Easy-to-use disassembler Author: Ripper (Fuckup5Group) Website: www.fuckup5group.de.vu Begining: 01/21/01 Used compiler: Borland C++ 4.02 Date format: month/day/year Changes: v2.15 ALPHA - Illegal options in popupmenu in hexmode become deactivated (10/30/04) - Double clicking on a function in the exports dialog takes you directly to it (10/30/04) - Improved search function to better show the found stuff and behave more as it should do (10/30/04) - If you choose a mode in the goto dialog, the focus is set back to the edit control (10/28/04) - ETU now creates backups of originals files if not disabled (It creates the backup filename by replacing the extension (the stuff behind the last point AFTER every backslash) by 'bak' or adding '.bak' if the extenstion doesn't exist. Then it deletes any file with that backup name, before it renames the original file to that name) (10/28/04) - You can set or disable the highlighted line by double clicking on the address, and the highlighted line is forced to be shown if it's address is on screen like in the code dump view (10/28/04) - Added an optional AutoMode to the FixedRegs dialog, which automatically enables smaller registers, if bigger ones are enabled, and disables bigger registers, if smaller ones are disabled. You can enable AutoMode in the preferences dialog (10/28/04) - Increased scanning speed minimally (whole 0.4 seconds for Dasmv202.exe ... what a great speed gain...) 
(10/28/04) - In the search dialog Automatically switch to ASCII string, if you enter 2 or more non digits (10/27/04) - Save last used search mode in ini file (10/27/04) - Changed scan order -> jump/call refs, imports refs, string refs, menu refs (10/27/04) - Export entry points get their names as comments, if not overwritten manually (10/27/04) - Changing the comments will now mark the project as altered and therefore you'll be asked to save it, when closing or loading (10/27/04) - You can now search for 8-, 16-, 24- and 32-bit hex values by writing as much "double nibbles" as you need and 16- and 32-bit decimal values, where you have to prepend a '0' (this tries to be a zero) for 16-bit. (You can get details about the wanted format by specifying nothing, choosing a type and trying to start the search) (10/27/04) - Added a case senstive button to the search dialog in fact allowing case insensitive search now ;) (10/27/04) - Redesigned export box (10/25/04) - Improved scanning speed a bit, but still much more to get... (10/25/04) - Removed coded in pixel positions in preferences and about box to allow proper display on systems with strange dialog units (10/25/04) - Added optional extreme jump and call reference scanning mode to also find references hidden in other commands (see i.e. wwpack'ed stuff) (10/25/04) - Made scanning much more compatible with other threads, so you can work MUCH better with the rest of your system or several ETUs scanning on big files (10/25/04) - Number of found import references is set correctly now (10/24/04) - Added some more goto menu items to the popup menu in hexmode (10/24/04) - Removed a serious bug causing many references not to be shown! The problem was that the class library used binary search for finding the first reference occurrence for an address. But of course this didn't give back the first reference we wanted to see, but the first he found. That's why Dasmv202.exe i.e. missed 40 (!) references to GetSysColor!! 
(10/23/04) - Jump&call refs are now also checked for executable sections (before only code sections) (10/23/04) - Changed project file to a binary file format and additionally included saving of the current full filename (including path), jump&call refs, import refs, string refs, menu refs and returns (10/23/04) - References don't loose the focus anymore (10/19/04) - The address of a memory reference is now also highlighted in dump windows to allow better orientation (10/19/04) - Statusbar optimized a bit, also shows current cursor offset if available (10/17/04) - Reference dests become highlighted if the mouse hovers them (10/16/04) - The popup dump windows won't get closed anymore after each reference scanning stage (10/16/04) - Added highlighting of referenced lines of searches, imports and stuff, say everything which doesn't show the stuff you wanted to see in the first line (10/16/04) - Pressing in dump windows closes them (10/16/04) - The popup menu now allows everywhere to open code or data dump windows (10/16/04) - ETU now looks much better on non Win98 systems like WinXP (10/16/04) - Return functions have moved out of the menu into the control bar and can now be handled MUCH easier and clearer (10/15/04) - You can now press the right mouse button on a byte in hexmode and set a comment name for that offset or search for references to that address (10/11/04) - About box corrected (10/11/04) - Auto string search improved to also check if an ascii string starts at the next byte (ChaosCreator implemented this for unicode strings some time ago already) (10/11/04) - now also switches between hex dump and asm code in dump windows and popups (10/11/04) - Added reference popup menu (click right on a reference) (10/11/04) - Complete regrouping of source code, as it's way too much source for only four files... 
