                            ÚÄÄ-úú              :
                            ł ţ GetEQExe 3.49 ţ ł
                            :       úúÄÄÄú      ú

ÚÄÄ-úú
ł ţ What is GetEQExe?
ł   GetEQExe is a program to compare the startup code of COM files, DOS
ł   executables or Windows PE executables or normal files.
ł
ł   You can use GetEQExe for
ł     comparing up to 10 EXE startup codes,
ł     comparing up to 10 normal files,
ł     ripping code out of a file
ł
ł   GetEQExe does not care if the files is readonly or not.
ł
ł   Homepage: http://surf.to/phax
ł      eMail: phax@writeme.com
ł
ł   Please mail any suggestions for improvement to me.
:

ÚÄÄ-úú
ł ţ The switches:
ł
ł đ Available options:
ł   /BIN         create binary output -> to rip startup code
ł   /BIT         compare bits instead of bytes
ł   /DIFF        print only not identical bytes
ł   /ENDn        goto n bytes before the end of the file
ł   /EXT         extended output (maybe interesting)
ł   /FILL        also print equal bytes in /DIFF mode
ł   /GOTOn       start comparing at filepos n (default = CS:IP [EXE]; 0 [else])
ł   /HELP        activate the help system
ł   /MACROxyz    execute the macro "xyz"
ł   /MAGICn      set the magic number for the Pascal output file (default = 0)
ł   /MAXn        set the maximum filesize (default = infinite)
ł   /MINn        set the minimum filesize (default = 0)
ł   /NOCFG       do not use the configuration file
ł   /NODIS       do not "disassemble"
ł   /NOPAS       do not create a Pascal include files
ł   /NOCON       do not write anything to STDOUT
ł   /NONE        do not compare new executables (NE/PE)
ł   /OVER        overwrite the Pascal file without asking
ł   /NAMEfile    set the Pascal filename "file" (default = "_outexe.inc")
ł   /PASLENn     set the maximum number of bytes in the Pascal file (default = 80)
ł   /STOPBn      stop comparing after n bytes (default = infinite)
ł   /STOPMn      stop comparing after n matches (default = infinite)
ł
ł   GetEQExe also supports a configuration file called "GETEQEXE.CFG".
ł   There you can put the following switches:
ł     /BIN
ł     /BIT
ł     /MAXn
ł     /MINn
ł     /NODIS    * only if you have a registered version
ł     /NOHEAD
ł     /NOPAS
ł     /NOCON
ł     /OVER
ł     /NAMEfile
ł     /EXT      * only if you have an extended output version
ł   Every switch has to be in an extra line.
ł
ł đ Available methods:
ł   /ADDIPn      add IP to old one (subtract if n < 0; relative)
ł   /SETIPn      Change IP to n (absolute)
ł
ł đ Available macro commands (case sensitive):
ł   c    do a long call at the current position (only EXE files)
ł   f    do a far jump at the current position
ł   j    do a jump/call at the current position
ł   k    do a 32 bit jump/call at the current position
ł   m    do a MOV jump at the current position
ł   o    goto overlay position of DOS EXE
ł   _    seperator for macro commands
ł   Between every command may be numbers which tell the number of bytes to
ł   skip. See examples for details. See JMP/CALL sections for details.
