Glossary

Address slide.

When displaying data, BE is showing a particular definition at a given address. This address is shown on the title. Address sliding is a mechanism whereby this address may be advanced forwards or backwards.

Alignment.

Certain data items are required to exist at addresses which are multiples of 2, 4 or other numbers. This is often because certain processor architectures run slower accessing mis-aligned data, or are unable to do so.

Caching.

Caching is the practice of keeping a local copy of (less easily accessible) data, for speedier access. For example, when BE uses a memory extension as a means of editing some data not in a file, the memory extension may cache some of the data in memory. If the user does a full refresh (using the R key), this cached data is discarded, so any data which is subsequently displayed definitely comes from the actual data, rather than the cached copy. Also, when the user uses BE to modify data, the data in the cache may be updated, and the real data may not immediately be updated. If the user flushes the data, any pending changes (in the cache) are written back into to the real data.

Current offset.

As a definition is being defined, the current offset indicates the byte offset within it that the next field will be placed. Typically in a C structure, each field immediately follows the previous field (subject to alignment restrictions). In a C union, all the fields can overlay each other, sharing the same offset. BEs definitions are flexible enough to handle all these cases.

Data display attributes.

Each data field on display has some data display attributes which govern the way in which the fields data is fetched from memory (ie: the endianness), and the way it is displayed.

Definition.

A definition is like a C structure or union definition. It is made up of a number of fields. A definition is defined via the def keyword in the initialisation file.

Disassembler extension.

A BE disassembler extension is a peice of (possibly user written) code which BE can call upon to disassemble raw bytes of data into some instruction set. Typically disassembler extensions exist as DLLs or shared libraries.

Endianness.

Multibyte numeric values can be stored within the data with the most or least significant byte first or last. If the least significant byte is first, then the data is typically referred to as little endian, or in the Intel byte order. If the most significant byte is first, then the data is typically referred to as big endian, or in the Motorola byte order.

Expression.

Typically refers to a numeric expression, such as 1+2*3. Wherever BE prompts for a number, any numeric expression may be used. Basic arithmetic is supported, along with symbol table lookup and support for mapping. See the section on numbers for more details.

Extended Regular Expression.

This is a powerful form of a search pattern, which allows for searching for several alternatives at once, zero or one occurance of a pattern, or one or more, or zero or more, and character classes.

Field.

A number of fields together form a definition. Fields in a definition can be made to overlay each other or not, thus acheiving the effect of C structures or unions. It is possible to tell BE to display the fields in a variety of ways, via the use of data display attributes.

Flushing.

BE may hold data in a memory cache for speed of access, and may choose to 'make the changes good' in response to a flush command. The @W key will try to flush any cached data. The W key can be used to flush cached data from a single memory section. BE prompts you as to whether you wish to flush any unsaved changes before exiting.

Initialisation file.

When BE runs it locates and processes an initialisation file which includes within it all the definitions of all the structures within the data.

Level of detail.

When displaying a field, BE displays it to a specific level of detail. This level of detail may be adjusted using the + and - keys. Increasing the level of detail can result in the fields of definitions being displayed, or pointers being followed and the fields in the 'pointed-to' definitions being displayed, or elements of an array being shown.

Long jump.

The ARM instruction set only includes a branch instruction which can only jump a certain distance forwards or backwards in memory. The ARM C compiler typically generates code which uses this branch instruction. To branch long distances, a trick can be done whereby the normal branch is made to branch to an instruction which loads the instruction pointer from the word of memory immediately following. This trick means that the mapping of addresses to function names using the symbol table doesn't work properly. By using the long jump data display attribute, BE is told to take this mechanism into account, when displaying code addresses symbolically. The lj and nolj keywords are used for this purpose.

Map.

The map keyword in the initialisation file defines a mapping between numbers and strings. Essentially it is a way of mapping numbers back to more a readable enumerated type form. The map MAPNAME "MAPLETSTRING" syntax may be used in any expression in the initialisation file or at any time BE prompts you for a number, and it evaluates the the numeric equivelent of the enumerated type named value. Data displayed via mapping tables can be edited via the M key.

Memory section.

In any given invokation of BE a number of filename arguments are specified, and each of these constitutes a memory section, because the data from the file covers a section of the memory space. BE can also edit data, where the data is provided to BE via a memory extension, invoked with some parameters.

Memory space.

Every byte of data BE can edit is presented to BE at an address in the BE memory space.

Memory extension.

A BE memory extension is a peice of (possibly user written) code which provides access to the data on demand. Typically memory extensions exist as DLLs or shared libraries.

Named constant.

BE keeps a small collection of named constants. These can be created by use of the -S name=val command line argument, or through the set and unset keywords in the initialisation file.

Null pointer.

Is a pointer whose numeric value indicates that the pointer doesn't actually point to another data item at this time. Typically the numeric value 0 is used to represent this. BE has a data display attribute which indicates whether the numeric value 0 represents a null pointer. The keywords nullptr and nonullptr are used. When the user presses Enter on a pointer value, BE pops up the data in the 'pointed to' definition, unless the value is 0, and null-pointer attribute is present.

Parent definition(s)

Often definitions include other definitions. Thus any given definition will have 0 or more parent definitions which include it. When displaying a definition @P will pop-up a list of all those definitions which use the current definition on display.

Pointer.

A pointer is typically a numeric value which somehow gives the address of another definition in the data. The keyword ptr DEFN is used in a field definition to indicate that a numeric field identifies the address of another definition.

Pointer glue.

When one PowerPC function calls another function via a function pointer this function pointer is actually the address of a 12 byte 'glue block'. The caller loads the address of the glue block and calls a routine called _ptrgl. This loads the TOC register from bytes 4 to 7 in the glue block and branches to the code specified by bytes 0 to 3 in the glue block. This mechanism is much like __loadds in 16 bit Intel code, in that it ensures the callee can access its own global data, even if it is a seperate library or module.

Power address slide.

This is a form of address slide, whereby BE can be made to automatically address slide until certain patterns (which can be Extended Regular Expressions) appear in the decoded data.

Session.

Navigation of the data being edited starts by displaying a list of some of the data, and bringing up other lists. You effectively build up a stack of lists, and can step back to an earlier list. This stack of lists, or thread of investigation, is referred to as a session, and BE maintains 10 independent sessions, which may be switched between via @0, @1, ... @9.

Suppressing

When displaying a definition, BE normally displays all the fields. However it is possible to display all the fields of a definition in a single one line summary, by increasing the level of detail of display. In this case, only non-suppressed fields are displayed. When viewing a structure definition with one field to a line, suppressed fields are shown in round brackets. The suppress keyword may be used in the initialisation file on a field, or the @S and @N keys may be used interactively.

Symbol table

Is typically provided from a file via the -y symtab command line argument. It is a list of names (the symbols) and their values. Typically these are code or data addresses for functions or variable within an executable program. BE can use this information so it can display addresses in symbol+offset form, or so it can allow you to type addr "symbol" in an expression and have BE substitute the numeric value of the symbol.

Validity check.

Any field can have a validity check expression associated with it, either using the valid "EXPR" syntax in the initialisation file, or by pressing the V key whilst on the field. Fields with validity checks have either ++ or -- shown next to them, depending upon whether the check passes. Fields failing their validity check are suppressed when viewing a structure definition in single line summary form. This feature can be used to effectively give conditional decode.

Zero terminator.

When strings are stored in memory or in files, often a 0 byte is appended to indicate the end of the string. BE can be told to stop displaying string data (or not) when it hits a 0 byte via the 'stop at zero terminator' data display attribute, specified using the zterm or nozterm keywords in the initialisation file.