dwarf

Section: User Commands (1)
Updated: (c) 2007-2008 Fernando Iazeolla
 

NAME

dwarf - a small and powerful object file manipulation tool.  

SYNOPSIS

dwarf [ options ] [ file ]  

DESCRIPTION

dwarf is a powerful object file manipulation tool in the spirit of gdb. With dwarf you can read and edit all of a file's section headers as well as its raw data. You can also create and customize new file headers, and dwarf can be used as a compiler back-end to create executables and object files. dwarf also makes it easy to inject new headers and pieces of code or data into a file. dwarf currently handles the ELF, PE (Portable Executable) and Mach-O file formats. In the future new file types will be added.  

OPTIONS

-i, --interactive, --shell
interactive (shell mode)
-c '{commands}', --command '{commands}'
command mode (executes commands). For example, dwarf -c 'print 2+2;' will output: 4
-h, --help
print usage info
-x < file >, --execute < file >
loads and executes the script file.
-t, --type
shows the file type.
If several or all options are given at the same time, the execution order is: 1) open the file named on the command line, 2) load the file structures, 3) execute the script file (-x), 4) execute the commands from the command line (-c), 5) enter the shell (-i).
 

THE DWARF'S LANGUAGE

VARIABLES
dwarf recognizes two types of variables: normal variables (simply called variables) and structured variables. Normal variables are preceded by the dollar symbol ($) and are created by the user for ordinary variable operations (e.g. $a=5; $b=$a+3; print $b; ). Structured variables are created by dwarf when it loads a file into memory. They reflect the structure of the opened file and depend on its file type, so, for example, the ELF structured variables are different from the PE structured variables. Structured variables can be read or written like normal variables. Their syntax is similar to a C struct: print s->ph_num; prints the ph_num variable of the main header (s) of an ELF file, and s->sh_num=3; modifies sh_num (the number of section headers) in the main header (s) of the ELF file.
EXPRESSIONS
Expressions EXPR are in the form: EXPR + EXPR, or EXPR - EXPR, or EXPR * EXPR, or EXPR / EXPR, or EXPR % EXPR. A single expression item can be a number (in decimal or hex form, 10=0xa) or an offset. Hex values are preceded by 0x, for example: $a=0x10; ($a is 16 decimal!).
OFFSETS
The offset syntax is @<foo or @>foo, where foo is a symbol referring to a specific file data structure. The greater-than (>) or less-than (<) symbol indicates whether the offset points to the end (>) or the beginning (<) of the specified data structure. A bare @< indicates the beginning of the file, and a bare @> indicates the end of the file. For example, print @>; will output the length of the file. Offsets return an integer and can be combined in any expression EXPR (e.g. $a=@>+3; assigns to the variable $a the length of the file plus 3).
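
Added example, not part of the original manual or of dwarf itself: an edit such as s->sh_num=3; changes a count in the ELF main header, which can leave it disagreeing with the tables it describes, so this Python check compares the header's counts against the file length (the value @> returns). It assumes s->ph_num and s->sh_num correspond to the ELF fields e_phnum and e_shnum; check_elf_tables and make_sample are hypothetical names, and the sample image is constructed.

```python
import struct

SHN_XINDEX = 0xFFFF  # e_shstrndx escape value: real index lives in section 0

def check_elf_tables(data: bytes) -> list:
    """Return inconsistencies between ELF header counts and the file length."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return ["unknown EI_CLASS or EI_DATA"]
    # 32-bit and 64-bit headers differ only in the width of entry/phoff/shoff.
    fmt = ("<" if ei_data == 1 else ">") + (
        "HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        return ["file shorter than the ELF header"]
    (_, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(fmt, data, 16)
    problems = []
    for name, off, entsize, num in (("program", phoff, phentsize, phnum),
                                    ("section", shoff, shentsize, shnum)):
        end = off + entsize * num
        if num and end > len(data):
            problems.append(f"{name} header table ends at {end}, "
                            f"past file length {len(data)}")
    if shnum and shstrndx != SHN_XINDEX and shstrndx >= shnum:
        problems.append(f"e_shstrndx {shstrndx} is outside the "
                        f"{shnum} section headers")
    return problems

def make_sample(shnum: int) -> bytes:
    """Constructed 312-byte ELF64 little-endian image with zero-filled tables."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 120, 0,
                         64, 56, 1, 64, shnum, 2)
    return (ident + header).ljust(312, b"\0")

if __name__ == "__main__":
    for shnum in (3, 9, 2):  # 3 is consistent; 9 and 2 mimic a bare s->sh_num edit
        print(shnum, check_elf_tables(make_sample(shnum)))
```

Run it against a file before and after a save; to decide whether a header edit left the file self-consistent.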
 

COMMANDS

SAVE [ save; | save(filename); ]
saves all the changes into the opened file. Once performed, this action is irreversible: the changes are permanently written to disk.
OPEN [ open filename; | open(filename); ]
closes the currently opened file, if any, then loads the specified file and creates all the data structures associated with it.
WHILE [ while(expr) command(s); ]
a typical while construct.
IF-ELSE [ if(expr) command(s); | if(expr) command(s); else command(s); ]
a typical if-else construct.
PRINT [print expr; | print %fmt expr; ]
outputs the result of the expression (numerical or string). %fmt forces a different output mode; fmt indicates the desired output mode. Valid output modes are: x for hex output, d for decimal output, b for binary output. Examples: print %x 16 (outputs 0xa), print %d 0xa (outputs 16).
QUIT [ quit; ]
quits dwarf.
INFO [ info; ]
displays info on the opened file.
TYPE [ type; ]
displays the file type of the opened file.
FORCE [ force filetype; | force(filetype); ]
forces the file type to be the 'filetype' value.
GROUTH [ grouth expr; | grouth (expr);]
grows the file.
SHRINK [ shrink expr; | shrink(expr); ]
shrinks the file.
REFRESH [ refresh; ]
unloads and reloads the file structures.
RELOAD [ reload; ]
closes the opened file and reopens it reloading all the data structures.
MOVE [ move(expr1,expr2,expr3); | move(expr1,+expr2,expr3); | move(expr1,-expr2,expr3); ]
moves blocks of the file around (expr1=from, expr2=[len|end], expr3=to). Moves from expr1 to expr3. expr2 is a length if preceded by plus (+) or minus (-); otherwise it is an absolute address indicating the end of the block to move.
HELP [ help; ]
displays the help menu.
INJECT [ inject(expr1,expr2,expr3,expr4); | inject(expr1,expr2,expr3); | inject(expr1,expr2); ]
injects data into the opened file (expr1=file|byte, expr2=offs-from, expr3=len, expr4=">>" (shift)). If expr1 is a string, it refers to a file to be injected into the opened file. If expr1 is a numerical value, it represents the byte to inject (possibly repeated) into the opened file. expr2 indicates the offset at which to begin injecting. expr4 can be ">>" or omitted; if omitted, the file is not grown by the injected data. expr3 can be a numerical value representing the length or the end offset of the injected data, or it can be omitted. If expr3 is omitted, dwarf uses a default length, which is 1 for byte injection or the file length for file injection. If expr4 is omitted, expr3 can refer to the shift value (">>") or to the len-offset; dwarf is able to disambiguate.
CREATE [ create(type,offs[,update][,shift]); ]
creates a new header. type is the header type; offs is an integer giving the offset at which to create the new header. update tells dwarf to update the other data structures to account for the new header (relocating offsets and section numbers). shift (">>") tells dwarf to shift the opened file if necessary so that the new header does not overwrite portions of the file.
REMOVE [ remove(type,offs[,update[,shift]]); ]
removes a header. See CREATE for an explanation of the parameters.
LEN [ len expr; ]
grows or shrinks the opened file depending on whether expr is >0 or <0. LEN calls GROUTH or SHRINK depending on the sign of expr.
NEW [ new; | new filename; | new(filename); ]
creates a new empty file.
CLOSE [ close; ]
closes the opened file.
DUMP [ dump [%fmt] expr; ]
dumps a portion of the opened file starting at the expr offset, in a format selected by %fmt. %fmt forces a different output mode. fmt is in the form xnn (<letter><number>), where the letter x indicates the desired output mode and the number nn indicates the number of bytes to output. Valid output modes are: x for hex output, d for decimal output, s for string output, c for char output, b for binary output, e (default) for a nice dump output. Examples: dump @<; (dumps the beginning of the file), dump %x3 @<+10; (displays 3 bytes in hex format starting 10 positions from the beginning of the file).
EXTRACT [ extract(from,len,file); ]
extracts 'len' bytes from the opened file starting at position 'from' and saves them into a new file called 'file'.
 

FILE TYPES

ELF
foo
PE
foo
MACH-O
foo
MACH-O FAT BINARY (UNIVERSAL BINARY)
foo
 

EXAMPLES

foo  

SEE ALSO

readelf(1), objdump(1), ht(1), otool(1), gdb(1), elf(5), elfsh(1), elfdump(1)  

AUTHOR

Fernando Iazeolla < elboza@autistici.org > - founder & core developer.
 

COPYRIGHT

Copyright (C) 2007-2008 Fernando Iazeolla < elboza@autistici.org >
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

 


This document was created by man2html, using the manual pages.
Time: 22:59:37 GMT, September 25, 2008