ــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــــ
غ غ
غ <*> EXE-dumper version 2.2 <*> غ
غ غ
غ by ـؤـ ـ ـؤـ ـؤـ ـؤـ ـؤـ ـ ـؤـ ـؤـ غ
غ غ غ غؤـ كؤـ غؤ كؤـ كؤـ ـ غ غ غ غ غ
غ غ غ غ غ ـ غ غ ـ غ ـ غ غ غ غ غ غ غ
غ ككك ككك ككك ككك ككك ككك ك ككك ك ك 1997 غ
غ غ
غؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤغ
غ Handle Real name Age Profession Group activity غ
غؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤغ
غ Bugsy Benjamin Petersen 23 Programmer Coder, organizer(?) غ
غ Spawn Michael Skovslund 22 Programmer Coder, gfx غ
غ UniSon Henrik Eiriksson 23 Study IFA Music, art غ
غؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤغ
غ PLEASE CHECKOUT OUR INTERNET HOMEPAGE AT : WWW.CYBERNET.DK/USERS/BUGSY غ
غ غ
كككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككككك
INDEX
History
Introduction
Disclaimer
Keyboard layout
Program documentation
Soft-Ice user notice (New information, please take a look)
GameTools user notice (New information, please take a look)
EatMem utility (New information, please take a look)
How to unpack an exefile
How to get in touch with us
Greetings (New information, please take a look)
History
Version Release Note
1.0 Never released to the public, only for our beta-testers
1.1 First public release
1.2 Now with Soft-Ice debugger support. Activate with INT FCh
2.0 Autodump from TD, S-ICE and GAMETOOLS. Detects a lot of things.
Uses UMB. Added Total Memory Dump feature, Show User Screen. Now it
swaps dos-stack so DUMPEXE can be activated at any time (reentrance)
2.1 Fixed a bug in dos version check. (Damn)
2.2 Added support for overlay as requested by Jos‚ Navarro Mart،nez
Fixed minor bugs in DUMPEXE. Added mail registration form
Added a utility called EATMEM that allocates 4 KB from within DOS.
Removed the WORD version of this doc file (Did anybody use it ?).
Introduction
This program is able to unpack ANY exe-packed file. Many other programs,
such as cup, up, tron, unp and vgacbust give you the same ability. But those
programs can only expand/unpack files packed with known exepackers. By
using the OBSESSiON DUMPEXE toolpack, you can unpack any of those exe-files
that the above utilitys gave up on. Of course this can't be done by inserting
a quarter (kr.) into the crypt-o-mate. We have to do a little more than this.
This is where you, the OBSESSiON DUMPEXE toolpack, and your debugger gets
into the picture.
All you have to do is this :
Load the exeprogram into your favourite debugger (eg. TD, S-ice, GameTools)
Debug the program until first original (unpacked) instruction
Dump the code/data, using the DUMPEXE program, via the FILE 1 option
Terminate the loaded program
Allocate a 4 Kb memory block via the DUMPEXE program (or use EATMEM.EXE)
Reload the program, and ensure that the entry point is different
Debug the program until first original (unpacked) instruction
Dump the code/data, using the DUMPEXE program, via the FILE 2 option
Terminate the loaded program
Deallocate the 4 Kb memory block via the DUMPEXE program (or use EATMEM.EXE)
Run MAKEEXE with the needed parameters.
Example : MAKEEXE.EXE ORIGINAL.EXE NEWFILE.EXE
And 'puf', your done.
To technically understand how this can be done, please refer to selection :
"How to unpack an exefile".
If this sounds easy, exit your doc reader now, if not, keep on reading. 8-)
Disclaimer
This software has been tested and found to work properly. OBSESSiON have no
responsbility whatsoever for any damages caused by use, or misuse of this
software.
IF YOU DISAGREE WITH ANY OF THOSE TERMS, PLEASE REMOVE THIS SOFTWARE NOW.