(10/08/04 - 10/10/04) v2.10 ALPHA (not released) - Added option to hide references (07/07/04) - Corrected project load and save functions (07/06/04) - Comments, label names, current state and fixed registers can now be saved in an project file (March 2004) - Added a search function to the string resource viewer (12/01/03) - Menu reference scanner implemented (12/01/03) - Added filters to string resource reference viewer (12/01/03) - Resource string reference scanner implemented (11/29/03) - Added string resource viewer (11/28/03) - Goto remembers its settings during a programm run (11/28/03) - Unicode string search implemented (10/20/03) - Added menu resource viewer (10/14/03) v2.04 ALPHA (released 10/12/03) - WinXP scrollbar thumb bug removed (10/12/03) - Small icon provided for WinXP (10/12/03) v2.03 ALPHA (released 10/12/03) - Minor bug fixes for WinXP (10/11/03) v2.02 ALPHA (released 10/11/03) - Added a reference rescan menuitem (10/11/03) - Changed missing OPCODE.DLL messagebox (10/11/03) - Added empty lines after jmp-commands (10/11/03) v2.01 ALPHA (released 10/04/03) - Show entry point label (09/15/03) - ChaosCreator's label support readded (09/08/03) - Added support for fixed register values including adding and subtracting adjacent values (09/01/03) - Endlines behind ret-commands (ChaosCreator) (05/11/03) - Completly rewritten routine to colorate the programcode... 
(ChaosCreator) (05/11/03) v2.00 ALPHA (not released) - Goto sectiondata button added to the image properties dialog (11/11/02) - Dump windows only start above the dumped address, if a possible reference becomes shown (10/02/02) - Dump windows start a few lines above the referenced address, which gets highlighted (10/01/02) - Replaced the function name combobox with a listbox for an easier view (10/01/02) - Import dialog enhanced for import refs support (09/30/02) - Scanning for references to imported functions (09/29/02 - 09/30/02) - Maximal references per page increased to 400 (09/29/02) - Multiple possible programm references are shown in one line (09/29/02) - Programm references in dump windows are now shown in the same offset mode as in the main disassembly window (09/28/02) - Put reference checking into a seperate thread (09/27/02 - 09/28/02) - Checking status control added (09/25/02 - 09/26/02) - Jump/call reference lookup added (09/19/02 - 09/20/02) - Undo now moves the view to the changed position (09/19/02) - Dump windows cannot overlap their own line anymore (09/19/02) v1.44 ALPHA (not released) - References to imported functions now come along with their module names (09/17/02) - Enlarged the export and import dialog to display longer function names (05/22/02) - Cursor becomes grayed if window looses the focus (05/10/02) - The hint cursor now is two bytes wide when pointing into the ascii view (04/10/02) - The cursor and cursor hint colors can be set now in the prefs dialog (03/23/02) - In hexview a hint where's the cursor in the other editmode is displayed (03/23/02) v1.43 ALPHA (released 03/22/02) - Changed the programm parameter interpretation so there shouldn't be a problem with spaces in the etu's path name anymore (03/22/02) - The addresses of exported functions now belong to the right names ;D (03/22/02) - Import and export tables are checked for legality to en- or disable the according menu commands (03/22/02) - Killed a bug causing a programm 
(not system) crash after setting up a smaller font size (03/21/02) - Clicking on our logo or on our url in the about box will open the programm linked to "htmlfile" (03/19/02) - Memory dump scrolling has been corrected (03/19/02) - The number of rows in a dump view is now adjustable in the preferences dialog (03/19/02) - Added an option to disable the file open dialog at startup (03/17/02) - Drag & Drop implemented (03/17/02) - It's possible now to have no file opened (03/17/02) - Far jump references corrected (03/17/02) - Added a welcome message for first startups of new versions (03/16/02) - Return after opening a new file isn't possible anymore (03/16/02) - Some disassembler bugs have been killed and some commands added (03/16/02) v1.42 ALPHA (released 03/15/02) - The "read only" checkbox isn't shown in the open file dialog anymore (03/15/02) - FPU commands have been fixed and enhanced (03/15/02) - Undo function corrected (03/14/02) - Section properties can be edited now (03/11/02) - Deactivated control bar buttons are shown correctly in 24-bit now, too (03/10/02) - Added save button for the control bar (03/10/02) - Changing the MZ- or the PE-header now gets noticed without crashes ;) (03/10/02) v1.41 ALPHA (released 03/08/02) - Cursor finished ;D (03/08/02) - Save only becomes enabled when the file's been changed (03/07/02) - Improved cursor functions (03/07/02) - Undo function implemented (03/06/02) - ChaosCreator's OPCODE.DLL implemented (03/05/02) - Cursor functions rewritten (03/04/02-03/05/02) v1.40 ALPHA (not released) - Added hex editor function (02/28/02 - 03/04/02) v1.30 ALPHA (released 02/25/02) - Programm references don't point to strings anymore (02/24/02) - A search function has been implemented for hex/dec values, byte lists and strings (02/23/02) - A little bug of illegal instructions has been killed (02/23/02) v1.22 ALPHA (released 02/22/02) - 16-bit calls are shown correctly now again (02/22/02) - References to too long strings weren't shown at 
all (02/22/02) - Killed a bug that caused ETU to frag after pressing PAGEUP (02/19/02) - Minor bug fixes v1.21 ALPHA (released 02/16/02) - Added the CMOVXXX commands (02/16/02) - Strings in code found by ASS are displayed in the text reference color and the ending null is shown in the hexcode of the line too (02/16/02) - The ASS-function now doesn't looses the beginings of strings in commands anymore (02/16/02) - The line up and down functions now work better on strings (02/16/02) - Some minor bugfixes v1.20 ALPHA (released 02/16/02) - The address offsets can now be displayed as programm memory offsets in 32-bit mode, too (02/15/02) - LOOP became a IP-changer ;D (programm references) (02/12/02) - Some bugs got killed (until 02/15/02) v1.12 ALPHA (not released) - Preferences dialog added for customizing the visuals (12/11/01) - Colors have been changed and added for imported functions and string references (12/09/01) v1.10 ALPHA (not released) - Changed the dialog design to make it look less flat ;) @ ChaosCreator Even the comboboxes look alright now! But there's something strange with the captions when you move them... 
