Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Library / +ORC / Orc pac 2 / FILEZ.ZIP / DMPEXE12.ZIP / DUMPEXE.DOC next >

Wrap

Text File | 1995-05-22 | 25.1 KB | 513 lines

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ █ █ █ <*> EXEdumper version 1.2 <*> █ █ █ █ by ▄─▄ ▄ ▄─▄ ▄─▄ ▄─▄ ▄─▄ ▄ ▄─▄ ▄─▄ █ █ █ █ █─▄ ▀─▄ █─ ▀─▄ ▀─▄ ▄ █ █ █ █ █ █ █ █ █ █ ▄ █ █ ▄ █ ▄ █ █ █ █ █ █ █ █ ▀▀▀ ▀▀▀ ▀▀▀ ▀▀▀ ▀▀▀ ▀▀▀ ▀ ▀▀▀ ▀ ▀ 1995 █ █ █ █────────────────────────────────────────────────────────────────────────────█ █ Handle Real name Age Profession Group activity █ █────────────────────────────────────────────────────────────────────────────█ █ Bugsy Benjamin Petersen 22 Programmer Coder, organizer █ █ Spawn Michael Skovslund 21 Programmer Coder, gfx █ █ UniSon Henrik Eiriksson 22 Study IFA Music, art █ █ Fading Nimbus Emil Hansen 20 Study HTX Music █ █────────────────────────────────────────────────────────────────────────────█ █ █ ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ INDEX History Introduction Disclaimer Keyboard layout Program dokumentation Soft-Ice user notice How to unpack a exefile Greetings ■ History Version Notice 1.0 Never released to public, only for our beta-testers 1.1 First public release 1.2 Now with Soft-Ice debugger support. Activate with INT FCh ■ Introduction This program is able to unpack ANY exe-file, however this can only be done if it's packed with a exe-packer. Of course it can't be done by inserting a coin into the cryptomate. You have to do something for it. This is where you and your debugger comes in. All you have to do is this : Load the program into your favourite debugger, debug the program until first original instruction, dump the code/data, terminate the program, allocate 4 Kb, reload the program, debug until first original instruc- tion, dump the code/data, terminate the program, deallocate 4 Kb and read MakeExe.Doc If this sounds easy, exit your doc reader, if not, keep on reading. 8+) ■ Disclaimer This software has been tested and found to work properly. OBSESSiON have no responsability whatsoever for any damages caused by use, or misuse, of this software. If you, after a 24 hour test period, wish to continue using this program, you NEED to send me a postcard with your name and address. This is the only way I can see that someone is really using this software. If I don't receive any postcard, I won't update the program. This means : NO MORE UPDATE OR BUG FIXES, IF NO POSTCARD IS SEND TO ME! ■ Keyboard layout Left shift + right shift : Activate the resident part of DumpExe TAB : Jump to next menu block Shift TAB : Jump to previous menu block Arrow up/down : Next/previous menu selection Arrow left/right : Next/previous number in input field ESC : Terminate DumpExe or return to previous state Enter : Confirm selection/input ■ Program documentation Install DumpExe into memory, by starting the file DUMPEXE.EXE. The program will now be resident (TSR) in memory. To activate, press LEFT SHIFT and RIGHT SHIFT at the same time. A menu, the one shown here below, will appear. To return to what you were doing, press ESC. Notice : You cannot start DumpExe by pressing the hotkey while you are at the dos command line. This is because dos says it's busy, or not safe to interrupt, at the present time. If you try to start it anyhow, two beep can be heard from the PC-speaker. This beep sequence can also appear while an attempt have been made inside a debugger, ignore this and try again. ╔═══ Exe-dumper v1.2 CARDWARE 1995 by BUGSY of OBSESSiON [1]╗ ║───────── First file ────────┬───────── Second file ───────║ ║ CS : 0000 [2] │ CS : 0000 [3] ║ ║ IP : 0000 │ IP : 0000 ║ ║ SS : 0000 │ SS : 0000 ║ ║ SP : 0000 │ SP : 0000 ║ ║ PSP : 0000 │ PSP : 0000 ║ ║ Size : 00000 (0) │ Size : 00000 (0) ║ ║ Name : #NoName#.1 │ Name : #NoName#.2 ║ ║─────────────────────────────┼─────────────────────────────║ ║ Dump exe-code [4] │ Dump exe-code [5] ║ ║ Autodetect name │ Autodetect name ║ ║ Autodetect size │ Autodetect size ║ ║─────────────────────────────┴─────────────────────────────║ ║ Allocate 4Kb [6] ║ ║ Auto-Config ║ ║ Reset menu ║ ║ Uninstall ║ ║───────────────────────────── Free 167 kb. Slack 0 kb ─[7]─║ ║ [8] ║ ╚═══════════════════════════════════════════════════════════╝ Overview [1] Copyright text. [2] Data for first filedump, set by the user. [3] -do- for second file. [4] Menu concerning first filedump. [5] -do- for second file. [6] General purpose menu, concerning global use of DumpExe. [7] Information about current memory status. [8] Status message from DumpExe and input prompt from user. Explenation [1] Copyright text. Tells who made this brilliant program. [2] This sub window are used to enter information about the program you want to unpack. You have to fill out ALL fields, for a working copy of the unpacked file. CS : Current code segment IP : Current instruction pointer SS : Current stack segment SP : Current stack pointer PSP : Current program prefix segment Size : Size of program in bytes Name : Name of dump file To change a value, move selector to decided item and press enter. Enter the new value and press enter again. REMARK : All numbers are shown and entered in heximal values. [3] -do- for [2] [4] Menu for processing first unpacked data block. It is use for dumping the code/data block entered in [2] or [3]. Menuitems available are : Dump exe-code : Press this one to dump selected data block. Autodetect name : Make DumpExe autodetect the name of the program it are processing and use it for the dump name. Autodetect size : Used to make the program autodetect the size of the data block. There are too ways to autodetect the size of a program. It can be done by Stack or PSP. The most common way is 'By Stack', because this will give a smaller exefile. [5] -do- for [4] [6] This is a misc. menu, containing rutines for the global use of the exe-dumper. Menuitems available are : Allocate 4Kb : Used to allocate/deallocate a block of 0100h paragraphs or 4 kb. This should be done after first dump and termination, and before reload of the program. Please take a look at the tutorial at the bottom of this document. Auto-Config : Add 0101h to all segment registers in [2] and store them in [3]. It is usefull after preparing for second dump. This only works 9 out 10 packed files. Please notice that CS in [3] matches the one shown by the debugger. If not, you have to enter all values manuelly. Reset menu : Sets all items to there initial value. Uninstall : Use this one to remove DumpExe from memory. [7] Information about current memory status. Free : Amount of free memory. Slack : Amount of memory fragment after allocating 4 kb. [8] Status message from the program and prompt file for user. Here is some of the error messages that can appeare here : No size given. You have to enter how much memory the program shall dump. No memory allocated. You are trying to auto-config file 2, and you have'nt used 'allocate 4KB'. You must manuelly enter the data required to dump Can't auto-config file 2, sorry. You must manuelly enter the data required to dump a program. The PSP-segment is not valid. You are using a function that required a valid PSP segment, entered in [2] or [3]. The PSP-segment for file 1 is not valid. See the above. Can't find