24 replies to this topic

[was_jaclaz]

As some of the members might know I am particularly fond of this nice hex editor, Tiny Hexer.

Here:
http://www.mirkes.de/
Markus Stephany, the Author, is currently in what could be defined a "maybe sabbatical year", but he kindly let most of his programs available:
http://www.mirkes.de/files/

the file:
http://www.mirkes.de...s/tinyhexer.cab
is the complete BartPE plugin <-this is the "minimal" version that you can get

the file:
http://www.mirkes.de/files/mpth_18.exe
is the "full" install <-this is the one you should download

the file:
http://www.mirkes.de...s/mpthme_18.exe
is the "medium edition" install

Besides a lot of nice features, the really nice feature it has is that it is scriptable.

The scripting language is very "strict", with explicit variable declaration, data types, but once spent some frustrating time on it, even a dinosaur like me can start doing something useful with it.

I just wrote a Structure Viewer script for the MBR, missing in the default library, which you may find attached.

It would be nice if the people interested to/working with MBR's could have a look at it and test it.

File MBR_view.mps should be copied to <whatever>\mirkes.de\Tiny Hexer\scripts\Structure Viewer directory.

You will need to go Tools->Scripts->Rescan Scripts Directory to have it available in Structure Viewer.

As always ideas , comments or discussions , bug reports , etc. ON THE SCRIPT(s) are welcome.



jaclaz

P.S.: added the ON THE SCRIPT(s), since it seems like it wasn't perceived as implied:
http://www.boot-land...?...ic=8736&hl=
at the risk of appearing more grumpy than I really am : I DON'T CARE about other people's choices on hex editors. Everyone is free to choose the one he likes.

Latest version here:

Attached Files

•  BSview.zip   3.74KB   1316 downloads
•  MBRview.zip   2.59KB   1400 downloads
•  PTview.zip   1.5KB   1278 downloads

[was_jaclaz]

Partition Table viewer.

Mimics the output of Beeblebrox or PTEdit/PTView but has hyperlinks to the actual HEX.



jaclaz

Latest version attached to first post.

[bilou_gateux]

Partition Table viewer.

Mimics the output of Beeblebrox or PTEdit/PTView but has hyperlinks to the actual HEX.



jaclaz

I noticed a wrong typo display output for the NumSectors of 4th partition:
data value not vertically right alligned in NumSectors column (maybe increased lenght to >9 characters required - it's like an extra tab is added)

except that, nice job done.

[was_jaclaz]

I noticed a wrong typo display output for the NumSectors of 4th partition:
data value not vertically right alligned in NumSectors column (maybe increased lenght to >9 characters required - it's like an extra tab is added)

except that, nice job done.

Yep, alignment is rather rudimental right now (cannot say if due to limits in the commands or my at the moment still almost complete inadequacy in using them) .
Can you post a screenshot so that I can have a look at it?
(or just copy and paste inside a CODE or CODEBOX....)

jaclaz

[bilou_gateux]

Can you post a screenshot so that I can have a look at it?

jaclaz

[Lancelot]

These are very handy, thanks for sharing

[dog]

matches beeblebrox output here

[was_jaclaz]

(maybe increased lenght to >9 characters required - it's like an extra tab is added)

Yep, that's it.

A TAB resolves to 8 characters and the 9th one "pushes" to next TAB stop.

I'll see if I find a better way, I have similar problems in the script I am currently experimenting with, that uses SIGQWORD (64 bit variables) and messes completely the output.



jacalz

[was_jaclaz]

Once set aside XML, which I find the second best conceived Divine punition to humanity after the Tower of Babel, there is one thing that I hate more than HTML which is TABLES in HTML.

However, new versions of PTview and MBRview.



jaclaz

[was_jaclaz]

I am working on a PBR or bootsector viewer which, unlike the ones already shipped with Tinyhexer can "auto-recognize" known filesystems.