(07/19/01) - Splitted the main file to make handling easier *ggg* (07/19/01 - 07/26/01) - I used a workaround to fix the "disasbled-button-in-32bit-color-mode-bug" by checking which colormode the user is using and depending on the result use different bitmaps for the buttons ;) (07/26/01) - Took paint functions out of the Paint function, so that I'm able to use them in other places, too (07/26/01 + 09/14/01 - 09/16/01) - Added call/jxxx reference assembly dump on mouse passing (10/01/01 - 10/02/01) - Now page up/down really moves ONE PAGE up/down and not a silly number of bytes in some direction (10/03/01) - This programm got a REAL name ;D from now on it's called >>>ETU-Dasm<<< which stands for *surprise* *surprise* "Easy-To-Use-Disassembler" *ggg* (10/03/01) - The size of assembly dump gets changed now depending on how much more space is needed to show everything of the assembly (10/03/01) v1.0 ALPHA (released 07/19/01) - References into programm memory (only for 32bit PEs) can now be viewed in a hex dump by moving the mouse over its position (marked with blue). You can scroll this dump view by using the mouse wheel while holding the mouse still over the reference. There are also the same wheel scroll functions as in the main window. By clicking on the reference the popup becomes a window so that you can move it where you want and have a look at it while looking at other places with the main window (it won't vanish if you move the mouse off the reference). (07/12/01) - Calls into the programm are now highlighted green and can be jumped to by clicking on it. When you want to return to the call you came from you can press the "Return" menuitem. You can step up to 20 levels into the programm on this way. Don't know if this is enough. It can be easily made bigger so... 
(07/12/01) - Killed a very >>BAAAAD<< bug causing the programm to generate a page fault when it was closed while a dialog was still open (07/12/01) - The prior feature has been implemented for JXXX instructions too (Friday, 07/13/01 !) - Added first item of the new control bar ;) (07/13/01) - Added more items (07/16/01) - Added call/jxxx follow support for 16bit (even far calls/jxxxs work!) (07/16/01) - Added option to view file offsets or programm memory offsets for 16bit (07/18/01) - Added status bar with help strings for the menu items (07/18/01) - Added a text gadget for the status bar to show the filesize (07/18/01) - Some less important things like centering the about dialog on screen ;D (07/18/01) - Recursive reference lookup has been implemented (say 00420030 -> 0042130c -> "Hello world!" can be shown now) (07/19/01) - Heavy reference testing resulting in many bug fixes, but as you can see there are still enough! But because I want to release it they will be fixed in the next release ;) (07/19/01) - WOW, this file grew by 1225 lines(incl. comments) since the last version! OK, somewhere all the new features have to come from... :D (07/19/01) - Legal section added to this file (boooooooooooooring) (07/19/01) v.8 ALPHA (released 07/08/01) - The function to show references to imported functions inside the assembler code has been improved so that it SHOULD work for all programms now (windows explorer's references are shown correct now) (07/07/01) - The exports/imports dialogs aren't shown anymore when there are no exported/imported(!?!) functions (07/07/01) - 16-bit disassembling feature has been added though it's not tested enough so that it may (will ;) contain many bugs (07/08/01) - References to imported functions being imported only by ordinal are now shown correctly (07/08/01) - Menu bug has been killed (07/08/01) v.76 ALPHA (released 06/24/01) - The functions to view the imported functions were greatly improved so that it >SHOULD< work for all PEs now. 
