--------------------Using EliCZ's Dumper for DOS executables--------------------

Before using EliCZ's Dumper for DOS executables, save all documents and close all
devices and applications which you don't need!
--------------------------------------------------------------------------------
PTU     = Program To Unpack
BPX     = BreakPoint on eXecute
BPMW?   = BreakPoint on Memory Write
BPMA?   = BreakPoint on Memory Access
?=B,W,D = Byte, Word, Doubleword

0)  Start machine
1)  Select Microsoft Windows from OS Loader menu
1a) Play your favourite MP3
1b) Start your favourite Windows game
2)  Start FAR (Eugene Roshal)
2a) Edit AUTOEXEC.BAT and add ;C:\EliCZ\EDump to PATH
2b) Define File Association:
      DOS executables
      Mask          *.EXE,*.COM
      View command  C:\HIEW\HIEW.EXE !.!   (SEN, Hacker's View)
      Edit command  EDump-MZ.EXE !.!
2c) If you want, update EDump-MZ.exe and EDtup.exe to work with EDump-MZ.exf
3)  Start PTU
    if Crashed then EndWork
      if YouDon'tHave AMD then LetItBe else Start F1-fix.exe
4)  Start PTU
    if Crashed then EndWork, LetItBe
5)  EDtup.exe
5a) Change Signum of EDump to your birthdate
5b) SET EMPTY to every field
6)  PTU is on a writable medium, and the folder doesn't contain both PTU.COM and PTU.EXE
7)  EDump-MZ PTU (cursor on PTU and press F4)
    if Crashed then EndWork, Eat 1000, GoTo 7 or LetItBe

EndWork:
    Press Control+Alt+Del
    Select Winoldap and press End Task
    Wait for Dialog (~20 seconds)
    End Task
    Run EDump-MZ (not from FAR) without parameters to recover the system

WhenCrash:
    * memory contains some patterns from previous protected programs
      --> terminate FAR, run FAR
    * file can't run under Windows 95
      --> LetItBe
    * EDump was detected via INT 3
      --> change Signum of EDump
    * EDump-MZ.exe was detected via memory (RAM, VRAM) content
      --> rename it, try to change some bytes in EDump-MZ.exe or ask me for the source
    * unknown cause
      --> LetItBe and let me know about it
--------------------------------------------------------------------------------
EDumping protected .COM or .EXE_beginning_at_PSP+00010H:00H

0)  EDtup.exe
0a) Estimate Dump size, Keep last 005H dumps (fewer or more, as you want)
0b) SET BPX ON PSP+00010H:00H BASE PSP+00010H:00H
    SET EMPTY to every other field
    (sometimes it is useful to SET BPMBW ON PSP+00010H:00H BASE PSP+00010H:00H)
0c) Apply
1)  EDump-MZ PTU
    Wait.. (play the game)
    if Crashed then EndWork, GoTo WhenCrash
2)  EDview (green screen)
    SELECT the Dump you like with LeftArrow or RightArrow
    Look at Dump content: PageUp,PageDown,Home,End,UpArrow,DownArrow
    Change Text/Hex View via F7, Change Full/Text View via F6
3)  Selecting dump
3a) Selecting .COM
    PSP=CS=DS=ES=SS, IP=0100, SP>FFF5
    Press F3 (SaveCOM) to produce edumped.com
3b) Selecting .EXE
    PSP=DS=ES, CS=0000..0010, IP=0??0, (SP=???0)
    Press F4 (SaveEXE) to produce edumped.exe
    or Press F5 (SaveBIG), when you get the "Images not compatible!" message
    or edumped.exe is too small, to produce edumped.exe
4)  HIEW edumped.com or edumped.exe (Cursor on edumped.??? and press F3)
    and reduce the file size

--------
Example: UpStop95 (Szaszi,UpStop.exe,19192) EDumpin' (California Dreamin')

I)   EDtup: size 00FFB0H, keep last 00AH
     SET BPX   ON PSP+00010H:00H BASE PSP+00010H:00H
     SET BPMBW ON PSP+00010H:00H BASE PSP+00010H:00H
     SET BPMBA ON PSP+00008H:00H BASE PSP+00010H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
     (default settings)
II)  EDump-MZ UpStop.exe
III) EDview: Dump contains texts, but IP,SP and other registers aren't pretty
     (it was UpStop command line analysing) (This is Jack talking)
     LeftArrow (PrevDump)
     Dump contains texts, IP=0000,SP=???0, other registers=0000
     -> this must be the right dump
     press F4 (SaveEXE)
     EDumped.exe has size 20233 bytes
     HIEW Edumped.exe, Hex view, F8 (View header), F4 (Image),
     Control+F5 (Base), Control+F5 once again (This) or enter *0,
     Estimate image end: 0D 0A 1A XX XX has offset 00003905 - dump size
IV)  Reducing file size
  a) HIEW: cursor on XX, press F3 (Edit), press F10 (Trunc), press Y
     press F8 (View header), press F3 (Edit), press F2 (Pages), press F9 (Update),
     ren EDumped.exe UpStopU.exe, Enjoy
     (unpacked UpStop may not crypt properly!)
     better is:
  b) EDtup: size 003905H, keep last 001H
     SET BPX   ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00010H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
     EDump-MZ UpStop.exe, SaveEXE, ren EDumped.exe UpStopU.exe, Enjoy

*)   Determining the last byte of an original image (Advanced EDumping):
     EDtup: size 0?????H, keep last 0??H
     SET BPX   ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00010H:00H
     SET BPMBW ON PSP+003A0H:04H BASE PSP+00010H:00H
     (bpmbw on the last byte which probably belongs to the original image, 390H+10H:4)
     EDump-MZ UpStop.exe
     EDview: Locate the BPX Dump which you've selected (above) and watch all PREVIOUS dumps:
       if dump doesn't belong to BPX then
         if CS doesn't belong to command.com (or dos kernel)
            (usually when PSP_from_BPX == PSP_from_BPMW)
         then "remember" this dump
         else size is probably smaller than estimated
     EDtup: size 0?????H, keep last 0??H
     SET BPX   ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00010H:00H
     SET BPMBW ON PSP+003A0H:05H BASE PSP+00010H:00H
     (bpmbw on the first byte which probably doesn't belong to the original image)
     EDump-MZ UpStop.exe
     EDview: Locate the BPX Dump which you've selected (above) and watch all PREVIOUS dumps:
       if there exists a dump which doesn't belong to BPX or to command.com (or dos kernel)
       then the byte at image offset 3905H probably belongs to the original image
       else the original image size COULD be 3905H
--------------------------------------------------------------------------------
EDumping protected .EXE_beginning_at_PSP+0????H:0?H

0)  EDtup.exe
0a) Estimate Dump size, Keep last 020H dumps (or less)
0b) SET BPX   ON PSP+00010H:00H BASE PSP+00010H:00H
    SET BPMBW ON PSP+00010H:00H BASE PSP+00010H:00H
    SET BPMBA ON PSP+00008H:00H BASE PSP+00010H:00H
    SET ????? ON PSP+0????H:0?H BASE PSP+00010H:00H
    -select some memory place which the PTU reads from or writes to
     (that's why BPMBA on CmdLine)
    -you may also try: SET BPX ON I21+00000H:00H BASE PSP+00010H:00H
                    or SET BPX ON I10+00000H:00H BASE PSP+00010H:00H
0c) Apply
1)  EDump-MZ PTU
    Wait.. (be patient, play the game)
    if Crashed then EndWork, GoTo WhenCrash
2)  EDview (green screen)
    SELECT the Dump you like with LeftArrow or RightArrow
    Look at Dump content: PageUp,PageDown,Home,End,UpArrow,DownArrow
    Change Text/Hex View via F7, Change Full/Text View via F6
3)  Selecting .EXE (SP=???0)
    Press F2 (SaveNOW) to produce edumped?.now (you may do it on more dumps)
    Put down the registers and Press F5 (SaveBIG) to produce edumped.exe
4)  Analyzing dump
4a) Analyzing edumped?.now
    HIEW edumped?.now
    try to find the EntryPoint of the original program (experience)
    ....case a) try to find RETF, JMP FAR, JMP ????:???? instructions
    ....case b) put down the offset of the instruction ..SSSSS
4aa) CCCC=SSSSS DIV 010H + 010H, I=SSSSS MOD 010H   (12345H -> 01244H : 05H)
     EDtup.exe
     SET BPX ON PSP+0CCCCH:0IH BASE PSP+00010H:00H
     SET EMPTY to every other field
4ab) EDump-MZ PTU
     Wait..
     if Crashed then EndWork, GoTo WhenCrash
4ac) EDview (green screen)
     in case a) SaveEXE or SaveBIG and reduce the file size of edumped.exe in HIEW
     in case b) GoTo 2
4b) Analyzing edumped.exe (from point 3)
    Turbo Debugger (Borland,TD.exe): TD edumped.exe (set up the registers that you've put down)
    in case the dump was selected for BPMBA on CmdLine, you should see the
    accessing instruction above the current instruction
    try to trace it until you reach something like the EntryPoint
    TD:
      cs:ip   lodsb           ; it was the accessing instruction (SI=80H)
      ip+1    or al,al        ; you are here
              ....
              retf            ; trace
      EntryPoint:
              CALL AAAA:BBBB
              CALL CCCC:DDDD  ; it was the call to the procedure which analyzed
                              ; the command line
      FromRet:
              .....           ; you are here
    SSSSS = (EntryPointCS-PSP) * 010H + EntryPointIP
    GoTo 4aa)

--------
Example: HackStop 1.18b80 (ROSE,hs386.exe,21238) EDumpin'

I)   EDtup: (default settings)
II)  EDump-MZ hs386.exe
III) EDview: Dump contains texts, but SP and other registers aren't pretty
     LeftArrow (PrevDump)
     Dump contains texts, registers same as above
     with LeftArrow (PrevDump) select the dump with the highest # where no texts are present
     (IP=019C) (image was in reconstruction)
     Press F5 (SaveBIG)
     EDumped.exe has size about 655?? bytes
IV)  Analysing in Turbo Debugger: TD edumped.exe
     IP points to push bx, look above - stosw
     (the first Word of the original? image was reconstructed by this instruction)
     Follow execution (use Control+F on jumps) and you'll find:
       21F jmp cs:far [bp+0F89]   - hm.. BP is needed,
     press Control+N on this instruction, go to the registers window on the eax register,
     enter (cs-es)*10+IP, SSSSS=eax=0758F (-> 758:F), leave TD
     EDtup:
     SET BPX   ON PSP+00758H:0FH BASE PSP+00010H:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00010H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
     EDump-MZ hs386.exe
     EDview: put down BP (F1E8), SaveBIG
     TD edumped.exe, update the BP register, trace until you reach retf
     1x trace, you are now on the instruction: (sp=0400)
       mov ax,WXYZ
       mov ds,ax
       ...
     it looks like the original program's beginning
     SSSSS=03007, segment ordering is code,data,stack
     so estimate the original image size via the stack (ES holds the PSP) ..
     dump size = (ss-es-10H)*10H = 007200H
     EDtup: set dump size
     SET BPX   ON PSP+00300H:07H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00010H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00010H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
     EDump-MZ hs386.exe, SaveEXE, ren EDumped.exe hs386U.exe, Enjoy
*)   Determine_last_byte analysis gives size = 007270H
     (autopatching loop in future stack)
--------------------------------------------------------------------------------
EDumping protected .COM or .EXE_beginning_at_PSP+0????H:0?H with PSPShift

you're trying to unpack c:\files\filexx.exe

-1) If you have the protector with which the file was protected:
    COPY Start.exe c:\files\start0.exe   ; filename and path must have the same length
    COPY Start.exe c:\files\start1.exe
    protector start1.exe
    run c:\files\start0.exe (with specified path), put down CS .. oCS
    run c:\files\start1.exe (with specified path), put down CS .. nCS
    PPPP=nCS-oCS+010H                     ; it depends on path and filename length
    Try normal EDumping .EXE (above)
    if it was not successful:
0)  EDtup.exe
0a) Estimate Dump size, Keep last 020H dumps (or less)
0b) SET BPX   ON PSP+0PPPPH:00H BASE PSP+0PPPPH:00H
    SET BPMBW ON PSP+0PPPPH:00H BASE PSP+0PPPPH:00H
    SET BPMBA ON PSP+00008H:00H BASE PSP+0PPPPH:00H
    SET ????? ON PSP+0????H:0?H BASE PSP+0PPPPH:00H
    -select some memory place which the PTU reads from or writes to
     (that's why I use BPMBA on CmdLine)
    -you may also try: SET BPX ON I21+00000:00H BASE PSP+0PPPPH:00H
                    or SET BPX ON I10+00000:00H BASE PSP+0PPPPH:00H
    -you may also try BASE PSP+00010H and then use SaveBIG
0c) Apply
1)  EDump-MZ c:\files\filexx.exe (with specified path)
    Wait.. (be patient, play the game)
    if Crashed then EndWork, GoTo WhenCrash
    GoTo 2)

--------
Example: Start.exe protected with CryEXE 4.0 (Iosco)

   - COPY Start.exe C:\TEMP
   - CryEXE Start.exe
   - ren Crypted.exe Stars.exe          ;the same file name length
I)   C:\TEMP\START.EXE                  ;path presence is crucial
     put down tCS
II)  C:\TEMP\STARS.EXE                  ;path presence is crucial
     put down sCS, IP
III) PPPP=(sCS-tCS+10H), KLMNO=(sCS-tCS+10H)*10H + IP
     ;for CryEXE the PSPShift is about 18??H
IV)  EDtup:
     SET BPX   ON PSP+0KLMNH:0OH BASE PSP+0PPPPH:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00000H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00000H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
V)   EDump-MZ C:\TEMP\STARS.EXE         ;path presence is crucial
VI)  EDview: Press F4 (SaveEXE) to produce EDumped.exe

--------
Example: Start.exe protected with FSE V0.6+ (ZeNiX)

BTW: Here the PSPShift is artificial (I think it's not compatible with some memory
operations; apply FSE to an LZEXEd file)
   - USE EDump-MZ.exf module
   - FSE Start.exe Stars.exe             ;file name lengths must be equal
I)   START.EXE                          ;path not needed
     put down tCS
II)  STARS.EXE                          ;path not needed
     put down sCS, IP
III) PPPP=(sCS-tCS+10H), KLMNO=(sCS-tCS+10H)*10H + IP
     ;for FSE V0.6+ the PSPShift is always 00075H
IV)  EDtup:
     SET BPX   ON PSP+0KLMNH:0OH BASE PSP+0PPPPH:00H
     SET EMPTY ON PSP+00010H:00H BASE PSP+00000H:00H
     SET EMPTY ON PSP+00008H:00H BASE PSP+00000H:00H
     SET EMPTY ON ABS+00000H:00H BASE ABS+00000H:00H
V)   EDump-MZ STARS.EXE                 ;path not needed
VI)  EDview: Press F4 (SaveEXE) to produce EDumped.exe
--------------------------------------------------------------------------------
The result of your job should be the BPX address (plus BPM if needed) and the file size
--------------------------------------------------------------------------------
Known Anomalies

Last dump is sometimes missing when edumping crackstopped files, so repeat the
dumping procedure until you succeed. (Probably a bug in EDump)

AMD K6+: list of files that you shouldn't try to edump (because of EliCZ's Effect):
  crackstop.exe, fse.exe (versions below 0.6+), unpackme.exe (from UpStop95), erp.exe,
ds-crped .COMs will show SP=0000 (because of pop ax) instead of SP=FFFE, ...
-END of Trainspotting.txt-------------------------------------------------------

Addendum: You can EDump executables which cannot run in Win9x by running Emu4W9x
from 9xEDK. Then you can unpack, for example, Gardian Angel, Mask, ...
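Step IV a) of the UpStop95 example trims EDumped.exe at the 0D 0A 1A marker in HIEW and then fixes the Pages field of the MZ header. The script below does the same thing offline, as an added example that is not part of EDump or of Trainspotting.txt: offsets are taken from the image base exactly as HIEW's Base view shows them, and the sample file it builds is constructed, not a real dump.

```python
"""Trim a dumped MZ .EXE at the end of its load image and fix the header's
page fields, the offline equivalent of HIEW's F10 (Trunc) followed by
F2 (Pages) / F9 (Update) in the UpStop95 example.
Added example, not part of EDump; the sample file is constructed."""
import struct

# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc
MZ_HEADER = struct.Struct("<2sHHHHHH")
PAGE = 0x200  # the MZ header counts the file in 512-byte pages


def header_size(data: bytes) -> int:
    """Header length in bytes (e_cparhdr paragraphs * 16); the image base is this offset."""
    magic, _, _, _, cparhdr, _, _ = MZ_HEADER.unpack_from(data)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    return cparhdr * 0x10


def page_fields(data: bytes) -> tuple:
    """(e_cblp, e_cp): bytes used in the last page, number of 512-byte pages."""
    _, cblp, cp, _, _, _, _ = MZ_HEADER.unpack_from(data)
    return cblp, cp


def find_image_end(data: bytes, marker: bytes = b"\r\n\x1a") -> int:
    """Offset (from the image base) of the 0D 0A 1A pattern the UpStop example
    takes as the image end, or -1 when the pattern is absent."""
    hdr = header_size(data)
    pos = data.find(marker, hdr)
    return -1 if pos < 0 else pos - hdr


def truncate_mz(data: bytes, image_end: int) -> bytes:
    """Cut the file so the load image is exactly image_end bytes long and
    recompute e_cp / e_cblp so the header agrees with the shortened file."""
    hdr = header_size(data)
    if not 0 < image_end <= len(data) - hdr:
        raise ValueError("image_end lies outside the file")
    new_len = hdr + image_end
    out = bytearray(data[:new_len])
    struct.pack_into("<H", out, 2, new_len % PAGE)                # e_cblp (0 = last page full)
    struct.pack_into("<H", out, 4, (new_len + PAGE - 1) // PAGE)  # e_cp
    return bytes(out)


def make_sample(image: bytes, leftover: bytes) -> bytes:
    """Constructed stand-in for EDumped.exe: 32-byte header (2 paragraphs),
    the original image, then leftover bytes beyond it (marker included)."""
    total = 0x20 + len(image) + len(leftover)
    hdr = MZ_HEADER.pack(b"MZ", total % PAGE, (total + PAGE - 1) // PAGE, 0, 2, 0, 0xFFFF)
    return hdr.ljust(0x20, b"\0") + image + leftover
```

With a real dump, pass the offset HIEW reports at the marker (00003905 for UpStop) as image_end; that number is also the size to enter in EDtup for the second, cleaner dump.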
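The segment arithmetic that recurs above (step 4aa), the (cs-es)*10+IP and (ss-es-10H)*10H formulas of the HackStop example, and PPPP/KLMNO of the PSPShift section) is collected here as an added example, not EDump's own code. The CS, ES and SS values used in the checks are constructed, and the parser for the PSP+sssssH:ooH notation is my addition.

```python
"""The address arithmetic the EDumping steps rely on, collected as functions.
Added example, not EDump's own code.  Conventions as in the text: PSP is the
Program Segment Prefix segment, the load image starts at PSP+10H:0, and an
EDtup field reads SET <kind> ON PSP+sssssH:ooH BASE PSP+sssssH:00H."""
import re


def split_linear(n: int) -> tuple:
    """Linear PSP-relative offset -> (segment, offset), e.g. 0758FH -> (758H, 0FH)."""
    return divmod(n, 0x10)


def now_offset_to_bpx(sssss: int) -> tuple:
    """Step 4aa): a file offset in edumped?.now -> (CCCC, I) with
    CCCC = SSSSS DIV 10H + 10H and I = SSSSS MOD 10H  (12345H -> 1244H:05H)."""
    return sssss // 0x10 + 0x10, sssss % 0x10


def td_address_to_bpx(cs: int, es: int, ip: int) -> tuple:
    """HackStop example: SSSSS = (cs-es)*10H + IP with ES = PSP, split for EDtup."""
    return split_linear((cs - es) * 0x10 + ip)


def stack_based_image_size(ss: int, es: int) -> int:
    """HackStop example, segment order code,data,stack: size = (ss-es-10H)*10H."""
    return (ss - es - 0x10) * 0x10


def psp_shift(s_cs: int, t_cs: int, ip: int) -> tuple:
    """PSPShift section: PPPP = sCS-tCS+10H and KLMNO = PPPP*10H + IP, where tCS
    comes from the unprotected run and sCS/IP from the protected one."""
    pppp = s_cs - t_cs + 0x10
    return pppp, pppp * 0x10 + ip


def edtup_line(kind: str, seg: int, off: int, base_seg: int) -> str:
    """Render one EDtup field in the text's notation."""
    return f"SET {kind} ON PSP+{seg:05X}H:{off:02X}H BASE PSP+{base_seg:05X}H:00H"


def parse_psp_address(text: str) -> tuple:
    """Parse 'PSP+00758H:0FH' back to (segment, offset); rejects other spellings."""
    m = re.fullmatch(r"PSP\+([0-9A-F]{5})H:([0-9A-F]{2})H", text.strip().upper())
    if m is None:
        raise ValueError(f"not a PSP+sssssH:ooH address: {text!r}")
    return int(m.group(1), 16), int(m.group(2), 16)
```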