
		TR for Win95 Notes (ShareWare Version)

TR for Win95 (TRW) is a tracing debugger that runs under Win95 and can trace
DOS COM, DOS EXE, DOS protected-mode apps (DPMI), 16-bit NE and 32-bit PE programs.

TRW runs on Win95, OSR2 and Win98.

Most of you already know TR well. So what is special about TR for Win95,
compared with WinICE, when tracing under Win95?

1. Multitask tracing under WIN95

This is where TRW differs most from WinICE, so it deserves a closer look:

When WINICE enters its tracing loop, every WIN95 process is stopped and the
system clock stops too, because the system is stuck in WINICE's keyboard wait
loop and can do nothing else; you cannot trace one task while another one keeps
running. Furthermore, WINICE shows its information in text mode, so it has to
save the WIN95 graphics screen before switching to text mode, and restore the
graphics screen whenever you want to look at the user screen. Doing that
correctly is different for every video card, and winice can only prepare for
the cards it knows; with a card it does not know, the user screen is not
restored properly. Another problem is that when winice's interrupt fires it
cannot tell whether win95 is in a safe state, so winice cannot read or write
files either. While winice is tracing, nothing else can happen.

tr for win95 solves the win95 multitasking problem nicely. In fact, trw simply
runs as one more task under win95 and traces another task: one task is being
traced while the others keep running. As long as the traced task is not in the
suspend state, tracing and the rest of win95 run at the same time. You can trace
on one side and browse the internet(?) or listen to music (java?) on the other,
or trace an api and keep a help file open at the same time. To look at the user
screen, just alt-tab over to win95 and back. All trace information is displayed
on trw's own screen, so there is no user screen to save and restore; win95
handles that itself, and nothing can go wrong there.

Of course, win95 is not reentrant. When tracing has entered a critical section,
alt-tab is not safe at that moment, and trw disables alt-tab automatically.

2. Conditional breakpoints
	bp if eax>=3456787
	bp if dx<543
	bp if ch==23
	go if ah!=34
	go if new_section

3. CATCH
	TRNEWTCB
	TRNEWDOS
	TRVM
	TRTCB

4. MakePE,PEDUMP

TRW is still far from complete,

and every suggestion from you is precious to TRW.

		
		liutt@371.net
		ayliutt@hotmail.com
		http://www.netease.com/~ayliutt

					1998.9.20

Thanks to:
	Slava
	The Owl
	Lx
	IceMan81
	Just Stone
	G-Rom
	....

Functions done:
	. load PE runtime & command line
	. hook all API
	. load NE at command line, in full-screen DOS window
	. set options in TRW.ini
	. Ring0 keyboard handler
	. asm
	. file write
	. instance comment
	. BPM BPR BPX
	. dot command
	. load DOS app
	. trace DOS app into protect mode
	. BPIO
	. make PE from memory!
	. press hot key Ctrl+L anytime
	.

Functions to be done:

	. show more information about Win95
	. add some functions like IDA's, support IDC
	. add some functions for auto unshell (unpacking), auto kickdog (dongle bypass)...
	. mouse support
	. test mode
	. bp message
	. heap
	.

---------------------------------------------------------------
What's New:
	0.50    98.11.21 fkey,wmsg,task,mod,proc, hot key changed to Ctrl+L
			G restores the user screen automatically, and when a
			breakpoint fires trw comes back automatically
	0.40	98.11.6  lines,wc,wd
	0.39	98.11.3  hwnd
	0.38	98.10.28 hot key 'Ctrl+L', command 'RS',<F4>
	0.37	98.10.25 Help more like WinICE
	0.36	98.10.4  bp if new_section,pedump 
	0.35	98.9.30  Conditional breakpoint
	0.30	98.9.22	 Win98 support
	0.25	98.9.19  MKPE, PAGEIN
	0.22	98.9.12	 BPIO
	0.20	98.9.9   First public version
---------------------------------------------------------------
More powerful than WinICE:
	. dynamic load, dynamic unload, run when need
	. supports all video adapters
	. where possible, other tasks keep running during a trace
	. file write
	. make PE from memory!
	.

---------------------------------------------------------------
Test DOS protected-mode app
	1. open a DOS window in Win95
	2. run TRW in another DOS window
	3. run 'trnewdos' in TRW
	4. in the other DOS window, run PMODE.EXE
	5. back in TRW, you will find yourself at the beginning of the
DOS program.
		g 342
		t
		g 342
	6. Press <F8> a few times; now you are in 16-bit protected mode!
	7. 'g 4dd', press <F8> a few times; now you are in 32-bit protected mode!
or just:
		g if cs<100		;this will run to PM16!
		g if cs!=cs		;try to run to PM32
		g if cs!=cs		;again, and we are in PM32

---------------------------------------------------------------
Test Make PE from memory
	del newpe.exe
	TRW msg.exe
		MKPE	
	PEcompare msg.exe newpe.exe

or: PESHIELD msg.exe
	PECRYPT  msg.exe
	PELOCK   msg.exe
	PE??     msg.exe
	del newpe.exe
	TRW msg.exe
		g 4010fd		;this is the entrypoint, I know
					;or you can 'g if new_section'
		mkpe			;eip will be the new PE's entrypoint
	PEcompare origin_msg.exe newpe.exe

Always del newpe.exe before 'MKPE', or TRW will append to it!
---------------------------------------------------------------
test1:
	trw msg.exe
		<f8>,<f8>,<f8>....	
		q

test2:
	trw msg.exe
		g

test3:
	trw msg.exe
		<f8>,<f8>
		<Alt+Tab>	;Now on the Win95 desktop, press <Alt+Tab> again to come back
		q

test4:
	trw ne.exe
		<f8>,<f8>	
		g			;you cannot 'q' while tracing an NE app

test5:
	trw msg.exe
		g ord_61
		<f8> a few times; when the background color of the status line
			changes we are in a critical section. Now <Alt-Tab> is disabled.
		g

test6:
	trw msg.exe
		g GetVersion
		pret
		<f8>
		g

test7:
	trw msg.exe
		bpx messageboxa
		g
		bc			;clear all breakpoints
		g

test8:
	trw msg.exe
		<f8>
		w cs:eip,eip+70 >dump.txt	;write mem dump to file
		u cs:eip,eip+20 >asm.txt	;write unasm output to file

test9:
	trw msg.exe
		<f8>
		bpio 21
		r edx 21
		e 401112 ec			;in al,dx
		g 40111f			;bpio will break at 401112
		q

---------------------------------------------------------------

Test automatic switching between the Ring0 and Ring3 keyboard handlers:
	1. TRW msg.exe
	2. <F8> a few times
	3. press <Alt>+<Tab>; now you can switch to another task,
	because TRW is using its Ring3 keyboard handler.
	4. g ord_61. After the 'dec ...', you cannot press
	<Alt>+<Tab> any more, because TRW is now using its Ring0 keyboard handler.
	5. g ord_62, press <F8> a few times, and we are back to Ring3.

This is the first highlight of TRW.
I like TRW!

---------------------------------------------------------------
		Commands

H	[command]
	display help for all commands, or the given command in detail.

HWND	[HWND]
	Show the window list. With a HWND, show detailed information about that window.

E address datas
	Edit memory.
	E cs:eip 23 45 56
	EW ds:esi 2345 5465
	ED es:edi 1223434 43546565

FKEY	[function-key strings]
	Show/set the function key assignments
	ex:
		FKEY
		FKEY f10 d 2;U 3:4

PageIn <address>
	Load a not-present page into memory.
	PageIn cs:401000

Lines  [25 | 43 | 50 | 60]
	Set the number of screen lines. I like 50!
	ex: lines 43

MKPE
	Make a PE program 'newpe.exe' from memory.
	Always 'del newpe.exe' before 'MKPE', or TRW will append to it!
	The current EIP becomes the new entrypoint.

	The 'PEcompare' utility shipped with TRW compares the original PE
	with NewPE so you can check how well TRW worked.

PEDUMP
	Dump the PE image memory directly to the file 'PEDUMP.EXE'.
	You can then use G-Rom's MakePE to rebuild a valid PE.
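MKPE and PEDUMP (and the 'Test Make PE from memory' walkthrough above) turn an image that is already unpacked in memory back into a file. The following is an added example, not TRW's or G-Rom's code: it builds a small constructed PE32 image laid out as the loader leaves it in memory, then does the two things a dump fixer has to do: rewrite each section's PointerToRawData and SizeOfRawData so that file offsets equal RVAs, and make the current EIP the AddressOfEntryPoint. The image base, section names and the EIP 4010fd are constructed values; the header offsets follow the PE/COFF format.

```python
import struct

# Constructed PE32 layout (not a real program): base, alignments and three
# sections. The packer stub in .pack owns the original entrypoint, as it would
# after PESHIELD/PECRYPT/PELOCK; the real code lives in .text.
IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
PE_OFFSET = 0x80
OPT_HDR_SIZE = 0xE0          # size of a PE32 optional header
SECTIONS = [                 # (name, RVA, VirtualSize, PointerToRawData on disk)
    (b".text", 0x1000, 0x300, 0x200),
    (b".data", 0x2000, 0x100, 0x600),
    (b".pack", 0x3000, 0x080, 0x800),
]


def _round_up(n, align):
    return (n + align - 1) & ~(align - 1)


def build_memory_image():
    """The image as the loader leaves it in memory: headers at 0, every
    section at its RVA. The section table still describes the on-disk
    layout, which is exactly what makes a raw memory dump an invalid file."""
    size_of_image = _round_up(SECTIONS[-1][1] + SECTIONS[-1][2], SECTION_ALIGN)
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE_OFFSET)                 # e_lfanew
    img[PE_OFFSET:PE_OFFSET + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    struct.pack_into("<HHIIIHH", img, PE_OFFSET + 4,
                     0x14C, len(SECTIONS), 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = PE_OFFSET + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, SECTIONS[2][1])        # entry -> .pack stub
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", img, opt + 56, size_of_image, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    table = opt + OPT_HDR_SIZE
    for i, (name, rva, vsize, raw_ptr) in enumerate(SECTIONS):
        hdr = table + 40 * i
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8,
                         vsize, rva, _round_up(vsize, FILE_ALIGN), raw_ptr)
        struct.pack_into("<I", img, hdr + 36, 0xE0000020)        # code|exec|read|write
        # Distinct filler per section, so the fixed dump can be seen to keep
        # the in-memory (already unpacked) contents.
        img[rva:rva + vsize] = bytes([0x90 + i]) * vsize
    return img


def parse_pe(data):
    """Return (optional header offset, list of section dicts) of a PE32 blob."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    table = opt + struct.unpack_from("<H", data, pe + 20)[0]
    secs = []
    for i in range(nsec):
        h = table + 40 * i
        vsize, rva, rsize, rptr = struct.unpack_from("<IIII", data, h + 8)
        secs.append({"name": data[h:h + 8].rstrip(b"\0"), "rva": rva,
                     "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr, "hdr": h})
    return opt, secs


def make_pe_from_memory(image, eip):
    """MKPE in miniature: the dump is already laid out by RVA, so make file
    offsets equal RVAs, set FileAlignment = SectionAlignment, and make the
    current EIP the entrypoint. Returns a new bytes object."""
    out = bytearray(image)
    opt, secs = parse_pe(out)
    image_base = struct.unpack_from("<I", out, opt + 28)[0]
    sec_align = struct.unpack_from("<I", out, opt + 32)[0]
    if not image_base <= eip < image_base + len(out):
        raise ValueError("eip %#x is outside the image" % eip)
    struct.pack_into("<I", out, opt + 16, eip - image_base)       # AddressOfEntryPoint
    struct.pack_into("<I", out, opt + 36, sec_align)              # FileAlignment
    struct.pack_into("<I", out, opt + 60, secs[0]["rva"])         # SizeOfHeaders
    for s in secs:
        struct.pack_into("<II", out, s["hdr"] + 16,
                         _round_up(s["vsize"], sec_align), s["rva"])
    return bytes(out)


def entry_section(data):
    """Name of the section that contains AddressOfEntryPoint, or None."""
    opt, secs = parse_pe(data)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    for s in secs:
        if s["rva"] <= entry < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def dump_is_consistent(data):
    """True when every section's file bytes are its RVA bytes and in range."""
    _, secs = parse_pe(data)
    return all(s["raw_ptr"] == s["rva"] and s["raw_ptr"] + s["raw_size"] <= len(data)
               for s in secs)


if __name__ == "__main__":
    img = build_memory_image()
    print("before: entry in", entry_section(img), "consistent:", dump_is_consistent(img))
    fixed = make_pe_from_memory(img, 0x4010FD)   # 'g 4010fd' then 'mkpe'
    print("after:  entry in", entry_section(fixed), "consistent:", dump_is_consistent(fixed))
    # open("newpe.exe", "wb").write(fixed)      # always a fresh file, never append
```

The check that matters after a real MKPE is the same one `dump_is_consistent` performs: every PointerToRawData must equal its VirtualAddress and lie inside the file, otherwise the loader (or PEcompare) will reject the result.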

BPIO port
	BreakPoint on port I/O

BPR start_addr end_addr   
	BreakPoint on Range access.


BP  [[seg:]address]  
BPX [[seg:]address]  
	BreakPoint on Execute
	When tracing a DOS app, 'BPX offset' ignores the segment.
	When tracing a PE thread, this is the same as 'BPM X'.

One-Time BreakPoint commands
	Each 'BPXX' command can be written as 'GOXX' for a one-time breakpoint.
	TRW will set this breakpoint, go, and clear it.
		gor fs:0 fs:10
		gomd r ds:40000

BP if condition
	BreakPoint on condition
	bp if eax>=3456787
	bp if dx<543
	bp if ch==23
	go if ah!=34
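The condition syntax above, and the 'g if cs<100' / 'g if cs!=cs' sequence in the DOS protected-mode test, can be worked through with the following added example. It is not TRW's code; it models how such conditions are evaluated against a register snapshot, assuming (as in WinICE) that numbers are hexadecimal, that ah/dx/ch are views of eax/edx/ecx, that a register compared with itself ('cs!=cs') is compared against the value it had when the command was given, and that 'new_section' fires when eip leaves the section it was in when the command was given. The register states and the section table in the demo are constructed.

```python
import operator
import re

# Sub-register views: name -> (full register, shift, mask). Built here to
# mirror the x86 register layout; the real TRW resolves these internally.
_VIEWS = {}
for _r in "abcd":
    _VIEWS["e%sx" % _r] = ("e%sx" % _r, 0, 0xFFFFFFFF)
    _VIEWS["%sx" % _r] = ("e%sx" % _r, 0, 0xFFFF)
    _VIEWS["%sl" % _r] = ("e%sx" % _r, 0, 0xFF)
    _VIEWS["%sh" % _r] = ("e%sx" % _r, 8, 0xFF)
for _r in ("esi", "edi", "ebp", "esp", "eip"):
    _VIEWS[_r] = (_r, 0, 0xFFFFFFFF)
    _VIEWS[_r[1:]] = (_r, 0, 0xFFFF)
for _r in ("cs", "ds", "es", "fs", "gs", "ss"):
    _VIEWS[_r] = (_r, 0, 0xFFFF)

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CMD_RE = re.compile(r"^\s*(?:bpx?|go?)\s+if\s+(.+?)\s*$", re.I)
_CMP_RE = re.compile(r"^(\w+)\s*(==|!=|>=|<=|>|<)\s*(\w+)$")


def state(**kw):
    """A register snapshot with every full register zeroed unless given."""
    regs = {full: 0 for full, _, _ in _VIEWS.values()}
    regs.update(kw)
    return regs


def read_reg(regs, name):
    """Read a (sub)register out of a {full_register: value} snapshot."""
    full, shift, mask = _VIEWS[name.lower()]
    return (regs[full] >> shift) & mask


def section_of(sections, eip):
    """Index of the section containing eip, or None; sections = [(lo, hi)]."""
    for i, (lo, hi) in enumerate(sections):
        if lo <= eip <= hi:
            return i
    return None


class ConditionalBreakpoint:
    """One 'bp if' / 'g if' condition, evaluated against register snapshots."""

    def __init__(self, command, regs_at_set, sections=()):
        m = _CMD_RE.match(command)
        if not m:
            raise ValueError("expected 'bp if <cond>' or 'g if <cond>': %r" % command)
        self.cond = m.group(1).lower()
        # Values captured when the command was given: 'g if cs!=cs' in the
        # PMODE test reads as "run until cs differs from what it is now".
        self.snapshot = dict(regs_at_set)
        self.sections = list(sections)
        self.home = section_of(self.sections, regs_at_set["eip"])

    def _operand(self, tok, regs, other):
        if tok in _VIEWS:
            src = self.snapshot if tok == other else regs
            return read_reg(src, tok)
        return int(tok, 16)  # TRW, like WinICE, takes numbers in hex

    def hits(self, regs):
        if self.cond == "new_section":
            # Assumed semantics: fires once eip leaves the section it was in
            # when the command was given (the unpacker -> original code jump).
            return section_of(self.sections, regs["eip"]) != self.home
        m = _CMP_RE.match(self.cond)
        if not m:
            raise ValueError("unsupported condition: %r" % self.cond)
        lhs, op, rhs = m.groups()
        return _OPS[op](self._operand(lhs, regs, None),
                        self._operand(rhs, regs, lhs))


def run_until(command, trace, sections=()):
    """Set the breakpoint at trace[0] and return the index of the first later
    state where it fires, or None. trace is a list of register snapshots."""
    bp = ConditionalBreakpoint(command, trace[0], sections)
    for i, regs in enumerate(trace[1:], 1):
        if bp.hits(regs):
            return i
    return None


if __name__ == "__main__":
    # Constructed stand-in for the PMODE.EXE walk: real mode, then a PM16
    # selector, then a PM32 selector.
    pm = [state(cs=0x1A23, eip=0x342), state(cs=0x1A23, eip=0x350),
          state(cs=0x0F, eip=0x10), state(cs=0x0F, eip=0x20),
          state(cs=0x08, eip=0x4DD)]
    print("g if cs<100  ->", run_until("g if cs<100", pm))
    print("g if cs!=cs  ->", run_until("g if cs!=cs", pm[2:]))
```

Every operand is parsed as hex, so 'bp if dx<543' fires for dx = 0x542 and not for dx = 0x543; a decimal reading would be a silent off-by-a-lot, which is worth remembering when copying conditions between debuggers.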

RS
	Restore the user screen (same as F4).
	Normally Alt+Tab switches as well.
	Ctrl+L or Alt+Tab brings you back to TRW.

WC	[codewindow_lines]
	Set the number of lines in the code window. Without an argument, toggles the code window open or closed.
	ex:
		wc 25
		wc

WD	[datawindow_lines]
	Set the number of lines in the data window. Without an argument, toggles the data window open or closed.
	ex:
		wd 25
		wd

WMSG     - Windows messages
	Syntax:
	      WMSG     [partial-name] [WMSG-number]

...
---------------------------------------------------------------
Hot Key Ctrl+L
	Most of the time you can Alt+Tab to switch between your app and TRW.
	If that is disabled, press Ctrl+L to get back to TRW quickly.
---------------------------------------------------------------
		Services

TRW provides UNASM (and ASM?) services to DOS programs.
Check test1.asm for more.

---------------------------------------------------------------
Your suggestion to TRW:

	.....


							----- the end -----