If after a 24 hour test period, you still wish to continue using this
software, you NEED to send us a postcard with your name and address or
register at our homepage at HTTP://WWW.CYBERNET.DK/USERS/BUGSY. The reason is
that it's the ONLY way I can explain to my wife why I have invested MORE than
200 hours developing this software. This is the only way I can see that
someone really is using this software. If I don't receive anything by mail,
I won't update the program any more.
This means :
IF NOT (ReceivedAnyPostCardOrEMail) THEN
HALT (Programmer)
ELSE
ReleaseNextVersion
Keyboard layout
Left shift + right shift : Activate the resident part of DUMPEXE
TAB : Jump to next menu block
Shift TAB : Jump to previous menu block
Arrow up/down : Next/previous menu selection/block
Arrow left/right : Next/previous digit or menu block
ESC : Terminate DUMPEXE or return to previous state
Enter : Confirm selection/input
Program documentation
Install DUMPEXE into memory by starting the file DUMPEXE.EXE. The program
will now go resident (TSR) in memory. This means that it can be envoked at
any time and within any program (such as a debugger). If UMB is available,
the 'DOS stack' and 'Screen swap data' will be placed here. To activate
DUMPEXE, please press <LEFT SHIFT> and <RIGHT SHIFT> at the same time (also
called the hotkey). A menu like the one shown below, should appear. To return
to interrupted program, press <ESC>.
NOTICE : In previous versions you couldn't start DUMPEXE by pressing the
hotkey within the dos command line (InDOS). This has now been
fixed by using the technique called 'DOS stack switching'.
FIG 1. The main picture of DUMPEXE
عؤؤؤؤؤؤ DumpExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON ؤؤ[1]ؤ؟
³ Dos, ٍ80386, V86 mode, Turbo Debugger [2] ³
³ؤؤؤؤؤؤؤؤؤ First file ؤؤؤؤ[3]ؤآؤؤؤؤؤؤؤؤؤ Second file ؤؤؤ[4]ؤ³
³ CS : 0000 ³ CS : 0000 ³
³ IP : 0000 ³ IP : 0000 ³
³ SS : 0000 ³ SS : 0000 ³
³ SP : 0000 ³ SP : 0000 ³
³ PSP : 0000 ³ PSP : 0000 ³
³ Size : 00000 (0) ³ Size : 00000 (0) ³
³ Name : #NoName#.1 ³ Name : #NoName#.2 ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ[5]ؤإؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ[6]ؤ³
³ Dump exe-code ³ Dump exe-code ³
³ Autodetect name ³ Autodetect name ³
³ Autodetect size ³ Autodetect size ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ[7]ؤإؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ[8]ؤ³
³ Raster Bar ³ User screen ³
³ Memory snapshot ³ Allocate 4Kb ³
³ Reset menu ³ Auto config file 2 ³
³ Uninstall ³ Fill from debugger ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤءؤ Free 99 kb, Slack 0 kb [9]ؤ³
³ [10] ³
ہؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ Hotkey : (U)ser screen ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤظ
Overview
[1] Copyright text.
[2] Information on the operating system and found debuggers.
[3] Data for first memory dump, set by the user.
[4] -"- for second memory dump.
[5] Menu concerning first memory dump.
[6] -"- for second memory dump.
[7] General purpose menu, concerning global use of DUMPEXE.
[8] Utility menu with functions, helps you get the job done faster.
[9] Information about the current memory status.
[10] Shows status messages from DUMPEXE and serves as an input prompt.
Explenation
[1] Copyright text.
Tells who made this brilliant program.
[2] Information on the operating system and found debuggers.
Shows if current session is a DOS, WINDOWS or OS/2 session.
Also shows which debuggers have been found active at the present
moment.
