──────────────────────────────────────────────────────────────────────────────
 ██████╗  ██████╗   ██████╗   ██████╗ ██████╗  ██╗   ██╗ ███╗   ███╗ ██████╗
 ██╔══██╗ ██╔══██╗ ██╔═══██╗ ██╔════╝ ██╔══██╗ ██║   ██║ ████╗ ████║ ██╔══██╗
 ██████╔╝ ██████╔╝ ██║   ██║ ██║      ██║  ██║ ██║   ██║ ██╔████╔██║ ██████╔╝
 ██╔═══╝  ██╔══██╗ ██║   ██║ ██║      ██║  ██║ ██║   ██║ ██║╚██╔╝██║ ██╔═══╝
 ██║      ██║  ██║ ╚██████╔╝ ╚██████╗ ██████╔╝ ╚██████╔╝ ██║ ╚═╝ ██║ ██║
 ╚═╝      ╚═╝  ╚═╝  ╚═════╝   ╚═════╝ ╚═════╝   ╚═════╝  ╚═╝     ╚═╝ ╚═╝
──────────────────────────────────────────────────────────────────────────────
	   ProcDump version 1.2 (C) G-RoM, Riz la+ & Stone in 1998
──────────────────────────────────────────────────────────────────────────────
    If you expect to print this dox, I suggest you use TERMINAL font with a
                                  height of 9.





				   Summary

	Purpose
	Disclaimer
	Requirements
	ProcDump Configuration
	ProcDump Integrated Process monitor/dumper
	ProcDump integrated PE editor
	ProcDump PE/RAW external dump autofix
	ProcDump unpacker/decryptor
	Limitations
	Credits
	Greetings



Purpose :
─────────

  ProcDump is a brand new type of tool that allows you to dump and unpack
 some protected PE files without any need of a debugger.

 What ProcDump can do :

 ■ Dump any 32-bit running process/module by using the CodeShot engine.
 ■ The Phoenix engine can restore the import table & PE header.
 ■ The Phoenix engine can re-optimize a PE file or a dump made with CodeShot.
 ■ The Shiva engine can start & unpack a given PE file (at least it tries !!).
   With the help of the script language, you can unpack well-known packers
   in a few secs and teach ProcDump how to unpack the others.
 ■ Alter a given file's PE header, or physically kill some objects.

Disclaimer :
────────────

  We, the authors, are *NOT* responsible for any damage caused by the use of
 ProcDump. It was tested with success under Windows 95, 98, NT 4 & 5.0.

  ┌───────┐
┌─┤CAUTION├─────────────────────────────────────────────────────────────────┐
│ └───────┘                                                                 │
│ PROCDUMP32 is a tool for people who want to unpack/decrypt PE files.      │
│ PLEASE NOTICE THAT IT IS NOT REALLY INTENDED FOR REAL BEGINNERS. If you   │
│ are such a person, I recommend that you read the whole DOCUMENTATION      │
│ CAREFULLY, and use ONLY the DUMPER & UNPACKER with default OPTIONS.       │
└───────────────────────────────────────────────────────────────────────────┘

Requirements :
──────────────

 This program works fine under :

 ■ Windows 95
 ■ Windows 98
 ■ Windows NT 5.0
 ■ Windows NT 4.0, with restrictions.

 A good brain and some knowledge of the PE format and PE layers are required
 if you expect to exploit ProcDump to its full power.

ProcDump Configuration :
────────────────────────

 Rebuilder options :

 ■ Recompute object size (DEFAULT ON)

   This option tells ProcDump to use each section's Virtual Size as its
   physical size. This is necessary for a PACKED PE, because the unpacked
   size of a section is bigger than the packed one. You can unselect this
   option if you are planning to work against a cryptor.

 ■ Optimize PE structure (DEFAULT ON)

   This option optimizes the PE structure according to the object table in
   order to reduce the size of the written PE file. If you unselect this
   option, the PE file will take more space on disk.

 ■ Check Header Sections (DEFAULT OFF)

   This option checks whether the PE header contains a non-paged area. If it
   finds one, the problem is corrected.

 ■ Import rebuilder method :

   * No rebuild

     Doesn't try at all to locate the import section; leaves the related
     import information untouched.

   * Use import information (DEFAULT)

     Reads the actual import information and uses it to recreate a valid
     import table.

   * Rebuild import table

     Detects the import table using heuristic criteria and fixes up the
     import table if found.

   * Full Import rebuild

     Detects the import table, generates a new import section, and generates
     the import function names & ordinals. There is a BIG chance that the
     generated PE runs perfectly ;).
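
 As an added illustration of what the "Recompute object size" rebuilder
 option does to a section table (example code written for this page, not
 ProcDump's own), the block below parses the section headers of a constructed
 PE32 header and rewrites each section's physical size from its Virtual Size.
 Rounding the size up to FileAlignment and resetting PointerToRawData to the
 section RVA (a memory dump is laid out as the image was in memory) are this
 example's assumptions; the sample header values are made up.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000  # alignments of the constructed sample

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def build_sample_pe():
    """Constructed PE32 header (not a real binary): two sections whose raw
    sizes/offsets still describe the packed on-disk layout, not the image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x4000, 0x400)         # SizeOfImage, SizeOfHeaders
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    secs = [(b".text", 0x1800, 0x1000, 0x600, 0x400, 0x60000020),
            (b".data", 0x0750, 0x3000, 0x200, 0xA00, 0xC0000040)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def section_table(pe):
    """Parse the section headers. Returns (table offset, FileAlignment, rows)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    file_align = struct.unpack_from("<I", pe, e_lfanew + 60)[0]
    first = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    rows = []
    for i in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", pe, first + i * 40)
        rows.append({"name": name.rstrip(b"\0").decode(), "vsize": vs, "va": va,
                     "rawsize": rs, "rawptr": rp})
    return first, file_align, rows

def recompute_object_size(pe):
    """ProcDump-style 'Recompute object size' on a memory dump: each section's
    physical size becomes its VirtualSize (rounded up to FileAlignment) and its
    raw pointer becomes its RVA, since a dump is laid out as it was in memory.
    Both the rounding and the pointer reset are this example's assumptions."""
    pe = bytearray(pe)
    first, file_align, rows = section_table(pe)
    for i, s in enumerate(rows):
        struct.pack_into("<II", pe, first + i * 40 + 16,       # SizeOfRawData, PointerToRawData
                         align_up(s["vsize"], file_align), s["va"])
    return bytes(pe)
```

 Run section_table() on the fixed header and the .data section now reports
 0x800 bytes at offset 0x3000 instead of the packed 0x200 bytes at 0xA00.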

 Unpacker options :

 ■ Predump method :

   * Use external predump

     You will need to supply a PE/DUMP file with a valid import table. The
     import information will be stamped into the generated PE.

   * Predump (DEFAULT with delay 0)

     ProcDump will do the predump itself to obtain the valid import table.
     There are 2 methods :

      1) After user input (delay 0).
      2) After a given delay (delay > 0, in HEX).

 ■ EIP confirmation (DEFAULT OFF)

   When ProcDump reaches the original CODE, it can prompt you to confirm
   whether you think the entry point is good or not.

 ■ Layer confirmation (DEFAULT OFF)

   Once you have validated the EntryPoint, you can also say that there was
   more than one protection layer. Generally, you may leave this option
   unchecked.

 ■ Ignore Faults (DEFAULT OFF)

   When a breakpoint/fault occurs, ProcDump32 normally handles the exception
   (a breakpoint most of the time, because some protectors relocate their
   code). But sometimes this is a source of problems: some applications
   indeed raise faults on purpose to do some special work. With this option
   set, ProcDump32 will simply ignore exceptions that are not made by itself.
   Applications that raise faults on purpose will run normally this way ;).

 PE/Raw loader options :

 ■ Force raw mode (DEFAULT OFF)

   This forces ProcDump to treat the input file for the REBUILD tool as a
   dump file. Use this only if ProcDump crashes when you try to supply a PE
   file.

 ■ Merge code section (DEFAULT OFF)

   The REBUILT file will have the whole image in a single section. Can be
   useful to analyze some PE loaders.

ProcDump Integrated Process monitor/dumper :
────────────────────────────────────────────

 The monitor shows you, in two arrays, the tasks currently running on your
 system. When you select a task, the list of modules attached to it is shown
 in the 2nd array. The arrays have contextual menus.

 ■ Full Dumper

 The task or module is saved to disk under the name you choose. The dumped
 file is reorganized and fixed.

 1) Just select a task or a module in the arrays.
 2) Right-click.
 3) Select "Dump (Full)".
 4) Select the name of the dump.

 ■ Partial dumper

 The task or module is saved to disk in RAW format : NO fixups are applied.

 1) Just select a task or a module in the arrays.
 2) Right-click.
 3) Select "Dump (Partial)".
 4) Choose the range you wish to dump by editing the Start & Length fields.
 5) Select the name of the dump.

 Warning !! I do not recommend that you dump :

  ■ The ProcDump process itself  (imports trashed anyway).
  ■ The Kernel32.dll process     (Access Violation, System Kill).
  ■ Any other system process     (Access Violation).

 It may result in some obvious crash... You were warned.

 ■ Kill task

 Allows you to remove a task from your system.

 1) Just select the task you wish to kill.
 2) Hit OK if you are sure.

 WARNING !! Killing KERNEL32.DLL or another system component is equal to a
 system CRASH !!

 ■ Refresh list

 This option refreshes the task & module lists.

ProcDump integrated PE editor :
───────────────────────────────

 The PE editor allows you to edit an existing PE file and to modify :

 ■ Entrypoint.
 ■ Image size.
 ■ Image base.
 ■ PE directory RVA & Size.
 ■ PE section information.
 ■ Save a section to disk.
 ■ Load a section from disk.

 You need to supply the file to edit.

 ■ To change Entry point, Image Base, Image Size

 Just edit the appropriate field(s) and hit OK.

 Changes can be applied to the PE HEADER only, or can be used to rebuild a new
 PE file according to the PE info (ex : if you removed a section, it will be
 wiped in the new PE ;).

 ■ To edit Directory info

 1) Click on the Directory button.
 2) Edit the fields you need.
 3) Hit OK.

 ■ To alter section information

 1) Click on the Section button.
 2) Select a given section.
 3) Right-click.
 4) Select the appropriate action (EDIT or KILL).
 5) Hit OK.

 Warning !! There is no backup made. All modifications apply as soon as you
 hit OK on the PE header editor dialog box AND NOT on the sub dialog !!

ProcDump PE/RAW external dump autofix :
───────────────────────────────────────

 This allows you to fix an external dump or to optimize a given PE file.
 Changes are made according to the OPTIONS [rebuilder & loader].

 You just need to browse to your target ;).

ProcDump PE unpacker/decryptor :
────────────────────────────────

	 ┌─────────────────────────────────────────────────────────┐
	 │Preliminary step : Configure OPTIONS (see section above).│
	 └─────────────────────────────────────────────────────────┘

 This module allows you to TRY to unpack/decrypt a PE file.

┌─READ THIS FIRST───────────────────────────────────────────────────────────┐
│                                                                           │
│Preliminary thing you need to know : Due to weird reason (thanx to M$), the│
│rebuild of a valid PE file requires that the file is not launched under the│
│control of ProcDump32 itself : As a direct consequence, ProcDump32 can't   │
│guess whether your target is initialized and running :(. That's why we have│
│to predump using user confirmation or after a given delay. The goal of the │
│predump is to grab a usable Import section. So, if you wish to use an      │
│external predump, that means that you fixed the import table yourself, by  │
│using an existing import table, or in any other way BUT with a valid Import│
│Table.                                                                     │
│                                                                           │
│IE: You can say the external predump is the file you wish to unpack if you │
│are sure that the import section is the same (Generally OK for cryptors).  │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

 Method to unpack/decrypt (AutoPredump):

 1) Click the Unpack button.
 2) Choose the unpacker method : if you don't know the protector name, choose
    *unknown*.... but please notice that the processing WILL BE SLOW !!
 3) Select the target.
 4) Wait for ProcDump's request & look at the nifty output ;).
 5) Select a name for the unpacked PE file.
 6) The file is unpacked .... you should try it & pray ;)

 Please note that you can cancel tracing at any moment.

 I do not recommend that you :

  ■ Enable SoftICE/NTICE i3here. The unpacker would miss all breakpoints !!!!
  ■ Run SoftICE against the few nifty protectors that may detect it.

 I noticed that unpacking under NT is not that easy because of some system
 hooks on a few functions. I didn't check whether it was due to NTICE or
 whether NT itself hooks those APIs. However, if you run both systems and
 unpacking is not working under NT, try under 9x.

ProcDump actual limitations :
─────────────────────────────

 * What ProcDump can't do (yet ?):

 ■ Restore a working DATA section in dump mode.
 ■ Restore the REAL EIP in dump mode.
 ■ Restore packed relocs (several converters have to be coded).
 ■ Unpack a DLL (it's possible but... I need time ;)).
 ■ Dump a 16-bit process (DOS or Win16 applications => Size 0 in the array).
   -> for DOS apps, use SoftICE, cup386, TR or GTR.
   -> Win16 apps.... who cares about those ? ;)

To be done :
────────────

 ■ Hide debugger from host                          (in progress)
 ■ Stronger tracer.                                 (in progress)
 ■ Protectors/Packers detector for auto unpacking   (project)
 ■ Reloc Table scanner & rebuilder.                 (project)
 ■ Module unpacker.                                 (project)
 ■ Implement an API breakpoint system.              (project)

 These points are in development... Any help would be appreciated.

 Especially if you can code :

 ■ A reloc detector/rebuilder - I welcome even ideas ;).

Credits :
─────────

 Project Coordinator : G-RoM

 Ideas :

  Tracer engine (orig): Stone
  Tracer enhancement  : G-RoM
  Tracer Ring 0       : Stone
  Rebuilder           : G-RoM
  Low level fighter   : Stone :)
  Interface design    : Riz La+

 Coding :

  Shiva engine        : G-RoM
  Shiva engine ][     : Stone (We hope to achieve it one day ;).
  CodeShot engine     : G-RoM
  Phoenix engine      : G-RoM
  Interface lame code : G-RoM (Hopefully, Riz La+ is finishing the elite one).

 Various :

  Artworks            : ZeCreator & Riz La+
  This lame dox       : G-RoM

 How to Contact :

  G-RoM               : G-RoM@innocent.com
  Stone               : Stone@miramax.cbs.dk
  Riz La+             : GOD@WINDOWS.GUI.ASM32.ELITE.CODER.COM
  ZeCreator           : GOD@GRAPHICS.DESIGNER.COM

 Please note that we don't mail ProcDump32. We can "eventually" answer
 unpacking problems. I say eventually because I already got mails from people
 who didn't read the dox at all and asked stupid questions. I (G-RoM) won't
 explain either how I designed the ProcDump32 engine. Don't ask for the source
 code either : even if you saw Stone in the coding team, that doesn't mean all
 his advanced work is for the PUBLIC. Moreover, MY CODE is not !! We spent too
 much time on it to make it public ;).

 Regardless of this, I can answer technical problems you may encounter with
 PE format handling and unpacking/protecting. But I suggest you analyze the
 PE format DOX fucking well before mailing us about such things. Unless you
 are ready to pay for my technical assistance, in which case any stupid
 question can be asked ;). [I doubt a company will contact me... but who knows].

 =>

 If (question==TOO_STUPID) │If (question=TOO_STUPID)  │cmp question, TOO_STUPID
    {                      │then begin                │jnz reply
     NO_ANSWER();          │      NO_ANSWER ;         │call NO_ANSWER
     MOVE_TO_RECYCLE_BIN();│      MOVE_TO_RECYCLE_BIN;│call MOVE_TO_RECYCLE_BIN
    }                      │     end;                 │call exitprocess, 0
                           │                          │reply :

Greetings from G-RoM (packed version ;):
────────────────────────────────────────

 Random : Finally released... hehe. And still ProcDump proof. Less than in
	  the past but can't unpack it auto. May be in 1 year ? ;) Anyhow,
          I was happy that my debugging helped ya. Good luck under Linux.

 Acpizer: Continue ur work with the Win console and, start to work on Ring 0
	  hardware breakpoint ;). It will kick ass when it will be done.

 Marquis: PELockNT looks more accurate than BJFnt for sure... But there are
	  still some big holes. Try to think about things I told You ;).

 Jammer : U were the precursor... Thanx for ur support ;)

 J0B    : Your new deshrink rulez !! Major size change hehe. But More power-
	  full too ;)

 Killa  : Nice GUI.... Never forget that NT has weird things & reactions ;).
	  I may ask you one day how to do tooltips... if I can't find ;).

 Hendrix: I would like to know like you how to do a VXD tracer ;) I hope I
	  will one day ;).

 Iceman : Good luck with your PECRYPTOR.... U will need much ;).

LordByte: I will think about autodetectors soon, someone else suggested this
	  too ;). But again, Never forget ProcDump32 is not dedicated to
	  beginners : It was in fact designed as a tool for ME !!

 MrNop  : Okay, I rewrote the docs  to explain to beginners some few things.
	  But I still think this is useless since ProcDump  is not dedicated
	  at all for common peoples. At least, ur GUI remarks & bugs reports
	  were cool... thanx !!! BTW: No I don't code 20h a day .. hehe.

 Riz La+: Interface in ASM32 rule like da hell !!! Your skill in this domain
	  is fucking awesome... I may think about CatchNewTCB ;).

 Ryder  : I hope it helped you quite much ;). If you find  again a  cryptor,
	  tell me.

 Devil  : Humm.. Seems that your PMODE/W skills is still intact unlike mine.
	  I hope ProcDump32 suits ur need too ;).

 Bunter : Thanx for showing me this new cryptor.. Find me more ;). Thanx too
	  for showing me that my script  building explanation was not enough
	  explicit, even if it was indirect.

 The Owl: Well, I like much your Dumper ! Please contact Numega so that they
	  include it by default ;).
 Liu
 TaoTao : TRW rulez !!! Very good debugger !

 Lorian : Good luck with NT kernel driver !!

 Icepic : Good luck to u and ur team... Kick Sony's ASS ;).

 BeoWulf: Welcome to the PE researcher family ;).

 Miramax: Your trainers rulezzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz (fuck !! still 
          this virus ;).

Protector
 Coders : I suggest that you really think about something nice & compatible.
	  Never forget that we are under an instable OS ;). Never forget too
	  that If ur code run, It can be defeated/unpacked/uncrypted. So I
	  suggest you really think of the other side too... How would you do
	  to unpack/decrypt ;).

BetaTeam: Thanx for all bugs report guys ! Without ur test, ProcDump32 would
	  not be as efficient as it is.

 hiho to: #cracking, #bs2000, #ucf2000, #real<censored>
  	  Other groups I am in, Groups I were in,
	  NuMega technologies (Softice owns !!),
	  guys & girls I may know somewhere in the world ;).