IF YOU SHOULD DISCOVER PROGRAMMS WHERE IT DOESN'T WORK >PLEEEEEEASE< TELL ME BY WRITING IT INTO GUESTBOOK OR FORUM!!! (06/24/01) - Removed other bugs which were able to frag the programm (06/24/01) - Changed minor things (06/24/01) v.75 ALPHA (released 06/09/01) - At last I added the long awaited *LOL* about box (06/09/01) - Removed some minor bugs (06/09/01) v.74 ALPHA (released 05/17/01) - Added showing references to imported functions (05/12/01) - Added wheel features (05/13/01): wheel + left mouse button = one line wheel + right mouse button = one byte - Added showing references to strings (by address NOT ResId) (05/17/01) - Some minor things v.7 ALPHA (released 02/08/01): - Added a first (bad) implementation of the optional "auto string search" feature in disassembler view (strings need at least 3 chars) - Added the ultimative GOTO dialog with three types of addresses: file offset (hmm, what could this be ;), RVA (relative virtual address) and memory address (it's the RVA plus the imagebase) - changed the structure of the source and some minor things v.6 ALPHA (released 02/05/01): - Added dialog to view exported functions and go to them - Added mouse wheel support (including a bug) - Changed dialog sizes to make them be displayable all at the same time on the right side of the screen left to the scroll bar when using a screen resolution of 800x600 (still not the best way) v.5 ALPHA (released 02/04/01): - it's the first release, so no changes to any prior releases ;) TODO: - Replace damned slow sorted container classes!! This will extremly speed up reference scanning!! - Support more line based scrolling - Check what happens on real CPUs when it gets more than one segment, size, offset or lock prefix before normal commands. ETU simply ignores doubled prefixes and uses the last ones. As far as I already found out an exception is thrown if the size of an command is at least 16 bytes on my system. But I don't know if this is generally correct... 
- Implement comments for non-PE files - Make sure the user gets a last ability to try to save if ETU crashes - Add multidocument/multiview support (including comparing files) - Let system respond while loading big files/project files - Support REALLY big files (say files not fitting into memory) - Trace asm commands in fixed regs + highlight - Make dialog boxes resizable - Add toggle button to filter out extreme refs - Differentiate between normal jcrefs and extreme jcrefs - Add color style stuff - Let CheckStringRef search for a command in the row with the commands before - Add a pause scan thread menuitem - Colorate offsets according to their section flags and include empty line at section bounds - Show data directory in image properties - Optionally interpret a jump via a reference as a return, if it has the same source address as the last return - Set returnbox size in preferences - Optionally don't open dump window for a reference, if the reference is on screen and aprox. 5 lines away from the borders - Readd proper 16-bit support (currently quite broken...) - Add Win16 support - Use debug informations if available - More PE and section editing functions - Add more support for resource section - Print function - Lookup for hidden code references (mov eax call eax, push x call pop ret) (i.e. 68 xx xx xx xx c3) - Horizontal scrollbar in assembler view - Copy & paste features - Export disassembled text - Reduce flickering - Implement MMX commands - Highlight modified data - Optimize font options (looks VERY ugly with some sizes...) - Adjust size of export dialog depending on the function name lengths - Allow to follow jmp [00414024] -> 00401060 -> "UrM" (jump to 00401060) - Find a way to display references in the middle of an instruction (i.e. 
mov dword ptr [00412348], eax) Don't just throw the ref-info away ;) - Add interrupt 21h function lookup feature Known bugs: - There seems to be a bug, randomly causing a strange crash in rare unknown situations caused in the runtime library! Still unable to reproduce it! (outcoming 10/29/04) - In autostringsearch mode the text directly above a highlighted line isn't written as a string, if string would overlap the highlighted line (outcoming 10/29/04) - If a address reference is found in data via the popup menu, the correct place where it was found can't be seen very easy, as it displays code which is made of the address. It should be checked, whether the found containing command really uses the value! (outcoming 10/28/04) - Mouse doesn't behaves as it should if you mouse buttons with the mouse wheel the normal action is still executed (i.e. kill cursor although you just wanted to scroll). (outcoming 10/22/04) - Cursor doesn't follow correctly in asm mode when it hits the bottom border (outcoming 10/16/04) - Dump window doesn't show last code byte (outcoming 10/11/04) - The plus sign vanishes when the cursor was moved after the 10th byte of a not byte column fitting byte list and then back (outcoming 10/20/03) - Clicking around in the assembler byte list, when there are too many bytes for the normal display isn't too comfortable (outcoming 10/20/03) - Jumps to places more than 128 bytes before the next command aren't assembled correctly (outcoming 10/10/03) - "push dword ptr [ebp+8]", "push 004011d6" and stuff like this won't become assembled correct (outcoming 10/10/03) - Jumps at section ends point to wrong places (problem: file <-> memory offs) (outcoming 09/15/03) - Still problems with 16 bit programm references (outcoming 09/29/02) - In 16 bit mode programm references in programm offset mode refer to the wrong address in their dump windows (outcoming 09/28/02) - Programm refs to strings (ptbsync.exe i.e. 
