Disassembler - Options

Disassembler - Options

The Disassembler has many options for customization. You can change appearances, fonts, decodings, and certain aspects of functionality. Select the Disassembler category in the Options Dialog (Tools/Options from the main window) or select the Tools/Options menu item from the Disassembler window.

Misc.

The Disassembler can load data not only from its own file format but also from UDD files from OllyDbg. In the Misc. tab you can specify the directories where this data is stored. Environment Variables are allowed here.

Auto-Hack can use software or hardware breakpoints. The following table lists the uses of each.

Type

Pros

Cons

Software

Any number of them may be set. This allows any number of Auto-Hack items.

Results are shown on the instruction that reads/writes/accesses the data before the read/write/access actually took place, so registers can be shown correctly.

Slows down the target process substantially. Often renders games unplayable.

Hardware

Very fast; no noticeable slowdown in the target process.

Only 4 are allowed.

Results are shown on the next instruction instead of the instruction that actually read/wrote/accessed the data. Although MHS uses an advanced algorithm to correct this, it can not provide accurate information on the registers at the actual time of the access.

Font/Colors

The Font/Colors tab allows you to change the font and colors.

While most Disassemblers limit you to using only fixed-width fonts, in MHS you are not limited in which fonts or styles you may use.

Selection: The color shown on items that are selected.
Focused Item: The color shown on the item that has focus. The focused item is the item last clicked.
Link: Clickable links (in square brackets ([ ]) in the disassembly) are shown in this color.
EIP: The current instruction during Single Stepping is shown in this color.
JMP/CALL Start: When mousing over a JMP or CALL instruction, this is the color shown on that instruction.
JMP/CALL Middle: When mousing over a JMP or CALL instruction, this is the color shown between the start and end locations.
JMP/CALL Target: When mousing over a JMP or CALL instruction, this is the color shown at the target of the JMP/CALL.

Output

Force IDEAL Decoding

IDEAL syntax enforces that every property of a memory operand be included inside the brackets, which is in contrast to MASM syntax where only the address must be inside square brackets.
For example, from MASM to IDEAL, MOV EAX, DWORD PTR SS:[EAX+EBP+20] would become MOV EAX, [DWORD SS:EAX+EBP+20].

Use Lower-Case Output

Commands, registers, and modifiers will be displayed in lower-case. No change is made to labels or constants.

Tab Betweeb Mnemonics and Arguments

Commands are padded with spaces such that the arguments begin on the 8th column. This only appears correctly in fixed-width fonts.

Extra Space Between Arguments

Inserts an extra space after the comma separating operands.

Show Default Segments

80x86 commands always use some segment register when accessing memory. If the segment register is different from the default for the command, it must be explicitly supplied. When enabled, this option displays the segment register in all cases, instead of only when it is different from the default.

Show Memory Sizes

When set, sizes of operands are always shown. Otherwise, sizes are only shown when it is not clear which size is being used.

Show NEAR Modifiers

When set, the NEAR modifier is shown on all intrasegmental (code within the same region) jumps and calls.

Short Form of String Commands

Some string commands are very long when represented in long form. This allows them to be described with much shorter output.
For example, MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI] would become MOVSD, and REP STOS DWORD PTR ES:[EDI] would become REP STOSB.

Show Symbolic Addresses

Allows decoding of constants as symbolic names (for example, NULL is a symbolic name for 0).

Method to Decode Size-Sensitive 16/32 Mnemonics

Allows to select the decoding method for commands whose mnemonics depends on the sizes of the address data.

Warnings

Some commands or conditions are rare encounters in valid Windows®, but still valid. Usually encounters with these commands or conditions, however, indicate invalid code. These options allow you to decide what is flagged as potentially being invalid code.

Accept FAR Calls

To allow direct calls to procedures in other regions of code. Very rare.

Decode VxD Calls (Windows® ‘95/Windows® ‘98)

DOS-based Windows® ‘95/Windows® ‘98 use INT 20 followed by a DWORD containing the code of the requested service to communicate to virtual devices. This is not to be found inside user-mode applications but inside device drivers.

Accept Privileged Commands

Some commands can be executed only by device drivers (due to privilege levels) and not by user-mode applications.

Accept I/O Commands

Windows® NT does not allow direct access to I/O (in/out) ports, however some drivers can modify the I/O Permission Bit Map to allow access, and Windows® ‘95/Windows® ‘98 are not as strict. Check this if you feel the target process may be accessing I/O ports directly.

Accept Shifts Out of Range 1-31

Compilers typically ensure constant shifts are within a valid range (0-31) and shifts of 0 are omitted. Although theoretically possible, shifts outside the range from 1 to 31 are usually the result of data being interpreted as code rather than valid code.

Accept Superfluous Prefixes

Allows repeated or contradictory prefixes on commands. Usually not useful to allow.

Accept LOCK Prefixes

Applications usually do not use the LOCK prefix themselves, instead relying on EnterCriticalSection or other system functions.

Accept Unaligned Stack Operations

Applications typically keep the stack aligned on DWORD’s (multiples of 4). To lose this alignment for any but very special purposes is guaranteed to cause crashes. If code such as INC ESP or ADD ESP, 7 is seen, it is almost certainly the result of data being interpreted as code.