Can show a mixture of the following text strings :
[8086, 80286, ٍ80386],
[Real mode, V86 mode],
[Dos, Win Std, Win Enh, OS/2],
[No debugger, Turbo Debugger, Soft-Ice, GameTools]
Example : Dos, ٍ80386, Real mode, Soft-Ice, GameTools
As you can see, it is possible to have more than one debugger loaded
at the same time. This can be usefull when combining Turbo Debugger
and GameTools.
[3] Data for first memory dump, set by the user.
This subwindow is used to enter information about the program you
want to unpack. You have to fill out ALL fields to get a working
copy of the unpacked program.
CS : Current code segment
IP : Current instruction pointer
SS : Current stack segment
SP : Current stack pointer
PSP : Current program prefix segment, usually the same as ES
Size : Size of program in bytes
Name : Name of dump file
To change a value, move the selector to the decided item and press
<ENTER>. Enter the new value and press <ENTER> again.
REMARK : All numbers are shown and entered in heximal values.
The filename can not be entered manuelly.
[4] -"- for second memory dump. ([3])
[5] Menu concerning first memory dump.
It is used for dumping the code/data block entered in [3] or [4].
Menu items available are :
Dump exe-code : Select this one to dump selected code/data block.
Autodetect name : Let DUMPEXE autodetect the name of the program
its processing, and use it as the dump filename.
Autodetect size : Let DUMPEXE autodetect the size of the code/data
block. There are two ways to autodetect this
size. It can be done by Stack or by PSP. The
most common way is 'By Stack', because this
usually gives a smaller, and more acurrent image
of the original unpacked exefile.
[6] -"- for second memory dump. ([5])
[7] General purpose menu, concerning the global use of DUMPEXE.
Menu items available are :
Raster Bar : Switch between Raster Bar and Textmode Bar.
It's a good idea to choose Textmode Bar if you
are running under other systems than DOS such as
Windows or OS/2.
Memory snapshot : Takes a snapshot of the first megabyte of memory,
and puts it in a file in the current directory,
called SNAPSHOT.MEM. Use it for whatever you may
like.
Reset menu : Sets all items to their initial value. Use it if
something, somehow goes bananas.
Uninstall : Removes the DUMPEXE software from the memory.
Use it if you want to remove the DUMPEXE from
memory.
[8] Utility menu with functions that helps you get the job done faster.
Menu items available are :
User screen : Shows the screen as it was before DUMPEXE was
started. Use this function instead of pressing
<ESC> and then the hotkey. This function can
also be called by pressing <U> while in view
mode.
(De)Allocate 4Kb : Used to allocate/deallocate a block of 0100h
paragraphs (4 Kb). This should be done after
the first dump and termination, and before you
reload the program. Please take a look at the
tutorial later in this document.
NOTICE : This function can ONLY be used within
Turbo Debugger and GameTools. So if
you are using Soft-Ice, please use
the utility called EATMEM.EXE insted.
Auto-Config : Adds 0101h to all segment registers in [2] and
store them in [3]. It is useful after
preparing for second dump. This works only on
9 out 10 packed files. Please notice that CS
in [3] matches the one shown by the debugger.
If not, enter all values manually. You only
have to use this function if
"Fill from debugger" fails.
Fill from debugger : Read the register shown by the debugger and
automatically place the values into first or
second dumpfile. This is a VERVY useful
function, since it gives you the ability to
unpack the exefile FAST.
[9] Information about the current memory status.
Free : Amount of free basememory, in Kb.
Slack : Number of memory fragments in Kb, after allocating 4 Kb.
[10] Status messages from DUMPEXE and input prompt.
This line serves as an error message and input scratch.
Here are some of the error messages that can appear :
No size given.
You have to enter how much memory the program needs to dump.
No memory allocated.
You are trying to auto-config file 2, and you haven't used
"allocate 4KB". You must manually enter the data required to dump
Can't auto-config file 2, sorry.
You have to manuelly, enter the data required to dump a program.
Or you could use the function : "Fill from debugger"
The PSP-segment is not valid.