@000343d (in its dumpview,too)) (outcoming 02/22/02, thought killed 02/24/02, moved back to bugs 03/23/02) - Doesn't look very well: mov dword ptr [bla] -> blub, blii (dasmv100.exe@000325f5) (outcoming 02/16/02) - When moving the dialogs the caption is painted wrong.....!?!?!? (outcoming 07/19/01) - When you give the focus to the dump window and then to another programm it's not that easy to get back to the disassembler and the dump window (outcoming 07/16/01) - Some "argh!"s that theoretically could make it able for trojans to hack the system by being disassembled (COOL ;D if this program would try to write there! But just in time this isn't possible! Oh, I think it wouldn't work then, too! Sorry guys ;( But still there are some ways a disassembled programm can crash the system This should REALLY be fixed some time.... (outcoming 02/01/01, update 10/03/01)) History of killed bugs: - Autostringsearch doesn't recognize unicode strings correct again... (outcoming+killed 10/30/04) - The endline colors wasn't used for endlines and programm entry points (outcoming+killed 10/30/04) - Direct calls and move commands using imported addresses weren't correctly found during import scan (a reference to the value was generated instead of a reference to the begining of the command) (outcoming+killed 10/30/04) - Many 8-bit ressource string references aren't shown in code (outcoming+killed 10/29/04) - 8-bit ressource string references aren't recognized at all! 
(outcoming+killed 10/29/04) - The cursor offset isn't printed in the correct offset mode (outcoming 10/28/04, killed 10/29/04) - Autostringsearch produces stuff like 'db "",0' (outcoming+killed 10/29/04) - When using fixed registers comments set for results of arithmetic stuff like [esi+33h] become replaced by their names without being a reference (outcoming 10/19/04, killed 10/28/04) - No comments are shown for indirect import references (outcoming 10/26/04, killed 10/28/04) - Possible references make problems when they are in the first line and the view size is only two lines big (outcoming 10/19/04, killed 10/27/04) - Hex and decimal value search only search for 32-bit values (outcoming+killed 10/27/04) - Search doesn't notice invalid ASCII or Unicode strings (empty strings) (outcoming+killed 10/26/04) - The string ressource dialog takes an enourmous time to initialise its listbox (i.e. kernel32.dll) (outcoming 10/22/04, killed 10/25/04) - Removed a bug causing an endless loop caused by changes in statusbar (outcoming 10/22/04, killed 10/24/04) - In DASMV202.EXE the first conditional jump after the EP doesn't have a reference back at the destination (see changes for more details) (outcoming+killed 10/23/04) - Jumps in the first row have no blank line below it (outcoming 10/20/04) - Section gotos aren't displayed correctly in the return box (outcoming+killed 10/20/04) - If you click on a programm reference to the first line of the view and then click a second time without moving, an edit assembler command dialog appears (outcoming+killed 10/19/04) - There are problems with dump popups during scanning (outcoming 10/16/04, killed 10/19/04) - Return box doesn't respond to offset mode changes (outcoming 10/18/04, killed 10/19/04) - 16-bit fixed registers aren't evaluated according to their 32-bit register (outcoming+killed 10/19/04) - Dump window doesn't react on offset mode changes (outcoming 10/16/04, killed 10/19/04) - If you close a popup menu above a reference 
by choosing one option a dump popup is opened for this reference which isn't closed after executing the menu command (outcoming 10/18/04, killed 10/19/04) - Controlbar and statusbar sizes are completely wrong for 800x600 and 640x480 (outcoming 10/16/04, hacked 10/17/04...) - Scrollbar still doesn't work correctly on Win2k/WinXP in hex mode (outcoming+killed 10/17/04) - Right mouse button works now while popup menus are open (outcoming+killed 10/16/04) - Disabled buttons look ugly, pressed buttons don't come out very good and the background color doesn't fit too good to the normal background (if not using "my" standard windows colors...) (outcoming 10/11/03, killed 10/16/04) - There's a transparent pixel row between the menu- and controlbar (WinXP) (outcoming 10/11/03, killed 10/16/04) - The dump window appears and disappears again at once (when the dump window is much too long at the reference's address) (or when the main window's right border is out of the screen and a dump window would also reach out of the screen) (TestDLLProject.exe @00000903 (ref @0000093a)) (outcoming 09/17/02, update 10/11/03, killed 10/15/04) - Dump windows tried to show more lines than it was able to show (outcoming+killed 10/15/04) - Scan thread may crash when a new file is loaded while scanning (outcoming+killed 10/12/04) - The string dialog showed multiple references to the same address (outcoming+killed 10/10/04) - When resource or menu scanning found an unexpected end the appropriate reference locks weren't released and the status bar not updated (outcoming+killed 10/10/04) - When retrieving the number of resource strings the string length wasn't checked, which caused the string pointer to move out into space when the resource strings have been encrypted (outcoming+killed 10/10/04) - In hex mode the cursor wasn't erased in the last column when the lower nibble of the view offset wasn't 0 (i.e. 
