

	    ProcDump version 1.0 Beta 1 (C) G-RoM & Stone in 1998


Purpose :


  ProcDump is a brand new type of tool that allows u to dump and unpack some
 protected PE files without any need for a debugger.

 What ProcDump can do :

  Dump any 32-bit running process.
  Dump any 32-bit module.
  Restore the import table.
  Restore the PE header.
  Load an external dump & apply the previous features to it.
  Start & unpack a given PE file (at least we try !!).
  Learn how to unpack some file by using the script language.
  Unpack some well-known packers/protectors in a few secs.

Disclaimer :


  We, the authors, are *NOT* responsible for any damage caused by the use of
 ProcDump. It was tested with success under Windows 95, 98 and NT 4 & 5.0.

Requirements :


 This program works fine under :

  Windows 95
  Windows 98
  Windows NT 5.0
  Windows NT 4.0 with restrictions.

  Maybe some little knowledge of the PE format if u expect to use this tool
 on some special code. Sometimes you *may* need to do some fixups by hand.
 I said *sometimes* ;).

Limitations :


 * What ProcDump can't do (yet ?):

  Restore a working DATA section in dump mode.
  Restore the REAL EIP in dump mode.
  Restore packed relocs (several converters have to be coded).
  Unpack a DLL (it's possible but... I need time ;)).
  Dump a 16-bit process (DOS or Win16 applications => size 0 in the array).
   -> for DOS apps, use Softice, cup386, TR or GTR.
   -> Win16 apps.... who cares about those ? ;)

 * Imports Restrictions :

   Some protectors destroy the import function NAMES; these names can't be
 restored at the moment. The function names aren't required, since in this
 case I convert all imports by name to imports by ordinal. I may implement a
 function name guesser one day.

How to Dump a process :


 That's kinda easy :

 1) Just select it in the array.
 2) Right-click.
 3) Select "dump process".
 4) Select the name of the dump.

 And it is done ;)

How to Dump a module attached to a process (not under NT4):


 As easy as dumping a process ;) :

 1) Select the process.
 2) Right-click.
 3) Click on "Module List".
 4) Select the module.
 5) Right-click.
 6) Click on "dump".
 7) Select the name of the dump.

 And it is done ;)

Options For PE unpacking :


 Standard Options :
 

  Ask for reached EIP

  When ProcDump reaches the original CODE, it can prompt you to confirm whether
 the reached EIP looks good or not. Generally, u may leave this option unchecked.

  FastDump Mode

  When ProcDump starts to analyze, it first does a preDump for internal reasons.
 Some applications/games may need some time to be loaded. That's why you can
 tell ProcDump to wait until u say it is loaded, or let ProcDump wait a given
 time.

  Delay To Wait

  Depends on the previous option. That's the delay ProcDump will wait for the
 APP to be loaded. Generally 2000 ms is enough.

 Advanced options (EXPERT ONLY !!!!):
 

  Manual Dump

  ProcDump can be told not to do the preliminary dump. It is then UP TO YOU
 to provide it to ProcDump when asked !!! This may be useful for some
 special cases.

  Import Rebuild

  Normally ProcDump restores the import table. U can tell it not to fix it.
 This option was intended FOR ME to debug !!

  Range Checking

  Normally ProcDump checks that the trace does not fly out of the code itself,
 for safety and security reasons. Anyway, it is possible that ProcDump reports
 a range error even when there is none. UP to u to check ;)

  Update Objects Size

  When ProcDump dumps a PE file, it normally rebuilds the object (section)
 records so that the Physical Size field is no longer ZERO (except for BSS).
 You can tell it not to update this.
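 As an added illustration of what this option does (example code written for
 this page, not ProcDump's own; it assumes a raw dump in which every section
 already sits at its virtual address), the function below walks the section
 headers and sets the physical (raw) size and offset from the virtual ones,
 leaving BSS-style sections at zero:

```python
import struct
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080  # section flag for BSS-style data

def _section_table(image):
    """Locate the section table: (offset of first 40-byte header, number of headers)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    num_sections, = struct.unpack_from("<H", image, e_lfanew + 6)
    opt_hdr_size, = struct.unpack_from("<H", image, e_lfanew + 20)
    return e_lfanew + 24 + opt_hdr_size, num_sections

def read_sections(image):
    """(Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics) per section."""
    base, count = _section_table(image)
    out = []
    for i in range(count):
        off = base + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", image, off + 8)
        chars, = struct.unpack_from("<I", image, off + 36)
        out.append((name, vsize, vaddr, rawsize, rawptr, chars))
    return out

def fix_section_sizes(image):
    """File layout = in-memory layout: PointerToRawData=VirtualAddress, SizeOfRawData=VirtualSize (BSS keeps 0)."""
    base, _ = _section_table(image)
    for i, (_, vsize, vaddr, _, _, chars) in enumerate(read_sections(image)):
        rawsize = 0 if chars & IMAGE_SCN_CNT_UNINITIALIZED_DATA else vsize
        struct.pack_into("<II", image, base + i * 40 + 16, rawsize, vaddr)
    return image

def build_sample_dump():
    """Constructed PE32 header as it looks in a raw dump: raw sizes/pointers all zero."""
    img = bytearray(b"MZ".ljust(0x400, b"\0"))
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew -> PE signature
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 2)   # Machine i386, NumberOfSections 2
    struct.pack_into("<H", img, 0x94, 0xE0)        # SizeOfOptionalHeader (PE32)
    table = 0x80 + 24 + 0xE0
    sections = [(b".text", 0x1000, 0x1000, 0x60000020),  # code, readable, executable
                (b".bss", 0x200, 0x2000, 0xC0000080)]    # uninitialised data
    for i, (name, vsize, vaddr, chars) in enumerate(sections):
        off = table + i * 40
        img[off:off + len(name)] = name
        struct.pack_into("<4I", img, off + 8, vsize, vaddr, 0, 0)
        struct.pack_into("<I", img, off + 36, chars)
    return img
```

 A real rebuild would also have to fix the import table and entry point, which
 this sample header does not model.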

How to unpack a PE file :


 Preliminary step : configure OPTIONS (see section above).

 So please configure FastMode & DelayToWait to fit ur needs.

 a) Trace mode.

 1) Select the target.
 2) Select a name for the unpacked PE file.
 3) File is unpacked .... u should try & pray ;)

	    TRACING A CODE IS KINDA SLOW SOMETIMES - BE PATIENT
	    BTW : if the 'traced xxxxxx lines' counter is frozen => Crash

 b) Fast Unpacking mode.

 1) Choose the appropriate packer/protector.
 2) Select the target.
 3) Select a name for the unpacked PE file.
 4) File is unpacked .... u should try & pray ;)

Warning :


 I do not recommend that u dump :

  ProcDump process itself  (imports trashed anyway).
  Kernel32.dll process     (Access Violation, System Kill).
  And other system processes (Access Violation).

 It may result in some obvious crash... U were warned.

  Don't start two instances of ProcDump at a time, otherwise u will have to
  REBOOT. Anyway... why do u want to do this ? My code is not for YOU ;)

Credits :


 Project Coordinator : G-RoM

 Tracer engine       : Stone
 Script Tracer       : G-RoM
 Memory Dumper       : G-RoM
 PE rebuilder        : G-RoM

 Interface design    : G-RoM
 Artworks            : ZeCreator
 This lame dox       : G-RoM

 To Contact me       : G-RoM@innocent.com
               Stone : stone@one.se

Greetings (quick):


 Random : Aaarggghhh... Another import table destroyer trick !! Why the hell
          did I tell you how I did my rebuilder. Pecrypt32 really rules !!!!
          The most secure, the best packer, etc... Hopefully, it is not used
          (yet??) by too many persons ;). Final release of version 1.02 will
          kick ass !!! As an example I trust in it, ProcDump is packed with
          it. I love the twoinstancesfastcrashtrick feature ;).

 Acpizer: Continue ur work with the Win console and start to work on Ring 0
          hardware breakpoints ;). It will kick ass when it is done. Are
          you interested in coding the interface in ASM ? Or even better,
          a visual ASM programming environment ? Check Random's greeting about
          ur common work.

 Marquis: Thanks for ur interest in my lame work. The shrinker unpacker was
          possible as I used to say ;). Good luck with ur PE protector: bug
          hunting can take so much time....bah u surely know, as u are using
          EXCEL macro shit ;).

 Jammer : U were the precursor... Join our team ;) hehehe. I still need more
          information about PDB under Windows... Waiting for news from you on
          this subject.

 J0B    : Thanx for the information about shrinker. BTW: Shrinker 3.2 can't
          be handled with software breakpoints nor traced, due to faults;
          check the version.txt file for details. So your work on it was
          fucking essential ;).

 Hendrix: Code me a fully featured tracer for WIN32.... When u have time ;)
          Good luck with GTR95 and VXD unloading.

 Iceman : How is ur TUI ? Keyboard layout is weird, VGA port TOO ? :). Bah,
          u will fix all these nice "features".

 Devil  : Okay okay.... I'll study this new PE packer and try to add it.

LordByte: Finally, I enhanced the trace & fast unpack method so that u have
          only to say what ur target is & the output name. I found an API ;)
          I will think about ur next suggestions ;) hehehehe. Don't expect me
          to code the NE support for ..... (choose a long period... By that
          time the NE format will have died ;)

 Nop    : U check so many details.... Argggh.. For now, I fixed all the bugs
          you spotted : things that are still in your list aren't bugs. After
          I finish my code translation, your list might be cleared. Just to
          laugh... ;) ;) ;) ;) ;) hehehehe.

 Riz+ La: Interface in ASM32 rules like da hell !!! We will do some good work
          I hope.

 hiho to: #cracking, #bs2000, #PC98-Chat, #ucf2000,
          groups I am in, groups I was in,
          NuMega Technologies (Softice owns !!),
          guys & girls I may know somewhere in the world ;).

 U are wondering what the greetings would have been if they weren't quick ?
 Humm.. Just wait for PECRYPT32 1.02 FiNaL ;). hehehehe.