I need a copy of a bootsector with following formats (512 bytes):

• FAT12 invoking kernel.sys FREEDOS
• FAT16 invoking kernel.sys FREEDOS
• FAT32 invoking kernel.sys FREEDOS
• FAT12 invoking IO.SYS DOS
• FAT16 invoking IO.SYS DOS
• FAT32 invoking IO.SYS DOS
• FAT12 invoking NTLDR, NT/2K/2003
• FAT16 invoking NTLDR, NT/2K/2003
• FAT32 invoking NTLDR, NT/2K/2003
• NTFS invoking NTLDR, NT/2K/2003
• FAT12 invoking BOOTMGR Vista/2008/7
• FAT16 invoking BOOTMGR Vista/2008/7
• FAT32 invoking BOOTMGR Vista/2008/7
• NTFS invoking BOOTMGR Vista/2008/7

(just joking I do have the above )

The FOLLOWING are what I actually need:

• EXT2FS Linux (LILO, Syslinux and GRUB)
• EXT3FS Linux (if different from above)
• ReiserFS Linux (LILO, Syslinux and GRUB)
• HPFS (OS/2)
• Whatever other filesystem worth being supported

jaclaz

[Icecube]

Syslinux for EXT2/3/4 is called EXTLINUX.
The code that gets installed in the PBR can be found in the file /core/extlinux.bss of the Syslinux package.

For all bootloaders the code for booting of EXT2 or EXT3 should be the same (EXT3 is EXT2 with a journal, but bootloaders don't use the journal).

Syslinux doesn't support ReiserFS (at least for now).

Included in attached file:

• GRUB installed on EXT3
• GRUB installed on EXT4
• EXTLINUX PBR of the Syslinux package

Off topic: 1 MB of attachment space is very little if you have a few attachements on the board .

Attached Files

•  PBR.zip   4.54KB   959 downloads

[was_jaclaz]

Off topic: 1 MB of attachment space is very little if you have a few attachements on the board .

Sure it is.

You are a "common" Advanced user at the moment.

I guess we can trust you with some more space.

Check your attachment capabilities now.



jaclaz

[Icecube]

It is way better now .

[was_jaclaz]

Included in attached file:

• GRUB installed on EXT3
• GRUB installed on EXT4
• EXTLINUX PBR of the Syslinux package

Hmm. maybe that was what you packed.

What I can find:

• GRUB installed on EXT3 a GRUB EMPTY MBR
• GRUB installed on EXT4 a GRUB EMPTY MBR
• EXTLINUX PBR of the Syslinux package some code 512 bytes long that starts with a jump EB5890, seems like a bootsector but ends with D601 (as opposed to 55AA)

Please tell me that you actually packed what I listed and that this is NOT another case of !

Besides, what I meant:

The FOLLOWING are what I actually need:

• EXT2FS Linux (LILO, Syslinux and GRUB)
• EXT3FS Linux (if different from above)
• ReiserFS Linux (LILO, Syslinux and GRUB)
• HPFS (OS/2)
• Whatever other filesystem worth being supported

Was "actual bootsectors" extracted from a working disk/disk image.



jaclaz

[was_jaclaz]

Revised version of PTview (bug in displaying Cylinders > 255 fixed)
Latest version of MBRview (relative addressing possible)
Experimental, completely UNLIKE finished and NOT EVEN "pretty" version of BSview (a viewer for bootsectors: for the moment some work done on FAT12/16 and FAT32 ines, very little on NTFS ones, NOTHING about other filesystems).

Latest version attached to first post.

jaclaz

[maanu]

@ wonko

can you be kind to answer few questions ?
i want to learn manual way of dealing with hdd's / or kind of manual .

1.what is the advantage of these additional scripts ?
2.do they give some more features then " known " hdd tools like beeblebox ?

3.what is " rule of thumb" to calculate hdd space with cylinders ?

i mean destination and its formula ?

isn't there an excel sheet you maintained ?

4. also , please advice some links which i can read and understand , to give me info about manually calculating correct geometry of hdd , its sectors and cylinders etc,


thanks in advance.

[Wonko the Sane]

1.what is the advantage of these additional scripts ?

