

	   ProcDump version 1.0 alpha 8 (C) G-RoM & Stone in 1998


Purpose :


  ProcDump is a new type of tool that lets you dump and unpack some protected
 PE files without needing a debugger.

 What ProcDump can do :

  Dump any running 32-bit process.
  Restore the import table (about 98% reliability in one pass, 99% after a reload).
  Restore the PE header.
  Load an external dump and apply the same restorations to it.
  Start and unpack a given PE file (at least we try !!).

Disclaimer :


  We, the authors, are *NOT* responsible for any damage caused by the use of
 ProcDump. It was tested successfully under Windows 95, 98 and NT 5.0.

Requirements :


 This program works fine under:

  Windows 95
  Windows 98
  Windows NT 5.0

 BUT WILL NOT WORK UNDER NT < 5.0! I may work on an NT update... one day ;)

  Some basic knowledge of the PE format helps if you expect to use this tool on
 unusual code. Sometimes you *may* need to do some fixups by hand. I said
 *sometimes* ;).

Limitations :


 * What ProcDump can't do (yet ?):

  Restore a working data section in dump mode.
  Restore the real EIP (original entry point) in dump mode.
  Restore packed relocations (several converters still have to be written).
  Unpack/dump a DLL or a module (future enhancement).
  Restore a valid PE if the header was destroyed with KillHeader (C) myself ;).

 * Imports special case :

   Some dumps will still have mangled function names in the import section. You
 can fix this by reloading the dump with the LOAD EXTERNAL function. It applies
 an exhaustive fixup that may discard some imports by name and replace them with
 imports by ordinal instead. This code is still in development and I may
 implement a function name guesser soon.

How to unpack a PE file :


 1) Launch the target EXE.
 2) Do a memory dump (select the process in the list and right-click).
 3) Trace the target (Trace button).
 4) Wait until EIP is caught.
 5) Choose a name for the unpacked PE file.
 6) Select the memory dump file you made in step 2).
 7) The file is unpacked.... you should try it & pray ;)

  I apologize for the way it works.... BUT Windows is unfair on one particular
 point and there is NO WAY to automate steps 1) through 2). If I do them in your
 place, the import section is corrupted and I don't know HOW to fix that. The
 target process must not be a child of the dumper/unpacker when you dump it.
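 The two header fixes the procedure above relies on, as an added example (this
 is not ProcDump's code, and the tiny "packed" image it operates on is
 constructed here, not taken from any real program): a memory dump holds every
 section at its VirtualAddress, while the header still carries the
 PointerToRawData/SizeOfRawData of the original file, so written straight to
 disk the dump would make the loader read code from the wrong file offsets; and
 AddressOfEntryPoint still points at the packer stub rather than at the EIP the
 tracer caught. The rebuilder below assumes a PE32 image, that the caught EIP
 (0x401000 in the sample) is the real entry point, and that the whole image was
 dumped; the field offsets are the documented IMAGE_OPTIONAL_HEADER32 layout.

```python
import struct

# PE32 header layout used below (little-endian, offsets relative to the optional header).
DOS_E_LFANEW = 0x3C
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPT_ENTRY_POINT, OPT_IMAGE_BASE, OPT_SECTION_ALIGN = 16, 28, 32
OPT_FILE_ALIGN, OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 36, 56, 60


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_headers(image):
    """Locate the optional header and the section table; PE32 (32-bit) only."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = _u32(image, DOS_E_LFANEW)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = struct.unpack_from(FILE_HEADER_FMT, image, pe_off + 4)
    num_sections, opt_size = file_hdr[1], file_hdr[5]
    opt_off = pe_off + 4 + struct.calcsize(FILE_HEADER_FMT)
    if struct.unpack_from("<H", image, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    sec_off = opt_off + opt_size
    sections = [struct.unpack_from(SECTION_FMT, image, sec_off + i * SECTION_SIZE)
                for i in range(num_sections)]
    return opt_off, sec_off, sections


def rebuild_pe(dump, eip):
    """Make a raw memory image loadable: file layout := memory layout, entry point := caught EIP."""
    out = bytearray(dump)
    opt_off, sec_off, sections = parse_headers(out)
    image_base = _u32(out, opt_off + OPT_IMAGE_BASE)
    sect_align = _u32(out, opt_off + OPT_SECTION_ALIGN)
    size_of_image = _u32(out, opt_off + OPT_SIZE_OF_IMAGE)
    if not image_base <= eip < image_base + size_of_image:
        raise ValueError("caught EIP is outside the dumped image")
    if len(out) < size_of_image:                      # short dump: pad so every section fits
        out.extend(b"\0" * (size_of_image - len(out)))
    struct.pack_into("<I", out, opt_off + OPT_ENTRY_POINT, eip - image_base)   # OEP as RVA
    struct.pack_into("<I", out, opt_off + OPT_FILE_ALIGN, sect_align)          # file == memory
    struct.pack_into("<I", out, opt_off + OPT_SIZE_OF_HEADERS, min(s[2] for s in sections))
    for i, (name, vsize, va, _raw_size, _raw_ptr, *rest) in enumerate(sections):
        raw_size = min(_align_up(vsize, sect_align), len(out) - va)
        struct.pack_into(SECTION_FMT, out, sec_off + i * SECTION_SIZE,
                         name, vsize, va, raw_size, va, *rest)   # PointerToRawData := RVA
    return bytes(out)


def describe(image):
    """The fields a dumper cares about: entry RVA, file alignment, (name, RVA, raw ptr, raw size)."""
    opt_off, _, sections = parse_headers(image)
    return {"entry_rva": _u32(image, opt_off + OPT_ENTRY_POINT),
            "file_alignment": _u32(image, opt_off + OPT_FILE_ALIGN),
            "sections": [(s[0].rstrip(b"\0").decode(), s[2], s[4], s[3]) for s in sections]}


def make_sample_dump():
    """Constructed memory image of a small 'packed' PE32 after its stub ran (not a real program)."""
    text_rva, data_rva, size_of_image = 0x1000, 0x2000, 0x3000
    image = bytearray(size_of_image)
    image[:2] = b"MZ"
    pe_off = 0x80
    struct.pack_into("<I", image, DOS_E_LFANEW, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    # i386, 2 sections, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into(FILE_HEADER_FMT, image, pe_off + 4, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = pe_off + 24
    struct.pack_into("<H", image, opt, 0x10B)
    struct.pack_into("<I", image, opt + OPT_ENTRY_POINT, text_rva + 0x80)   # packer stub, not OEP
    struct.pack_into("<I", image, opt + OPT_IMAGE_BASE, 0x400000)
    struct.pack_into("<I", image, opt + OPT_SECTION_ALIGN, 0x1000)
    struct.pack_into("<I", image, opt + OPT_FILE_ALIGN, 0x200)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_HEADERS, 0x400)
    struct.pack_into("<H", image, opt + 68, 2)        # Subsystem: GUI
    struct.pack_into("<I", image, opt + 92, 16)       # NumberOfRvaAndSizes
    sec = opt + 224
    # Raw pointers as the packer wrote them on disk: .text at 0x400, .data at 0x600.
    struct.pack_into(SECTION_FMT, image, sec, b".text", 0x100, text_rva, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, image, sec + 40, b".data", 0x80, data_rva, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    # Memory contents: unpacked code at RVA 0x1000 (push ebp; mov ebp,esp), stub at 0x1080, data at 0x2000.
    image[text_rva:text_rva + 3] = b"\x55\x8b\xec"
    image[text_rva + 0x80:text_rva + 0x82] = b"\xeb\xfe"
    image[data_rva:data_rva + 5] = b"hello"
    return bytes(image)


if __name__ == "__main__":
    before = make_sample_dump()
    after = rebuild_pe(before, 0x401000)     # EIP the tracer caught, assumed to be the OEP
    print(describe(before))
    print(describe(after))
```

 Before the rebuild the header sends the loader to file offset 0x400 for .text,
 which in the dump is just zero padding past the headers; afterwards every
 section's raw pointer equals its RVA and the entry point is the caught EIP.
 What this does not do is the import restoration the tool list above mentions:
 in a dump the IAT already holds the addresses the loader resolved, so a rebuilt
 file still needs its import directory reconstructed before it runs on another
 machine, and packed relocations are likewise left alone.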

Warning :


 I do not recommend that you dump:

  the ProcDump process itself
  Kernel32.dll
  any other system process

 It will probably just crash... You were warned.

	    TRACING CODE IS KINDA SLOW SOMETIMES - BE PATIENT

	    BTW: if 'traced xxxxxx lines' is frozen => crash

Credits :


 Project Coordinator : G-RoM

 Tracer engine (YES!): Stone
 Memory Dumper	     : G-RoM
 PE rebuilder	     : G-RoM

 Interface design    : G-RoM
 Artworks            : ZeCreator
 This lame dox       : G-RoM

 To contact us       : G-RoM    G-RoM@innocent.com
                       Stone    stone@one.se

Greetings (quick):


 Random : Thanks for some tips & examples of problems with my dumper.
 	  I really hate ur function name mangler... !
	  Pecrypt really rules !!! arghhh :)
	  Hopefully it is not used (yet??) by too many people ;)

 Acpizer: Continue ur work with the Win console ;).
	  Are u interested in coding the interface in ASM ? ;)
	  See Random's greetz about ur common work ;)

 Marquis: Thanks for ur interest in my lame work.
  	  A Shrinker unpacker is possible, as I used to say ;)

 Jammer : U were the precursor... Join our team ;) hehehe.

 Hendrix: Code me a fully featured tracer for WIN32.... When u have time ;)

 Iceman : How is ur TUI ? Keyboard Layout is weird ? :)

 hiho to: #cracking, #bs2000, #PC98-Chat, #ucf2000,
  	  Groups I am in,
	  guys & girls I may know somewhere in the world ;).
