<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Input</title>
<meta name="GENERATOR" content="WinCHM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
html,body {
/* Default Font */
font-family: Courier New;
font-size: 11pt;
}
</style>
</head>
<body>
<P class=rvps3><SPAN class=rvts10><STRONG>Input</STRONG><BR></SPAN><SPAN
class=rvts9>This program accepts several forms of input:</SPAN><SPAN
class=rvts9><BR></SPAN></P>
<P class=rvps3><SPAN class=rvts11><U>commands</U></SPAN><SPAN class=rvts9>:
Commands have the following format: "</SPAN><SPAN
class=rvts10>command[space]arg1,[optional space]arg2,argN</SPAN><SPAN
class=rvts9>".</SPAN><SPAN class=rvts9><BR></SPAN></P>
<P class=rvps3><SPAN class=rvts11><U>variables</U></SPAN><SPAN class=rvts9>:
Variables optionally start with a $ and can only store one DWORD (QWORD on
x64).</SPAN><SPAN class=rvts9><BR></SPAN></P>
<P class=rvps3><SPAN class=rvts11><U>debug registers</U></SPAN><SPAN
class=rvts9>: All debug registers (all sizes) can be used as
variables.</SPAN><SPAN class=rvts9><BR></SPAN></P>
<P class=rvps3><SPAN class=rvts11><U>memory locations</U></SPAN><SPAN
class=rvts9>: You can read from a memory location by using one of the
following expressions:<BR>
[addr] - read a DWORD/QWORD, depending on the architecture.<BR>
@addr - same as above.<BR>
<EM>n</EM>:[addr] - read <EM>n</EM> bytes.<BR>
@<EM>n</EM>:addr - same as above.<BR>
<STRONG>REMARKS</STRONG>:<BR>
- <EM>n</EM> is the number of bytes to read; when specified, it must be smaller than 4 on x32 and smaller than 8 on x64, otherwise there will be an error.<BR>
- addr is interpreted directly as a value. To read [addr+1], use brackets: @(addr+1). @addr+1 reads [addr]+1.</SPAN></P>
<P class=rvps3><SPAN
class=rvts9><U>flags</U>: Debug flags
(interpreted as integer) can be used as input. Flags are written as a '!' followed by the flag name.
Valid flags are: !cf, !pf, !af, !zf, !sf, !tf, !if, !df, !of, !rf, !vm, !ac, !vif, !vip and !id.</SPAN></P>
<P class=rvps3><SPAN class=rvts11><U>numbers</U></SPAN><SPAN class=rvts9>:
All numbers are interpreted as
hex by default. If you want to be sure, you can use the "x" prefix or
the "0x" prefix. Decimal numbers can be used by prefixing the number with a "."
(.123=7B).</SPAN></P>
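<P class=rvps3><SPAN class=rvts9>The number and memory-read rules above, modelled as a small Python evaluator. This is an added example, not the debugger's own parser; the sample memory contents, the x32 pointer size, little-endian byte order and the names evaluate, read, number, MEMORY, PTR and TOKEN are assumptions.</SPAN></P>

```python
import re

# Constructed sample memory (assumption): 8 bytes mapped at 0x1000.
MEMORY = dict(enumerate(bytes.fromhex("78563412efbeadde"), start=0x1000))
PTR = 4  # DWORD on x32 (assumption for this run); 8 would model x64
TOKEN = re.compile(r"\s*(\.\d+|(?:0x|x)?[0-9a-fA-F]+|[@\[\]():+])")

def number(tok):
    """Hex by default, optional x/0x prefix; a leading '.' means decimal."""
    return int(tok[1:], 10) if tok.startswith(".") else int(re.sub(r"^0?x", "", tok), 16)

def read(addr, n):
    """Read n bytes at addr, little-endian (assumed x86 byte order)."""
    return int.from_bytes(bytes(MEMORY[addr + i] for i in range(n)), "little")

def evaluate(text):
    toks = TOKEN.findall(text)
    if "".join(toks) != text.replace(" ", ""):
        raise ValueError("unexpected character in expression")
    pos = 0
    def peek(k=0):
        return toks[pos + k] if pos + k < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def size():  # optional "n:" prefix; bound taken from the page's remark
        if peek(1) != ":":
            return PTR
        n = number(take()); take()
        if not 0 < n < PTR:
            raise ValueError(f"n must be smaller than {PTR}")
        return n
    def atom():
        if peek() == "@":  # '@' binds to the next atom only, so @a+1 == [a]+1
            take(); n = size()
            return read(atom(), n)
        n = size()
        tok = take()
        if tok in ("[", "("):
            value = expr(); take()  # consume the closing ']' or ')'
            return read(value, n) if tok == "[" else value
        return number(tok)
    def expr():
        value = atom()
        while peek() == "+":
            take(); value += atom()
        return value
    return expr()
```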
<P class=rvps3><SPAN class=rvts9><U>basic calculations</U>:
See "Calculations" for more
information.</SPAN></P>
<P class=rvps3><SPAN class=rvts9><U>DLL exports</U>: Type 'GetProcAddress' and it will
automatically be resolved to the actual address of the function. To explicitly
define from which module to load the API, use: "kernel32.dll:GetProcAddress" or "kernel32:GetProcAddress". In a similar way
you can resolve ordinals, try "ntdll:1". Another macro allows you to get the loaded
base of a module. Try
"ntdll:0", "ntdll:base", "ntdll:imagebase" or
"ntdll:header".</SPAN></P>
<P class=rvps3><SPAN class=rvts9><U>labels/symbols</U>:
User-defined labels and symbols are valid
expressions.</SPAN></P>
<P class=rvps3><SPAN class=rvts9><STRONG>Input for arguments can always be done in any of
the above forms, except if stated otherwise.</STRONG>
</SPAN></P></BODY></HTML>