ERP [0.97b] - Richie 1996,97

Executable Recovery Program

This little program can sometimes remove append-protectors like Hackstop, and also viruses, from EXE-files.

Starting the program without any options or filenames shows the help screen.

Usage: ERP infile [outfile [opt]]

  -a[n]  increases stack. Rarely needed (I hope).
  -o     copy overlays (if any)
  -p     prompts for confirmation. Useful when it finds more than just one.
  -s     alternative size-calculation. Uses the more rigid method for
         calculating the new size, just in case anyone ever needs it.

This program could be very useful when you have had a virus infect most of your files, or when a protector used is not compatible with your system.

Test the resulting file carefully before you even think about deleting the original (infile)! No guarantees!!

When the resulting executable does not work correctly (or not at all), you can try to have ERP find other layers via '-p', or you can try to increase the stack via '-a'. You can use an increment value here, and you can repeat the option as often as you like, as in '-a -a -a -a', max. command line length permitting.

Technical stuff...

ERP searches for the StartUp-Code of known packing-programs, like WWPACK, or compilers, like Turbo Pascal. If it finds such code, it will try to rebuild the header, and remove the protector or virus.

This method only works with protectors that don't encrypt the EXE-file. Such protectors only set the CS:IP-value to their own code and jump to the start of the EXE-code at the end of their code (simply put). Most EXE-viruses also use this method.

Because it does not run any of the code from the infile, it is safe to use (in a clean environment) on infected files. As an extra precaution it is always wise to use anti-virus protection before trying to execute the resulting outfile, and to boot from a clean write-protected floppy when attempting to remove viruses.
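
The CS:IP redirection described under "Technical stuff", as an added Python example that is not part of ERP or of the original documentation: it reads the MZ header of a constructed sample file, works out where CS:IP lands in the file, and reports known startup code found below that point. STARTUP_SIG, the sample file and all function names are assumptions made for the illustration.

```python
import struct

# Constructed stand-in for one "known startup code" pattern; the page does not
# list the byte sequences ERP matches, so this value is illustrative only.
STARTUP_SIG = bytes.fromhex("ba34128eda")

def parse_mz(data):
    """Return the MZ header fields needed to locate the entry point."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (cblp, cp, _crlc, cparhdr, _mina, _maxa, _ss, _sp,
     _csum, ip, cs, _lfarlc, _ovno) = struct.unpack_from("<13H", data, 2)
    load_end = cp * 512 - ((512 - cblp) if cblp else 0)  # header + image
    return {"hdr": cparhdr * 16, "cs": cs, "ip": ip, "load_end": load_end}

def entry_offset(h):
    """File offset that CS:IP points to (real-mode addresses wrap at 1 MiB)."""
    return h["hdr"] + (((h["cs"] << 4) + h["ip"]) & 0xFFFFF)

def find_wrapped_entry(data, sig=STARTUP_SIG):
    """Report known startup code lying below the header's entry point."""
    h = parse_mz(data)
    cur = entry_offset(h)
    pos = data.find(sig, h["hdr"], min(cur, h["load_end"]))
    if pos < 0:
        return None
    rel = pos - h["hdr"]
    # Assumption: normalised segment:offset. Several CS:IP pairs reach the
    # same byte, and the address alone does not say which one the code expects.
    return {"current_entry": cur, "startup_at": pos,
            "cs": rel >> 4, "ip": rel & 0xF}

def build_sample():
    """Constructed 112-byte EXE: 32-byte header, program, appended stub."""
    image = bytes(16) + STARTUP_SIG.ljust(48, b"\x90") + b"\xcc" * 16
    # cblp, cp, crlc, cparhdr, min, max, ss, sp, csum, ip, cs, lfarlc, ovno
    words = [112, 1, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 4, 0x1C, 0]
    return (b"MZ" + struct.pack("<13H", *words)).ljust(32, b"\0") + image

if __name__ == "__main__":
    print(find_wrapped_entry(build_sample()))
```

The check only reads bytes from the file and never executes them, which is the property the paragraph above relies on.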

Protectors we have tested, that can be removed with ERP (aka RichUnHS):

* HackStop, all versions up to v1.18
* CrackStop v1.0 and v1.0b, when used without the -e command
* Immun v1.2
* ExeGuard v1.3
* Ciphator v4.0 (only 1 file tested)
* And some unidentified protectors

Only 2 viruses tested, and removed, so far:

* Major.1644 Virus
* Eastern_Digital.A

If you have successfully removed any other protector or virus from an executable with ERP, please let me know.

Lastly I'd like to mention some of my friends. Thanks and greetings go out to:

  Hann0 Boeck.... For pushing me into doing this. You can write all my docs ;)
  Stonehead...... For being my personal advisor on exe-protection.
  Ralf........... For all the files I could handle.
  Ben C.......... For getting me interested.
  Fridrik S...... For putting this in perspective.
  Stefan Esser... For the registered CrackStop.
  Jauming........ Sorry you are so busy now.
  Rose........... Don't worry, ERP is easy to fool ;(

Richie
(doc co-written by Hann0 Boeck)