==============================================================================
                        <*> EXE-dumper version 2.1 <*>
                            by OBSESSiON, 1997
------------------------------------------------------------------------------
 Handle   Real name            Age   Profession    Group activity
------------------------------------------------------------------------------
 Bugsy    Benjamin Petersen    23    Programmer    Coder, organizer(?)
 Spawn    Michael Skovslund    22    Programmer    Coder, gfx
 UniSon   Henrik Eiriksson     23    Study IFA     Music, art
------------------------------------------------------------------------------
 PLEASE SEE DUMPEXE.DOC FOR A COPY OF THIS DOCUMENTATION WRITTEN
 IN MICROSOFT WORD 6.0. I ASSURE YOU THAT IT GIVES A LOT NICER RESULT.
 PLEASE CHECK OUT OUR INTERNET HOMEPAGE AT : WWW.CYBERNET.DK/USERS/BUGSY
==============================================================================

INDEX

  History
  Introduction
  Disclaimer
  Keyboard layout
  Program documentation
  Soft-Ice user notice
  How to unpack an exefile
  How to get in touch with us
  Greetings

■ History

  Version  Release note
  1.0      Never released to the public, only for our beta-testers.
  1.1      First public release.
  1.2      Now with Soft-Ice debugger support. Activate with INT FCh.
  2.0      Autodump from TD, S-ICE and GAMETOOLS. Detects a lot of things.
           Uses UMB. Added Total Memory Dump feature and Show User Screen.
           Now swaps the DOS stack, so DUMPEXE can be activated at any time
           (reentrance).
  2.1      Fixed a bug in the DOS version check.

■ Introduction

This program is able to unpack ANY exe-packed file. Many other programs, such as up, tron, unp and vgacbust, give you the same ability. But those programs can only expand/unpack files packed with known exepackers. By using the OBSESSiON DUMPEXE toolpack, you can unpack any of those exe-files that the above utilities gave up on.
Of course this can't be done by inserting a quarter (kr.) into the crypt-o-mate; we have to do a little more than that. This is where you, the OBSESSiON DUMPEXE toolpack and your debugger get into the picture. All you have to do is this :

   1. Load the exe program into your favourite debugger (e.g. TD, S-ICE, GameTools).
   2. Debug the program until the first original (unpacked) instruction.
   3. Dump the code/data, using the DUMPEXE program, via the FILE 1 option.
   4. Terminate the loaded program.
   5. Allocate a 4 Kb memory block via the DUMPEXE program.
   6. Reload the program, and ensure that the entry point is different.
   7. Debug the program until the first original (unpacked) instruction.
   8. Dump the code/data, using the DUMPEXE program, via the FILE 2 option.
   9. Terminate the loaded program.
  10. Deallocate the 4 Kb memory block via the DUMPEXE program.
  11. Run MAKEEXE with the needed parameters. Example :

        MAKEEXE.EXE #NoName#.1 #NoName#.2 ORIGINAL.EXE UNPACKED.EXE

And 'puf', you're done. To understand technically how this can be done, please refer to the section "How to unpack an exefile". If this sounds easy, exit your doc reader now; if not, keep on reading. 8-)

■ Disclaimer

This software has been tested and found to work properly. OBSESSiON has no responsibility whatsoever for any damages caused by use or misuse of this software. IF YOU DISAGREE WITH ANY OF THESE TERMS, PLEASE REMOVE THIS SOFTWARE NOW.

If after a 24 hour test period you still wish to continue using this software, you NEED to send me a postcard with your name and address, or register at our homepage at HTTP://WWW.CYBERNET.DK/USERS/BUGSY. The reason is that it's the ONLY way I can explain to my wife why I have invested MORE than 200 hours developing this software. It is the only way I can see that someone really is using this software. If I don't receive anything by mail, I won't update the program any more.
This means :

  IF NOT (ReceivedAnyPostCardOrEMail) THEN
     HALT (Programmer)
  ELSE
     ReleaseNextVersion

■ Keyboard layout

  Left shift + right shift : Activate the resident part of DUMPEXE
  TAB                      : Jump to next menu block
  Shift TAB                : Jump to previous menu block
  Arrow up/down            : Next/previous menu selection/block
  Arrow left/right         : Next/previous digit or menu block
  ESC                      : Terminate DUMPEXE or return to previous state
  Enter                    : Confirm selection/input

■ Program documentation

Install DUMPEXE into memory by starting the file DUMPEXE.EXE. The program will now go resident (TSR) in memory. This means that it can be invoked at any time and within any program (such as a debugger). If UMB is available, the 'DOS stack' and 'Screen swap data' will be placed there.

To activate DUMPEXE, press left shift and right shift at the same time (also called the hotkey). A menu like the one shown below should appear. To return to the interrupted program, press ESC.

NOTICE : In previous versions you couldn't start DUMPEXE by pressing the hotkey within the DOS command line (InDOS). This has now been fixed by using the technique called 'DOS stack switching'.

FIG 1.
The main picture of DUMPEXE

  ┌────── DumpExe v2.0 CARDWARE 1997 by BUGSY/OBSESSiON ──[1]──┐
  │ Dos, ≥80386, V86 mode, Turbo Debugger                  [2] │
  │───────── First file ────[3]─┬───────── Second file ───[4]──┤
  │ CS   : 0000                 │ CS   : 0000                  │
  │ IP   : 0000                 │ IP   : 0000                  │
  │ SS   : 0000                 │ SS   : 0000                  │
  │ SP   : 0000                 │ SP   : 0000                  │
  │ PSP  : 0000                 │ PSP  : 0000                  │
  │ Size : 00000 (0)            │ Size : 00000 (0)             │
  │ Name : #NoName#.1           │ Name : #NoName#.2            │
  │─────────────────────────[5]─┼─────────────────────────[6]──┤
  │ Dump exe-code               │ Dump exe-code                │
  │ Autodetect name             │ Autodetect name              │
  │ Autodetect size             │ Autodetect size              │
  │─────────────────────────[7]─┼─────────────────────────[8]──┤
  │ Raster Bar                  │ User screen                  │
  │ Memory snapshot             │ Allocate 4Kb                 │
  │ Reset menu                  │ Auto config file 2           │
  │ Uninstall                   │ Fill from debugger           │
  │─────────────────────────────┴─ Free 99 kb, Slack 0 kb [9]──┤
  │                                                       [10] │
  └───────────────── Hotkey : (U)ser screen ───────────────────┘

Overview

  [1]  Copyright text.
  [2]  Information on the operating system and found debuggers.
  [3]  Data for first memory dump, set by the user.
  [4]  -"- for second memory dump.
  [5]  Menu concerning first memory dump.
  [6]  -"- for second memory dump.
  [7]  General purpose menu, concerning global use of DUMPEXE.
  [8]  Utility menu with functions that help you get the job done faster.
  [9]  Information about the current memory status.
  [10] Shows status messages from DUMPEXE and serves as an input prompt.

Explanation

[1] Copyright text.
    Tells who made this brilliant program.

[2] Information on the operating system and found debuggers.
    Shows if the current session is a DOS, WINDOWS or OS/2 session. Also shows which debuggers have been found active at the present moment. Can show a mixture of the following text strings :

      [8086, 80286, ≥80386], [Real mode, V86 mode], [Dos, Win Std, Win Enh, OS/2],
      [No debugger, Turbo Debugger, Soft-Ice, GameTools]

    Example : Dos, ≥80386, Real mode, Soft-Ice, GameTools

    As you can see, it is possible to have more than one debugger loaded at the same time.
    This can be useful when combining Turbo Debugger and GameTools.

[3] Data for first memory dump, set by the user.
    This subwindow is used to enter information about the program you want to unpack. You have to fill out ALL fields to get a working copy of the unpacked program.

      CS   : Current code segment
      IP   : Current instruction pointer
      SS   : Current stack segment
      SP   : Current stack pointer
      PSP  : Current program prefix segment, usually the same as ES
      Size : Size of program in bytes
      Name : Name of dump file

    To change a value, move the selector to the desired item and press Enter. Enter the new value and press Enter again.
    REMARK : All numbers are shown and entered as hexadecimal values. The filename can not be entered manually.

[4] -"- for second memory dump. (See [3].)

[5] Menu concerning first memory dump.
    It is used for dumping the code/data block entered in [3] or [4]. Menu items available are :

      Dump exe-code   : Select this one to dump the selected code/data block.
      Autodetect name : Let DUMPEXE autodetect the name of the program it is processing, and use it as the dump filename.
      Autodetect size : Let DUMPEXE autodetect the size of the code/data block. There are two ways to autodetect this size: by Stack or by PSP. The most common way is 'By Stack', because this usually gives a smaller and more accurate image of the original unpacked exefile.

[6] -"- for second memory dump. (See [5].)

[7] General purpose menu, concerning the global use of DUMPEXE.
    Menu items available are :

      Raster Bar      : Switch between Raster Bar and Textmode Bar. It's a good idea to choose Textmode Bar if you are running under systems other than DOS, such as Windows and OS/2.
      Memory snapshot : Takes a snapshot of the first megabyte of memory and puts it in a file in the current directory, called SNAPSHOT.MEM.
      Reset menu      : Sets all items to their initial value. Use it if something, somehow, goes bananas.
      Uninstall       : Removes the DUMPEXE software from memory. Use it if you want DUMPEXE out of memory.
[8] Utility menu with functions that help you get the job done faster.
    Menu items available are :

      User screen        : Shows the screen as it was before DUMPEXE was started. Use this function instead of pressing ESC and then the hotkey. This function can also be called by pressing U while in view mode.
      (De)Allocate 4Kb   : Used to allocate/deallocate a block of 0100h paragraphs (4 Kb). This should be done after the first dump and termination, and before you reload the program. Please take a look at the tutorial later in this document.
      Auto-Config        : Adds 0101h to all segment registers in [2] and stores them in [3]. It is useful after preparing for the second dump. This works only on 9 out of 10 packed files. Please check that CS in [3] matches the one shown by the debugger; if not, enter all values manually. You only have to use this function if "Fill from debugger" fails.
      Fill from debugger : Reads the registers shown by the debugger and automatically places the values into the first or second dumpfile. This is a very useful function, since it gives you the ability to unpack the exefile FAST.

[9] Information about the current memory status.

      Free  : Amount of free base memory, in Kb.
      Slack : Number of memory fragments in Kb, after allocating 4 Kb.

[10] Status messages from DUMPEXE and input prompt.
    This line serves as an error message line and input scratch area. Here are some of the error messages that can appear :

      No size given.
        You have to enter how much memory the program needs to dump.
      No memory allocated.
        You are trying to auto-config file 2, and you haven't used "Allocate 4Kb". You must manually enter the data required to dump.
      Can't auto-config file 2, sorry.
        You have to enter the data required to dump a program manually, or you could use the function "Fill from debugger".
      The PSP-segment is not valid.
        You are using a function that requires a valid PSP segment, entered in [3] or [4].
      The PSP-segment for file 1 is not valid.
        See the above.
      Can't find name.
        DUMPEXE is not able to find the name of the program you want to dump. The program is using a standard name instead.
      Can't uninstall, vector hooked by another program.
        You have loaded another program after DUMPEXE. Unfortunately the two programs have both hooked the same interrupt. Unload the other program first and try again.
      Can't allocate necessary memory.
        Boot your machine with fewer drivers, and try again. If this doesn't help, you are f.....
      Out of stack.
        Your memory is fragmented too much. DUMPEXE has a 4 Kb stack, and in this case it doesn't seem to be enough. Contact me (BUGSY) and ask for a version with a larger stack, or modify the exeheader yourself. :)
      Can't release memory.
        This error is most likely caused by the program you are about to dump, or the stack of this program has been destroyed. Dump the code and reboot your PC. (The dumpfile should be okay, I hope...)
      Can't make file.
        Oops, a disk error. Check your harddisk with "chkdsk /f" or "scandisk".
      Can't write file, disk full ?
        Free some disk space, and try again.
      Can't deallocate memory.
        The MCB (memory control block) has been destroyed. Dump the code and reboot your PC. (Again, the dumpfile should be okay, I hope...)

■ Soft-Ice user notice

If you are using Soft-Ice, the hotkey is disabled. This is because Soft-Ice runs in protected mode and uses its own interrupt vector table. To activate DUMPEXE, enter the following sequence at the Soft-Ice command line prompt :

  BPX CS:IP  : So we can return after Int 0FCh has terminated
  GENINT FC  : Start the exe-dumper
  GENINT FC  : Start the exe-dumper again (if you need it)
  BC 0       : Clear the breakpoint set by BPX. The number (in this case 0) is the breakpoint's label.

Don't start DUMPEXE unless you are at the very first instruction of the unpacked exefile, because otherwise your current location might be in the keyboard handler or the like.

■ How to unpack an exefile

The file named "unpackme.exe" is a packed exe-file.
It is used to illustrate how to use this tool, and nothing more. BTW : the file is packed with PKLITE using normal compression.

I will use Turbo Debugger for this example, because if you know how to use the ultimate debugger Soft-Ice, you probably don't need this introduction anyway. If you don't know anything about using a debugger, I advise you to consult your debugger's manual.

Try to execute the tutorial program TESTEXE.EXE and take a look at the text it displays. The program will tell you if it's packed or not.

REMEMBER : Start DUMPEXE.EXE before proceeding with the next step.

Start debugging TESTEXE.EXE by writing :

  TD.EXE TESTEXE.EXE

The picture shown by TD (Turbo Debugger) should look something like this :

  CPU 80486
  cs:0100 B8B805    mov  ax,05B8        ax 0000   c=0
  cs:0103 BA5801    mov  dx,0158        bx 0000   z=0
  cs:0106 05C65E    add  ax,5EC6        cx 0000   s=0
  cs:0109 3B060200  cmp  ax,[0002]      dx 0000   o=0
  cs:010D 731A      jnb  0129           si 0000   p=0
  cs:010F 2D2000    sub  ax,0020        di 0000   a=0
  cs:0112 FA        cli                 bp 0000   i=1
  cs:0113 8ED0      mov  ss,ax          sp 0200   d=0
  cs:0115 FB        sti                 ds 5EB6
  cs:0116 2D1900    sub  ax,0019        es 5EB6
  cs:0119 8EC0      mov  es,ax          ss 6026
  cs:011B 50        push ax             cs 5EB6
  cs:011C B9C300    mov  cx,00C3        ip 0100
  cs:011F 33FF      xor  di,di
  cs:0121 57        push di
  ----------------------------------------------------------------
  ds:0000 CD 20 98 64 00 9A C0 00       ss:0202 2020
  ds:0008 00 00 E4 01 AC 25 AE 01       ss:0200 2020
  ds:0010 AC 25 80 02 07 20 75 11       ss:01FE 0000
  ds:0018 01 01 01 00 02 FF FF FF       ss:01FC 3846
  ds:0020 FF FF FF FF FF FF FF FF       ss:01FA 4238

NOTICE : Due to the nature of PC memory, the segment registers (CS, DS, ES, SS) might show different values than the ones shown here.
Run the code until cs:0128, by placing the cursor on the retf at cs:0128 (shown below) and running to it.

  CPU 80486
  cs:0119 8EC0      mov  es,ax          ax 6445   c=0
  cs:011B 50        push ax             bx 0000   z=1
  cs:011C B9C300    mov  cx,00C3        cx 0000   s=0
  cs:011F 33FF      xor  di,di          dx 0158   o=0
  cs:0121 57        push di             si 02CA   p=1
  cs:0122 BE4401    mov  si,0144        di 0186   a=0
  cs:0125 FC        cld                 bp 0000   i=1
  cs:0126 F3A5      rep movsw           sp 01FC   d=0
  cs:0128 CB        retf                ds 5EB6
  cs:0129 B409      mov  ah,09          es 6445
  cs:012B BA3201    mov  dx,0132        ss 645E
  cs:012E CD21      int  21             cs 5EB6
  cs:0130 CD20      int  20             ip 0128
  cs:0132 4E        dec  si
  cs:0133 6F        outsw
  ----------------------------------------------------------------
  ds:0000 CD 20 98 64 00 9A C0 00       ss:0204 0875
  ds:0008 00 00 E4 01 AC 25 AE 01       ss:0202 03A8
  ds:0010 AC 25 80 02 07 20 75 11       ss:0200 61E4
  ds:0018 01 01 01 00 02 FF FF FF       ss:01FE 6445
  ds:0020 FF FF FF FF FF FF FF FF       ss:01FC 0000

The unpacker has copied itself to a location just after the (not yet) unpacked code.
Single-step one instruction, and you'll hopefully see this :

  CPU 80486
  cs:0000 FD        std                 ax 6445   c=0
  cs:0001 8CDB      mov  bx,ds          bx 0000   z=1
  cs:0003 53        push bx             cx 0000   s=0
  cs:0004 83C32D    add  bx,002D        dx 0158   o=0
  cs:0007 03DA      add  bx,dx          si 02CA   p=1
  cs:0009 8CCD      mov  bp,cs          di 0186   a=0
  cs:000B 8BC2      mov  ax,dx          bp 0000   i=1
  cs:000D 80E40F    and  ah,0F          sp 0200   d=0
  cs:0010 B104      mov  cl,04          ds 5EB6
  cs:0012 8BF2      mov  si,dx          es 6445
  cs:0014 D3E6      shl  si,cl          ss 645E
  cs:0016 8BCE      mov  cx,si          cs 6445
  cs:0018 D1E9      shr  cx,1           ip 0000
  cs:001A 4E        dec  si
  cs:001B 4E        dec  si
  ----------------------------------------------------------------
  ds:0000 CD 20 98 64 00 9A C0 00       ss:0208 A800
  ds:0008 00 00 E4 01 AC 25 AE 01       ss:0206 030C
  ds:0010 AC 25 80 02 07 20 75 11       ss:0204 0875
  ds:0018 01 01 01 00 02 FF FF FF       ss:0202 03A8
  ds:0020 FF FF FF FF FF FF FF FF       ss:0200 61E4

Run to cs:015D (the retf instruction), which you find by paging down through the code a couple of times, and then single-step it. That's it. You have now unpacked the TESTEXE program.
If you have done it right, TD shows something like this :

  CPU 80486
  cs:0117 9A00007C5F  call 5F7C:0000    ax 0000   c=0
  cs:011C 9A0D001A5F  call 5F1A:000D    bx 0000   z=1
  cs:0121 9A1B02F65E  call 5EF6:021B    cx 0000   s=0
  cs:0126 55          push bp           dx 0000   o=0
  cs:0127 89E5        mov  bp,sp        si 0000   p=1
  cs:0129 B80001      mov  ax,0100      di 0000   a=0
  cs:012C 9ACD027C5F  call 5F7C:02CD    bp 0000   i=1
  cs:0131 81EC0001    sub  sp,0100      sp 4000   d=0
  cs:0135 9ACC011A5F  call 5F1A:01CC    ds 5EB6
  cs:013A BFA400      mov  di,00A4      es 5EB6
  cs:013D 1E          push ds           ss 608E
  cs:013E 57          push di           cs 5EC6
  cs:013F 8DBE00FF    lea  di,[bp-0100] ip 0117
  cs:0143 16          push ss
  cs:0144 57          push di
  ----------------------------------------------------------------
  ds:0000 CD 20 98 64 00 9A C0 00       ss:4008 74DB
  ds:0008 00 00 E4 01 AC 25 AE 01       ss:4006 0BBC
  ds:0010 AC 25 80 02 07 20 75 11       ss:4004 EBF3
  ds:0018 01 01 01 00 02 FF FF FF       ss:4002 8BC0
  ds:0020 FF FF FF FF FF FF FF FF       ss:4000 7600

As you can see there are three far calls. These are direct calls: each one calls a fixed location in memory, and the segment value is stored inside the instruction, so it depends on where the program was loaded. If we dump the memory used by TESTEXE, we'll have an image of the program. But this is not enough to make a new exefile, because an exefile is not just an image of memory the way a .COM file is. We need a second dump from a different memory location, precisely because of the direct calls: by comparing the two dumps, we can find the relocations (direct calls) needed to build a new exefile. Information like min/max memory usage is taken from the original exefile's header. But let's get on with the tutorial.

There are several ways to enter the values of SP, DS, ES, SS, CS and IP into DUMPEXE.
Since we are using one of the supported debuggers, we can use the "Fill from debugger" function. This function takes the register values shown by the debugger and automatically puts them into DUMPEXE. Start DUMPEXE by pressing the hotkey, and then press Enter at the "Fill from debugger" function. Answer <1> (or <2>) to choose whether the values should be placed in the first or the second dump file.

Another way is to remember the values of SP, DS, ES, SS, CS and IP before pressing the hotkey, and enter the values at their corresponding locations in [2]. If you decide to do so, you will probably notice that there is no field for ES. This is because the initial value of ES points to the PSP, so write the value of ES in the PSP field instead.

It's now time to tell DUMPEXE the size of the memory block we want to dump. Use TAB until you get to [4]. Press Enter at "Autodetect size". There are two ways of getting the size of the program: one is by using the stack, the other is by using the PSP. In 99 % of all cases you should use "by stack". Press Enter, and the size will be put into the size field. If DUMPEXE somehow fails to calculate the right value, you have the option of entering a size of your own.

Press Enter at "Autodetect name", and the name of the executable file will be put into the name field.

The last thing we have to do is to dump the program to a file. This is done by pressing Enter at "Dump exe-code". DUMPEXE will probably do it so fast that you won't notice the "process message" that appears. Below is a picture of DUMPEXE after the first dump. Again, remember that values vary from dump to dump.
  ┌────── DumpExe v2.0 CARDWARE 1997 by BUGSY/OBSESSiON ───────┐
  │ Dos, ≥80386, V86 mode, Turbo Debugger                      │
  │───────── First file ────────┬───────── Second file ────────┤
  │ CS   : 5EC6                 │ CS   : 0000                  │
  │ IP   : 0117                 │ IP   : 0000                  │
  │ SS   : 608E                 │ SS   : 0000                  │
  │ SP   : 4000                 │ SP   : 0000                  │
  │ PSP  : 5EB6                 │ PSP  : 0000                  │
  │ Size : 01C80 (7296)         │ Size : 00000 (0)             │
  │ Name : TESTEXE.1            │ Name : #NoName#.2            │
  │─────────────────────────────┼──────────────────────────────┤
  │ Dump exe-code               │ Dump exe-code                │
  │ Autodetect name             │ Autodetect name              │
  │ Autodetect size             │ Autodetect size              │
  │─────────────────────────────┼──────────────────────────────┤
  │ Raster Bar                  │ User screen                  │
  │ Memory snapshot             │ Allocate 4Kb                 │
  │ Reset menu                  │ Auto config file 2           │
  │ Uninstall                   │ Fill from debugger           │
  │─────────────────────────────┴─ Free 237 kb, Slack 0 kb ────┤
  │                                                            │
  └───────────────── Hotkey : (U)ser screen ───────────────────┘

Press ESC and then F9 in TD. The program has now terminated, and it's time to allocate a 4 Kb memory block. Start DUMPEXE again, and press Enter at "Allocate 4Kb". The menu item will change to "Deallocate 4Kb". Press ESC, and reload the program in TD. Start debugging like you did the first time. When you have reached the first instruction of the original code, enter all the information (CS, SS, ...) in [3]. Autodetect size and name. Dump the code, and we are almost done.

Again terminate your program in TD. Start DUMPEXE again, and press Enter at 'Deallocate 4Kb'. Exit your debugger.

Run the MAKEEXE program with the parameters : first dump, second dump, original exefile, new filename. Like this :

  MAKEEXE.EXE TESTEXE.1 TESTEXE.2 TESTEXE.EXE UNPACKED.EXE

The MAKEEXE program compares the two memory dumps and builds a new exefile from them, using the information found in the original exefile's header.
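The comparison MAKEEXE performs can be shown in a few dozen lines. The Python below is an added example and not code from the OBSESSiON package: it simulates the DOS loader on a constructed 512-byte module, "loads" it at two PSP segments that differ by 0101h paragraphs (the 4 Kb block plus its MCB paragraph, the same delta the Auto-Config note above uses), recovers the fixup positions from the difference between the two dumps, writes a standard MZ header and relocation table around the first dump, and finally loads the rebuilt file at an unrelated third segment to confirm the round trip. All segment values, register values and module bytes are constructed; minalloc/maxalloc are plain parameters here, whereas MAKEEXE takes them from the original file's header, and DUMPEXE's size detection ('by stack' / 'by PSP') is not modelled.

```python
"""Rebuild a DOS MZ relocation table from two memory dumps (added example,
not part of DUMPEXE/MAKEEXE). Same program, dumped at two load segments that
differ by DELTA_PARAS: every 16-bit word that grew by exactly that delta is a
segment value the DOS loader patched, i.e. a relocation entry. All data is
constructed."""
import struct

DELTA_PARAS = 0x101             # 4 Kb block (0x100 paragraphs) plus its MCB paragraph
MZ_HEADER = "<2sHHHHHHHHHHHHH"  # e_magic .. e_ovno, 28 (0x1C) bytes


def le16(buf, pos):
    """Little-endian 16-bit word at byte offset pos."""
    return buf[pos] | (buf[pos + 1] << 8)


def dos_load(module, relocs, load_seg):
    """Simulate the DOS loader: add the load segment to every relocation word."""
    img = bytearray(module)
    for ofs, seg in relocs:
        p = seg * 16 + ofs
        struct.pack_into("<H", img, p, (le16(img, p) + load_seg) & 0xFFFF)
    return bytes(img)


def find_relocations(dump1, dump2, delta=DELTA_PARAS):
    """Linear offsets whose 16-bit word differs by exactly delta between the dumps."""
    if len(dump1) != len(dump2):
        raise ValueError("both dumps must cover the same size")
    found, i = [], 0
    while i + 1 < len(dump1):
        if (le16(dump2, i) - le16(dump1, i)) & 0xFFFF == delta:
            found.append(i)
            i += 2              # a fixup word cannot overlap another fixup word
        else:
            i += 1
    return found


def build_exe(dump1, load_seg1, reloc_positions, cs, ip, ss, sp,
              minalloc=0, maxalloc=0xFFFF):
    """Assemble an MZ file from dump 1, its load segment and the fixup positions.
    minalloc/maxalloc are parameters here (MAKEEXE reads them from the original header)."""
    module = bytearray(dump1)
    relocs = []
    for p in reloc_positions:
        # the stored word must be relative to the module start, not to load_seg1
        struct.pack_into("<H", module, p, (le16(module, p) - load_seg1) & 0xFFFF)
        relocs.append((p & 0xF, p >> 4))            # (offset, segment) table entry
    hdr_paras = (0x1C + 4 * len(relocs) + 15) // 16
    total = hdr_paras * 16 + len(module)
    header = struct.pack(MZ_HEADER, b"MZ", total % 512, (total + 511) // 512,
                         len(relocs), hdr_paras, minalloc, maxalloc,
                         (ss - load_seg1) & 0xFFFF, sp, 0, ip,
                         (cs - load_seg1) & 0xFFFF, 0x1C, 0)
    body = header + b"".join(struct.pack("<HH", o, s) for o, s in relocs)
    body += bytes(hdr_paras * 16 - len(body))       # pad header to a paragraph boundary
    return body + bytes(module)


def load_exe(exe, load_seg):
    """Minimal MZ loader: returns (image, cs, ip, ss, sp) as DOS would set them."""
    f = struct.unpack_from(MZ_HEADER, exe, 0)
    if f[0] != b"MZ":
        raise ValueError("not an MZ file")
    cblp, cp, crlc, cparhdr, _, _, e_ss, e_sp, _, e_ip, e_cs, lfarlc, _ = f[1:]
    end = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    module = exe[cparhdr * 16:end]
    relocs = [struct.unpack_from("<HH", exe, lfarlc + 4 * k) for k in range(crlc)]
    return (dos_load(module, relocs, load_seg), (e_cs + load_seg) & 0xFFFF, e_ip,
            (e_ss + load_seg) & 0xFFFF, e_sp)


# Constructed 512-byte module: two far calls whose segment words need fixing up,
# and an immediate that happens to equal DELTA_PARAS (it must NOT be reported).
SAMPLE_MODULE = bytes([
    0x9A, 0x05, 0x00, 0x10, 0x00,   # call 0010:0005  (segment word at offset 3)
    0xB8, 0x01, 0x01,               # mov ax,0101     (plain immediate, no fixup)
    0x9A, 0x00, 0x00, 0x20, 0x00,   # call 0020:0000  (segment word at offset 11)
    0xCD, 0x20,                     # int 20
]) + bytes(0x200 - 15)
SAMPLE_RELOCS = [(3, 0), (11, 0)]   # what the original EXE's relocation table held


def demo():
    """Run the two-dump method end to end and round-trip the rebuilt EXE."""
    psp1 = 0x5EB6                       # constructed PSP segment of the first run
    psp2 = psp1 + DELTA_PARAS           # second run, after the 4 Kb block was allocated
    s1, s2 = psp1 + 0x10, psp2 + 0x10   # load module starts right after the 256-byte PSP
    dump1 = dos_load(SAMPLE_MODULE, SAMPLE_RELOCS, s1)
    dump2 = dos_load(SAMPLE_MODULE, SAMPLE_RELOCS, s2)
    positions = find_relocations(dump1, dump2)
    exe = build_exe(dump1, s1, positions, cs=s1, ip=0, ss=s1 + 0x10, sp=0x100)
    # loading the rebuilt file at an unrelated segment must reproduce what the
    # original loader would have produced there
    s3 = 0x1234
    img, cs, ip, ss, sp = load_exe(exe, s3)
    return positions, img == dos_load(SAMPLE_MODULE, SAMPLE_RELOCS, s3), (cs, ip, ss, sp)


if __name__ == "__main__":
    print(demo())   # ([3, 11], True, (0x1234, 0, 0x1244, 0x100))
```

The exact-delta test is what makes the method robust: a word that changed between the two runs for any other reason (data the program wrote before reaching its entry point) differs by an arbitrary amount, and a word that merely straddles a real fixup differs by 0100h or by a small carry, never by the full 0101h. That is also why MAKEEXE's 'End of valid code detected' question matters: once the dumps run past the program into unrelated memory, chance matches of the delta would be written into the header as bogus relocations.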
After MAKEEXE has built the new exefile, the screen should look like this :

  ┌───────────────────────────────────────────────────────────┐
  │  ─┼── MakeExe v2.0 CARDWARE 1996 by BUGSY/OBSESSiON ──┼─  │
  │                                                           │
  │  Read exeinfo : ooo                                       │
  │  Make new exefile.                                        │
  │  Makeing temp file.                                       │
  │                                                           │
  │  Processing dump files: o                                 │
  │                                                           │
  │  Number of relocation : 0069h                             │
  │  Add zero code : oooooooooooo                             │
  │  Size of EXE-header : 001F0h                              │
  │  Write code : o                                           │
  │  Write new exeheader.                                     │
  │  All done !                                               │
  │                                                           │
  └───────────────────────────────────────────────────────────┘

If the message 'End of valid code detected at ...' shows up, just press 'N'. This message means that MAKEEXE has detected that the two dumps no longer contain valid code/data. Normally one would answer 'No' to whether MAKEEXE should continue or not. If you answer 'Yes', the current position will be considered a relocation in the exe header. In special cases, where the unpacked exefile is smaller than the packed one, one should say yes, even if MAKEEXE asks more than once. But as I said, only in special cases.

I think this should be enough for you to continue on your own.

■ How to get in touch with us

If you have any questions about the use of these programs, feel free to contact us. You can get in touch with us by :

  Writing a letter to   : Benjamin Petersen
                          Joergen Jensensvej 16B
                          DK-4700 Naestved
                          Denmark
  E-Mail me at          : bugsy@cybernet.dk
  World Wide Web (WWW)  : http://www.cybernet.dk/users/bugsy
  Call me at            : +45 53 725-610 or +45 40 204-347

■ Greetings

My greetings go to (no order) :

  Spawn/OBSESSiON        : Thanks for the menu system in this production!
  Darkman/VLAD           : Thanks for your help about TSR detection.
  Ping (pingelingelater) : Thanks for proofreading this documentation.
  HiTech                 : Never put a bug into a bottle of coca cola!
  Bionic                 : Why did you close STH ?
  Jazz                   : Sorry, but I've quit smoking (NOT).
  Sketz/Silente PC       : No more logos for 'the top BBS', sad...
  Drake                  : Thanks for the Soft-Ice tip!
And all those people whose name I've forgotten : Sorry, kill us in our next cyberlife.

Have fun, and remember there are still some people who DON'T take money for making good programs.

[BUGSY/OBSESSiON]

If you are interested in the source code, just contact me. I'm sure we can work it out.