ł
ł đ The following switch combinations are invalid:
ł   /ADDIP and /SETIP  -> either set IP or add something to IP
ł   /ADDIP and /END    -> either add something to IP or relative goto
ł   /ADDIP and /GOTO   -> either add something to IP or absolute goto
ł   /GOTO  and /SETIP  -> either set IP or absolute goto
ł   /GOTO  and /END    -> either absolute goto or relative goto from end
ł   /END   and /SETIP  -> either set IP or relative goto
ł   /BIN   and /BIT    -> no binary output and bit compare
ł   /BIN   and /EXT    -> no binary output and extended output
ł   /BIN   and /DIFF   -> no binary output if scan for differences
ł   /NOCON and /NOPAS  -> that would mean no output anyway
ł   /NOPAS and /PASLEN -> cannot set pascal len if no pascal file is made
ł
ł đ The following switches are required when the first one is used:
ł   /DIFF  -> /NOPAS   -> if /DIFF is used /NOPAS is automatically set
ł   /BIN   -> /NODIS   -> if /BIN is used /NODIS is automatically set
ł   /BIT   -> /NOPAS   -> if /BIT is used /NOPAS is automatically set
ł
ł   /DIFF- -> /FILL-   -> if /DIFF is not used /FILL is disabled
:

ÚÄÄ-úú
ł ţ Some examples
ł   GETEQEXE a.exe b.exe c.exe d.exe
ł       compare the startupcode (at CS:IP) of a.exe, b.exe, c.exe and d.exe
ł
ł   GETEQEXE a.exe b.exe c.exe d.exe /MACROj
ł       goto CS:IP, evaluate one jump, then compare
ł
ł   GETEQEXE a.exe b.exe c.exe d.exe /MACRO10j
ł       goto CS:IP, skip 10 bytes, evaluate one jump, then compare
ł
ł   GETEQEXE ?.exe /MACRO10
ł       compare all files that match the filemask ?.exe,
ł       goto CS:IP, skip 10 bytes, then compare
ł
ł   GETEQEXE a b c d /MACRO10
ł       the same as above. ".EXE" is the default extension
ł
ł   GETEQEXE /MACRO5jj a b c d
ł       goto CS:IP, skip 5 bytes, evaluate 2 jumps, then compare
ł
ł   GETEQEXE /MACRO5j10j a b c d
ł       goto CS:IP, execute macro "5j10j", then compare
ł       macro: skip 5 bytes, evaluate jump, skip 10 bytes, evaluate jump
ł
ł   GETEQEXE /GOTO128 /MACRO1m6j a.com b.com c.com d.com
ł       goto position 128, execute macro "1m6j", then compare
ł       macro: skip 1 byte, evaluate a MOV jump, skip 6 bytes, evaluate jump
ł
ł   GETEQEXE /NOCOM /ADDIP5 /MACRO7j15j a b c d
ł       will cause an error because it is not allowed to use /ADDIP and
ł       /MACRO at the same time because if you use a macro you can include
ł       the /ADDIP command in the macro: /MACRO12j15j
:
ł ţ Ripping code out of a file:
ł   GETEQEXE file_to.rip /GOTO512 /STOPB75 /BIN /NOPAS > result.bin
ł       rip 75 bytes from file_to.rip at position 512 (starting at 1!)
ł       create binary output and write it to result.bin
:

ÚÄÄ-úú
ł ţ JMP/CALL/... section
ĂÄÄ-úú
ł   The JMP/near call command:
ł     JMP 1980h
ł   or
ł     CALL 1980h
ł
ł   Valid jumps and calls are:
ł     $74 JE    -  jump if equal
ł     $74 JNE   -  jump if not equal
ł     $E3 JCXZ  -  short jump if CX is zero
ł     $E8 CALL  -  unconditional call
ł     $E9 JMP   -  unconditional jump
ł     $EB JMPS  -  unconditional short jump
ĂÄÄ-úú
ł   The MOV; JMP commands:
ł     MOV BP, 1980h
ł     JMP BP
ł
ł   Valid registers (here: BP) are:
ł     $B8 - AX
ł     $B9 - CX
ł     $BA - DX
ł     $BB - BX
ł     $BC - SP
ł     $BD - BP
ł     $BE - SI
ł     $BF - DI
ł
ł   Note: GETEQEXE does not validate the JMP command. It just takes the
ł         value and jumps there.
