EDump II is dedicated to (and for) my fans in EXElist and to people who understand the beauty of bottom level.

EliCZ's Dumper II for DOS executables is able to:
- hang Your computer (MS Windows) because of incompatible protector, CPU bugs,..
- convert .COM to .EXE, sometimes .EXE to .COM
- minimize DOS .EXE size, header, etc..
- unpack any packed DOS executable
- remove any runtime encryption
- remove protections from DOS executables, which can run in 3.1/9x/NT
- remove protections from DOS executables, which can't run in 3.1/9x/NT (GA)
- remove protections from DOS executables, which can't run in DOS (PCRYPT)

Nobody uses DOS protectors. When You don't want to waste Your time with tracing and disk space with specific unpackers use EliCZ's Dumper for DOS executables - the only TRULY and FULLY generic "unpacker". Complex polymorphic, mutation engines and similar stuff have absolutely NO effect.

EDump is able to unpack most DOS executables from all unpackers, even if it requires Windows. But now, when I provide files for MS Windows 3.1, EDump can be used everywhere.

Requirements
------------
Intel 486+ | AMD K6+
MS Windows | Windows NT 4 | Windows 2K ?
EMM586, HIEW, CALC, some CUI file manager (FAR,NCW,..)

Overall
-------
Read EDumping.txt from EDumpAll.zip. The technology hasn't changed. I changed colours to B/W (it's elegant) and the meaning of key F6 - it's now "User" screen.

All files from archive must be in one directory which mayn't be in PATH.

Now it's possible to run program to unpack (PTU) from EDu16/EDu32 (Setup for EDump for Win16 and Win32). "Line" can contain full file specification and parameters. Path and the name of DOS executable must be "short" (no spaces, 8.3 filenames). Path mustn't contain both PTU.COM and PTU.EXE.

All numbers (EDu16/32) must be decimal, negative values allowed. "Dump size" can be 0..Internal error!, "Keep last hits" can be 1..32. For converting HEX numbers to DEC use CALC or SoftICE, then Copy and Paste to Setup (in case of CALC).
*After crashing, apply EDump on some normal file to recover OS.*

Don't forget that You can change "Dump size" and breakpoints - use Your brain! Unpack protected files, not protectors themselves!

MS Windows
----------
MS Windows (all versions) is nothing more than DOS extender - unpacking is fast. Everybody telling that DOS is dead and using MS Windows should turn off the computer.

Unpacking from full screen CUI gives the best results. Fix ICEBP problem (MASK, ALEC, PCRYPT) on AMD by running F1-fix.exe (9x) from EDumpAll.zip; under 3.1 it is fixed by EDump itself.

Use Monitor in EDu16/32 ONLY if You want to remove DPMI protections (the technique developed by me a year ago; AdFlt2A will be forever the most original protector: it introduced PM,DPMI,VCPI,..). Monitor means emulating DRx for whole OS (enjoy 'cpu' in WinICE while Wait..).

When You want to unpack Windows incompatible files, run EMM586 and use Monitor. On PII+ EMM586 is not needed. Then You are able to run/unpack for example Guardian Angel, etc..

WinICE shouldn't be present, every protector can detect it thru 'lost INT41' and crash OS. Moreover SoftICE's (all versions) handler can't handle inner GD.

Because I got no message telling me that EDump caused Page fault I still didn't add the address validation.

MS Windows 3.1 installation:
In file system.ini add to [386Enh] section string:
device=C:\Path\2\386\EDump.386 ;example: device=C:\TEMP\EDump\EDump.386
Use EDu16.exe.

Windows NT
----------
Windows NT is normal OS (see definition on my webpage) with kewl multitasking. Every DOS box is distress for scheduler and Win32 applications.

You can run program to unpack from EDu32. Windows incompatible programs run from CUI full screen. Hanging OS or rebooting is impossible. After crashing or killing DOS box apply EDump on other normal file to recover OS. AMD ICEBP problem is fixed by EDump itself.

Monitor means emulating DRx for whole ntoskrnl (it is quite courageous, isn't it?) (enjoy 'cpu' in NTice while Wait..).
Monitor must be used with EMM586 and vice versa. Once EMM586 is started, DOS executables can do what they want - for example hang, reboot machine - it's not caused by EDump.

Standard EDump can run/unpack everything that runs under NT and 95% of applications that run under 9x. So even if program crashes under NT try to run it under EDump.

If You want to use Monitor then rename EDum_.sys to EDump.sys. Monitor without EMM586 may lead to BSOD. You can then run/unpack for example: GA,SnpStop,..

My handlers are better than handlers of NTice. NTice doesn't respect the sacred (a priori) places on ring-0 stack, it may lead to BSOD, especially when tracing DOS executables in NTice. So NTice can be present when using standard EDump.sys, when using EDum_.sys NTice shouldn't be present - start it later. NTice interventions like pressing hot key and changing register (CX) value are allowed.

Monitor on NT with PII+ wasn't tested. EDump will probably not work on SMP systems.

If You are able to run EDump on 2K, mail me about it, please. It'll be a nice surprise for me, because 2K and Linux are the future of PCs.

Finally, I have no illusions that EDump will work on Your computer, but it works fine on mine.

EDump (incl. Monitor) works perfectly on:
Intel486SX/25MHz/MS Windows 3.1
AMD K6/233MHz/MS Windows 3.1, MS Windows 95, Windows NT 4
Pentium II/350MHz/MS Windows 98

Tell_me
-------
For DOS protector authors and users I wrote Tell_me.com. Protect it with the protector and run it (!!! with and without EMM586 !!!), or run it after running of other protected file. If it says that the protector is dangerous, don't use it, don't EDump it and reboot, otherwise you'll be surprised.
EliCZ, chemical student, http://elicz.cjb.net, EFnet: #kurva, Jun-21-1999
================================================================================
INIT: Jun-13-1999

UPDATES:

Jun-16-1999
- added file for MS Windows 3.1 (EDump.386)
- Tell_me.com can be used for testing under any system
Changed files: EDump.386, EDump.exe, EDtup.exe, EDtup.txt, Tell_me.com

Jun-20-1999
Changed files: EDtup.exe -> EDu16.exe + EDu32.exe, EDtup.txt
original EDump.sys -> EDum_.sys
written new 'light' EDump.sys
Monitor on PII will be solved on Tuesday.

Jun-21-1999
Changed files: .386, .vxd, _.sys to work in Monitor mode on PII+
See Bugs on my page for description of PII+ GD feature

FINIT: for now and thanks to gonza