops at NewExe header.
Since version 7.00 64-bit offset representation is switched on for files larger
than 4 gigabytes. The offset is shown as "high32'low32". This is because
otherwise long numbers with lots of zeroes are difficult to read.
Titlebar for this kind of files always displays 64-bit offset, while in the
left column it's only shown on screens wider than 89 characters, otherwise just
low 32 bits are displayed, and you have to check the titlebar for the rest.

Keyboard macros
Not available in DEMO version
Macros allow you to record a sequence of keypresses in order to replay it
later.
1. Press Ctrl-. to start recording
2. Press any keys you want to record
3. Press Ctrl-. to stop recording
Recorded sequence is assigned to Ctrl + 0 as Macro0. It is possible to move it
to anothercombination (from Ctrl + 1 to Ctrl + 8) with Ctrl-Minus; it is also
possible to save it to a file, load it from file, specify delay between
replayed keypresses and set other various flags.
Key combinations for macro recording and playback:
Ctrl-Minus - Macro manager (see button functions below)
Ctrl-. - record/stop macros to Macro0
Ctrl-0 - replay Macro0
Ctrl-1 - replay Macro1
...
Ctrl-8 - replay Macro8
Macro manager:
Enter - replay current macro
F2 - From 0 - copy Macro0 here
F4 - Delay - set delay between keypresses
F5 - Rename - rename macro
F8 - Unload - unload from memory
F9 - Store - save macro to a file (DEMO N/A)
F10 - Load - load macro from file (DEMO N/A)
F11 - Up - move macro up
F12 - Down - move macro down
AltF1 - Loop - loop macro playback
AltF2 - FailSr - stop playback if search returned no results
Also it is possible to run Hiew with a macros from the command line:
HIEW /MACRO0=<filename> (DEMO N/A)

Text string extraction

Starting from version 7.10 it's possible to extract all text strings
(sequences of letters, digits and some ASCII7 special characters) from
the file or selected block, and pass extraction results through
a wildcard-based filter. You have to be in hex mode in order to invoke
this function; whole file is being used for extraction when no block
is selected. Strings with length smaller than 'MinStringLength='
ini-file parameter value are ignored, and this value itself cannot
be smaller than 4. Also, wildcard search is limited to the first 1000
characters of a string.

INI file
Not available in DEMO version
HIEW.INI file is searched in HIEW.EXE home directory. INI file can be
specified in "/INI=<inifile>" command line parameter. HIEW.INI must start with
"[HiewIni 5.03]" in the first line! Blank lines and commented lines (starting
with ';') are ignored.
Detailed information about all options is provided in the HIEW.INI itself.

HEMKEYS.INI file
Not available in DEMO version
Since version 7.45 in hem-directory can be placed the file HEMKEYS.INI
with one-character keys of direct call hem-modules in hem-menu (F11).
First line must be line '[HemKeys 7.45]'. Next lines are keys defined:
k: hemfile
Blank lines and commented lines are ignored.
Characters are converted in uppercase.
The hem-file name is compared from begin and is taken the first coincidence.
Example:
[HemKeys 7.45]
w: FileWalker.hem
V: PEVERIFY

SAV file
Not available in DEMO version
 If started without any parameters, HIEW looks for SAV-file in the
current directory ("HIEW.SAV", or the value of 'savefile' statement in
HIEW.INI), and restores the previously saved (with Ctrl-F10) state.

XLT file structure

typedef struct{
BYTE sign[ 9 ], // "HiewXlat",0
unused[ 5 ],
versionMajor, // 0x05
versionMinor; // 0x40
}XLAT_HEADER;
typedef struct{
BYTE title[ 16 ], // show in F8
tableOut[ 256 ], // for output
tableIn[ 256 ], // for input
tableUpper[ 256 ]; // for search with ignore case
}XLAT;
Maximum number of translation tables is 15
All translation tables can be viewed with F8-F9 in textmode, or Alt-F8-F9 in
other modes, including Edit mode.
Command line
Hiew [options] [/s]filemask...[/s][filemask]
/O[thc]=OEP|END|[.]offset[th] - assign start mode and start offset (DEMO N
/A)
/MACRO0=<macrofile> - run keyboard macro after start (DEMO N/A)
/SAV=<savefile> - location of savefile (DEMO N/A)
/INI=<inifile> - location of inifile (DEMO N/A)
[/s]filemask...[/s][filemask] - more files, including wildcards

* option /s toggles search with subdirectories:

hiew /s *.dll *.exe /s *.txt -> search for .dll and .exe in subdirectories,
and for .txt files in current directory only

* offset in option '/O' possible reference in any type supported by hiew insid
e:
- with first dot as local offset
- base by default (16) may be changed by suffix 't'
as well as:
- special offset 'END' (without quote) set cursor at last byte of the file
- special offset 'OEP' (without quote) set cursor at entry-point of the exe-
file
examples:
/Ot=END - text mode, end of the file
/Oc=OEP - code mode, cursor at entry-point
/Oh=1234 - hex mode, offset as 1234 (hex)
/Oh=0x1234 - too most as above
/Oh=1234t - hex mode, offset as 1234 (decimal)
/Oc=.401234 - code mode, local offset 401234
* since version 7.40 the option '/O' it is used to all files
of the command line under CtrlF9/CtrlF11/CtrlF12
 Eugeny Suslikov <[email protected]>, <[email protected]>