ĂÄÄ-úú
ł   The long CALL command:
ł     CALL 4027h:5622h
ł
ł   Supported CALL commands:
ł     $9A - CALL
ĂÄÄ-úú
ł   The JMP FAR command:
ł     explanation 2 come :(
:

ÚÄÄ-úú
ł ţ Some history of GetEQExe:
ł
ł 3.49 - fixed bug in /BIN command if /OUT is used
ł        some minor enhancements which were done while developing GT
ł        excluded 0 byte files
ł 3.48 - fixed internal type problem with Win32 version
ł 3.47 - added switch /BIT (bit compare support)
ł        improved documentation
ł 3.46 - fixed problem with help system in Win32 variant
ł 3.45 - tried to add support for UNC pathes
ł        fixed problem with path handling of Win32 version
ł 3.44 - added support for NE self loading modules
ł 3.43 - fixed severe bug with PE and NE executables :(
ł 3.42 - first Windows version finished!
ł 3.41 - enhanced output format for /DIFF so that equal bytes are marked
ł          when using /FILL
ł 3.40 - added support for LE EXEs
ł 3.30 - changed internally to new output method
ł 3.29 - added switch /OVLAY
ł 3.28 - added switch /FILL
ł 3.27 - improved help system (removed "methods" section)
ł        added possibility to write syntax to file
ł 3.26 - added switches /MIN and /MAX to set filesize limitations
ł 3.25 - if E9h was found and macro "k" was used "r" is suggested
ł        fixed small string bug
ł 3.24 - fixed memory bug when comparing PE EXEs which can cause crashes
ł        fixed very stupid bug which disabled the correct handling of macros
ł          which was in since 3.21 or so
ł        fixed range check error with negative jumps
ł 3.23 - fixed bug if switch /NOPAS was used
ł        fixed strange output bug - TPs write function does not work ?????
ł 3.22 - fixed bug with error that printed bytes. the wrong pos was used
ł        added "jne" $75 to the valid "j" macro jumps
ł 3.21 - split up source code into several units (better readable)
ł        fixed strange runtime error
ł 3.20 - fixed problem with new executables where the relocation offset
ł          in the header was between 24 and 64
ł        fixed problem that /STOPBn always read one byte too much
ł        added $74 (JE) to the valid short jumps for macro "j"
ł        fixed bug in long called handling - offset was missing
ł        now every file has its own PE object table handler ;)
ł        removed /AAUTO switch - was not tested and made code too difficult
ł        some internal code restructures
ł        optimized disassembler module for size (saved ~1800 bytes)
ł        fixed stupid crach when not comparing PE EXEs
ł 3.14 - added switch /NONE to disable scanning for NE/PE executables
ł 3.13 - fixed problem with ET_COM/ET_NONE type -> now it's all ET_COM
ł        added possibility to disable switches with the "-" char at the
ł          end (e.g. "/nodis-"). used to overwrite switches in the cfg file
ł 3.12 - now start counting at 0
ł 3.11 - fixed stupid bug with PE EXE detection
ł        fixed stupid bug with COM/non EXE files
ł 3.10 - no abort if it is a new executable or a linaer executable
ł        fixed bug with huge offsets of PE executables (word -> longint)
ł        added explicit detection of new and linear executables
ł        removed /ADDCS and /SETCS
ł        /ADDIP and /SETIP are only valid for COMs and DOS EXEs
ł        now can compare new executables startup code
ł        Pascal file is deleted if no equal bytes are inside
ł 3.04 - added output to switch /MAGICn
ł 3.03 - added switch /STOPEn
ł        if no more space is on the drive for the Pascal file, it will
ł          automatically be canceled
ł 3.02 - fixed problem with FindFirst - adding path manually
ł        fixed stupid bug if called without parameters
ł 3.01 - added message if output is redirected and /NOCON is used
ł        added output of two message if switches are automatically set
ł        removed that no pascal file is created if only one file was found
ł        if no file matches the given masks, anothe message appears
ł 3.00 - no Pascal file is created if /V is used
ł        no Pascal file is created if only one file is in use
ł        new FindFirst/Next/Close support for Delphi
