                              GetEQExe 3.xx

-
  What is GetEQExe?
   GetEQExe is a program that compares the startup code of COM files, DOS
   executables and Windows PE executables, or the contents of normal files.

   You can use GetEQExe for
     comparing up to 10 EXE startup codes,
     comparing up to 10 normal files,
     ripping code out of a file

   GetEQExe does not care whether a file is read-only or not.

   Homepage: http://surf.to/phax
      eMail: phax@writeme.com

   Please mail any suggestions for improvement to me.
:

-
  The switches:

  Available options:
   /BIN         create binary output -> to rip startup code
   /BIT         compare bits instead of bytes
   /DIFF        print only not identical bytes
   /ENDn        goto n bytes before the end of the file
   /EXT         extended output (maybe interesting)
   /FILL        also print equal bytes in /DIFF mode
   /GOTOn       start comparing at filepos n (default = CS:IP [EXE]; 0 [else])
   /HELP        activate the help system
   /MACROxyz    execute the macro "xyz"
   /MAGICn      set the magic number for the Pascal output file (default = 0)
   /MAXn        set the maximum filesize (default = infinite)
   /MINn        set the minimum filesize (default = 0)
   /NOCFG       do not use the configuration file
   /NODIS       do not "disassemble"
   /NOPAS       do not create a Pascal include file
   /NOCON       do not write anything to STDOUT
   /NONE        do not compare new executables (NE/PE)
   /OVER        overwrite the Pascal file without asking
   /NAMEfile    set the Pascal filename "file" (default = "_outexe.inc")
   /PASLENn     set the maximum number of bytes in the Pascal file (default = 80)
   /STOPBn      stop comparing after n bytes (default = infinite)
   /STOPMn      stop comparing after n matches (default = infinite)

   GetEQExe also supports a configuration file called "GETEQEXE.CFG".
   There you can put the following switches:
     /BIN
     /BIT
     /MAXn
     /MINn
     /NODIS    * only if you have a registered version
     /NOHEAD
     /NOPAS
     /NOCON
     /OVER
     /NAMEfile
     /EXT      * only if you have an extended output version
   Each switch must be on its own line.

  Available methods:
   /ADDIPn      add IP to old one (subtract if n < 0; relative)
   /SETIPn      Change IP to n (absolute)

  Available macro commands (case sensitive):
   c    do a long call at the current position (only EXE files)
   f    do a far jump at the current position
   j    do a jump/call at the current position
   k    do a 32 bit jump/call at the current position
   m    do a MOV jump at the current position
   o    goto overlay position of DOS EXE
   _    separator for macro commands
   A number may precede any command; it gives the number of bytes to skip
   before that command is executed. See the examples and the JMP/CALL
   section for details.

  The following switch combinations are invalid:
   /ADDIP and /SETIP  -> either set IP or add something to IP
   /ADDIP and /END    -> either add something to IP or relative goto
   /ADDIP and /GOTO   -> either add something to IP or absolute goto
   /GOTO  and /SETIP  -> either set IP or absolute goto
   /GOTO  and /END    -> either absolute goto or relative goto from end
   /END   and /SETIP  -> either set IP or relative goto
   /BIN   and /BIT    -> no binary output and bit compare
   /BIN   and /EXT    -> no binary output and extended output
   /BIN   and /DIFF   -> no binary output if scan for differences
   /NOCON and /NOPAS  -> that would mean no output anyway
   /NOPAS and /PASLEN -> cannot set pascal len if no pascal file is made

  The following switches are required when the first one is used:
   /DIFF  -> /NOPAS   -> if /DIFF is used /NOPAS is automatically set
   /BIN   -> /NODIS   -> if /BIN is used /NODIS is automatically set
   /BIT   -> /NOPAS   -> if /BIT is used /NOPAS is automatically set

   /DIFF- -> /FILL-   -> if /DIFF is not used /FILL is disabled
:

-
  Some examples
   GETEQEXE a.exe b.exe c.exe d.exe
       compare the startup code (at CS:IP) of a.exe, b.exe, c.exe and d.exe

   GETEQEXE a.exe b.exe c.exe d.exe /MACROj
       goto CS:IP, evaluate one jump, then compare

   GETEQEXE a.exe b.exe c.exe d.exe /MACRO10j
       goto CS:IP, skip 10 bytes, evaluate one jump, then compare

   GETEQEXE ?.exe /MACRO10
       compare all files that match the filemask ?.exe,
       goto CS:IP, skip 10 bytes, then compare

   GETEQEXE a b c d /MACRO10
       the same as above. ".EXE" is the default extension

   GETEQEXE /MACRO5jj a b c d
       goto CS:IP, skip 5 bytes, evaluate 2 jumps, then compare

   GETEQEXE /MACRO5j10j a b c d
       goto CS:IP, execute macro "5j10j", then compare
       macro: skip 5 bytes, evaluate jump, skip 10 bytes, evaluate jump

   GETEQEXE /GOTO128 /MACRO1m6j a.com b.com c.com d.com
       goto position 128, execute macro "1m6j", then compare
       macro: skip 1 byte, evaluate a MOV jump, skip 6 bytes, evaluate jump

   GETEQEXE /NOCON /ADDIP5 /MACRO7j15j a b c d
       causes an error: /ADDIP and /MACRO must not be used at the same
       time, because the /ADDIP offset can be included in the macro
       itself: /MACRO12j15j
:
  Ripping code out of a file:
   GETEQEXE file_to.rip /GOTO512 /STOPB75 /BIN /NOPAS > result.bin
       rip 75 bytes from file_to.rip at position 512 (starting at 1!)
       create binary output and write it to result.bin
:

-
  JMP/CALL/... section
-
   The JMP/near call command:
     JMP 1980h
   or
     CALL 1980h

   Valid jumps and calls are:
     $74 JE    -  jump if equal
     $75 JNE   -  jump if not equal
     $E3 JCXZ  -  short jump if CX is zero
     $E8 CALL  -  unconditional call
     $E9 JMP   -  unconditional jump
     $EB JMPS  -  unconditional short jump
-
   The MOV; JMP commands:
     MOV BP, 1980h
     JMP BP

   Valid registers (here: BP) are:
     $B8 - AX
     $B9 - CX
     $BA - DX
     $BB - BX
     $BC - SP
     $BD - BP
     $BE - SI
     $BF - DI

   Note: GETEQEXE does not validate the JMP command. It just takes the
         value and jumps there.
-
   The long CALL command:
     CALL 4027h:5622h

   Supported CALL commands:
     $9A - CALL
-
   The JMP FAR command:
     explanation 2 come :(
:
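
The macro walk from "Available macro commands" combined with the opcode tables above, as an added Python example that is not GetEQExe's own code. It models only skip counts, "j", "m" and "_"; the rel8/rel16 target arithmetic, the use of the MOV immediate directly as a file offset, and all function names and sample bytes are assumptions.

```python
import struct

SHORT = {0x74, 0x75, 0xE3, 0xEB}  # JE, JNE, JCXZ, JMPS: opcode + signed rel8
NEAR = {0xE8, 0xE9}               # CALL, JMP: opcode + signed rel16
MOV_R16 = range(0xB8, 0xC0)       # MOV AX..DI, imm16

def _check(buf, pos):
    if not 0 <= pos < len(buf):
        raise ValueError(f"position {pos} is outside the file")
    return pos

def follow_jump(buf, pos):
    """Macro 'j': target of the jump/call at pos, relative to the next opcode."""
    op = buf[_check(buf, pos)]
    if op in SHORT:
        return _check(buf, pos + 2 + struct.unpack_from("<b", buf, pos + 1)[0])
    if op in NEAR:
        return _check(buf, pos + 3 + struct.unpack_from("<h", buf, pos + 1)[0])
    raise ValueError(f"byte {op:#04x} at {pos} is not a supported jump/call")

def follow_mov_jump(buf, pos):
    """Macro 'm': the imm16 of MOV reg, imm16 becomes the new position.
    As the note above says, the JMP reg that follows is not validated."""
    if buf[_check(buf, pos)] not in MOV_R16:
        raise ValueError(f"no MOV reg, imm16 at {pos}")
    # Assumption: the immediate is used directly as a file offset.
    return _check(buf, struct.unpack_from("<H", buf, pos + 1)[0])

def run_macro(buf, macro, pos=0):
    """Apply a macro such as '5j10j' from pos and return the final position."""
    digits = ""
    for ch in macro + "_":          # trailing separator flushes a final skip
        if ch.isdigit():
            digits += ch
            continue
        pos, digits = pos + int(digits or 0), ""
        if ch == "j":
            pos = follow_jump(buf, pos)
        elif ch == "m":
            pos = follow_mov_jump(buf, pos)
        elif ch != "_":
            raise ValueError(f"macro command {ch!r} is not modelled here")
    return _check(buf, pos)

def equal_run(bufs, starts):
    """Count leading bytes that are identical in every file from its start."""
    n = 0
    while (all(s + n < len(b) for b, s in zip(bufs, starts))
           and len({b[s + n] for b, s in zip(bufs, starts)}) == 1):
        n += 1
    return n

# Constructed sample images: different layouts, same 4-byte stub behind the jumps.
A = bytes([0x90]*5 + [0xEB, 0x03] + [0xCC]*3 + [0x90, 0xBD, 0x14, 0x00, 0xFF, 0xE5]
          + [0]*4 + [0xB4, 0x4C, 0xCD, 0x21, 0xAA])
B = bytes([0]*5 + [0xE9, 0x10, 0x00] + [0xCC]*16 + [0x90, 0xBE, 0x20, 0x00, 0xFF, 0xE6]
          + [0]*2 + [0xB4, 0x4C, 0xCD, 0x21, 0xBB])
```

With the macro "5j1m", image A resolves to position 20 and image B to position 32, and equal_run over those two positions reports the four bytes the images share.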

-
  Some history of GetEQExe:

 3.48 - fixed internal type problem with Win32 version
 3.47 - added switch /BIT (bit compare support)
        improved documentation
 3.46 - fixed problem with help system in Win32 variant
 3.45 - tried to add support for UNC paths
        fixed problem with path handling of Win32 version
 3.44 - added support for NE self loading modules
 3.43 - fixed severe bug with PE and NE executables :(
 3.42 - first Windows version finished!
 3.41 - enhanced output format for /DIFF so that equal bytes are marked
          when using /FILL
 3.40 - added support for LE EXEs
 3.30 - changed internally to new output method
 3.29 - added switch /OVLAY
 3.28 - added switch /FILL
 3.27 - improved help system (removed "methods" section)
        added possibility to write syntax to file
 3.26 - added switches /MIN and /MAX to set filesize limitations
 3.25 - if E9h was found and macro "k" was used "r" is suggested
        fixed small string bug
 3.24 - fixed memory bug when comparing PE EXEs which can cause crashes
        fixed very stupid bug which disabled the correct handling of macros
          which was in since 3.21 or so
        fixed range check error with negative jumps
 3.23 - fixed bug if switch /NOPAS was used
        fixed strange output bug - TPs write function does not work ?????
 3.22 - fixed bug with error that printed bytes. the wrong pos was used
        added "jne" $75 to the valid "j" macro jumps
 3.21 - split up source code into several units (better readable)
        fixed strange runtime error
 3.20 - fixed problem with new executables where the relocation offset
          in the header was between 24 and 64
        fixed problem that /STOPBn always read one byte too much
        added $74 (JE) to the valid short jumps for macro "j"
        fixed bug in long call handling - offset was missing
        now every file has its own PE object table handler ;)
        removed /AAUTO switch - was not tested and made code too difficult
        some internal code restructures
        optimized disassembler module for size (saved ~1800 bytes)
        fixed stupid crash when not comparing PE EXEs
 3.14 - added switch /NONE to disable scanning for NE/PE executables
 3.13 - fixed problem with ET_COM/ET_NONE type -> now it's all ET_COM
        added possibility to disable switches with the "-" char at the
          end (e.g. "/nodis-"). used to overwrite switches in the cfg file
 3.12 - now start counting at 0
 3.11 - fixed stupid bug with PE EXE detection
        fixed stupid bug with COM/non EXE files
 3.10 - no abort if it is a new executable or a linear executable
        fixed bug with huge offsets of PE executables (word -> longint)
        added explicit detection of new and linear executables
        removed /ADDCS and /SETCS
        /ADDIP and /SETIP are only valid for COMs and DOS EXEs
        now can compare new executables startup code
        Pascal file is deleted if no equal bytes are inside
 3.04 - added output to switch /MAGICn
 3.03 - added switch /STOPEn
        if no more space is on the drive for the Pascal file, it will
          automatically be canceled
 3.02 - fixed problem with FindFirst - adding path manually
        fixed stupid bug if called without parameters
 3.01 - added message if output is redirected and /NOCON is used
        added output of two messages if switches are automatically set
        removed that no pascal file is created if only one file was found
        if no file matches the given masks, another message appears
 3.00 - no Pascal file is created if /V is used
        no Pascal file is created if only one file is in use
        new FindFirst/Next/Close support for Delphi
        added headline for help system
        fixed big bug in C/ACS and I/AIP handling
        changed to long name commands
        code clearings
        more general command line handling
        now aborting if new Pascal filename is invalid
        fixed problem in commandline handling with long names and values
        removed all single command modifier (/A*) - should use macros
        updated documentation
        error if /NODIS and /BIN used at the same time
 2.94 - fixed small problem with output of equal bytes on abort
        removed switch /F - now automatic detection
 2.93 - added switch /A32J and according macro "k"
        added output of PE Entrypoint RVA
 2.92 - changed from Get/SetFAttr to FileMode setting
        split switch /S into /SB and /SM
 2.91 - fixed range check error with CS:IP output
 2.90 - fixed problem if no files were opened
        added output of equal bytes found
 2.89 - fixed problem if value of /E was too high
        made it compile with Free Pascal
 2.88 - added switch /E - comparing at the end of the file
        added extending of path from switch /Fpath
 2.87 - now I have asm code for every byte (except F1h)
        added switch /ND - no disassembler
 2.86 - added a little assembler output (maybe helpful??)
        fixed problems with offset of new executable
 2.85 - added error code on jmp/call out of file border
        added some information to the output
        improved configuration file handling
 2.84 - made better output and smaller code
        disallowed comparison of COM and EXE files
 2.83 - generalized the MOV jumps ($B8 - $BF)
        advanced documentation
        added output of the bytes at the position of a wrong jump
 2.82 - added switch /B for binary output
        added $E3 to the valid jumps (JCXZ)
        fixed bug with the switches AIP/I and ACS/C
 2.81 - removed switch /Y
        allowed usage of /I within PE files
 2.80 - hope I fixed type problem with E8 and E9 jumps
        made better code in PE entrypoint detection
 2.79 - fixed problem with automatic filename extension if a directory
          with the same name exists
 2.78 - if first identical byte is a jump -> print comment
        if nothing was found, Pascal file will be deleted
        Changed error message if file was not found
 2.77 - removed switch /ACOM - now automatic detection
        added error messages if file is NE, LE or LX otherwise continue
 2.76 - added $BE as valid move jump
        added check if it is really a PE or not
 2.75 - disabled many switches in the configuration file
 2.74 - fixed bug in calculation of PE entry point
          now using the values in the object table
        added possibility to capture startup code of a single file
        added switch /NH
 2.73 - added automatic support for portable executables !!
        added switch /Y to move entrypoint of PE's
        released to the EXE mailinglist
 2.72 - fixed bug that only allowed to use /F :(
        code clearings - smaller code
        advanced output of /X
        now an error occurs if file has no overlays and switch /AOVR is set
 2.71 - fixed bug in loop handling
        added output of config file switches
        added support for filemasks (/F)
 2.70 - removed bug in output
 2.69 - added configuration file support
        optimized code a little bit
        first public release
 2.68 - now attributes are restored on error
        now using string constants -> saved ~1 KB
        made complex but small parameter handling
 2.67 - added check for redirection
        added documentation
        added additional commandline parameter check (NP, NS)
        added error if Pascal file exists
        added switch /O
        removed with /AIP and /I
 2.66 - added faster print method
:
 prior versions were not documented because I never thought that I'll
 ever release this piece of difficulty ...
:

-
  GetEQExe is Copyright (c) 1997 - 1999 by PHaX (phax@writeme.com)
:                                 --- EOF ---