You are using a function that requires a valid PSP segment,
entered in [3] or [4].
The PSP-segment for file 1 is not valid.
See the above.
Can't find name.
DUMPEXE is not able to find the name of the program you want
to dump. The program is using a standard name instead.
Can't uninstall, vector hooked by another program.
You have loaded another program after DUMPEXE. Unfortunately the
two programs have both hooked onto the same interrupt. Unload the
other program first and try again.
Can't allocate necessary memory.
Boot your machine with fewer drivers, and try again. If this
does'nt help, you are f.....
Out of stack.
Your memory is fragmented to much. The DUMPEXE has a 4 Kb stack and
in this case it doesn't seem to be enough. Contact us and ask for
a version with a larger stack, or modify the exeheader yourself. :)
Can't release memory.
This error is most likely caused by the program you are about to
dump, or the stack of this program has been destroyed. Dump the
code and boot your PC. (the dumpfile should be okay, I hope...)
Can't make file.
Oops, a disk error. Check your harddisk with "chkdsk /f" or
"scandisk"
Can't write file, disk full ?.
Free some disk space, and try again.
Can't deallocate memory.
The MCB (memory control block) has been destroyed. Dump the code
and boot your PC. (again, the dumpfile should be okay, I hope...)
Soft-Ice user notice
If you are using Soft-Ice, the hotkey is disabled. This is because Soft-Ice
runs in protected mode and uses its own interrupt vector table. To activate
DUMPEXE, enter the following sequence at the Soft-Ice command line prompt :
BPX CS:IP : So we can return after Int 0FCh has terminated
GENINT FC : Start the exe-dumper
GENINT FC : Start the exe-dumper again (if you need it)
BC 0 : Clear the breakpoint set by BPX. The number (in this case
0) is the name of the breakpoint label.
Don't start DUMPEXE unless you are are at the very first instruction of
the unpacked exefile because your current location might be in the keyboard
handler or equal.
NOTICE : You cannot use the DUMPEXE menu called 'Allocate 4Kb' within
soft-ice. This function can ONLY be used within Turbo Debugger
and GameTools. Please use the utility called EATMEM.EXE insted.
(Look at selection 'EatMem utility' later)
GameTools user notice
If you are using GameTools, be SURE to load DUMPEXE BEFORE you load
GameTools. If you don't, you can't activate DUMPEXE within GameTools.
EatMem utility
EatMem is a program that from within dos allows you to allocates
a 4 KB memory block.
When you start EATMEM.EXE the first time it starts DUMPEXE (if resident) and
allocates a 4 KB memory block. The next time you start EATMEM.EXE it frees
the 4 KB memory block.
Use this utility if you can't allocate a 4 KB memory block within DUMPEXE.
So insted of using the menu (in DUMPEXE) 'Allocate 4 KB', just return to dos,
and run EATMEM.EXE. When you are finished with the second dump, just run
EATMEM.EXE again, or release the 4 KB memory block via DUMPEXE.
How to unpack an exefile
The file named TESTEXE.EXE is a packed exe-file. It is used to illustrate
how to use this tool, and nothing more. The file is packed with pklite
version 2.01 using normal compression.
I will use Turbo Debugger for this example, because if you know how to use
the ultimate debugger Soft-Ice, you probably don't need this introduction
anyway.
If you don't know anything about using a debugger, I advise you to consult
your debuggers manual.
Try to execute the tutorial program TESTEXE.EXE and take look at the text
it displays. The program will tell you if it's packed or not.
REMEMBER : Start DUMPEXE.EXE before proceeding with the next step.