0000231D) (outcoming+killed 07/15/04) - The A0 XXXXXXXX and A2 XXXXXXXX commands were misinterpretated as dword memory access instead of byte memory access (outcoming+killed 07/15/04) - References checking routines could crash with wrong references (outcoming+killed 03/16/04) - Empty comments can be added and comments can't be deleted (outcoming+killed 12/02/03) - In some situations pushs are displayed as something like "db 51" (outcoming+killed 12/01/03) - The programm icon isn't displayed in the title bar (WinXP) (outcoming 10/11/03, killed 10/12/03) - Crashes when a reference has been shown and the scrollbar is moved down (it will try to display things far off the file memory) (WinXP) (use a 32-bit thumb position now using the GetScrollInfo function) (outcoming 10/11/03, killed 10/12/03) - Undo can produce some grafical artifacts (outcoming 10/10/03, killed 10/12/03) - Again problems with cursor and possible refs entries.... (outcoming+killed 10/12/03) - Programm dump windows don't adjust their size to references to imported functions (outcoming 10/11/03, killed 10/12/03) - Reference scanner thread hangs while scanning the dos programm STEUERN.EXE (outcoming 10/11/03, killed xx/12/03) - The text alignment is totally screwed with some fonts which also leads to wrong ref places (outcoming+killed 10/11/03) - The link in the about box has a wrong background color (if not using "my" standart windows colors...) (outcoming+killed 10/11/03) - The text alignment is totally screwed with some fonts sizes which also leads to wrong ref places (Win98) (outcoming+killed 10/11/03) - Some jmps have a "#" at their tails (TestDLLProject.exe @0000060d) -> doesn't appear anymore... 
(outcoming 09/27/02, removed from bug list 10/11/03) - Fixed register replacing routine has problems with adding two registers -> already fixed, date unknown (outcoming 09/08/03, removed from bug list 10/11/03) - You can scroll the code popup at 0422e5d in DASMV201B.EXE only 2 times down before it disappears -> doesn't happen anymore... (outcoming 09/08/03, removed from bug list 10/11/03) - ETU doesn't find ANY references in very small programms (ALLINONE8.EXE) -> ETU only checks CODE sections and that proggie didn't have any section marked as one... but perhaps other sections should be checked, too... (outcoming 09/08/03, removed from bug list 10/11/03) - Possible reference addresses don't become displayed in the last row (outcoming+killed 10/11/03) - Programm crashed while closing it... where does it come from??? It crashed due to a buffer overflow in Paint (outcoming 10/03/03, killed 10/11/03) - Buffer overflow in GetNextInstr caused in CheckFixedRegs (outcoming 09/30/03, killed 10/03/03) - Some memory addresses ([xxxxxxxx]) become displayed without a leading size descriptor (i.e. FF 25 xxxxxxxx, FF 14 25 xxxxxxxx, a1 xxxxxxxx, 8d 1d xxxxxxxx) (outcoming 09/29/03, killed 09/30/03) - Screen flickers when holding down unused keys (outcoming 09/14/03, killed 09/15/03) - Code references may not show the address their pointing at because of wrong alignment (i.e. 
data bytes before that address) (wndcmd32.exe @0008d407) (outcoming+killed 09/14/03) - ChaosCreator: Cursor movement has problems with possible reference lines (outcoming 04/28/03, killed 09/13/03) - ETU crashes when import references are to be displayed in the import dialog when there aren't such references for that imported function (outcoming+killed 09/14/03) - Buffer overflow, when opening a dump window while still scanning (outcoming 10/01/02, killed 09/09/03) - Menu and toolbar get disabled when the programm is minimized and maximized again (outcoming some time ago, killed 09/07/03) - Crashes when addresses inside a non-pe-file are checked (outcoming 08/28/03, killed 09/07/03) - You can open the assembler edit dialog when no file is opened (ChaosCreator) (outcoming 09/30/02, killed 11/05/03) - The dump view disappears if you want to change the dump view to a ref next to the active one (seems to be able to cause a programm crash) (outcoming 03/23/02, killed 10/01/02) - Missing memory refs at JMPs (ptbsync.exe i.e. @0000e8ce) (outcoming 02/22/02, killed aprox. 
