what : a TRW2000 v1.22 / v1.23 plugin to make/edit a symbol table for the
       currently executing app. what this means: you can give a name to any
       line in the disasm window, so you don't have to write it down on paper
       or remember routine/code addresses yourself.

how  : place the sim.sys file in the /sys directory and launch your
       application first.

       to add a symbol, type one of the commands below :-)

         :sim               ;add sym at EIP
         :sim add           ;idem
         :sim add addr      ;add sym at addr      ;eg. :sim add 4010CC

       you'll see an inputbox. type anything you wish as the symbol name.
       then you'll see the name at that addr/EIP in the disasm window =)

       typed the name wrong? don't worry, just type one of the commands
       above again ;)

       want to delete one? type one of these:

         :sim del           ;del sym at EIP
         :sim del addr      ;del sym at addr

       if you messed up the whole symbol table, you can delete it with :D

         :sim gone

       !!!NOTE!!! this deletes the TABLE, i.e. every name you've created :p

       after you've finished playing around, go to the loader window to save
       the symbol table [if you want ;)]: click File and choose
       Save Symbol Table...

       then, if you want to load the app again, load the symbol file [.esf]
       first: click Browse, select your .esf file and click Load. now you can
       load the app ;)

when : 08-18-2002 v0.01 Start
       10-14-2002 v0.02 Continue ;)
       10-17-2002 v0.03 Gets Better :D

who  : dion
       e-mail : daner@go.cc

news : i just realized lately that there's a built-in command to name a
       given addr. it looks like this:

         :NAME addr 'newname'

       hmm... well, it does the createsymtbl, createsegment and createsym
       for you. honestly, i didn't know this command before today [10-17].
       if you don't believe me, you can ask for my source code ;) but, you
       know what... it CAN'T delete a sym and does *NOT* handle duplicate
       syms, hehehe...
       another related cmd for symbols is

         :CMT addr 'comment'

       i'll figure this one out later ;)

bugs : [these are *NOT* my plugin's bugs :p]

       ::One::
       there's a flaw in the Sym_CreateSegment() routine that prohibits us
       from having two or more segments with the same name, even though in
       reality the same segment name IS allowed [look at a packed
       application's section names, or try it yourself]. so, we have to
       patch the trw2000.sys file. here is the patch info:

       !!! check the opcodes before you attempt to nop them !!!

       for TRW2000 v1.22 : open a hexeditor, go to offset .000381E7 and nop
                           it until offset .000381EE
       for TRW2000 v1.23 : open a hexeditor, go to offset .00038155 and nop
                           it until offset .0003815C

       ::Two::
       there's another TRW-internal bug, related to the symbol applier. when
       you load an app that has the same name as a loaded symbol table, that
       table should be selected automagically. but it seems to work only if
       the sections are normal; it doesn't work with a packed exe file. to
       deal with this, i hook hh_PreEnterKernel to apply it myself ;)

       ::Three::
       *huh* i found that sometimes sym_createsymbol() leaves garbage in the
       symbol-name memory area. but don't worry, it doesn't corrupt the
       table (yet) ;p

       ::Four::
       hmm... another bug ;p oh well... it's in the Sym_DeleteSymbol()
       function prototype. the true prototype is:

         VOID (__stdcall *Sym_DeleteSymbol)(DWORD segnum, DWORD off, DWORD sel);

       huh! a *FAKE* proto!!! this is a very ugly bug :p the sel param means
       selector; it's usually 1. i'll verify this later ;)

       guess what... not only is the proto wrong, but the routine is wrong
       TOO!!! bah! how can the author make a double mistake ;D ok, here's the
       patch info [bytes to be changed, not added] for the trw2000.sys file:

       !!! check the opcodes before you attempt to patch !!!

       open a hexeditor and go to offset .0003832E [for TRW2000 v1.22] or
       offset .0003829C [for TRW2000 v1.23], then change the bytes from

         8B31.83C104.8930.83C004.

       to

         8B30.8931.83C004.83C104.

tips : ::One::
       there's a little problem with string handling. for example, you can
       type something like [Blah gAk BletCH! ;)] in the inputbox and it
       works fine. but you'll hit a problem later: you can't type
       :bpx Blah gAk BletCH! ;) or :bpx 'Blah gAk BletCH! ;)'. and you know
       what, i'm not gonna fix this :p so be a good boy when giving a name :o

       ::Two::
       in case you're tracing an app that is about to crash [because of
       antidebug or a fatal bug], trace it up to the point before that
       happens and assemble eip with [jmp eip]. then exit to the loader and
       save the symbol table there. later, you can load it again ;)

       ::Three::
       please don't mix the NAME/CMT commands with the SIM cmd, i'm not
       responsible for what will happen ;p about CMT, i'm gonna explore it
       further :=o

       ::Four::
       be careful when you're editing with two or more symbol tables. don't
       use the TABLE command to switch to another table! you can only work
       with the current app's table. so, to work with another table, you
       must be inside its image range and its addr context.

todo : . support PDB/DBG formats.
       . as a consequence, i have to handle locals, globals, structs, etc.
       . make a win32 app to convert .esf to .sym and vice versa.

lic  : full source code included. if you use this code, at least mention
       the credits somewhere. if you plan to include the code for commercial
       purposes, then you must contact me first : daner@go.cc

say  : G>greets to LiuTaoTao and ZhuNanHao from me ;)
       Q>did you guys stop updating TRW ?
       S>btw, TRW was really ::cool::, i like it :D
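added example (not part of the plugin or its source): a small Python helper that applies the two trw2000.sys patches from the bugs section with the check the README keeps insisting on, i.e. it refuses to write anything unless the bytes at the quoted offset are exactly the ones the README lists. the offsets and byte strings are the README's; the names (Layout, LAYOUTS, apply_all, ...) are mine. the decoding of the Sym_DeleteSymbol bytes in the comments is my reading of the x86 opcodes: the original sequence copies dwords from [ecx] to [eax], the fixed sequence copies from [eax] to [ecx]. the README gives no original bytes for the Sym_CreateSegment region, so for that one the helper can only refuse a range that is already NOPed, and it reads "nop it until offset X" as inclusive of X, which is an assumption. the sample image is constructed and is not a real trw2000.sys.

```python
"""Verified patching of the two trw2000.sys fixes from the bugs section.
Offsets and byte strings are the README's; the helper names, the checks and
the constructed sample image are added here and are not part of the plugin."""
from dataclasses import dataclass

NOP = 0x90

# Bug ::Four:: (Sym_DeleteSymbol). The README's original bytes decode to
#   8B 31 mov esi,[ecx] / 83 C1 04 add ecx,4 / 89 30 mov [eax],esi / 83 C0 04 add eax,4
# i.e. the loop copies from [ecx] to [eax]. The fixed bytes reverse the copy
# direction and keep both pointer increments:
#   8B 30 mov esi,[eax] / 89 31 mov [ecx],esi / 83 C0 04 add eax,4 / 83 C1 04 add ecx,4
DELSYM_ORIG = bytes.fromhex("8B31 83C104 8930 83C004")
DELSYM_FIXED = bytes.fromhex("8B30 8931 83C004 83C104")


@dataclass(frozen=True)
class Layout:
    delsym_offset: int  # start of the Sym_DeleteSymbol copy sequence
    nop_start: int      # first byte of the Sym_CreateSegment check to nop
    nop_end: int        # README says "nop it until" this offset; treated as inclusive (assumption)


# File offsets quoted in the README for each TRW2000 build.
LAYOUTS = {
    "1.22": Layout(delsym_offset=0x3832E, nop_start=0x381E7, nop_end=0x381EE),
    "1.23": Layout(delsym_offset=0x3829C, nop_start=0x38155, nop_end=0x3815C),
}


class PatchError(Exception):
    """Raised instead of writing when the image does not look like the README describes."""


def patch_bytes(data: bytearray, offset: int, expected: bytes, replacement: bytes) -> None:
    """Replace `expected` with `replacement` at `offset`, or refuse to touch the buffer."""
    if len(expected) != len(replacement):
        raise PatchError("patch must not change length (bytes changed, not added)")
    end = offset + len(expected)
    if end > len(data):
        raise PatchError(f"offset {offset:#x} lies outside the {len(data)}-byte image")
    found = bytes(data[offset:end])
    if found == replacement:
        raise PatchError(f"bytes at {offset:#x} are already patched")
    if found != expected:
        raise PatchError(f"unexpected bytes at {offset:#x}: {found.hex()} != {expected.hex()}")
    data[offset:end] = replacement


def nop_range(data: bytearray, start: int, end_inclusive: int) -> bytes:
    """Fill start..end_inclusive with NOPs and return the bytes that were there.
    The README gives no original bytes for this region, so the only possible
    check is "not already NOPed": compare the return value with your disassembly."""
    if end_inclusive < start or end_inclusive >= len(data):
        raise PatchError(f"bad nop range {start:#x}-{end_inclusive:#x}")
    original = bytes(data[start:end_inclusive + 1])
    if set(original) == {NOP}:
        raise PatchError(f"range {start:#x}-{end_inclusive:#x} is already NOPed")
    data[start:end_inclusive + 1] = bytes([NOP]) * len(original)
    return original


def apply_all(data: bytearray, version: str) -> bytes:
    """Apply both patches for `version` (on a copy, so a refused step leaves
    `data` untouched); returns the bytes that were replaced by NOPs."""
    layout = LAYOUTS[version]
    work = bytearray(data)
    patch_bytes(work, layout.delsym_offset, DELSYM_ORIG, DELSYM_FIXED)
    removed = nop_range(work, layout.nop_start, layout.nop_end)
    data[:] = work
    return removed


def patch_refused(data: bytearray, version: str) -> bool:
    """True if apply_all rejects `data` and leaves it byte-for-byte unmodified."""
    before = bytes(data)
    try:
        apply_all(data, version)
    except PatchError:
        return bytes(data) == before
    return False


def sample_image(version: str) -> bytearray:
    """Constructed stand-in for trw2000.sys (NOT the real driver): zero-filled, with
    the README's original bytes at the quoted offset and a 1..n marker in the NOP region."""
    layout = LAYOUTS[version]
    data = bytearray(max(layout.delsym_offset + len(DELSYM_ORIG), layout.nop_end + 1) + 16)
    data[layout.delsym_offset:layout.delsym_offset + len(DELSYM_ORIG)] = DELSYM_ORIG
    count = layout.nop_end - layout.nop_start + 1
    data[layout.nop_start:layout.nop_end + 1] = bytes(range(1, count + 1))
    return data


if __name__ == "__main__":
    for version in LAYOUTS:
        img = sample_image(version)
        removed = apply_all(img, version)
        print(f"TRW2000 v{version}: NOPed {removed.hex()} at the Sym_CreateSegment check")
        print(f"  second run refused, image untouched: {patch_refused(img, version)}")
```

to use it on a real driver, read trw2000.sys into a bytearray, call apply_all(data, "1.22") or apply_all(data, "1.23"), and write the result to a new file; if the bytes at the offset differ from the README's, PatchError tells you what was found instead and nothing is written, which is exactly the "see the opcode before attempting to patch" step, automated.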