27{
28 ShowMessages("db dc dd dq !db !dc !dd !dq & u u64 !u !u64 u2 u32 !u2 !u32 : reads the "
29 "memory different shapes (hex) and disassembler\n");
30 ShowMessages("db Byte and ASCII characters\n");
31 ShowMessages("dc Double-word values (4 bytes) and ASCII characters\n");
32 ShowMessages("dd Double-word values (4 bytes)\n");
33 ShowMessages("dq Quad-word values (8 bytes). \n");
34 ShowMessages("u u64 Disassembler at the target address (x64) \n");
35 ShowMessages("u2 u32 Disassembler at the target address (x86) \n");
36 ShowMessages("\nIf you want to read physical memory then add '!' at the "
37 "start of the command\n");
38 ShowMessages("you can also disassemble physical memory using '!u'\n\n");
39
40 ShowMessages("syntax : \tdb [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
41 ShowMessages("syntax : \tdc [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
42 ShowMessages("syntax : \tdd [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
43 ShowMessages("syntax : \tdq [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
44 ShowMessages("syntax : \tu [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
45 ShowMessages("syntax : \tu64 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
46 ShowMessages("syntax : \tu2 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
47 ShowMessages("syntax : \tu32 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
48
49 ShowMessages("\n");
50 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask\n");
51 ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask+10\n");
52 ShowMessages("\t\te.g : db @rax\n");
53 ShowMessages("\t\te.g : db @rax+50\n");
54 ShowMessages("\t\te.g : db fffff8077356f010\n");
55 ShowMessages("\t\te.g : !dq 100000\n");
56 ShowMessages("\t\te.g : !dq @rax+77\n");
57 ShowMessages("\t\te.g : u32 @eip\n");
58 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag\n");
59 ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag+30\n");
60 ShowMessages("\t\te.g : u fffff8077356f010\n");
61 ShowMessages("\t\te.g : u fffff8077356f010+@rcx\n");
62}