09/20/02) - Strange import references (TestDLLProjekt.exe @00002944) (=module names don't show up with ordinals) (outcoming 03/27/02, killed 09/17/02) - Windows flicker when mouse is over a reference (outcoming+killed 05/14/02) - The display of far calls and jumps to registers was wrong (outcoming+killed 04/10/02) - The scrollbar doesn't show up if ETU is opened without a file and then given a PE file via drag&drop (outcoming+killed 03/29/02) - Dump windows aren't placed correctly when near screen edges (outcoming+killed 03/22/02) - The programm won't start if it's started in a directory containing spaces (outcoming 02/16/02, killed 03/22/02) - Export addresses aren't extracted correctly for dynamic link libraries (outcoming 03/15/02, killed 03/22/02) - Same with non-existing imported functions (outcoming 01/09/02, workaround 02/15/02, killed 03/22/02) - The programm frags when it's told to display exports of a file which doesn't have any exports (outcoming 12/08/01, workaround 12/09/01, killed 03/22/02) - It crashes at shutdown after reducing the font size while viewing a non MZ and non PE file if ychar gets changed (TDWin::Paint : PaintDasm loop with i>=counter-2)(exact condition unknown) (lineptrs wasn't enlarged after choosing a smaller font...) (outcoming 03/20/02, killed 03/21/02) - Memory dump scrolling doesn't work right (outcoming+killed 03/19/02) - In the assembly dump view there are call references leading to strings (outcoming 10/02/01, killed ??/??/??) - Sometimes when moving the mouse cursor very fast over jxxx and memory references one jxxx stays highlighted (outcoming 07/19/01, killed 03/17/02) - Jumps to 16-bit far JMPs don't work (outcoming 03/16/02, killed 03/17/02) - REPNZ and REPZ appear with non string commands (outcoming 03/15/02, killed 03/16/02) - The return adresses aren't cleared after loading a new file (outcoming+killed 03/16/02) - MOVSX and MOVZX aren't displayed correctly (i.e. 
  movsw edx,edx) (outcoming 02/16/02, killed 03/16/02)
- Far calls and jumps are displayed as near ones (outcoming+killed 03/16/02)
- Double, triple, ... REPs were all displayed in one line instead of not allowing multiple REPs after another (outcoming+killed 03/15/02)
- Probably the disassembly of FPU instructions is all the way wrong cause I don't know shit about the FPU... (outcoming a long, long time ago, killed 03/15/02)
- In hexview the undo function doesn't work in ascii when pressing backspace (outcoming+killed 03/14/02)
- The DF XX command (FPU) is displayed wrong (a db DF is appended) (outcoming 03/13/02, killed 03/14/02)
- Undo doesn't leave the menu after saving (outcoming 03/11/02, killed 03/14/02)
- Deactivated buttons aren't painted alright in 24-bit video mode (outcoming+killed 03/10/02)
- 32-bit program offset isn't fully implemented yet!! (-> hex view) (outcoming 02/16/02, killed 02/23/02)
- Wrongly set segment overrides are left in the hex code of an asm line (outcoming+killed 02/23/02)
- 16-bit CALLs show their destination only after moving the mouse over it (outcoming+killed 02/22/02)
- Some PUSHs (e.g.
  push 00418a90) don't become memory refs (@0ae91 ptbcrkt2) (outcoming 02/19/02, killed 02/22/02)
- Makes a small mess when disassembling AAM or AAD (outcoming+killed 02/19/02)
- It frags if you do a pageup at 0000eb9a in file ptbcrkt2.exe (outcoming+killed 02/19/02)
- The file endings are displayed wrong, especially in ASS-mode (outcoming+killed 02/16/02)
- If a string with a following null is found in the code, the null isn't shown in the hex code of that line (outcoming+killed 02/16/02)
- The "enter" command isn't interpreted correctly (outcoming 02/03/02, killed 02/15/02)
- Reference hints don't get removed at calls and jumps to places above the image base (outcoming 23/01/02, killed 25/01/02)
- It finds string references in a disassembly AFTER the disassembly string;) (outcoming+killed 25/01/02)
- When jumping to jmp [xxxxxxxx] -> yyyyyyyy then the return function doesn't work
  OOPS, it doesn't work at all anymore... (outcoming+killed 10/03/01)
- In 16-bit negative 8-bit values were displayed as 32-bit values (outcoming+killed 10/02/01)
- Again the >Extreme far reference<-bug had to be killed... (outcoming+killed 10/02/01)
- There are some strange calls e.g. in explorer.exe @ 0000f80d which are looked up as string references! Don't know what they are pointing at right now but because of the >call< a string reference is impossible ;)
  This one was fixed (it's a reference to a by ordinal imported function), but there are still call references "leading" to strings like explorer.exe @ 00003bea
  Now this is fixed, too. Time to close this bug entry and open a new one ;) (outcoming 07/08/01, update 07/19/01, killed 10/02/01)
- In 32-bit color video mode the disabled buttons are painted in a wrong way (outcoming 07/19/01, killed 07/26/01)
- A mov eax,[00457af8 -> 0043068c] appeared for the first time! DAMN, thought it wouldn't come up...
