Expression Evaluator

The Real-Time Expression Evaluator evaluates interactive expressions able to use values from the target process. It evaluates all C/C++ mathematical operators and parenthesis can be used to enforce order of evaluation. It also accepts square bracket ([ ]) operators to indicate a value should be obtained from the target process.

The Expression Evaluator dialog can be docked onto the main window. All expressions added are remembered. While typing expressions, current values are shown in the box below. Add expressions to the list with the + button. Remove selected expressions with the - button.

Expressions can be copied from the list to the clipboard by right-clicking them in the list and selecting Copy Expression.

 

Operators

The Real-Time Expression Evaluator supports the following operators.

  • Math
    • - (minus) 34 - 3
    • + (plus) 60 + 4
    • * (multiplication) 32 * 23
    • / (division) 1024 / 32
    • % (modulus) 512 % 8
  • Unary Prefixes
    • - (unary negation) -120
    • + (unary positive) +56
    • ! (unary NOT) !90
    • ~ (unary one’s compliment) ~32
  • Bitwise Operators
    • & (bitwise AND) 67 & 15
    • | (bitwise OR) 1024 | 1
    • ^ (bitwise XOR) 37 ^ 1
    • << (bitwise shift left) 1 << 3
    • >> (bitwise shift right) 16 >> 4
  • Equality Operators
    • < (less than) 1 < 0
    • > (greater than) 1 > 0
    • <= (less than or equal) 67 <= 90
    • >= (greater than or equal) 89 >= 50
    • == (equals) 45 == 32
    • != (not equal to) 45 != 32
  • Logical Operators
    • && (AND) 45 && 32
    • || (OR) 0 || 23

Examples of basic expressions using these operators:

  • 32 + 56 (result = 88)
  • 32 + 56 * 3 (result = 200)
  • -5 - 90 * 16 % 7 (result = -10)
  • 67 * 5 & 34 (result = 2)
  • 0 && 21 (result = 0)
  • 0 || 21 (result = 1)

 

Order of Evaluation

Expressions are evaluated with standard operator precedence.

  • ( ) and [ ]
  • ~, !, - (unary), and + (unary)
  • *, /, and %
  • - and +
  • << and >>
  • <, >, <=, and >=
  • &
  • ^
  • |
  • &&
  • ||

 

Numeric Formats

The expression evaluator supports all standard numeric formats.

  • Decimal
    • A number using only digits from 0 to 9 that does not begin with a 0. For example, 56, 897, and 86878 are all decimal numbers.
  • Octal
    • A number using only digits from 0 to 7. The first digit must be a 0. For example, 0, 076, and 0534 are all octal numbers.
  • Hexadecimal
    • A number using only digits from 0 to 9 and characters from A to F (case insensitive). For example, C, C001, and 0100533a are all hexadecimal numbers.
    • Any of the above formats with an 0x or 0X prefix, or an h or H postfix. For example, 0x0, 0x67, 89h, and 07A89DEH are all hexadecimal numbers.
  • Floating-Point
    • A number using only digits from 0 to 9 and with a decimal (.), optional exponent, and optional f or F postfix. For example, 0.0, 3.1415963, and 88.5e-3f are all floating-point numbers.
  • Extra
    • The l or L postfix may be used on any number. This has no effect on the number itself but allows compliance with C/C++ numeric formats.
    • Characters are also resolved into numeric constants. For example, 'E' resolves to 69. Escape sequences are also allowed, so '\x2E' resolves to 46 (0x2E), and '\r' resolves to 13. The l or L prefix is allowed on character constants, however this has no effect on the character or its value.

 

Working With the Target Process

Values used in the expression can come from the target process. These expressions are considered interactive because the values can change at any time. These expressions are evaluated in real-time to show their current values at all times.

The following explains the operators and key information for getting values from the target process.

  • Square brackets ([ ]) indicate that a value should be obtained from the target process. The expression inside the brackets indicates the address from where to get the value. Any numeric value inside the brackets is converted to an unsigned integral value and treated as the address in the target process from where the value is obtained.
    • [0x01005334] gets the value from the target process at address 0x01005334.
    • [0x01005334] * [0x01005338] gets the values from 0x01005334 and 0x01005338 in the target process and multiplies them for the final result.
    • [[0x01005334]+0x44] gets the value from 0x01005334 in the target process, adds 0x44 to it, and then gets that value from that address in the target process.
  • By default the value obtained from the target process is in DWORD format, however prefixes on the brackets can be used to change this.
    • b[ ] gets a byte value.
    • w[ ] gets a word value.
    • [ ] (no prefix) gets a dword value.
    • q[ ] gets qword value.
    • f[ ] gets a float value.
    • d[ ] gets a double value.
  • Module names can be specified in two formats.
    • Format: [identifier].[identifier]. This is the normal format which can be used to specify modules containing only alpha-numeric characters and underscores, and that contain an extension.
    • The second format is a quote-encapsulated C/C++ string, including escape sequences.
    • Given the above two formats, the following are valid module identifiers:
      • lspiro.exe
      • winmine.exe
      • gamex86.dll
      • "winmine.exe"
      • "\xFFgame.ocx"
      • "Great Game.exe"
  • Special operators are available for getting the size of a module and its ending address.
    • Format: SO( MODULE )
      • MODULE can be any module name in any format specified above. This gets the size of the loaded module in bytes.
    • Format: EO( MODULE )
      • This gets the ending address of the module. This value is inclusive. An example value returned by this operator could be 0x0042CFFF.

Module names are resolved into the actual address of the module (unless used inside a special operator) as a 64-bit unsigned integer type. This means an expression such as gamex86.dll+0x154C is valid. gamex86.dll becomes a numeric value and is added to 0x154C for the final result.

When used inside a special operator (SO or EO), the result is not the module base but the return of the operator as a 64-bit unsigned integer type.

 

Evaluation Types

Numeric values are ultimately expressed in any of 3 ways: unsigned 64-bit integers, signed 64-bit integers, and 64-bit doubles. Any evaluations on floating-point values in the expression have the result of a floating-point type. Next, if any evaluation takes place on a signed value (created only by using the - unary prefix), the result is signed. Finally, all other values are unsigned integral types. The results of <, >, <=, >=, ==, !=, &&, and || operators are always a 64-bit unsigned integer with a value of either 0 (false) or 1 (true).

 

Options

The speed of the real-time updating can be adjusted in the General options menu. Go to Tools/Options/General and adjust the speed at which the Expression Evaluator is updated.

Copyright © 2006 Shawn (L. Spiro) Wilcoxen