ł        added headline for help system
ł        fixed big bug in C/ACS and I/AIP handling
ł        changed to long name commands
ł        code clearings
ł        more general command line handling
ł        now aborting if new Pascal filename is invalid
ł        fixed problem in commandline handling with long names and values
ł        removed all single command modifier (/A*) - should use macros
ł        updated documentation
ł        error if /NODIS and /BIN used at the same time
ł 2.94 - fixed small problem with output of equal bytes on abort
ł        removed switch /F - now automatic detection
ł 2.93 - added switch /A32J and according macro "k"
ł        added output of PE Entrypoint RVA
ł 2.92 - changed from Get/SetFAttr to FileMode setting
ł        splitted switch /S into /SB and /SM
ł 2.91 - fixed range check error with CS:IP output
ł 2.90 - fixed problem if no files were opened
ł        added output of equal bytes found
ł 2.89 - fixed problem if value of /E was too high
ł        made it compile with Free Pascal
ł 2.88 - added switch /E - comparing at the end of the file
ł        added extending of path from switch /Fpath
ł 2.87 - now I have asm code for every byte (except F1h)
ł        added switch /ND - no disassembler
ł 2.86 - added a little assembler output (maybe helpful??)
ł        fixed problems with offset of new executable
ł 2.85 - added error code on jmp/call otu of file border
ł        added some information to the output
ł        improved configuration file handling
ł 2.84 - made better output and smaller code
ł        disallowed comparison of COM and EXE files
ł 2.83 - generalized the MOV jumps ($B8 - $BF)
ł        advanced documentation
ł        added output of the bytes at the position of a wrong jump
ł 2.82 - added switch /B for binary output
ł        added $E3 to the valid jumps (JCXZ)
ł        fixed bug with the switches AIP/I and ACS/C
ł 2.81 - removed switch /Y
ł        allowed usage of /I within PE files
ł 2.80 - hope I fixed type problem with E8 and E9 jumps
ł        made better code in PE entrypoint detection
ł 2.79 - fixed problem with automatic filename extension if a directory
ł          with the same name exists
ł 2.78 - if first identical byte is a jump -> print comment
ł        if nothing was found, Pascal file will be deleted
ł        Changed error message if file was not found
ł 2.77 - removed switch /ACOM - now automatic detection
ł        added error messages if file is NE, LE or LX otherwise continue
ł 2.76 - added $BE as valid move jump
ł        added check if it is really a PE or not
ł 2.75 - disabled many switches in the configuration file
ł 2.74 - fixed bug in calculation of PE entry point
ł          now using the values in the object table
ł        added possibility to capture startup code of a single file
ł        added switch /NH
ł 2.73 - added automatic support for portable executables !!
ł        added switch /Y to move entrypoint of PE's
ł        released to the EXE mailinglist
ł 2.72 - fixed bug that only allowed to use /F :(
ł        code clearings - smaller code
ł        advanced output of /X
ł        now an error occurs if file has no overlays and switch /AOVR is set
ł 2.71 - fixed bug in loop handling
ł        added output of config file switches
ł        added support for filemasks (/F)
ł 2.70 - removed bug in output
ł 2.69 - added configuration file support
ł        optimized code a little bit
ł        first public release
ł 2.68 - now attributes are restored on error
ł        now using string constants -> saved ~1 KB
ł        made complex but small parameter handling
ł 2.67 - added check for redirection
ł        added documentation
ł        added additional commandline parameter check (NP, NS)
ł        added error if Pascal file exists
ł        added switch /O
ł        removed with /AIP and /I
ł 2.66 - added faster print method
:
ł prior version were not documented because I never though that I'll
ł ever release this piece of difficulty ...
:

ÚÄÄ-úú
ł ţ GetEQExe is Copyright (c) 1997 - 2000 by PHaX (phax@writeme.com)
:                                 --- EOF ---