  OH DAMN!!!!!! I FORGOT WHERE I FOUND IT!!!
  Ahhhhhh, GOTCHA!!!
  (outcoming 07/19/01, killed 07/20/01)
- >Extreme far calls/jxxx< (segment:32-bit-offset) are displayed fully wrong (outcoming+killed 07/19/01)
- In big 16bit programs negative near calls (e.g. call $-1a) in areas over :0000ffff lead to things like call 1fe45 instead of call fe45 (outcoming+killed 07/18/01)
- In big 16bit programs with code in areas over :0000ffff relative references (e.g. jnb 24e07) are recognized wrong cause it's NOT 16bit (outcoming 07/17/01, killed 07/18/01)
- The dialog memory isn't freed after closing them => MEMORY LEAKS!!! (outcoming 07/12/01, killed 07/16/01)
- The program generates a page fault when there are still some dialogs open while exiting (outcoming+killed 07/12/01)
- Disabling of menu item "Show image properties" doesn't work
  I killed it by deleting the menu items and not trying to disable them anymore ;) THIS is effective and it looks much better :p
  Comment: Now (18/07/01) I know why it didn't work: it's because of this automatic command enabling! But now that I know I used it for the GotoEP and the ViewOffsProg button ;) (outcoming 01/27/01, killed 07/08/01)
- References to imported functions aren't shown if the function address list doesn't point to the function names (e.g. the Windows explorer does it) (outcoming + killed 07/07/01)
- Import, export and goto dialogs aren't closed after loading another file! This leads to a page access fault when trying to view imports from another module imported by the formerly opened file! (outcoming 06/24/01, killed 06/24/01)
- Imported dialog sometimes shows " " (DSOUND.DLL and COMCTL32.DLL being imported by my modem driver) (outcoming 02/05/01, killed 06/24/01)
- Can't go to a relative or memory address of the last section (outcoming 0?/??/01, killed 06/09/01)
- Again a small output bug when hex dumping the end of file (the same???) (outcoming + killed 06/09/01)
- Can't open image property dialog when closed once (outcoming 01/27/01, killed 02/01/01)
- Added some missing GlobalUnlocks (outcoming + killed 02/01/01)
- A small output bug when hex dumping the end of file (outcoming + killed 02/01/01)
- Killed some arghs (how boring ;) (outcoming 02/01/01, killed 02/08/01)
- Removed bug related to invalid ESC-instructions output (outcoming + killed 02/08/01)
- Wheel granularity doesn't work in disassembler view (outcoming 02/05/01, killed 13/05/01)

Keys:
  General:
      Toggle between assembler and hex view (also popups!)
    , Move view up/down one page
    , Move view to beginning/end of file
  In view mode:
    , Move view up/down one line
    , Move view by one byte "left/right" = "up/down"
  In edit mode (only hex values editable in asm or hex view):
    Cursor keys          Move cursor

Mouse wheel functions:
  Standard               Move view up/down four lines
  With left button       Move view up/down one line
  With right button      Move view by one byte up/down

Mouse button functions:
  General:
    Offset column:
      Right button       Open popup menu
  Assembler view mode:
    Hex code column:
      Left button        Set cursor
    Command column:
      Left button        Edit assembler command (still commands missing)
    Program references:
      Left button        Jump to address and add a return entry
      Right button       Open popup menu
    Memory references:
      Left button        Open hex dump window
      Right button       Open popup menu

Comments on legality:
BEFORE you use this program to disassemble all (or only some) of your programs MAKE SURE THAT YOU ARE ALLOWED TO DISASSEMBLE THEM! Many (if not most) programs you use tell you in the license agreement you agreed to that you are NOT ALLOWED to disassemble them!
So if you do it anyway and you're caught (which is very improbable, but...), it's NOT MY PROBLEM! You have been warned to use this program only on your own programs or ones that you are allowed to disassemble!

More disclaimer blah blah:
This program is still in more or less heavy development (depending on our mood ;)). So it does contain bugs (please report any you find) and can crash. Of course we always try to make a release as stable as possible, but we're just humans, too! So be very careful with important non-recoverable data, although we never had any data loss, especially as the files viewed are kept open as briefly as possible and everything is in memory... Use this program at your own risk!