───────────────────────────────────────────────────────────────────────
          UNPE-SHiELD v0.14 (C) Copyright 1998 by G-RoM [PC/BS/PNC]
───────────────────────────────────────────────────────────────────────
                      D O C U M E N T A T I O N
───────────────────────────────────────────────────────────────────────

I. What is UNPE-SHiELD?
~~~~~~~~~~~~~~~~~~~~~~~

UNPE-SHiELD is a program which decrypts 32-bit Windows EXE files
"protected" by PE-Shield. The supported versions are 0.1ß, 0.1b, 0.1c
and 0.1d.

II. Disclaimer
~~~~~~~~~~~~~~

I, the author, am *NOT* responsible for any damage caused by the use of
UNPE-SHiELD. It was tested with success under Windows NT, Windows 95 & 98
and pure DOS ;).

III. Usage
~~~~~~~~~~

Using UNPE-SHiELD is very easy: just type

    UNPESH [file]

and UNPE-SHiELD will try to remove the encryption from the file u
specified. The progress of the work will be displayed on ur screen.

To fix up the relocations, run reloc.exe on the file *after* u ran
unpesh.exe on it, and not before!!

Ex:

    unpesh taskman.exe
    reloc  taskman.exe

IV. Technical Notes
~~~~~~~~~~~~~~~~~~~

UNPE-SHiELD was coded in PURE 32-bit assembler with the use of DOS32 v3.5
services, which is, from my point of view, the best DOS extender available
for ASM32 coding. I didn't do the job in PURE C coz I think it is
useless ;) The work was achieved in 3 hours.

V. Future Stuff
~~~~~~~~~~~~~~~

■ Remover for any new features of PESHiELD ;)
■ Including the reloc.exe code in unpesh.exe.

VI. History
~~~~~~~~~~~

V 0.0001 : Lame version, only removed a specific "MTE" version :(
           Thanx Hann0 for reporting to me what he thought to be a joke.

V 0.1α   : (Internal release) Added MTE analyzer. Now any pe-shielded
           file might be supported. Please report if u got an exe that
           crashes ur PC when uncrypting.

V 0.1    : Added universal MTE remover.

V 0.11   : Improved MTE detector. Thanx Hann0 for giving me a
           non-working EXE ;)

V 0.12   : Added a new check to get the real end of the crypted infos
           (0.1b).

V 0.13   : Rewrote the GETorigEIP code to support 0.1c. May change again
           soon... I am not satisfied by the way it works and the code I
           did. DLL unpacking untested & may not work at all.

V 0.13b  : (optimisation / reloc support) GetOrigEip rewritten to my
           convenience ;) DLL unpacking was working perfectly in 0.13 ;)
           Added Reloc.exe, an external tool which allows the relocs to
           work again.

V 0.14   : (0.1d support fix) Modified the GetOrigEIP method. Modified
           the MtE analyzer a little bit.

VII. The author
~~~~~~~~~~~~~~~

G-RoM is a cracker for several groups and won't give you his real info.
Don't ask ;)

iRC: EFNET #CRACKING, nick G-RoM.

VIII. Personal Greetinx
~~~~~~~~~~~~~~~~~~~~~~~

RaNDoM  ■ PeCRYPT is now 100% bugfree ;) Kewl.. even if I never got any
          problem with it ;) hehehe.

ANAKiN  ■ I played again with ur little modification to MtE. I support ur
          new modification... Works again ;). There are still some big
          holes in ur MtE ;) Continue to work on it ;)
          BTW: what's the interest in releasing PECRYPT EXE unpacked? I
          don't really understand. A generic unpacker is a thing that
          might be interesting. We used to unpack EXEs when they are
          crippled/unregistered, to change the default status of them,
          but PECRYPT is free & fully functional. I await any comment
          from you about that (EX: ur peshield.exe was never released
          unpacked.. coz it is fully functional).

Stone   ■ I really think that ur unWWPACK32 code is good, but we can at
          least improve the size at the end: it is not hard to remove the
          WWPACK32 unpack object and the code related to it. Continue ur
          interesting work on PE protection. ;)

Stonehead, Dàrk-Màn, Dark Stalker, KA0T, Marquis, Lord Byte, ACP, Misha,
TiNoX, SeNSi, Lord Caligo, LGB, KAB, Regor, Hann0 (error reporter hehehe),
Razzi and lots of others ;)

Greetings go to the whole #cracking, uCF, Phrozen Crew, ... all groups I
know someone in ;)

PS: The documentation was written in a hurry...