
 what : a TRW2000 v1.22 / v1.23 plugin to make/edit
	a symbol table for the currently executed app.
	what this means... this means you can give a
	name to every disasm line in the disasm window
	so that you don't have to write it on paper
	or have to remember routine/code names

 how  : place the sim.sys file in the /sys directory

	launch your application first

	to add a symbol you can type one of the cmds below :-)
	:sim		  ;add sym at EIP
	:sim add	  ;idem
	:sim add addr	  ;add sym at addr
			  ;eg. sim add 4010CC
	you'll see an input box. type anything you
	wish as the symbol name. then, you'll see the
	word at the addr/EIP in the disasm window =)

	typed a name wrong? don't worry, just
	type one of the cmds above again ;)

	want to delete one? type one of the cmds below:
	:sim del	  ;del sym at EIP
	:sim del addr     ;del sym at addr
		
	if you messed up the whole symbol table, you
	can delete it via the command below :D
	:sim gone
	!!!NOTE!!! this will delete the TABLE, aka
	all the names you've created :p

	after you've finished playing around, go to
	the loader window to save the symbol table
	[if you want ;)] by clicking File and choosing
	Save Symbol Table...

	Then, if you want to load the app again,
	please load the symbol file first [.esf].
	Click Browse, select your .esf file and
	click Load. Now you can load the app ;)

 when : 08-18-2002  v0.01  Start
	10-14-2002  v0.02  Continue ;)
	10-17-2002  v0.03  Gets Better :D

 who  : dion	e-mail : daner@go.cc

 news : i just realized lately that there's a command
	to name a given addr, it looks like this:
	:NAME addr 'newname'
	hmm... well, it does the createsymtbl, createsegment,
	and createsym for you. honestly i
	didn't know this cmd before this day [10-17].
	if u don't believe me, you can ask for my src code ;)
	but, you know what... it CAN'T delete the sym
	and does *NOT* handle a double sym, hehehe...
	another related cmd for symbols is
	:CMT addr 'comment'
	i'll figure this one out later ;)

 bugs : [These are *NOT* my plugin's bugs :p]

	::One::
	There's a flaw in the Sym_CreateSegment() routine
	that prohibits us from having two or more identical
	segment names, though in reality the same segment name
	is allowed [see a packed application's section
	names, or try it yourself]. So, we have to patch
	the trw2000.sys file. Here is the patch info :

	!!! see the opcode before attempting to nop !!!

	     for TRW2000 v1.22 :
	     Open a hex editor and go to offset .000381E7,
	     then nop it until offset .000381EE

	     for TRW2000 v1.23 :
	     Open a hex editor and go to offset .00038155,
	     then nop it until offset .0003815C

	::Two::
	There's another TRW internal bug that's related
	to the symbol applier. When you load an app that has
	the same name as the loaded symbol table, it should be
	automagically selected. But it seems to work only
	if the sections are normal, while it didn't
	work on a packed exe file. To deal with this,
	i hook hh_PreEnterKernel to apply it ;)

	::Three::
	*huh* i found that sometimes sym_createsymbol()
	leaves garbage in the symbol name memory area. but,
	don't worry, it doesn't corrupt the table yet ;p

	::Four::
	hmm... another bug again ;p  oh well...
	it's in the Sym_DeleteSymbol() func prototype; the true
	prototype is:
	VOID (__stdcall *Sym_DeleteSymbol)(DWORD segnum,
	DWORD off, DWORD sel);
	huh! a *FAKE* proto!!! this is a very ugly bug :p
	the sel param means selector, it's usually 1. i'll
	verify this later ;)
	guess what... not only is the proto wrong, but the
	routine is wrong TOO!!!
	bah! how can the author make a double mistake ;D
	ok, here's the patch info [bytes to be changed,
	not to be added] for the trw2000.sys file:

	!!! see the opcode before attempting to patch !!!

	     Open a hex editor and go to offset .0003832E
	     [for TRW2000 v1.22] or offset .0003829C
	     [for TRW2000 v1.23] then change the bytes
	     from :

	     8B31.83C104.8930.83C004.
	     to
	     8B30.8931.83C004.83C104.
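
	As an added example (editor's code, not part of the sim plugin or its
	source), here is a verify-then-patch helper in Python for the ::Four::
	byte change: it checks that the original opcode sequence really sits at
	the offset before writing anything, which is what the "see the opcode"
	warning asks for. The trw2000.sys offsets and bytes are the ones listed
	above; the sample image, its offset and the asm reading in the comments
	are the editor's own.

```python
# Added example (editor's code, not the sim plugin's source): refuse to
# patch trw2000.sys unless the bytes at the offset match the README.
from pathlib import Path

# Bug ::Four:: patch from the README: same bytes in v1.22 and v1.23, only
# the file offset differs.
BUG4_OFFSET = {"1.22": 0x0003832E, "1.23": 0x0003829C}
# original: mov esi,[ecx] / add ecx,4 / mov [eax],esi / add eax,4
BUG4_EXPECTED = bytes.fromhex("8B3183C104893083C004")
# fixed:    mov esi,[eax] / mov [ecx],esi / add eax,4 / add ecx,4
BUG4_FIXED = bytes.fromhex("8B30893183C00483C104")


class PatchError(Exception):
    """Raised when the file does not look like the expected original."""


def apply_patch(image: bytes, offset: int, expected: bytes, new: bytes) -> bytes:
    """Return a copy of image with `expected` at `offset` replaced by `new`.

    Refuses (raises PatchError) when the bytes there are not the expected
    original: wrong version, wrong offset, or already patched. Lengths must
    match, since the README changes bytes and never adds any.
    """
    if len(expected) != len(new):
        raise PatchError("replacement must keep the same length")
    end = offset + len(expected)
    if end > len(image):
        raise PatchError("offset lies beyond the end of the image")
    found = image[offset:end]
    if found == new:
        raise PatchError("already patched")
    if found != expected:
        raise PatchError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    return image[:offset] + new + image[end:]


def patch_trw2000(path: str, version: str) -> None:
    """Patch a trw2000.sys file in place after the opcode check."""
    p = Path(path)
    p.write_bytes(apply_patch(p.read_bytes(), BUG4_OFFSET[version], BUG4_EXPECTED, BUG4_FIXED))


# Constructed sample image: padding with the buggy sequence at a small
# offset, so the check can be exercised without the real driver.
SAMPLE_OFFSET = 0x40
SAMPLE_IMAGE = bytes(SAMPLE_OFFSET) + BUG4_EXPECTED + bytes(16)

if __name__ == "__main__":
    patched = apply_patch(SAMPLE_IMAGE, SAMPLE_OFFSET, BUG4_EXPECTED, BUG4_FIXED)
    print(patched[SAMPLE_OFFSET:SAMPLE_OFFSET + len(BUG4_FIXED)].hex())
```

	Run it against a copy of the driver, never the only one you have; the
	check catches a wrong version but not an unrelated corrupt file.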

 tips :
	::One::
	there's a little problem with string handling. for
	example, you can type something like this:
	[Blah gAk BletCH! ;)] in the input box and it works
	fine. but you'll face a problem, ie: you can't type
	:bpx Blah gAk BletCH! ;) or type
	:bpx 'Blah gAk BletCH! ;)'
	and you know what, i'm not gonna fix this :p so be
	a good boy when giving a name :o

	::Two::
	in case you're tracing an app that will crash
	[because of antidebug or a fatal bug], trace it until
	the point before that happens, and assemble eip with
	[jmp eip]. then go out to the loader to save the symbol
	table there. later, you can load it again ;)

	::Three::
	please don't use the NAME/CMT commands mixed with the SIM
	cmd, i'm not responsible for what will happen ;p
	about CMT, i'm gonna explore it further :=o

	::Four::
	be careful when you're editing with two or more symbol
	tables. Don't use the TABLE command to switch to another
	table! you can only work with the current app's table. so,
	to work with another table, you must be in its image
	range and its addr context.

 todo : . support PDB/DBG formats.
	. as a consequence, i have to handle locals, globals,
	  structs, etc.
	. make a win32 app to convert .esf to .sym & vice versa

 lic  : full source code included. if you use this code, at
	least mention the credits somewhere. if you plan to
	include the code for commercial purposes, then you
	must contact me first : daner@go.cc

 say  :	G>greets to LiuTaoTao and ZhuNanHao from me ;)
	Q>did you guys stop updating TRW ?
	S>btw, TRW is really ::cool::, i like it :D