Start debugging TESTEXE.EXE by writing : TD.EXE TESTEXE.EXE
The picture shown, by TD (Turbo Debugger), should look something like
this :
ةح[]حCPU 80486ححححححححححححححححححححححححححححححححححرححححححح1ح[�][�]ح»
؛ cs:0100�50 push ax � ax 0000 ³c=0؛
؛ cs:0101 B82D06 mov ax,062D bx 0000 ³z=0؛
؛ cs:0104 BA8201 mov dx,0182 ± cx 0000 ³s=0؛
؛ cs:0107 050B63 add ax,630B ± dx 0000 ³o=0؛
؛ cs:010A 3B060200 cmp ax,[0002] ± si 0000 ³p=0؛
؛ cs:010E 722A jb 013A ± di 0000 ³a=0؛
؛ cs:0110 B409 mov ah,09 ± bp 0000 ³i=1؛
؛ cs:0112 BA1C01 mov dx,011C ± sp 0200 ³d=0؛
؛ cs:0115 CD21 int 21 ± ds 62FB ³ ؛
؛ cs:0117 B8014C mov ax,4C01 ± es 62FB ³ ؛
؛ cs:011A CD21 int 21 ± ss 64B3 ³ ؛
؛ cs:011C 4E dec si ± cs 62FB ³ ؛
؛ cs:011D 6F outsw ± ip 0100 ³ ؛
؛ cs:011E 7420 je 0140 ± ³ ؛
؛ cs:0120 656E outsb gs: � ³ ؛
ا�±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±�إؤؤؤؤؤؤؤؤؤؤؤؤءؤؤؤ¶
؛ ds:0000 CD 20 67 69 00 9A C0 00 ح gi ڑہ ³ ss:0208 0A76 ؛
؛ ds:0008 00 00 E4 01 D3 29 AE 01 ن�س)®� ³ ss:0206 8BCB ؛
؛ ds:0010 D3 29 80 02 2E 24 9C 15 س)€�.$œ� ³ ss:0204 8BF8 ؛
؛ ds:0018 01 01 01 00 02 FF FF FF ��� �ےےے ³ ss:0202 8B0E ؛
؛ ds:0020 FF FF FF FF FF FF FF FF ےےےےےےےے ³ ss:0200�74A6 ؛
بححححححححححححححححححححححححححححححححححححححححححححححححدحححححححححححححححؤظ
NOTICE : Due to the nature of the PC-memory, the segment registers
(CS, DS, ES, SS) might show different values than the one
shown.
Start executing the code until cs:0153, by pressing <F4> at location cs:0153,
shown below. (Press <PAGEDOWN> 2 or 3 times)
ةح[]حCPU 80486ححححححححححححححححححححححححححححححححححرححححححح1ح[�][�]ح»
؛ cs:0146 50 push ax � ax 68FF ³c=0؛
؛ cs:0147 B9C500 mov cx,00C5 bx 0000 ³z=1؛
؛ cs:014A 33FF xor di,di ± cx 0000 ³s=0؛
؛ cs:014C 57 push di ± dx 0182 ³o=0؛
؛ cs:014D BE5401 mov si,0154 ± si 02DE ³p=1؛
؛ cs:0150 FC cld ± di 018A ³a=0؛
؛ cs:0151 F3A5 rep movsw ± bp 0000 ³i=1؛
؛ cs:0153�CB retf ± sp 01FA ³d=0؛
؛ cs:0154 FD std ± ds 62FB ³ ؛
؛ cs:0155 8CDB mov bx,ds ± es 68FF ³ ؛
؛ cs:0157 53 push bx ± ss 6918 ³ ؛
؛ cs:0158 83C32E add bx,002E ± cs 62FB ³ ؛
؛ cs:015B 90 nop ± ip 0153 ³ ؛
؛ cs:015C 03DA add bx,dx ± ³ ؛
؛ cs:015E 8CCD mov bp,cs � ³ ؛
ا�±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±�إؤؤؤؤؤؤؤؤؤؤؤؤءؤؤؤ¶
؛ ds:0000 CD 20 67 69 00 9A C0 00 ح gi ڑہ ³ ss:0202 0005 ؛
؛ ds:0008 00 00 E4 01 D3 29 AE 01 ن�س)®� ³ ss:0200 73A0 ؛
؛ ds:0010 D3 29 80 02 2E 24 9C 15 س)€�.$œ� ³ ss:01FE 0000 ؛
؛ ds:0018 01 01 01 00 02 FF FF FF ��� �ےےے ³ ss:01FC 68FF ؛
؛ ds:0020 FF FF FF FF FF FF FF FF ےےےےےےےے ³ ss:01FA�0000 ؛
