SPY.DOC (text file, 1995-07-01, 25KB, 507 lines)
<FOR INFO ON LATEST CORRECTIONS & IMPROVEMENTS GO TO THE END OF THE FILE>
1.0 A FEW WORDS ABOUT SPY-TRAK:
SPY-TRAK is a disassembling and debugging tool for executable
.EXE and .COM programs.
There are a few products on the market used for
disassembling. Most of them do a job that may be termed an
examination of a program's dead body. They dissect programs
while these programs are not doing anything - no data is input
from the command line, and no data is input while the
programs execute. On some occasions we do not even know
whether the code we got from such disassembling is actually
the code used by the program during its execution. A
program can have a self-modifying capability (packed files,
for example), which may be hard to reveal by this "dead body"
disassembling.
SPY-TRAK is unique because it does the disassembling during
the program's execution. It tracks, step by step, each
operation performed by the program, recording the status of
its registers and flags and, finally, the instructions,
unassembled from opcodes into mnemonics.
The SPY-TRAK package generates 3 output files:
1. $filename.TRC, which very much resembles the output of the
DEBUG Trace command, except that $filename.TRC documents
the actual execution of the program.
2. $filename.LST is a list file of the tracked part of the
executed program's code. $filename.LST provides a brief
synopsis of the tracked code. Tracked segments (CS) are
listed in ascending order of CS value.
3. $filename.PRT documents IN and OUT operations performed by
the tracked program on the Parallel 1 & 2 printer I/O ports.
The .PRT file may be a helping tool for those who are trying
to beat anti-copy protection keys/dongles.
These ports are as follows: 03BCh - Parallel 1, Data Port;
03BDh - Parallel 1, Status Port; 03BEh - Parallel 1, Control Port;
0378h - Parallel 2, Data Port; 0379h - Parallel 2, Status Port;
037Ah - Parallel 2, Control Port.
Parallel Port 3 is not reported.
Tracking and generating the list file are controlled from
a user-friendly shell program - SpyTrak.exe. More on SpyTrak
menus is given in p. 1.4, 1.5 and 1.6.
For some applications the tracking program SPY.COM can be
used without the shell - SpyTrak.exe.
SPY-TRAK disassembles most applications designed to operate
in real-time on 16-bit registers. To operate, it requires
a hard disk and DOS 3.10 or later.
The current shareware copy of SPY-TRAK is limited to
processing programs no bigger than 3 kilobytes. Licensed
up-grades of SPY-TRAK can track programs of any size.
1.1 LIST OF PROGRAMS AND FILES MAKING THE SPY-TRAK PACKAGE:
Wheres.COM - 1Spy.bat installation program;
1Spy.bat - the shell calling program, created when
executing Wheres.COM;
1Spy.txt - a brief message;
1TEST.BAT - opens TEST.DOC for reading;
SpyTrak.exe - the shell program;
SB1992.COM - never change the name of this program!
SPY.COM - do not change the name of this program either!
SORT.EXE - leave this name unchanged too!
THREAD.EXE - interrupt data editor;
FILES.EXE - .THR files manager;
LIST.COM - Vernon D. Buerg's text viewing program;
SZCZOTA.COM
KORVIN.BAT - to get the Main Menu on the screen;
SPYDOC.BAT - calls LIST.COM to show SPY.DOC;
SPY.DOC - documentation file;
MAINMENU.TXT - Menu file;
TEST.ASM - tutorial source code file;
TEST.EXE - tutorial program;
TEST.DOC - tutorial documentation.
1.2 PRE-INSTALLATION NOTE:
SPY-TRAK has been designed as a TSR program. Therefore, to
avoid potential conflicts, do not install it while other TSRs
are running. Do not install SPY-TRAK from a DOS shell! Do
it directly from the DOS prompt instead.
The SpyTrak program and the SPY-TRAK main tracking module need
a number of file handles to operate. Therefore, to track
some programs that open many files at a time, you may have
to increase the limit set on open files in your computer
system. In case of problems, check the FILES directive in
your CONFIG.SYS!
************************************************************************
* VERY IMPORTANT!
* Before you try SPY-TRAK for the first time, your DOS should be
* loaded LOW in your CONFIG.SYS.
* After performing the post-installation tests, if everything is fine,
* you may try DOS = HIGH. Some systems don't accept SPY-TRAK
* when DOS is loaded HIGH.
* Also, check your PATH in AUTOEXEC.BAT: both the default directory
* and the directory where the SPY-TRAK package is installed should be
* defined in the PATH.
* DO NOT place a copy of the SPY-TRAK package in another directory that
* is also defined in the PATH. The program file SPY.COM is used as
* a beacon by WHERES.COM, and if SPY.COM shows up in several
* directories it will mess up the automated installation of 1SPY.BAT.
************************************************************************
1.3 HOW TO RUN SPY-TRAK:
On your hard disk create a directory, e.g. SPYDIR - this is
your default directory. Load all executable SPY-TRAK files into
this directory. Open a path to the SPYDIR directory by
extending the PATH command in the AUTOEXEC.BAT file.
Run the WHERES.COM program. WHERES.COM will locate the SPYDIR
directory and create the 1SPY.BAT file in it.
Once 1SPY.BAT is created, to access the SpyTrak.exe shell,
execute 1SPY.BAT from any directory declared in the PATH
command.
Programs which you want to disassemble can be called from
any place in your subdirectory system, provided the drive
and path for the program are given. If no drive and path
are given, SPY-TRAK will look for the program in the current
directory.
The current version of SPY-TRAK is filename sensitive.
The tracking process is triggered by the tracked program's name
as it is processed within COMMAND.COM by the DOS EXEC function.
SPY-TRAK output is written into the default directory.
You can review the output files using Vernon D. Buerg's
LIST.COM program, enclosed. To use LIST.COM type:
LIST [$filename.TRC], for the track file
or, LIST [$filename.LST] for the list file.
While tracking, be aware of your hard disk storage
limitations. The $filename.TRC may quickly reach quite
sizable proportions.
1.4 ON SPY-TRAK MENU:
The front page menu provides the following options:
Track program...........1
Create list file........2
Setup menu..............3
THREADING DATA Editor...4
Exit to DOS...........ESC
┌────────┐
│ Select │
│ Option │
│ ┌┐ │
│ └┘ │
└────────┘
┌───────────┐ ┌────────────┐ ┌──────────┐ ┌────────┐
│EXEC CODE 0│ │LOOPS CLOSED│ │RUN DIRECT│ │INT OFF │
└───────────┘ └────────────┘ └──────────┘ └────────┘
1.4.1 TRACK PROGRAM selection:
The edit line data shall be input as follows:
┌───────────────────┐
───────────────────────┘ Track a program └────────────────
Track filespec: filename[.ext] [parameters]
────────────────────────────────────────────────────────────
"Alt hot key combo" allows you to access SPY-TRAK during the tracked
program's run. You can preselect the hot key combination to avoid
collision with the tracked program's key settings. Default is <Alt_T>.
More on this option is given in 1.6.
"Hot Start" means start tracking from your program's first
instruction. Default is [Y].
"Single Step" - use this option if the tested program is
crashing your computer system. You will have records of the
last performed instruction. Default for this mode is [N].
Single step mode will slow down the tracking process. But it
may become, for some, the last resort to find out why the
system keeps crashing.
"Stop for ACTION SCREEN" option allows access to the tracked
program's FLAGS at a location predefined by the Instruction Pointer
and the first byte following IP in the tracked program. Once
tracking has stopped for the ACTION SCREEN, you can change
the tracked program's flow by changing flags preceding conditional
jumps.
You can also define the next ACTION SCREEN stops, break program
loops, and open and close loops for tracking.
More information on ACTION SCREEN is provided in 1.8.
1.4.2 CREATE LIST FILE selection:
┌───────────────────┐
───────────────────────┘ Create list file └────────────────
Track filename: $filename.TRC
────────────────────────────────────────────────────────────
SpyTrak.exe is equipped with an error detection system.
It will respond with an ERROR message to most false steps
taken by the SPY-TRAK user.
1.4.3 SETUP MENU selection:
This selection allows you to change 4 parameters controlling
the tracking process.
1. EXEC level
2. Loops handling mode.
3. Direct/Indirect Mode.
4. Interrupt tracking.
The current parameter values are given in the 4 boxes provided
at the screen bottom. Defaults are EXEC LEVEL=0, LOOPS CLOSED,
DIRECT MODE, INTERRUPTS OFF.
EXEC LEVEL > 0 allows access for tracking to a program called
by DOS function ah=4Bh (EXECUTE, or MAKE OVERLAY). The depth
of accessing a subsequent child process can be defined from
1 through (hex) F.
LOOPS can be processed as they are performed, and that may
mean SPY-TRAK spending a lot of time recording all this
looping. It also makes it more difficult for the user to
follow such full loop records loaded in the .TRC file.
Using the LOOPS CLOSED option provides full information on the
register status before the loop is entered. The first loop
lap is fully recorded, but then the tracking program stops
to wait for the first instruction after the program has left
the loop.
DIRECT/INDIRECT MODE defines the mode of executing the
program you want to track. DIRECT MODE means using the
SpyTrak.exe shell.
The SpyTrak shell is accessed via 1SPY.BAT - generated during
installation by WHERES.COM.
If the call to the tracked program is hidden in a batch
file, you cannot use the shell command line. Use the INDIRECT
MODE instead, which will lead you to the DOS prompt where you can
run your batch file.
In both cases tracking is activated by the program name loaded
for processing by the DOS function EXEC (int 21h, ah=4Bh).
Once the INDIRECT MODE tracking is done, run 1SPY U - to uninstall
SPY.COM and SB1992.COM. Don't be forgetful! If SPY.COM is left
without being uninstalled, and you try to run 1SPY.BAT again,
some problems may arise.
The INTERRUPT TRACKING option selection allows you to enter preselected
interrupts. Default for this option is OFF. Change it to ON
if you intend to track an interrupt. The exact definition of
the interrupt(s) to track is made by accessing the THREADING DATA
Editor, option selection #4 in the main menu.
1.4.4 THREADING DATA Editor:
The Threading Data Editor is menu driven. It allows you to open for
tracking up to 20 interrupts. Each interrupt can be conditioned
for opening by the AX, BX, CX, DX, CS and IP register values.
Only values defined for the registers are screened for compliance.
Registers left blank are omitted in the verification process.
Appending and correcting the interrupt data is also provided
in the editor.
Each time the editor is accessed, a tiny FILE MANAGER
scans the default directory for the presence of INTERRUPT
data files (file extension .THR). These files, if obsolete, can
be deleted using the manager's menu.
REMEMBER! Interrupt tracking is accomplished only if INT is ON in
the shell definitions, and the threading data file
for the tracked program is created.
1.5 USING SPY.COM PROGRAM WITHOUT THE SHELL:
The information on this option is displayed when SPY is typed.
Remember to run SB1992.COM first, and to uninstall SPY.COM by
typing SPY/U.
Tracking of interrupts can be done by making your threading data
file first. Access the shell for this purpose by typing 1SPY.
All the options are available when running SPY.COM without the
shell.
It is advisable to track a program without going through the
shell when not much of the operating memory is left for
the application, or when using the shell affects SPY-TRAK's
performance.
1.6 ABOUT ALT HOT KEY COMBO APPLICATION:
The tracking process is switched ON/OFF by applying
the hot key combination.
The default Hot Key combination is <Alt T>. If for some
reason you want to use a different combination, the
redefinition should be made in response to the menu
questions.
In "Hot Start" [Y] mode the hot key combo serves to STOP
tracking. In "Hot Start" [N] mode the hot key is used both
to START and to STOP tracking. If "Hot Start" is [N] and
IP and CODE BYTE are defined for ACTION SCREEN (read 1.8),
SPY-TRAK will start tracking at the ACTION SCREEN stop.
NOTE: Once you have stopped tracking using the Hot Key, you
cannot restart it by Hot Key.
1.7 ABOUT SPY-TRAK HANDLING OF INTERRUPTS:
Interrupts are not entered by SPY-TRAK, except DOS function
4Bh if the EXEC LEVEL parameter was set up to a value greater
than 0.
Interrupts such as 20h, 27h, 31h and DOS function AH=4Ch
end the tracking process.
An address checking mechanism is built into SPY-TRAK. It
allows limiting the recording to only those operations performed
by the tracked program.
The user may occasionally be baffled by the presence of
INT 20h at IP=0000 as the last operation registered by
SPY-TRAK when tracking a .COM program. It happens if the
.COM program is returning to DOS via its PSP interrupt.
This is because SPY-TRAK records any operation performed
by the program within the memory limits assigned to it,
including the PSP.
1.8 ACTION SCREEN:
The Action Screen displays the register status and
the instruction before the instruction is executed.
Therefore execution of conditional jumps can be modified
within the tracked program by changing flag values.
1.8.1 STATUS FLAGS:
Flags displayed with the disassembled program instruction
conform to the DEBUG (DOS) program convention, given below.
DEBUG FLAGS:
overflow: set=OV, clear=NV;
direction: set=DN, clear=UP;
interrupt: set=EI, clear=DI;
sign: set=NG, clear=PL;
zero: set=ZR, clear=NZ;
auxiliary: set=AC, clear=NA;
parity: set=PE, clear=PO;
carry: set=CY, clear=NC.
The same flags are given in the ACTION SCREEN flag status
window, but they have different symbols.
ACTION SCREEN STATUS FLAGS symbols:
OF - overflow, DF - direction, IF - interrupt enable,
SF - sign, ZF - zero, AF - auxiliary carry,
PF - parity, CF - carry.
These flags assume the values: 1=set, 0=clear.
1.8.2 NEXT STOP AT:
You can stop at a next location defined by an Instruction Pointer
(IP) value and the first byte of CODE at this IP. All the values
are displayed in HEX.
Note:
In a situation like the one below, when a repeat or forced segment
prefix precedes the instruction, define your next stop at the prefix IP,
e.g.: IP CODE
0FC7 F2
A Next Stop definition at IP=0FC8 will not work!
AX=3E80 BX=0321 CX=2000 DX=3192 SP=FFFE BP=091C SI=0100 DI=0321
DS=3192 ES=0116 SS=3192 CS=3192 IP=0FC7 NV UP EI NG ZR NA PO NC
3192:0FC7 F2 REPNE
3192:0FC8 AF SCASW
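An added example (not SPY-TRAK code, written here for this note): it parses the record above, converts the DEBUG flag mnemonics of 1.8.1 into the ACTION SCREEN 1/0 symbols and a FLAGS word, and reports where a Next Stop must be placed when a prefix precedes the instruction. The prefix byte set and the function names are assumptions.

```python
import re

# DEBUG-style mnemonic (1.8.1) -> (ACTION SCREEN symbol, bit in FLAGS, value)
DEBUG_FLAGS = {
    "OV": ("OF", 11, 1), "NV": ("OF", 11, 0),
    "DN": ("DF", 10, 1), "UP": ("DF", 10, 0),
    "EI": ("IF", 9, 1),  "DI": ("IF", 9, 0),
    "NG": ("SF", 7, 1),  "PL": ("SF", 7, 0),
    "ZR": ("ZF", 6, 1),  "NZ": ("ZF", 6, 0),
    "AC": ("AF", 4, 1),  "NA": ("AF", 4, 0),
    "PE": ("PF", 2, 1),  "PO": ("PF", 2, 0),
    "CY": ("CF", 0, 1),  "NC": ("CF", 0, 0),
}

# Assumed set of one-byte prefixes: REPNE/REP, LOCK and the segment overrides.
PREFIX_BYTES = {0xF2, 0xF3, 0xF0, 0x26, 0x2E, 0x36, 0x3E}

# The record from the note above, used here as sample input.
SAMPLE_RECORD = [
    "AX=3E80 BX=0321 CX=2000 DX=3192 SP=FFFE BP=091C SI=0100 DI=0321",
    "DS=3192 ES=0116 SS=3192 CS=3192 IP=0FC7 NV UP EI NG ZR NA PO NC",
    "3192:0FC7 F2 REPNE",
    "3192:0FC8 AF SCASW",
]


def parse_registers(line1, line2):
    """Return (registers, action_screen_flags, flags_word) from the two
    register lines of a .TRC record."""
    regs = {n: int(v, 16)
            for n, v in re.findall(r"([A-Z]{2})=([0-9A-F]{4})", line1 + " " + line2)}
    flags, word = {}, 0
    for mnemonic in line2.split()[-8:]:        # the last 8 tokens are the flags
        sym, bit, val = DEBUG_FLAGS[mnemonic]
        flags[sym] = val
        word |= val << bit
    return regs, flags, word


def parse_code(lines):
    """Map IP -> (first code byte, mnemonic) from 'CS:IP bytes mnemonic' lines."""
    code = {}
    for ln in lines:
        m = re.match(r"[0-9A-F]{4}:([0-9A-F]{4})\s+([0-9A-F]{2,})\s+(.*)", ln)
        if m:
            code[int(m.group(1), 16)] = (int(m.group(2)[:2], 16), m.group(3).strip())
    return code


def next_stop(code, ip):
    """Return (ip, code_byte) to enter as Next Stop for the instruction at ip.

    If the record just before ip is a prefix byte, the stop must be placed
    on the prefix: a stop at the byte after a prefix does not trigger."""
    if ip not in code:
        raise ValueError("IP %04X is not in the trace" % ip)
    if (ip - 1) in code and code[ip - 1][0] in PREFIX_BYTES:
        return ip - 1, code[ip - 1][0]
    return ip, code[ip][0]


if __name__ == "__main__":
    regs, flags, word = parse_registers(*SAMPLE_RECORD[:2])
    print("IP=%04X FLAGS=%04X %s" % (regs["IP"], word, flags))
    stop_ip, stop_byte = next_stop(parse_code(SAMPLE_RECORD[2:]), 0x0FC8)
    print("Next Stop for 0FC8 -> IP=%04X CODE=%02X" % (stop_ip, stop_byte))
```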
1.8.3 EXECUTE NEXT STEP AND DISPLAY:
SPY-TRAK will stop and display the ACTION SCREEN at the next
instruction. This selection overrides the next stop values set
per 1.8.2.
1.8.4 LOOP CLOSED or OPEN:
This selection allows changing the present status of the
SPY-TRAK loop flag.
"Loops closed" means that only the first lap of each loop is
recorded by SPY-TRAK, then recording stops until the first
instruction after the loop is encountered.
"Loops open" means that all laps are recorded.
The SPY-TRAK loop flag can be changed in the ACTION SCREEN.
1.8.5 RETURN TO PROGRAM, DISPLAY AT NEXT STOP:
This selection works only if IP and CODE were defined per 1.8.2.
Otherwise, selecting this option will result in returning to
the program and continued tracking.
1.8.6 FORCE CX -> 0001:
This selection shows only if the CX register value is greater
than 1. By this selection you will force CX to assume the value 1.
The option allows breaking out of unwanted looping. It may
help beat anti-tracking schemes applied by some programmers.
1.8.7 RETURN TO PROGRAM, STOP TRACKING:
By exiting the ACTION SCREEN using this selection you will stop
tracking, while the program you had tracked will continue
to execute.
2.0 ON SUPPORT AND FUTURE UP-GRADES:
If you have any questions, you can contact Korvin Comm. by
CompuServe, addressing your mail to BOX#
76356,2033
or FAX to (310) 424 6823.
New features will be provided at a nominal cost of
shipping and handling to legal owners of SPY-TRAK.
We will keep you posted on these up-grades.
WE CAN ALSO CUSTOMIZE SPY-TRAK TO MEET YOUR SPECIFIC NEEDS.
CONSULTING IS AVAILABLE.
3.0 LICENSE
To acquire a licensed copy of SPY-TRAK, please send check for
$29.50 + $5.50 S.H. in U.S. Money orders are required for
shipping outside the United States. Shipping and handling for
overseas buyers is $7.00. Checks and money orders shall be
sent to KORVIN COMMUNICATIONS CO. 4067 Hardwick St. #306-H,
Lakewood, CA 90712.
SPY-TRAK is copyright (c) 1992,93,94 by KORVIN COMMUNICATIONS CO.
To contact KORVIN COMMUNICATIONS for information about
dealer pricing, volume discounts, site licensing, the status
of shipment of the product, the latest version number or
for technical information, or to discuss returns, use
CompuServe Electronic Mail address:
76356,2033
or FAX to (310) 424 6823,
or write to
╔═════════════════════════════════════╗
║ KORVIN COMMUNICATIONS CO. ║
║ ║
║ 4067 Hardwick St. #306-H ║
║ Lakewood, CA 90712 ║
╚═════════════════════════════════════╝
Use of non-licensed copies of SPY-TRAK by any person,
business, corporation, governmental agency or other entity
is strictly prohibited.
User is licensed to use SPY-TRAK only on a single computer
at the same time.
No user may modify SPY-TRAK in any way, including but not
limited to decompiling, disassembling or otherwise reverse
engineering the program.
SPY-TRAK may not be resold. No fee, charge or other
compensation may be accepted or requested by any licensee.
SPY-TRAK may not be distributed in conjunction with any
other product without a specific license to do so from
KORVIN COMMUNICATIONS CO.
4.0 WARRANTY
KORVIN warrants that all disks provided constitute an
accurate duplication of the software product and KORVIN
will replace any disks found to be defective within 30 days
from date of purchase.
KORVIN will not honor this warranty where the product has
been subjected to physical abuse, or used in defective or
non-compatible equipment.
KORVIN warrants that the program will perform in substantial
compliance with the documentation supplied with the software
product.
If a significant defect in the product is found, licensed
Purchaser will be entitled to a refund. In no event will
such a refund exceed the purchase price of the product.
┌────────────────────────────────────────────────────────────┐
│ All disk replacements and refunds shall be negotiated│
│ directly with KORVIN COMMUNICATIONS CO. Shareware retailers│
│ distributing shareware copies of SPY-TRAK have not been│
│ authorized to process returns of licensed copies. │
└────────────────────────────────────────────────────────────┘
EXCEPT AS PROVIDED ABOVE, KORVIN COMMUNICATIONS DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PRODUCT.
SHOULD THE PROGRAM PROVE TO BE DEFECTIVE, THE PURCHASER
ASSUMES THE RISK OF PAYING THE ENTIRE COST OF ALL NECESSARY
SERVICING, REPAIR, OR CORRECTION AND ANY INCIDENTAL OR
CONSEQUENTIAL DAMAGES. IN NO EVENT WILL KORVIN BE LIABLE
FOR ANY DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION
DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION,
LOSS OF BUSINESS INFORMATION AND THE LIKE) ARISING OUT OF
THE USE OF OR INABILITY TO USE THIS PRODUCT EVEN IF
KORVIN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Use of this software product for any period of time
constitutes your assumed acceptance of this agreement and
subjects you to its contents.
==============================================================================
LATEST CORRECTIONS & IMPROVEMENTS (01/07/95):
a) By a strange flaw, some DOS systems change the Drive:\Path\Program.EXE
letter case when a program is defined for Interrupt 21, AH=4B at DS:DX.
Since SPY-TRAK is case sensitive in triggering tracking flags, occasionally it
was failing to recognize a program name. The problem has been fixed.
b) Colors and displays have been improved and/or corrected both in the ACTION SCREEN
and the THREADING DATA EDITOR.
c) We have managed to improve SPY-TRAK's performance when DOS is loaded
HIGH,UMB. It is tracking now; however, there is still a conflict between
SPY-TRAK and the EMM386.EXE program. In other words you cannot install a RAM
disk when you run SPY-TRAK, but you can still use the SMARTDRIVE cache.
d) Since the way of treating Interrupts has been changed in SPY-TRAK, we
also had to change the treatment of a LOOP addressed to itself.
Previously a LOOP such as
3184:0100 B9FF0F MOV CX,0FFF
3184:0103 E2FE LOOP 0103
was treated the same way as Interrupts, i.e. tracking was suspended
for the time of the loop's execution. Now the loop is fully processed
in tracking mode. If you find it inconvenient, or suspect the loop
is put in the program to check timing as an anti-tracking measure, you can cut
its running time by forcing CX->0, see 1.8.6.
Of course, the LOOP could be tracked in the LOOPS OPEN mode, which would,
in the above case, mean 0FFFh = 4095 lines of disassembled information for
this non-informative LOOP. Most probably you would not want that to happen.
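The self-addressed LOOP from item d), as an added example that is not part of SPY-TRAK: a tiny model of how many .TRC lines that loop produces under LOOPS OPEN, under LOOPS CLOSED (1.4.3, 1.8.4) and after FORCE CX -> 0001 (1.8.6). The closed-mode rule, the RET placed after the loop and the function names are assumptions.

```python
# Constructed from the release note; the RET after the loop is an assumption.
PROGRAM = {   # IP -> (code bytes, mnemonic)
    0x0100: ("B9FF0F", "MOV CX,0FFF"),
    0x0103: ("E2FE", "LOOP 0103"),      # E2 FE: LOOP rel8 = -2, i.e. to itself
    0x0105: ("C3", "RET"),              # assumed first instruction after the loop
}


def step(ip, cx):
    """Execute the instruction at ip; return (next_ip, cx). None = program end."""
    _, mnem = PROGRAM[ip]
    if mnem.startswith("MOV CX,"):
        return ip + 3, int(mnem.split(",")[1], 16)
    if mnem.startswith("LOOP"):
        cx = (cx - 1) & 0xFFFF                  # LOOP: CX := CX-1, jump if CX != 0
        target = int(mnem.split()[1], 16)
        return (target if cx else ip + 2), cx
    return None, cx                              # RET ends the modelled program


def trace(loops_open=True, force_cx_to_one=False):
    """Return the .TRC-style lines recorded for PROGRAM under the given mode.

    LOOPS CLOSED is modelled as: after the first backward jump, nothing is
    recorded until execution reaches an IP beyond that jump (assumption).
    """
    lines, ip, cx, loop_end = [], 0x0100, 0, None
    while ip is not None:
        code, mnem = PROGRAM[ip]
        if force_cx_to_one and mnem.startswith("LOOP") and cx > 1:
            cx = 1                               # ACTION SCREEN: FORCE CX -> 0001
        if loop_end is not None and ip > loop_end:
            loop_end = None                      # first instruction after the loop
        if loops_open or loop_end is None:
            lines.append("3184:%04X %-6s %s" % (ip, code, mnem))
        next_ip, cx = step(ip, cx)
        if (not loops_open and loop_end is None
                and next_ip is not None and next_ip <= ip):
            loop_end = ip                        # first lap recorded: close the loop
        ip = next_ip
    return lines


def loop_lines(lines):
    """Count how many recorded lines are executions of the LOOP instruction."""
    return sum(1 for ln in lines if "LOOP" in ln)


if __name__ == "__main__":
    for mode, kw in (("LOOPS OPEN", {}), ("LOOPS CLOSED", {"loops_open": False}),
                     ("FORCE CX->0001", {"force_cx_to_one": True})):
        t = trace(**kw)
        print("%-15s %5d lines, %5d of them LOOP" % (mode, len(t), loop_lines(t)))
```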
VERSION 2.52 (March 8, 1995):
This sub-version is marked by a further improvement in the handling of
Interrupts. No more breakpoints using INT 3 to step over INTs. The new way
of handling helps when INT 3 is used in the application, in cases
such as KEY-LOCKS.
July 2, 1995:
Parallel PORTS 1 & 2 are documented in $filename.PRT. Read p. 1.3.
==============================================================================