I) EDumping G5.exe (file size = 8470)
-------------------------------------
01) Run EDu16.exe or EDu32.exe (Win 3.1 or 9x/NT/2K)
02) Set Dump Size for example = 16304 (assume the file can be packed)
03) Set BPX on PSP+256 base PSP+256
    Set BPA on PSP+128 base PSP+256  ;victim's command line
    all other BP? fields can be NUL
04) Save
05) Line, Select DOS executable G5.exe
06) Go
07) G5.exe has terminated and the EDview screen appears
08) The last dump has BASE=PSP+100 (we set it: base PSP+256; 256=100h)
    CS:IP = BASE:0000, SS:SP = BASE+29D:0080, DS and ES = PSP (BASE-100)
    and you see readable parts there (e.g. texts which are on the User screen)
    ..so these conditions are a good sign that this dump was made at the moment
    the 1st instruction of the original .EXE was about to execute, because
    .EXEs at startup usually have: DS=ES=PSP and SP=???0
09) Select this (last) dump and press F4 SaveEXE
10) G5.exe has terminated and EDumped.exe appears
11) Run EDumped.exe - it works! View it - it was written in BC++, it has the
    typical structure of an .EXE built with this tool
12) Now we can reduce the file size: Load EDumped.exe into SEN's Hiew
13) Go Hex mode, press F8 (View Header) and press F4 (Goto Image). On this
    position set base = 0 (press Ctrl+F5+F5)
14) View Header and look at SS:SP = 029D:0080. Press Esc and F5 (Goto) 29D0
    (it is where the stack begins). Because standard .EXE files have the
    segment ordering code, data, stack (stack last), we have two possibilities:
    a) reduce Dump Size to SS*10h = 29D0, or
    b) reduce Dump Size to SS*10h+SP = 2A50
    Let's select b)
15) Leave Hiew, go to EDu16/32, change Dump Size to 10832 (=2A50h)
    Repeat points 06) to 10) (you can SaveBIG), rename EDumped.exe to G5u.exe
    (it has size 10864 = 10832-byte image + 32-byte .EXE header)

II) EDumping G4.exe (file size = 7490)
-------------------------------------
01) Run EDu16.exe or EDu32.exe (Win 3.1 or 9x/NT/2K)
02) Set Dump Size for example = 16304 (assume the file can be packed)
03) Set BPX on PSP+256 base PSP+256
    Set BPA on PSP+128 base PSP+256  ;victim's command line
    all other BP? fields can be NUL
04) Save
05) Line, Select DOS executable G4.exe
06) Go
07) G4.exe has terminated and the EDview screen appears
08) hmm... you don't see readable parts (e.g. texts which are on the User
    screen) and you don't see the EXE-start registers DS=ES=PSP and SP=???0
    (if the original file was a COM there should be CS=SS=DS=ES=PSP and
    SP>FFF5) ... we must help ourselves with shooting (= BPW SomeWhere) to
    find restore_or_decompress_original_image followed by a jump to the
    original entry (oe). The jump to oe can be realized as:
    JMP ????:???? or RETF or IRET or RET or JMP ????
09) Select no dump and press Esc
10) In EDu16/32 you don't need our 2 BP? so set them to NUL and set BPW on
    PSP+6000 for example (6000 is < 7490, i.e. inside the loaded image, so the
    write breakpoint fires when the unpacker restores that area)
11) Save
12) Go
13) G4.exe has terminated and the EDview screen appears
14) hmm... now you see readable parts; select the 1st dump where the readable
    parts are: there is IP=03A2
15) SaveBIG (press F5)
16) G4.exe has terminated and EDumped.exe appears
17) Now we will find the original program's entry (jump to oe): Load
    EDumped.exe into SEN's Hiew
18) Go Hex mode, press F8 (View Header) and press F4 (Goto Image). On this
    position set base = 0 (press Ctrl+F5+F5)
19) Go Entry (Go Header, press F8) (press F5) and try to find the above
    instructions; here I can't help you... try to follow jumps down in the
    code... on 1CBB is LOOP followed by 1CBD JMP .. follow this JMP and now
    you are on 1CC0 JMP 0172:0010 .. this must be the jump to oe, so we will
    set BPX on PSP+ 01720+0010 +100 (PSP+100 is the standard base)
    = PSP+1830h = PSP+6192
20) Leave Hiew, go to EDu16/32 and set BPX on PSP+6192 base PSP+256; all
    other BP? you can set to NUL
21) Save
22) Go
23) Select the dump where our EXE conditions are met: DS=ES=PSP, SP=???0,
    IP=0010 and SaveEXE (press F4)
24) EDumped.exe works. You can reduce the size even if the stack is above the
    image: just take the size where the old good protector or COMMAND texts
    appear; they (of course) do not belong to the original image.
    Load EDumped.exe into Hiew and set 0 on the image as shown above, then at
    offset 1CB6 is code which belongs to SuckStop, so you can change Dump
    Size to 7350 (=1CB6h) and repeat the dumping procedure. G4u.exe has
    size 7382.
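Added worked example (Python; not part of the original tutorial and not EDu's or Hiew's code) that reproduces the arithmetic behind steps 13-15 of section I and steps 19-24 of section II: it wraps a constructed load image in a minimal MZ header, parses the header back the way Hiew's View Header shows it, derives the two Dump Size candidates SS*10h and SS*10h+SP, turns a far JMP seg:off seen in the dump into the PSP-relative BPX offset, and cuts the image to produce a file of the expected size. The image bytes, the register values and the 2-paragraph (32-byte) header with no relocations are assumptions chosen to match the tutorial's numbers; EDu's SaveEXE may write a different header.

```python
import struct

# Fields of the fixed MZ header, in file order (14 little-endian words).
MZ_FIELDS = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
PSP_SIZE = 0x100   # program segment prefix; the image normally loads at PSP+100h


def build_mz(image, cs, ip, ss, sp, cparhdr=2):
    """Wrap a raw load image in a minimal MZ header with no relocations.
    cparhdr=2 (32-byte header) is an assumption matching the tutorial's
    10864-10832 = 7382-7350 = 32; this is NOT EDu's SaveEXE implementation."""
    total = cparhdr * 16 + len(image)
    hdr = struct.pack("<14H",
                      0x5A4D,                # 'MZ'
                      total % 512,           # bytes used in the last 512-byte page
                      (total + 511) // 512,  # pages in file
                      0,                     # relocation entries
                      cparhdr,               # header size in paragraphs
                      0, 0xFFFF,             # min/max extra paragraphs
                      ss, sp,                # initial SS:SP (relative to load base)
                      0,                     # checksum (unused)
                      ip, cs,                # initial CS:IP (relative to load base)
                      0x1C,                  # relocation table offset
                      0)                     # overlay number
    return hdr.ljust(cparhdr * 16, b"\0") + bytes(image)


def parse_mz(data):
    """Read the header fields that Hiew's View Header displays."""
    if len(data) < 0x1C:
        raise ValueError("too short for an MZ header")
    h = dict(zip(MZ_FIELDS, struct.unpack("<14H", data[:0x1C])))
    if h["magic"] not in (0x5A4D, 0x4D5A):   # 'MZ' or 'ZM'
        raise ValueError("missing MZ signature")
    return h


def image_offset(h):
    """File offset of the load image (Hiew's 'Goto Image', where base is set to 0)."""
    return h["cparhdr"] * 16


def file_size_from_header(h):
    """Size the header claims for the .EXE (pages * 512, last page partial)."""
    size = h["cp"] * 512
    if h["cblp"]:
        size -= 512 - h["cblp"]
    return size


def dump_size_candidates(h):
    """Step 14: with segment order code, data, stack the image can be cut at
    a) SS*10h (where the stack begins) or b) SS*10h+SP (initial top of stack)."""
    stack_start = h["ss"] * 16
    return stack_start, stack_start + h["sp"]


def far_jump_to_bpx(seg, off, base=PSP_SIZE):
    """Step 19: a JMP seg:off found in the dump (segments relative to the load
    base) becomes an EDu BPX at PSP + seg*10h + off + 100h."""
    return seg * 16 + off + base


def trim_image(data, new_image_size):
    """Steps 15/24: rebuild the .EXE with the image cut to new_image_size bytes."""
    h = parse_mz(data)
    off = image_offset(h)
    return build_mz(data[off:off + new_image_size],
                    h["cs"], h["ip"], h["ss"], h["sp"], h["cparhdr"])


def demo():
    # Constructed stand-in for the first SaveEXE dump of G5.exe (Dump Size
    # 16304) with the tutorial's registers: CS:IP=0000:0000, SS:SP=029D:0080.
    image = bytearray(16304)
    image[0x2000:0x2010] = b"Hello from G5!\r\n"   # the "readable parts"
    exe = build_mz(image, cs=0, ip=0, ss=0x29D, sp=0x80)
    h = parse_mz(exe)
    cut_a, cut_b = dump_size_candidates(h)
    trimmed = trim_image(exe, cut_b)               # choice b) from step 14
    return {
        "image_offset": image_offset(h),
        "cut_a": cut_a,
        "cut_b": cut_b,
        "trimmed_file_size": len(trimmed),
        "header_size_consistent": file_size_from_header(parse_mz(trimmed)) == len(trimmed),
        "bpx_for_jmp_0172_0010": far_jump_to_bpx(0x172, 0x10),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Running it prints cut_a = 0x29d0, cut_b = 0x2a50, trimmed_file_size = 0x2a70 (10864, the G5u.exe size from step 15) and bpx_for_jmp_0172_0010 = 0x1830 (6192, the BPX from step 20). The same trim_image call with 0x1CB6 reproduces the 7382-byte G4u.exe of step 24. The cut at SS*10h+SP only holds when the stack really is the last segment; step 24 shows the other case, where you cut at the first bytes that belong to the protector instead.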