name. DumpEXE is not able to find the name of the program you want to dump. The program are using a standard name instead. Can't uninstall, vector hooked by another program. You have loaded another program after this DumpEXE. Unfortunately they have hooked the same interrupt. Unload the other program first and try again. Can't allocate necessary memory. Boot your machine with less drivers, and try again. If this does'nt help, you are f..... Out of stack. Your memory is fragmented to much. The DumpEXE has 4 kb of stack and in this case it does'nt seem to be enough. Contact me (BUGSY) and ask for a version with more stack :) (I'll send it to you!) Can't release memory. This error is most likely coursed by the program you are about to dump. It is the stack of this program that have been destroyed. Dump the code and boot your PC. (the dumpfile should be okay, I hope...) Can't make file. Ups, a disk error. Check your harddisk with 'chkdsk /f' Can't write file, disk full ?. Free some disk space, and try again. Can't deallocate memory. The MCB (memory control block) have been destroyed. Dump the code and boot your PC. (again the dumpfile should be okay, I hope...) Size is to big, please enter a new one. You have entered an invalid size of the program. Max size is 640 kb. :) Don't you just loooove dos ?... ■ Soft-Ice user notice If you are using Soft-Ice, the hotkey is disabled. This is because Soft-Ice runs in protected mode and have it's own interrupt vector table. To activate the exe-dumper, do this at the Soft-Ice command line: BPX CS:IP : So we can return after Int 0FCh has terminated GENINT FC : Start the exe-dumper GENINT FC : Start the exe-dumper again (if you need it) BC 0 : Clear the breakpoint set by BPX. The number (here 0) is the name of breakpoint label. ■ How to unpack a exefile The file named 'unpackme.exe' is a packed exe-file. It is used to illustrate how to use this tool, and nothing more. BTW : The file is packed with pklite using normal compression. I will use Turbo Debugger for this example. The reason I do that is : If you know how to use the ultimate debugger Soft-Ice, you really don't need this introduction, in how to unpack a program with a debugger, or do you ? If you don't know anything about using a debugger, I advice you to consult your debugger's manual. Try to start the tutorial program UNPACKME.EXE and look at the text. The program tells if it's packed or not. REMEMBER : Start DUMPEXE.EXE before proceeding with next step. Start debuging unpackme.exe by writing : TD.EXE UNPACKME.EXE The picture shown to you, by TD (Turbo Debugger) should look something like this : ╔═[■]═CPU 80486═══════════════════════════════╤═══════1═[][]═╗ ║ cs:0100B89A05 mov ax,059A ax 0000 │c=0║ ║ cs:0103 BA4001 mov dx,0140 ■ bx 0000 │z=0║ ║ cs:0106 05EE68 add ax,68EE ▒ cx 0000 │s=0║ ║ cs:0109 3B060200 cmp ax,[0002] ▒ dx 0000 │o=0║ ║ cs:010D 731A jnb 0129 ▒ si 0000 │p=0║ ║ cs:010F 2D2000 sub ax,0020 ▒ di 0000 │a=0║ ║ cs:0112 FA cli ▒ bp 0000 │i=1║ ║ cs:0113 8ED0 mov ss,ax ▒ sp 0200 │d=0║ ║ cs:0115 FB sti ▒ ds 68DE │ ║ ║ cs:0116 2D1900 sub ax,0019 ▒ es 68DE │ ║ ║ cs:0119 8EC0 mov es,ax ▒ ss 6A35 │ ║ ║ cs:011B 50 push ax ▒ cs 68DE │ ║ ║ cs:011C B9C300 mov cx,00C3 ip 0100 │ ║ ╟■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒┤ │ ║ ║ ds:0000 CD 20 FF 9F 00 9A F0 FE ═ ƒ Ü≡■ │ │ ║ ║ ds:0008 1D F0 E0 01 7F 36 AA 01 ≡α6¬ ├────────────┴───╢ ║ ds:0010 7F 36 7C 02 8C 30 5D 22 6|î0]" │ ss:0202 0779 ║ ║ ds:0018 01 01 01 00 02 FF FF FF │ ss:0200F60B ║ ╚═════════════════════════════════════════════╧═══════════════─┘ Start executing the code, until you get to cs:0128, shown below. ╔═[■]═CPU 