Try them, and you'll see.

2.do they give some more features then " known " hdd tools like beeblebox ?

Yes and No. (see above)

3.what is " rule of thumb" to calculate hdd space with cylinders ?

NO "rule of thumb" AFAIK. There are mathematical formulas.
If you are within the realms of "orthodox" partitioning and using the "common" 255/63 geometry on "common" 512 bytes/sector media, there is a "rounded" method:
since 1x255x63x512= 8,225,280 bytes, each cylinder is ROUGHLY 8 Mb.

i mean destination and its formula ?

I don't understand, but see below.

isn't there an excel sheet you maintained ?

YES.
http://homepages.tes...no-answers.html
(you should have learned by now )


Here :
http://reboot.pro/2959/
get BOTH the original one in first post and the V2 version:
http://reboot.pro/2959/page__st__9

Take some time on them and most part will become clear.

4. also , please advice some links which i can read and understand , to give me info about manually calculating correct geometry of hdd , its sectors and cylinders etc,

See above.


Wonko

[Wonko the Sane]

Since I already had someone WHINING he was not able to download Tiny Hexer, in order to prevent any additional WHINING:

• the original site is NO MORE. (and asks for a password)
• of course the actual tool can be downloaded from half the internet, like here:
  http://www.softpedia...load-35737.html
• and the Wayback Machine has a cache :
  http://web.archive.o...irkes.de/files/
• unfortunately it has not cached the actual files

If you need any of the "other" files, post a request on Lost&Found:
http://reboot.pro/forum/78/
maybe someone can provide it.


Wonko

[Legorol]

16-bit disassembly view in the Structure Viewer using external disassembler:
===========================================================
Link: http://dl.dropbox.co...4418/disasm.zip
One of the things that some other hex editors can do is to do a quick disassembly of the data you are examining into x86 assembly code. Actually, not many of them can do this, and even the ones that do can only disassemble the data as 32-bit code (IA-32) and sometimes 64-bit (AMD64). However, I wanted to be able to view a 16-bit (real mode) disassembly of the data, so I made a Tiny Hexer script for the Structure Viewer. I wasn't going to write a whole disassembler, so I rely on an external disassembler (hardcoded in the script at the moment). Why is this useful: when you are examining master boot records, boot sectors and other such animals, the code in there is 16-bit. There are surprisingly few tools that can help you examine that code.

Installation and Usage:
The external disassembler I use is objdump, part of GNU binutils, as installed with Cygwin. The script is currently hardcoded with the path "c:\Cygwin\bin\obdjump.exe".
Place the attached disasm.mps file into <installlocation>\Tiny Hexer\scripts\Structure Viewer.
In Tiny Hexer, "Disassembly (16-bit)" should now be a new option in the Structure Viewer.
When you open a file, this will disassemble the first 1024 bytes of the data (this limit is hardcoded in the script).
If you "unlock" the Structure Viewer (depress the four blue arrows pointing at each other), the disassembly will start at the cursor instead. If you make a selection, the disassembly will apply to the selection only.

Notes:
The disassembly output from objdump is placed in a temporary file, which is created in %TEMP% with the name "~mpthdisasmxxxx.tmp", where xxxx is a random integer. The script should delete this file after it's used.
You can replace the disassembler with a different version of objdump, or even a different disassembler altogether. The analysis of the output however assumes a certain structure, so if you change disassembler, you need to modify the script accordingly.

If anyone knows of a decent hex editor that can show the data as 16-bit disassembled code, I would be very interested.

Link: http://dl.dropbox.co...4418/disasm.zip

PS: How do I make an attachement to a post?

[Wonko the Sane]

Installation and Usage:
The external disassembler I use is objdump, part of GNU binutils, as installed with Cygwin. The script is currently hardcoded with the path "c:Cygwinbinobdjump.exe".
Place the attached disasm.mps file into <installlocation>Tiny HexerscriptsStructure Viewer.