بححححححححححححححححححححححححححححححححححححححححححححححححدحححححححححححححححؤظ
The unpacker has copied itself to a location, which is just after the
(not yet) unpacked code location. Singlestep one instruction (<F7>), and
you'll hopefully see this :
ةح[]حCPU 80486ححححححححححححححححححححححححححححححححححرححححححح1ح[�][�]ح»
؛ cs:0000�FD std � ax 68FF ³c=0؛
؛ cs:0001 8CDB mov bx,ds bx 0000 ³z=1؛
؛ cs:0003 53 push bx ± cx 0000 ³s=0؛
؛ cs:0004 83C32E add bx,002E ± dx 0182 ³o=0؛
؛ cs:0007 90 nop ± si 02DE ³p=1؛
؛ cs:0008 03DA add bx,dx ± di 018A ³a=0؛
؛ cs:000A 8CCD mov bp,cs ± bp 0000 ³i=1؛
؛ cs:000C 8BC2 mov ax,dx ± sp 01FE ³d=0؛
؛ cs:000E 80E40F and ah,0F ± ds 62FB ³ ؛
؛ cs:0011 B104 mov cl,04 ± es 68FF ³ ؛
؛ cs:0013 8BF2 mov si,dx ± ss 6918 ³ ؛
؛ cs:0015 D3E6 shl si,cl ± cs 68FF ³ ؛
؛ cs:0017 8BCE mov cx,si ± ip 0000 ³ ؛
؛ cs:0019 D1E9 shr cx,1 ± ³ ؛
؛ cs:001B 4E dec si � ³ ؛
ا�±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±�إؤؤؤؤؤؤؤؤؤؤؤؤءؤؤؤ¶
؛ ds:0000 CD 20 67 69 00 9A C0 00 ح gi ڑہ ³ ss:0206 0000 ؛
؛ ds:0008 00 00 E4 01 D3 29 AE 01 ن�س)®� ³ ss:0204 0000 ؛
؛ ds:0010 D3 29 80 02 2E 24 9C 15 س)€�.$œ� ³ ss:0202 0005 ؛
؛ ds:0018 01 01 01 00 02 FF FF FF ��� �ےےے ³ ss:0200 73A0 ؛
؛ ds:0020 FF FF FF FF FF FF FF FF ےےےےےےےے ³ ss:01FE�0000 ؛
بححححححححححححححححححححححححححححححححححححححححححححححححدحححححححححححححححؤظ
Press <F4> at location cs:0161 (the retf instruction), found by pressing
<PageDown> 13 - 14 times; and then <F7>. That's it. You have now unpacked
the TESTEXE program. If you have done it right, TD shows something like this :
ةح[]حCPU 80486ححححححححححححححححححححححححححححححححححرححححححح1ح[�][�]ح»
؛ cs:010F�9A00001464 call 6414:0000 � ax 0000 ³c=0؛
؛ cs:0114 9A0D00B263 call 63B2:000D bx 0000 ³z=1؛
؛ cs:0119 9A60073A63 call 633A:0760 ± cx 0000 ³s=0؛
؛ cs:011E 55 push bp ± dx 0000 ³o=0؛
؛ cs:011F 89E5 mov bp,sp ± si 0000 ³p=1؛
؛ cs:0121 B80001 mov ax,0100 ± di 0000 ³a=0؛
؛ cs:0124 9ACD021464 call 6414:02CD ± bp 0000 ³i=1؛
؛ cs:0129 81EC0001 sub sp,0100 ± sp 4000 ³d=0؛
؛ cs:012D 9ACC01B263 call 63B2:01CC ± ds 62FB ³ ؛
؛ cs:0132 BFB400 mov di,00B4 ± es 62FB ³ ؛
؛ cs:0135 1E push ds ± ss 6548 ³ ؛
؛ cs:0136 57 push di ± cs 630B ³ ؛
؛ cs:0137 8DBE00FF lea di,[bp-0100] ± ip 010F ³ ؛
؛ cs:013B 16 push ss ± ³ ؛
؛ cs:013C 57 push di � ³ ؛
ا�±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±�إؤؤؤؤؤؤؤؤؤؤؤؤءؤؤؤ¶
؛ ds:0000 CD 20 67 69 00 9A C0 00 ح gi ڑہ ³ ss:4008 0000 ؛
؛ ds:0008 00 00 E4 01 D3 29 AE 01 ن�س)®� ³ ss:4006 0000 ؛
؛ ds:0010 D3 29 80 02 2E 24 9C 15 س)€�.$œ� ³ ss:4004 0000 ؛
