 
                                                                             
                      <*>   EXEdumper version 1.2   <*>

                               by OBSESSiON

                                   1995

 
  Handle          Real name           Age   Profession   Group activity      
 
  Bugsy           Benjamin Petersen    22   Programmer   Coder, organizer    
  Spawn           Michael Skovslund    21   Programmer   Coder, gfx          
  UniSon          Henrik Eiriksson     22   Study IFA    Music, art          
  Fading Nimbus   Emil Hansen          20   Study HTX    Music               
 
                                                                             
 

INDEX 

  History
  Introduction
  Disclaimer
  Keyboard layout
  Program documentation
  Soft-Ice user notice
  How to unpack an exefile
  Greetings


 History

  Version   Notice

      1.0   Never released to public, only for our beta-testers
      1.1   First public release
      1.2   Now with Soft-Ice debugger support. Activate with INT FCh

 Introduction

  This program is able to unpack ANY exe-file, however this can only be done
  if it's packed with an exe-packer. Of course it can't be done by inserting
  a coin into the cryptomate. You have to do something for it. This is where
  you and your debugger come in.

  All you have to do is this :
    Load the program into your favourite debugger, debug the program until the
    first original instruction, dump the code/data, terminate the program,
    allocate 4 Kb, reload the program, debug until the first original
    instruction, dump the code/data, terminate the program, deallocate 4 Kb and
    read MakeExe.Doc

  If this sounds easy, exit your doc reader, if not, keep on reading. 8+)
                                                                        
 Disclaimer

  This software has been tested and found to work properly. OBSESSiON has no
  responsibility whatsoever for any damages caused by use, or misuse, of this
  software.

  If you, after a 24 hour test period, wish to continue using this program,
  you NEED to send me a postcard with your name and address. This is the
  only way I can see that someone is really using this software. If I don't
  receive any postcard, I won't update the program. This means :
  NO MORE UPDATES OR BUG FIXES, IF NO POSTCARD IS SENT TO ME!


 Keyboard layout

  Left shift + right shift : Activate the resident part of DumpExe
  TAB                      : Jump to next menu block
  Shift TAB                : Jump to previous menu block
  Arrow up/down            : Next/previous menu selection
  Arrow left/right         : Next/previous number in input field
  ESC                      : Terminate DumpExe or return to previous state
  Enter                    : Confirm selection/input

 Program documentation 

  Install DumpExe into memory by starting the file DUMPEXE.EXE. The program
  will now be resident (TSR) in memory. To activate it, press LEFT SHIFT and
  RIGHT SHIFT at the same time. A menu, the one shown below, will appear.
  To return to what you were doing, press ESC.

  Notice : You cannot start DumpExe by pressing the hotkey while you are at
  the DOS command line. This is because DOS says it's busy, or not safe to
  interrupt, at the present time. If you try to start it anyhow, two beeps can
  be heard from the PC-speaker. This beep sequence can also appear when the
  attempt is made inside a debugger; ignore this and try again.

          Exe-dumper v1.2 CARDWARE 1995 by BUGSY of OBSESSiON           [1]
          First file                    Second file
          CS   : 0000             [2]   CS   : 0000             [3]
          IP   : 0000                   IP   : 0000
          SS   : 0000                   SS   : 0000
          SP   : 0000                   SP   : 0000
          PSP  : 0000                   PSP  : 0000
          Size : 00000 (0)              Size : 00000 (0)
          Name : #NoName#.1             Name : #NoName#.2

               Dump exe-code      [4]       Dump exe-code       [5]
               Autodetect name              Autodetect name
               Autodetect size              Autodetect size

                                Allocate 4Kb                    [6]
                                Auto-Config
                                Reset menu
                                Uninstall
          Free 167 kb. Slack 0 kb [7]
                                                                [8]

  Overview
    [1] Copyright text. 
    [2] Data for first filedump, set by the user.
    [3] -do- for second file.
    [4] Menu concerning first filedump.
    [5] -do- for second file.
    [6] General purpose menu, concerning global use of DumpExe.
    [7] Information about current memory status.
    [8] Status message from DumpExe and input prompt from user.

  Explanation
    [1] Copyright text. 
          Tells who made this brilliant program.

    [2] This sub window is used to enter information about the program you
        want to unpack. You have to fill out ALL fields to get a working copy
        of the unpacked file.

          CS   : Current code segment
          IP   : Current instruction pointer
          SS   : Current stack segment
          SP   : Current stack pointer
          PSP  : Current program prefix segment
          Size : Size of program in bytes
          Name : Name of dump file

        To change a value, move the selector to the desired item and press
        enter. Enter the new value and press enter again.
        REMARK : All numbers are shown and entered as hexadecimal values.

    [3] -do- for [2]

    [4] Menu for processing the first unpacked data block. It is used for
        dumping the code/data block entered in [2] or [3].

        Menuitems available are :

          Dump exe-code    : Press this one to dump selected data block.

          Autodetect name  : Make DumpExe autodetect the name of the program
                             it is processing and use it for the dump name.

          Autodetect size  : Used to make the program autodetect the size of
                             the data block. There are two ways to autodetect
                             the size of a program. It can be done by Stack
                             or by PSP. The most common way is 'By Stack',
                             because this will give a smaller exefile.

    [5] -do- for [4]

    [6] This is a misc. menu, containing routines for the global use of the
        exe-dumper.

        Menuitems available are :

          Allocate 4Kb : Used to allocate/deallocate a block of 0100h
                         paragraphs or 4 kb. This should be done after 
                         first dump and termination, and before reload
                         of the program. Please take a look at the tutorial
                         at the bottom of this document.


          Auto-Config  : Add 0101h to all segment registers in [2] and
                         store them in [3]. It is useful when preparing
                         for the second dump. This only works for 9 out of 10
                         packed files. Please check that CS in [3] matches the
                         one shown by the debugger. If not, you have to enter
                         all values manually.

          Reset menu   : Sets all items to their initial value.

          Uninstall    : Use this one to remove DumpExe from memory.

    [7] Information about current memory status.

          Free  : Amount of free memory.
          Slack : Amount of memory fragmentation after allocating 4 kb.

    [8] Status message from the program and input prompt for the user.

        Here are some of the error messages that can appear here :

          No size given.
            You have to enter how much memory the program shall dump.

          No memory allocated.
            You are trying to auto-config file 2, and you haven't used
            'allocate 4KB'. You must manually enter the data required to dump.

          Can't auto-config file 2, sorry.
            You must manually enter the data required to dump a program.

          The PSP-segment is not valid.
            You are using a function that requires a valid PSP segment,
            entered in [2] or [3].

          The PSP-segment for file 1 is not valid.
            See the above.

          Can't find name.
            DumpEXE is not able to find the name of the program you want
            to dump. The program is using a standard name instead.

          Can't uninstall, vector hooked by another program.
            You have loaded another program after this DumpEXE. Unfortunately
            they have hooked the same interrupt. Unload the other program
            first and try again.

          Can't allocate necessary memory.
            Boot your machine with less drivers, and try again. If this 
            doesn't help, you are f.....

          Out of stack.
            Your memory is fragmented too much. DumpEXE has 4 kb of stack
            and in this case it doesn't seem to be enough. Contact me (BUGSY)
            and ask for a version with more stack :)
            (I'll send it to you!)

          Can't release memory.
            This error is most likely caused by the program you are about to
            dump. It is the stack of this program that has been destroyed.
            Dump the code and boot your PC. (the dumpfile should be okay,
            I hope...)

          Can't make file.
            Oops, a disk error. Check your harddisk with 'chkdsk /f'

          Can't write file, disk full ?.
            Free some disk space, and try again.

          Can't deallocate memory.
            The MCB (memory control block) has been destroyed. Dump the code
            and boot your PC. (again the dumpfile should be okay, I hope...)

          Size is to big, please enter a new one.
            You have entered an invalid size of the program. Max size is
            640 kb. :) Don't you just loooove dos ?...
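  The two size-detection methods offered in [4] and the Auto-Config step in [6]
  come down to real-mode segment arithmetic. The Python below is an added
  example, not DumpExe's own code. It carries the arithmetic through with the
  register values from the tutorial's final Turbo Debugger screen (CS 68EE,
  IP 01EA, SS 6A98, SP 4000, PSP = ES = 68DE). How DumpExe itself derives the
  two sizes is not stated in this document, so the formulas are assumptions:
  'by stack' takes the initial SS:SP as the end of the image, 'by PSP' takes
  the top-of-memory segment that DOS stores at PSP:0002 (visible as FF 9F on
  the ds:0000 line of the screenshots, and the word the packer compares
  against at cs:0109).

```python
# Added example: segment arithmetic behind 'Autodetect size' and 'Auto-Config'.
# Not DumpExe's own code; the two size formulas are assumptions (see lead-in).

MAX_IMAGE = 640 * 1024   # limit behind 'Size is to big, please enter a new one.'
PSP_PARAS = 0x10         # a PSP is 256 bytes; the program image is loaded after it
ALLOC_DELTA = 0x101      # Auto-Config's constant: 0100h paragraphs (4 KB) plus the
                         # 1-paragraph memory control block DOS puts in front


def linear(seg: int, off: int) -> int:
    """20-bit linear address of a real-mode segment:offset pair."""
    return (seg << 4) + off


def load_segment(psp: int) -> int:
    """Segment where the program image starts (CS on the tutorial screen)."""
    return (psp + PSP_PARAS) & 0xFFFF


def size_by_stack(psp: int, ss: int, sp: int) -> int:
    """'By Stack': assume the initial stack top is the last byte of the image."""
    return linear(ss, sp) - linear(load_segment(psp), 0)


def size_by_psp(psp: int, top_of_memory_seg: int) -> int:
    """'By PSP': everything DOS gave the program, up to the segment at PSP:0002."""
    return linear(top_of_memory_seg, 0) - linear(load_segment(psp), 0)


def check_size(size: int) -> int:
    """Mirror the size-related messages from the documentation's error list."""
    if size <= 0:
        raise ValueError("No size given.")
    if size > MAX_IMAGE:
        raise ValueError("Size is to big, please enter a new one.")
    return size


def auto_config(first: dict) -> dict:
    """Fill [3] from [2]: segment registers move by ALLOC_DELTA paragraphs,
    offsets (IP, SP) do not change between the two runs."""
    second = dict(first)
    for reg in ("CS", "SS", "PSP"):
        second[reg] = (first[reg] + ALLOC_DELTA) & 0xFFFF
    return second


def mismatches(predicted: dict, observed: dict) -> list:
    """Registers where the debugger's second run disagrees with Auto-Config;
    if the list is not empty the values have to be entered by hand."""
    return [r for r in ("CS", "IP", "SS", "SP", "PSP") if predicted[r] != observed[r]]


# Register values from the tutorial's last TD screen (ES holds the PSP segment)
TUTORIAL_RUN1 = {"CS": 0x68EE, "IP": 0x01EA, "SS": 0x6A98, "SP": 0x4000, "PSP": 0x68DE}
TUTORIAL_TOP_OF_MEMORY = 0x9FFF   # word at PSP:0002 on the ds:0000 line (FF 9F)


def tutorial_sizes() -> tuple:
    """Both autodetected sizes for the tutorial program, in bytes."""
    r = TUTORIAL_RUN1
    return (check_size(size_by_stack(r["PSP"], r["SS"], r["SP"])),
            check_size(size_by_psp(r["PSP"], TUTORIAL_TOP_OF_MEMORY)))


if __name__ == "__main__":
    by_stack, by_psp = tutorial_sizes()
    print(f"by stack: {by_stack:#x} ({by_stack} bytes)")
    print(f"by PSP  : {by_psp:#x} ({by_psp} bytes)")
    run2 = auto_config(TUTORIAL_RUN1)
    print("Auto-Config for run 2:", {k: f"{v:04X}" for k, v in run2.items()})
```

  With the tutorial's registers 'by stack' gives 5AA0h bytes while 'by PSP'
  gives 37110h bytes (everything up to 9FFF0h), which is why the documentation
  says the stack method produces the smaller exefile. The mismatches() check is
  the manual comparison the Auto-Config description asks for: if the predicted
  CS is not what the debugger shows on the second run, the values in [3] must
  be typed in by hand.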

 Soft-Ice user notice

  If you are using Soft-Ice, the hotkey is disabled. This is because Soft-Ice
  runs in protected mode and has its own interrupt vector table. To activate
  the exe-dumper, do this at the Soft-Ice command line:
    BPX CS:IP      : So we can return after Int 0FCh has terminated
    GENINT FC      : Start the exe-dumper
    GENINT FC      : Start the exe-dumper again (if you need it)
    BC 0           : Clear the breakpoint set by BPX. The number (here 0) is
                     the name of breakpoint label.

 How to unpack a exefile

  The file named 'unpackme.exe' is a packed exe-file. It is used to illustrate
  how to use this tool, and nothing more. BTW : The file is packed with pklite
  using normal compression.

  I will use Turbo Debugger for this example. The reason I do that is : 
  If you know how to use the ultimate debugger Soft-Ice, you really 
  don't need this introduction, in how to unpack a program with a debugger,
  or do you ?


  If you don't know anything about using a debugger, I advise you to consult
  your debugger's manual.

  Try to start the tutorial program UNPACKME.EXE and look at the text.
  The program tells if it's packed or not.

  REMEMBER : Start DUMPEXE.EXE before proceeding with next step.

  Start debugging unpackme.exe by writing : TD.EXE UNPACKME.EXE

  The picture shown to you, by TD (Turbo Debugger) should look something like
  this :

  CPU 80486
   >cs:0100 B89A05         mov    ax,059A        ax 0000   c=0
    cs:0103 BA4001         mov    dx,0140        bx 0000   z=0
    cs:0106 05EE68         add    ax,68EE        cx 0000   s=0
    cs:0109 3B060200       cmp    ax,[0002]      dx 0000   o=0
    cs:010D 731A           jnb    0129           si 0000   p=0
    cs:010F 2D2000         sub    ax,0020        di 0000   a=0
    cs:0112 FA             cli                   bp 0000   i=1
    cs:0113 8ED0           mov    ss,ax          sp 0200   d=0
    cs:0115 FB             sti                   ds 68DE
    cs:0116 2D1900         sub    ax,0019        es 68DE
    cs:0119 8EC0           mov    es,ax          ss 6A35
    cs:011B 50             push   ax             cs 68DE
    cs:011C B9C300         mov    cx,00C3        ip 0100

    ds:0000 CD 20 FF 9F 00 9A F0 FE
    ds:0008 1D F0 E0 01 7F 36 AA 01
    ds:0010 7F 36 7C 02 8C 30 5D 22                ss:0202 0779
    ds:0018 01 01 01 00 02 FF FF FF               >ss:0200 F60B

  Start executing the code, until you get to cs:0128, shown below.

  CPU 80486
    cs:011C B9C300         mov    cx,00C3        ax 6E4F   c=0
    cs:011F 33FF           xor    di,di          bx 0000   z=1
    cs:0121 57             push   di             cx 0000   s=0
    cs:0122 BE4401         mov    si,0144        dx 0140   o=0
    cs:0125 FC             cld                   si 02CA   p=1
    cs:0126 F3A5           rep movsw             di 0186   a=0
   >cs:0128 CB             retf                  bp 0000   i=1
    cs:0129 B409           mov    ah,09          sp 01FC   d=0
    cs:012B BA3201         mov    dx,0132        ds 68DE
    cs:012E CD21           int    21             es 6E4F
    cs:0130 CD20           int    20             ss 6E68
    cs:0132 4E             dec    si             cs 68DE
    cs:0133 6F             outsw                 ip 0128

    ds:0000 CD 20 FF 9F 00 9A F0 FE
    ds:0008 1D F0 E0 01 7F 36 AA 01
    ds:0010 7F 36 7C 02 8C 30 5D 22                ss:01FE 6E4F
    ds:0018 01 01 01 00 02 FF FF FF               >ss:01FC 0000

  The unpacker has copied itself to a location, which is just after the
  unpacked code. Singlestep one instruction, and you will see this :

  CPU 80486
   >cs:0000 FD             std                   ax 6E4F   c=0
    cs:0001 8CDB           mov    bx,ds          bx 0000   z=1
    cs:0003 53             push   bx             cx 0000   s=0
    cs:0004 83C32D         add    bx,002D        dx 0140   o=0
    cs:0007 03DA           add    bx,dx          si 02CA   p=1
    cs:0009 8CCD           mov    bp,cs          di 0186   a=0
    cs:000B 8BC2           mov    ax,dx          bp 0000   i=1
    cs:000D 80E40F         and    ah,0F          sp 0200   d=0
    cs:0010 B104           mov    cl,04          ds 68DE
    cs:0012 8BF2           mov    si,dx          es 6E4F
    cs:0014 D3E6           shl    si,cl          ss 6E68
    cs:0016 8BCE           mov    cx,si          cs 6E4F
    cs:0018 D1E9           shr    cx,1           ip 0000

    ds:0000 CD 20 FF 9F 00 9A F0 FE
    ds:0008 1D F0 E0 01 7F 36 AA 01
    ds:0010 7F 36 7C 02 8C 30 5D 22                ss:0202 0000
    ds:0018 01 01 01 00 02 FF FF FF               >ss:0200 0000

  Press pagedown a couple of times, until you get this :

  CPU 80486
    cs:0155 8BD0           mov    dx,ax          ax 0000   c=0
    cs:0157 8BE8           mov    bp,ax          bx 0000   z=1
    cs:0159 8BF0           mov    si,ax          cx 0000   s=0
    cs:015B 8BF8           mov    di,ax          dx 0000   o=0
   >cs:015D CB             retf                  si 0000   p=1
    cs:015E 0300           add    ax,[bx+si]     di 0000   a=0
    cs:0160 020A           add    cl,[bp+si]     bp 0000   i=1
    cs:0162 0405           add    al,05          sp 3FFC   d=0
    cs:0164 0000           add    [bx+si],al     ds 68DE
    cs:0166 0000           add    [bx+si],al     es 68DE
    cs:0168 0000           add    [bx+si],al     ss 6A98
    cs:016A 06             push   es             cs 6E4F
    cs:016B 07             pop    es             ip 015D

    ds:0000 CD 20 FF 9F 00 9A F0 FE
    ds:0008 1D F0 E0 01 7F 36 AA 01
    ds:0010 7F 36 7C 02 8C 30 5D 22                ss:3FFE 68EE
    ds:0018 01 01 01 00 02 FF FF FF               >ss:3FFC 01EA

  Press F4 at location cs:015d, and press F7. That's it. You have
  now unpacked the test program. If you have done it right your TD
  shows something like this :

  CPU 80486
   >cs:01EA 9A00009569     call   6995:0000      ax 0000   c=0
    cs:01EF 9A0D003369     call   6933:000D      bx 0000   z=1
    cs:01F4 55             push   bp             cx 0000   s=0
    cs:01F5 89E5           mov    bp,sp          dx 0000   o=0
    cs:01F7 B80001         mov    ax,0100        si 0000   p=1
    cs:01FA 9ACD029569     call   6995:02CD      di 0000   a=0
    cs:01FF 81EC0001       sub    sp,0100        bp 0000   i=1
    cs:0203 9ACC013369     call   6933:01CC      sp 4000   d=0
    cs:0208 BF5200         mov    di,0052        ds 68DE
    cs:020B 1E             push   ds             es 68DE
    cs:020C 57             push   di             ss 6A98
    cs:020D 8DBE00FF       lea    di,[bp-0100]   cs 68EE
    cs:0211 16             push   ss             ip 01EA

    ds:0000 CD 20 FF 9F 00 9A F0 FE
    ds:0008 1D F0 E0 01 7F 36 AA 01
    ds:0010 7F 36 7C 02 8C 30 5D 22                ss:4002 0000
    ds:0018 01 01 01 00 02 FF FF FF               >ss:4000 0000

  As you can see there are two far calls. Those are direct calls, meaning
  that each one calls a fixed location in memory. If we dump the memory used
  by the test program, we will have an image of the memory. But this is not
  enough to make a new exe file, because an exe file is not just an image of
  the memory, like a com file is. So what we need is a second dump from a
  different memory location, because the segment part of each direct call
  depends on where the program was loaded. By comparing the two dump files,
  we can find the relocations needed to build a new exe file. Information
  like min/max memory usage is taken from the original exe file. But let's
  get back to the tutorial.

  Remember the values of SP, DS, ES, SS, CS and IP. Press the two shift keys,
  and enter the values in their corresponding locations in [2]. You will
  probably notice that there is no field for ES; this is because the
  initial value of ES points to the PSP, so write the value of ES in the PSP
  field.

  It is time to tell DumpExe the size of the memory block that we want to dump.
  Use TAB until you get to [4]. Press enter at 'Autodetect size'. There are
  two ways of getting the size. One is by using the stack, the other is
  'by PSP'. The one that you should use (99 % of the time) is 'by stack'.
  Press S, and the size has been put into the size field. Press enter at
  'Autodetect name', and the name has been put into the name field. Now it's
  time to dump memory. This is done by pressing enter at 'Dump exe-code'. It
  will probably be so fast that you won't notice the progress message that
  appears.

  Press ESC and press F9 in TD. The program has now terminated, and it's
  time to allocate a 4KB memory block. Start DumpExe again, and press enter
  at 'Allocate 4Kb'. The menu will change to Deallocate 4Kb. Press ESC, and
  reload our program by pressing F2. Start debugging like you did the first
  time. When you have reached the first instruction of the original code,
  enter all information like CS, SS.... in [3]. To make this easier,
  there is an 'Auto-Config' button. It will set up all values in [3] by using
  those you have entered in [2]. Dump the code, and we are almost done.
  Again terminate your program, by pressing F9 in TD. Start DumpExe again,
  and press enter at 'Deallocate 4Kb'. Exit your debugger.

  Run the MakeExe program with parameters : First dump, second dump,
                                            original exefile, new filename.

  or like this : MAKEEXE.EXE unpackme.1 unpackme.2 unpackme.exe unpacked.exe

  The MakeExe program compares the two memory dumps and builds a new exe file
  using the information found in the original exe file's header.

  After MakeExe has built a new exe file, the screen should look like this :

           Exe-maker  v1.2 CARDWARE 1995 by BUGSY of OBSESSiON

           Read exeinfo : ooo
           Make new exefile.
           Make temp file.

           Process dump files   : o
           Number of relocation : 004Bh
           Add zero code        : oooo
           Size of EXE-header   : 00170h
           Write code           : o
           Write new exeheader.
           All done !

  If the message 'End of valid code detected at ...' shows up, just press 'N'

  This message means that MakeExe has detected that the two dumps do not
  contain valid code/data anymore. Normally one would answer 'No' to whether
  MakeExe should continue or not. If you answer 'yes', the current position
  would be considered as a relocation in the exe header. But in special cases,
  where the unpacked exe file is smaller than the packed one, one should say
  yes, even if MakeExe asks more than one time. But as I said, only in special
  cases.
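  The comparison that the paragraph on the two far calls describes, and the
  job MakeExe does with the two dumps, written out as an added Python example.
  This is not MakeExe's source; the tool is a DOS binary whose exact rules this
  document does not give. The example constructs a small image whose two far
  calls resolve to 6995:0000 and 6933:000D when loaded at 68EE (the values on
  the tutorial screen), "dumps" it twice at load segments 0101h paragraphs
  apart, recovers the relocation offsets from the words that differ by exactly
  0101h, and writes an MZ header with the documented DOS EXE layout. The rule
  that the first difference which is not a 0101h shift marks the end of valid
  code, i.e. what answering 'N' to 'End of valid code detected' achieves, is an
  assumption made here about what that message corresponds to.

```python
# Added example: two-dump relocation recovery and MZ header construction.
# Not MakeExe's code; the 'end of valid code' rule below is an assumption.
import struct

PARA_DELTA = 0x101             # 0100h paragraphs (4 KB) + the 1-paragraph MCB header
PSP1 = 0x68DE                  # PSP of the first run (ES/DS on the tutorial screen)
LOAD1 = PSP1 + 0x10            # image starts right after the 256-byte PSP
LOAD2 = LOAD1 + PARA_DELTA     # where the second run lands after 'Allocate 4Kb'

# Constructed image, segments stored relative to the load segment: two far
# calls (9A = CALL seg:off), a RETF and some data. Loaded at 68EE the call
# targets become 6995:0000 and 6933:000D, the values on the tutorial screen.
IMAGE_REL = (
    b"\x9A\x00\x00\xA7\x00"    # call 00A7:0000 -> relocation at offset 3
    + b"\x9A\x0D\x00\x45\x00"  # call 0045:000D -> relocation at offset 8
    + b"\xCB"                  # retf
    + b"Hello, DOS$"           # plain data, identical in both dumps
).ljust(0x40, b"\x00")
RELOCS_REL = [3, 8]


def relocate(image_rel: bytes, relocs, load_seg: int) -> bytes:
    """What the DOS loader does: add the load segment to every relocation word."""
    img = bytearray(image_rel)
    for off in relocs:
        w = int.from_bytes(img[off:off + 2], "little")
        img[off:off + 2] = ((w + load_seg) & 0xFFFF).to_bytes(2, "little")
    return bytes(img)


def find_relocations(dump1: bytes, dump2: bytes, delta: int):
    """Compare two dumps of the same unpacked program taken `delta` paragraphs
    apart. A word that grew by exactly `delta` is a segment reference; the
    first difference that is anything else means the dumps no longer hold
    comparable code/data (the 'End of valid code detected' situation), and
    scanning stops there, as when you answer 'N'. Returns (offsets, end)."""
    n = min(len(dump1), len(dump2))
    relocs, i = [], 0
    while i < n:
        if dump1[i] == dump2[i]:
            i += 1
            continue
        # First differing byte: try the word starting here, then the one
        # starting a byte earlier (only needed if delta's low byte were 0).
        for start in (i, i - 1):
            if start < 0 or start + 2 > n or (relocs and start < relocs[-1] + 2):
                continue
            w1 = int.from_bytes(dump1[start:start + 2], "little")
            w2 = int.from_bytes(dump2[start:start + 2], "little")
            if (w2 - w1) & 0xFFFF == delta:
                relocs.append(start)
                i = start + 2
                break
        else:
            return relocs, i
    return relocs, n


def build_exe(dump1: bytes, relocs, load_seg: int, end: int,
              cs: int, ip: int, ss: int, sp: int,
              minalloc: int = 0, maxalloc: int = 0xFFFF) -> bytes:
    """Turn the first dump back into an MZ file: relocation words and CS/SS
    become load-segment relative, and a header plus relocation table is added."""
    image = bytearray(dump1[:end])
    for off in relocs:
        w = int.from_bytes(image[off:off + 2], "little")
        image[off:off + 2] = ((w - load_seg) & 0xFFFF).to_bytes(2, "little")
    table = b"".join(struct.pack("<HH", off & 0xF, off >> 4) for off in relocs)
    hdr_len = (0x1C + len(table) + 15) & ~0xF        # header is whole paragraphs
    total = hdr_len + len(image)
    header = struct.pack(
        "<2s13H", b"MZ",
        total % 512, (total + 511) // 512,            # bytes in last page, pages
        len(relocs), hdr_len // 16, minalloc, maxalloc,
        (ss - load_seg) & 0xFFFF, sp, 0,              # initial SS:SP, checksum
        ip, (cs - load_seg) & 0xFFFF, 0x1C, 0)        # initial CS:IP, table at 1Ch
    return header + table + b"\x00" * (hdr_len - 0x1C - len(table)) + bytes(image)


def rebuild_from_two_runs():
    """The whole procedure on the constructed image: dump twice, compare, build.
    Memory past the image is filled with different constructed junk in each
    run, which is what stops the scan. Returns (relocs, end, exe bytes)."""
    junk1, junk2 = bytes(range(0x10, 0x20)), bytes(range(0x90, 0xA0))
    dump1 = relocate(IMAGE_REL, RELOCS_REL, LOAD1) + junk1
    dump2 = relocate(IMAGE_REL, RELOCS_REL, LOAD2) + junk2
    relocs, end = find_relocations(dump1, dump2, PARA_DELTA)
    exe = build_exe(dump1, relocs, LOAD1, end, cs=LOAD1, ip=0, ss=LOAD1 + 4, sp=0x100)
    return relocs, end, exe


if __name__ == "__main__":
    relocs, end, exe = rebuild_from_two_runs()
    print(f"relocations at {[hex(r) for r in relocs]}, valid data ends at {end:#x}")
    print(f"{len(exe)} byte EXE, {exe[6] | exe[7] << 8} relocation entries")
```

  The comparison only works because both dumps were taken at the same point,
  the first original instruction, so everything except the segment words is
  byte-for-byte identical; memory the program has not initialised yet (stack,
  heap, leftover data from the previous run) is where the two dumps drift apart,
  and that is the point the scan stops at. The min/max allocation fields are
  left as parameters here because, as the text says, MakeExe takes them from the
  original exe header rather than from the dumps.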

  I think this would be enough for you to continue on your own. If you have
  any questions about the use of these programs, feel free to contact me.

  You can get in touch with me by :

    Writing a letter to :
      Benjamin Petersen
      Nybrovej 304, F-48
      DK-2800 Lyngby
      Denmark

    E-Mail me at :
      ben@ktas.dk

    Call me at :
      +45 45 974-348

[BUGSY/OBSESSiON]

 Greetings

  My greetings goes to (no order) :

    Spawn/OBSESSiON            : Thanks for the menu system in this production!
    Darkman/VLAD               : Thanks for your help about TSR detection.
    Ping (pingelingelater)     : Thanks for proofreading this documentation.
    Sheap/s!p                  : Are you reading those Asm books I gave you ?
    Motion Man/DOM             : Thanks for a nice ratio.
    HiTech                     : Never put a bug into a bottle of coca cola!
    Zteel/Difussion            : Go nuke that SD....
    Bionic/ECR/STH             : Nice txt in 'UD OG SE MED DSB'.....
    Zero God                   : Still working on that Delta sound packer ?
    Jazz                       : Sorry, but I'd quit smoking. NOOOOT!
    Sketz/Silente PC           : No more logos for 'the top BBS', sad...
    Drake/DOM                  : Thanks for the Soft-Ice tip!
    and all I didn't remember  : Sorry, kill us in our next life.

    A great welcome to our two new musicians : Fading Nimbus and Unison.
    Keep up the good work guys, you have really proven yourselves.