It would be nice if you could provide exact instructions for the Cygwin installation procedure, and/or list the exact files neeeded and where exactly to get them, to avoid to the poor peeps experiences like:
http://reboot.pro/15207/

If anyone knows of a decent hex editor that can show the data as 16-bit disassembled code, I would be very interested.

What about biew beye ?
http://en.wikipedia.org/wiki/Beye
http://beye.sourcefo...et/en/beye.html

PS: How do I make an attachement to a post?

You make more posts until you reach the threshold set to allow attachments (cannot remember if currently set to 50 or 100 posts) or ask Nuno (nicely ) if he can allow you.

@all
Just for the record, some of the found missing files are listed here:
http://reboot.pro/16263/
but the actual "last version" of the SDK is stil amiss, if anyone has a copy of it it would be nice to have it.


Wonko

[Icecube]

WXHexeditor can show you 16-bit disassembly:
http://www.wxhexeditor.org/

You could also try ndisasm of the nasm package as external disassembler:
http://www.nasm.us/

[Legorol]

It would be nice if you could provide exact instructions for the Cygwin installation procedure, and/or list the exact files neeeded and where exactly to get them, to avoid to the poor peeps experiences like:
http://reboot.pro/15207/

It would be nice if you could provide exact instructions for the Cygwin installation procedure, and/or list the exact files neeeded and where exactly to get them, to avoid to the poor peeps experiences like:
http://reboot.pro/15207/

You are right, I didn't explain how you could get objdump.exe in Cygwin. I intended this post as an initial release of the script: this is how far I got with it so far, you can use it if you want, your milage may vary ;-) I already use Cygwin regularly, so I made use of it, but I don't expect others to do the same. Here are some instructions then for installing Cygwin:

Cygwin (http://www.cygwin.com) is a Linux API layer providing substantial Linux API functionality under Windows, as well as a large set of Linux tools and applications ported to this layer. If you like, you can set up a virtual Linux environment under Windows. I am not sure if you can just grab a single tool or executable out of it and use it on its own.

To use Cygwin, you must download its web-based setup program (http://cygwin.com/setup.exe) and run it. Follow the on-screen instructions. You will get a choice of packages to install. "objdump" is found in "binutils", under the "Devel" category. You can try and eliminate all other packages, I don't know how many you must install as a bare minimum. You will also have to specify the Cygwin installation directory (I use C:Cygwin).

Once Cygwin is installed, any tools/applications that come with it can just be executed directly in Windows, for example from a Command Prompt or launched by another application (as I do with the Tiny Hexer script).

PS: How do I edit an existing post which already had some replies to it?

Edited by Legorol, 29 January 2012 - 12:33 PM.

[Legorol]

WXHexeditor can show you 16-bit disassembly:
http://www.wxhexeditor.org/

I found wxHexEditor as well, it's an excellent initiative, but at the moment it seems like its rather in its infancy still. I have tried its built-in 16-bit disassembler, but it chokes after 2-3 instructions. I am looking forward to see what becomes of this project in the future.

You could also try ndisasm of the nasm package as external disassembler:
http://www.nasm.us/

Very good idea!

[Wonko the Sane]

PS: How do I edit an existing post which already had some replies to it?

Hmmm , I will re-phrase :

You make more posts until you reach the threshold set to allow attachments or editing of own posts (cannot remember if currently set to 50 or 100 posts) or ask Nuno (nicely ) if he can allow you.

Wonko

[Legorol]

Here is the second version:
http://dl.dropbox.co.../disasmv0.2.zip

This version uses NDISASM (http://www.nasm.us/) as the external disassembler. It assumes that ndisasm is located at c:nasmndisasm.exe. This is a standalone executable, if you like you can just keep that one file and don't need anything else. Link to win32 binary package that you just need to unzip: http://www.nasm.us/p...09.10-win32.zip

This is a much cleaner solution, thanks Icecube!

I also reduced the default disassembled amount of bytes to 256, unless you make a selection (you can select the whole file if you desire).

Possible future enhancements are:
Add a configuration dialog so that you can set the path to the external disassembler and to switch between disassembly mode (16-, 32- and 64-bit).