؛ ds:0018 01 01 01 00 02 FF FF FF ��� �ےےے ³ ss:4002 0005 ؛
؛ ds:0020 FF FF FF FF FF FF FF FF ےےےےےےےے ³ ss:4000�74A0 ؛
بححححححححححححححححححححححححححححححححححححححححححححححححدحححححححححححححححؤظ
As you can see there are three far calls. These are direct calls. This means
that it will make a call to a certain location in memory. If we dump the
memory used by TESTEXEE, we'll have an image of the program. But this is not
enough to make a new exefile. This is because an exefile is not just an image
of the memory, like a COM file is. We need a second dump from a different
memory location. This is because of the direct calls. By comparing the two
dumps, we can find the relocations (direct calls) needed to build a new
exefile. Information like min/max memory usage is taken from the original
exefiles header, but let's get on with the tutorial.
There are serval ways to enter the values of SP, DS, ES, SS, CS and IP into
DUMPEXE. Since we are using one of the supported debuggers, we can use
the "Fill from debugger" function. This function takes register values, shown
by the debugger, and automatically puts them into DUMPEXE. Start DUMPEXE
by pressing the hotkey, and then <ENTER> at the "Fill from debugger"
function. Answer <1> to whatever the values should be places in first or
second dump file. Another way is to remember the values of SP, DS, ES, SS,
CS and IP before pressing the hotkey, and enter the values at their
corresponding locations in [2]. If you decide to do so, you will probably
notice that there is no field for ES. This is because the initial value of
ES, points to the PSP, so write the value of ES in the PSP field instead.
It's now time to tell DUMPEXE the size of the memory block we want to dump.
Use TAB until you get to [4]. Press <ENTER> at "Autodetect size". There are
two ways of getting the size of the program. One is by using the stack, the
other is by using PSP. 99 % of all cases, you should use "by stack". Press
<S>, and the size will be put into size field. If DUMPEXE somehow fails to
calculate the right value, you have the option of entering a size that you
decide. Press <ENTER> at "Autodetect name", and the name of the executeable
file will be put into the name field. The last thing we have to do is to
dump the program to a file. This is done by pressing <ENTER> at
"Dump exe-code". DUMPEXE will probably do it so fast that you won't notice
the "process message" that appears.
Below is a picture of DUMPEXE after the first dump. Again, remember that
values varie from dump to dump.
