------------------------------Questions and Answers-----------------------------

Q: Why under Windows 95?
A: Because there are hard restrictions ("hard" is a relative word) on DOS apps
   under Windows 95 (similar to those on PEs under Windows NT).

Q: Why didn't you code EDump "legally"? - I mean as a VxD.
A: Because I don't have the DDK :( . (I wonder that ExDs are "so stable" too.)

Q: Can you tell me the history of EDump?
A: dd.mm.yy  EliCZ's Dumper for DOS executables
   10.09.98  v1.0 betatest - sent to EXE mailing list (with AMDBug.zip)
                           - little bug in TF setting
   21.09.98  v1.0 ultra    - sent to EXE mailing list
                           - added DRX Monitor; EDump is now informed about
                             all debugging-register transactions in the
                             system!!! (can unpack AdFlt2)
                           - because EBP is not cleared before passing control
                             to the program-to-unpack, constructions like the
                             following can cause a crash:
                                      SUB BP,BP
                             Looping: INC BP
                                      INT 03
                                      JNE Looping
   23.09.98  v1.0 final    - sent to www.SuddenDischarge.com
                           - added SUB EBP,EBP

Q: What's the principle of DRX Monitor?
A: A never-before-seen use of the GD (GlobalDisable) bit in DR7. EDump is
   notified about EVERY (ring0, of course) manipulation of the debugging
   registers - illegal & direct (AdFlt2) or legal & indirect (AdFlt2A via
   kernel). This way EDump can respect strange breakpoints.

Q: I've sent you an email to elicz@email.cz, but you didn't answer.
   What does it mean?
A: I'll answer. I'm on the Internet only once every week or two :(.
   Send questions about EDump to elicz@email.cz; my other email accounts will
   be ignored.

Q: I can't unpack protector.exe. Where's the problem?
A: Something nonstandard may be used in protector.exe's code. But try to unpack
   protected.exe (protect start.exe and unpack it). EDump has no built-in
   intelligence, no emulation, no tracing, no alarms and no surprises. It does
   what you specify. What more do you want from those 5 kilobytes?

Q: How can I detect EDump?
A: GetVersion    EQU 000000
   SignumOfEDump =   "DUMP"         ;default value

         MOV  AL , GetVersion
         MOV  EBP, SignumOfEDump
         STC                        ;CF=1 survives a plain IRET
         INT  3                     ;INT3 vector points to IRET
         JNC  EDumpDetected         ;and BX contains version number

-END of Q&A.txt-----------------------------------------------------------------
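
The DRX Monitor answer above rests on documented x86 behaviour: with bit 13 (GD) of DR7 set, any MOV to or from a debug register raises INT 1 before it executes, with bit 13 (BD) of DR6 set and GD cleared for the handler. The C model below is an added example, not EDump's code; struct cpu, mov_to_dr and the monitor's write-through-and-re-arm policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DR7_GD (1u << 13)   /* DR7: general detect enable */
#define DR6_BD (1u << 13)   /* DR6: debug-register access detected */
#define DR6_BS (1u << 14)   /* DR6: single step (TF) */

enum db_cause { DB_UNKNOWN, DB_BREAKPOINT, DB_DR_ACCESS, DB_SINGLE_STEP };

/* Decide from DR6 why INT 1 (#DB) was raised. */
enum db_cause classify_db(uint32_t dr6) {
    if (dr6 & DR6_BD) return DB_DR_ACCESS;
    if (dr6 & 0xFu)   return DB_BREAKPOINT;     /* B0..B3 */
    if (dr6 & DR6_BS) return DB_SINGLE_STEP;
    return DB_UNKNOWN;
}

struct cpu { uint32_t dr[8]; unsigned seen; };  /* software model only */

/* Hypothetical monitor policy: count the access, carry out the write on the
   program's behalf, clear BD, and re-arm GD even if the program cleared it. */
static void monitor_on_dr_write(struct cpu *c, int n, uint32_t value) {
    c->seen++;
    c->dr[n] = value;
    c->dr[6] &= ~DR6_BD;
    c->dr[7] |= DR7_GD;
}

/* Model of a ring-0 "MOV DRn, value". With GD set the CPU faults before the
   write, sets DR6.BD and clears GD so the handler may use the registers. */
void mov_to_dr(struct cpu *c, int n, uint32_t value) {
    if (c->dr[7] & DR7_GD) {
        c->dr[6] |= DR6_BD;
        c->dr[7] &= ~DR7_GD;
        if (classify_db(c->dr[6]) == DB_DR_ACCESS)
            monitor_on_dr_write(c, n, value);
    } else {
        c->dr[n] = value;                       /* unmonitored write */
    }
}

int main(void) {
    struct cpu c = { {0}, 0 };
    c.dr[7] = DR7_GD;                           /* monitor arms GD */
    mov_to_dr(&c, 0, 0x1000u);                  /* constructed address */
    mov_to_dr(&c, 7, 0x00000001u);              /* program enables L0, drops GD */
    printf("seen=%u dr0=%#x dr7=%#x\n", c.seen, (unsigned)c.dr[0], (unsigned)c.dr[7]);
    return 0;
}
```

Because the CPU clears GD on entry to the handler, a monitor that does not set it again sees only the first access.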