عؤؤؤؤؤؤ DumpExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON ؤؤؤؤؤؤ؟
³ Dos, ٍ80386, V86 mode, Turbo Debugger ³
³ؤؤؤؤؤؤؤؤؤ First file ؤؤؤؤؤؤؤؤآؤؤؤؤؤؤؤؤؤ Second file ؤؤؤؤؤؤؤ³
³ CS : 630B ³ CS : 0000 ³
³ IP : 010F ³ IP : 0000 ³
³ SS : 6548 ³ SS : 0000 ³
³ SP : 4000 ³ SP : 0000 ³
³ PSP : 62FB ³ PSP : 0000 ³
³ Size : 023D0 (9168) ³ Size : 00000 (0) ³
³ Name : TESTEXE.1 ³ Name : #NoName#.2 ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤإؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ³
³ Dump exe-code ³ Dump exe-code ³
³ Autodetect name ³ Autodetect name ³
³ Autodetect size ³ Autodetect size ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤإؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ³
³ Raster Bar ³ User screen ³
³ Memory snapshot ³ Allocate 4Kb ³
³ Reset menu ³ Auto config file 2 ³
³ Uninstall ³ Fill from debugger ³
³ؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤءؤ Free 218 kb, Slack 0 kb ؤؤؤ³
³ ³
ہؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ Hotkey : (U)ser screenؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤظ
Press <ESC> (in DUMPEXE) and then <F9> in TD. The program has now terminated,
and it's time to allocate a 4KB memory block.
Start DUMPEXE again, and press enter at "Allocate 4Kb". The menu item will
change to "Deallocate 4Kb". Press <ESC>, and reload the program by pressing
<CTRL F2>. Start debugging like you did the first time. When you have reached
the first instruction of the original code, enter all the information, like CS,
SS.... in [3]. Autodetect size and name. Dump the code, and we are almost
done. Again terminate your program, by pressing <F9> in TD. Start DUMPEXE
again, and press <ENTER> at 'Deallocate 4Kb'. Exit your debugger.
Run the MAKEEXE program with parameters : TESTEXE.EXE UNPACKED.EXE
or like this : MAKEEXE.EXE TEXTEXE.EXE UNPACKED.EXE
The MAKEEXE program compares the two memory dump and builds a new exefile
out of the information found there and in the original exefiles header.
After MAKEEXE has built the new exefile, the screen should look like this :
عؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤ؟
³ ؤإؤؤ MakeExe v2.2 CARDWARE 1997 by BUGSY/OBSESSiON ؤإؤؤ ³
³ ³
³ ³
³Unpacking TESTEXE.EXE into UNPACKED.EXE ³
³ ³
³ Read dump info ³
³ Read exe info ³
³ Create new file ³
³ Create tempfile ³
³ Write relocations ³
³ Write zero data ³
³ Write code ³
³ Write new header ³
³ Number of relocations 00BEh ³
³ ³
³All done! ³
³ ³
ہؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤؤظ
Try to execute UNPACKED.EXE (it is now unpacked) and see how it reacts.
I think this would be enough for you to continue on your own.
How to get in touch with us
If you have any questions about the use of these programs, feel free to
contact us.
You can get in touch with us by :
Writing a letter to : Benjamin Petersen
Joergen Jensensvej 16B
DK-4700 Naestved
Denmark
After 1997-04-15 (Y-M-D) :
Benjamin Petersen
Skovburren 271
4700 Naestved
Denmark
E-Mail us at : bugsy@cybernet.dk
World Wide Web (WWW) : http://www.cybernet.dk/users/bugsy/default.htm
Call us at : +45 53 725-610 or +45 40 204-347
Greetings
Our greetings goes to (no order) :
Darkman/VLAD, Ping (pingelingelater), HiTech, Bionic, Jazz/PM,
--=DaRk sTAlKeR 97=--, JauMing Tseng, Kevin Tseng, Philippe Ahles,
Hades Wu, Jean-Stephane PERRI, Michael Pedersen, tHEpHARAo^mSH
Daniel Fazekas, Jung-ho Ryu, Mariusz Kowalczyk aka -KoVi-,
Jos‚ Navarro Mart،nez, TBD/FeR, LiBaTiOn, MaNaGeR
Have fun, and remember there are still some people who DON'T take money
for making ?good? programs.
[BUGSY/OBSESSiON]