80486═══════════════════════════════╤═══════1═[][]═╗ ║ cs:011C B9C300 mov cx,00C3 ax 6E4F │c=0║ ║ cs:011F 33FF xor di,di ■ bx 0000 │z=1║ ║ cs:0121 57 push di ▒ cx 0000 │s=0║ ║ cs:0122 BE4401 mov si,0144 ▒ dx 0140 │o=0║ ║ cs:0125 FC cld ▒ si 02CA │p=1║ ║ cs:0126 F3A5 rep movsw ▒ di 0186 │a=0║ ║ cs:0128CB retf ▒ bp 0000 │i=1║ ║ cs:0129 B409 mov ah,09 ▒ sp 01FC │d=0║ ║ cs:012B BA3201 mov dx,0132 ▒ ds 68DE │ ║ ║ cs:012E CD21 int 21 ▒ es 6E4F │ ║ ║ cs:0130 CD20 int 20 ▒ ss 6E68 │ ║ ║ cs:0132 4E dec si ▒ cs 68DE │ ║ ║ cs:0133 6F outsw ip 0128 │ ║ ╟■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒┤ │ ║ ║ ds:0000 CD 20 FF 9F 00 9A F0 FE ═ ƒ Ü≡■ │ │ ║ ║ ds:0008 1D F0 E0 01 7F 36 AA 01 ≡α6¬ ├────────────┴───╢ ║ ds:0010 7F 36 7C 02 8C 30 5D 22 6|î0]" │ ss:01FE 6E4F ║ ║ ds:0018 01 01 01 00 02 FF FF FF │ ss:01FC0000 ║ ╚═════════════════════════════════════════════╧═══════════════─┘ The unpacker has copied itself to a location, which is just after the unpacked code. Singlestep one instruction, and you will see this : ╔═[■]═CPU 80486═══════════════════════════════╤═══════1═[][]═╗ ║ cs:0000FD std ax 6E4F │c=0║ ║ cs:0001 8CDB mov bx,ds ■ bx 0000 │z=1║ ║ cs:0003 53 push bx ▒ cx 0000 │s=0║ ║ cs:0004 83C32D add bx,002D ▒ dx 0140 │o=0║ ║ cs:0007 03DA add bx,dx ▒ si 02CA │p=1║ ║ cs:0009 8CCD mov bp,cs ▒ di 0186 │a=0║ ║ cs:000B 8BC2 mov ax,dx ▒ bp 0000 │i=1║ ║ cs:000D 80E40F and ah,0F ▒ sp 0200 │d=0║ ║ cs:0010 B104 mov cl,04 ▒ ds 68DE │ ║ ║ cs:0012 8BF2 mov si,dx ▒ es 6E4F │ ║ ║ cs:0014 D3E6 shl si,cl ▒ ss 6E68 │ ║ ║ cs:0016 8BCE mov cx,si ▒ cs 6E4F │ ║ ║ cs:0018 D1E9 shr cx,1 ip 0000 │ ║ ╟■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒┤ │ ║ ║ ds:0000 CD 20 FF 9F 00 9A F0 FE ═ ƒ Ü≡■ │ │ ║ ║ ds:0008 1D F0 E0 01 7F 36 AA 01 ≡α6¬ ├────────────┴───╢ ║ ds:0010 7F 36 7C 02 8C 30 5D 22 6|î0]" │ ss:0202 0000 ║ ║ ds:0018 01 01 01 00 02 FF FF FF │ ss:02000000 ║ ╚═════════════════════════════════════════════╧═══════════════─┘ Press pagedown a couple of times, until you get this : ╔═[■]═CPU 80486═══════════════════════════════╤═══════1═[][]═╗ ║ cs:0155 8BD0 mov dx,ax ax 0000 │c=0║ ║ cs:0157 8BE8 mov bp,ax ■ bx 0000 │z=1║ ║ cs:0159 8BF0 mov si,ax ▒ cx 0000 │s=0║ ║ cs:015B 8BF8 mov di,ax ▒ dx 0000 │o=0║ ║ cs:015DCB retf ▒ si 0000 │p=1║ ║ cs:015E 0300 add ax,[bx+si] ▒ di 0000 │a=0║ ║ cs:0160 020A add cl,[bp+si] ▒ bp 0000 │i=1║ ║ cs:0162 0405 add al,05 ▒ sp 3FFC │d=0║ ║ cs:0164 0000 add [bx+si],al ▒ ds 68DE │ ║ ║ cs:0166 0000 add [bx+si],al ▒ es 68DE │ ║ ║ cs:0168 0000 add [bx+si],al ▒ ss 6A98 │ ║ ║ cs:016A 06 push es ▒ cs 6E4F │ ║ ║ cs:016B 07 pop es ip 015D │ ║ ╟■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒┤ │ ║ ║ ds:0000 CD 20 FF 9F 00 9A F0 FE ═ ƒ Ü≡■ │ │ ║ ║ ds:0008 1D F0 E0 01 7F 36 AA 01 ≡α6¬ ├────────────┴───╢ ║ ds:0010 7F 36 7C 02 8C 30 5D 22 6|î0]" │ ss:3FFE 68EE ║ ║ ds:0018 01 01 01 00 02 FF FF FF │ ss:3FFC01EA ║ ╚═════════════════════════════════════════════╧═══════════════─┘ Press F4 at location cs:015d, and press F7. That's it. You have now unpacked the test program. If you have done it right your TD showes something like this : ╔═[■]═CPU 80486═══════════════════════════════╤═══════1═[][]═╗ ║ cs:01EA9A00009569 call 6995:0000 ax 0000 │c=0║ ║ cs:01EF 9A0D003369 call 6933:000D ■ bx 0000 │z=1║ ║ cs:01F4 55 push bp ▒ cx 0000 │s=0║ ║ cs:01F5 89E5 mov bp,sp ▒ dx 0000 │o=0║ ║ cs:01F7 B80001 mov ax,0100 ▒ si 0000 │p=1║ ║ cs:01FA 9ACD029569 call 6995:02CD ▒ di 0000 │a=0║ ║ cs:01FF 81EC0001 sub sp,0100 ▒ bp 0000 │i=1║ ║ cs:0203 9ACC013369 call 6933:01CC ▒ sp 4000 │d=0║ ║ cs:0208 BF5200 mov di,0052 ▒ ds 68DE │ ║ ║ cs:020B 1E push ds ▒ es 68DE │ ║ ║ cs:020C 57 push di ▒ ss 6A98 │ ║ ║ cs:020D 8DBE00FF lea di,[bp-0100] ▒ cs 68EE │ ║ ║ cs:0211 16 push ss ip 01EA │ ║ ╟■▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒┤ │ ║ ║ ds:0000 CD 20 FF 9F 00 9A F0 FE ═ ƒ Ü≡■ │ │ ║ ║ ds:0008 1D F0 E0 01 7F 36 AA 01 ≡α6¬ ├────────────┴───╢ ║ ds:0010 7F 36 7C 02 8C 30 5D 22 6|î0]" │ ss:4002 0000 ║ ║ ds:0018 01 01 01 00 02 FF FF FF │ ss:40000000 ║ ╚═════════════════════════════════════════════╧═══════════════─┘ As you can see there is 2 far calls. Those are direct calls. It means that it will make a call to a certain location in memory. If we dump the memory used by the test program, we will have a image of the memory. But this is not enough to make a new exe file. This is because a exefile is not just an image of the memory, like a com file is. So what we need is a second dump from a different memory location. This is because of the direct call's. By comparing the two dump files, we can find the relocation needed to build a new exe file. The information like min/max memory usage is taken from the original exe file. But let's get back to the tutorial. Remember the value of SP, DS, ES, SS, CS and IP. Press the two shift keys, and enter the values in there corresponding location in [2]. You will probably notice that there is no field for ES, this is because that the initial value of ES points to the PSP, so write the value of ES at the PSP field. It is time to tell DumpExe the size of the memory block that we want to dump. Use TAB until you get to [4]. Press enter at 'Autodetect size'. There are two ways of getting the size. One is by using the stack, the other is 'by PSP'. The one that you should use (99 % of the times) is 'by stack'. Press S, and the size have been put into size field. Press enter at 'Autodetect name', and the name have been put into the name field. Now it's time to dump memory. This is done by pressing enter at 'Dump exe-code'. It will probably do it so fast that you won't notice that a process message will appear. Press ESC and press F9 in TD. The program has now terminated, and it's time to allocate a 4KB memory block. Start DumpExe again, and press enter at 'Allocate 4Kb'. The menu will change to Deallocate 4Kb. Press ESC, and reload our program by pressing F2. Start debuging like you did the first time. When you have reached the first instruction of the original code, enter all information like CS, SS.... in [3]. To make this this easyer, there is a 'Auto-Config' botton. It will set up all values in [3] by using the those you have entered in [2]. Dump the code, and we are almost done. Again terminate your program, by pressing F9 in TD. Start DumpExe again, and press enter at 'Deallocate 4Kb'. Exit your debugger. Run the MakeExe program with parameteres : First dump, second dump, original exefile, new filename. or like this : MAKEEXE.EXE unpackme.1 unpackme.2 unpackme.exe unpacked.exe The MakeExe program compares the two memory dump and builds a new exe file of the information found in the original exe files exeheader. After MakeExe has build a new exe file, the screen would look like this : Exe-maker v1.2 CARDWARE 1995 by BUGSY of OBSESSiON Read exeinfo : ooo Make new exefile. Make temp file. Process dump files : o Number of relocation : 004Bh Add zero code : oooo Size of EXE-header : 00170h Write code : o Write new exeheader. All done ! If the message 'End of valid code detected at ...' shows up, just press 'N' This message means that MakeExe has detected, that the two dumps does not contain valid code/data anymore. Normally one would answer 'No', to whether MakeExe should continue or not. If you answer 'yes', the current position would be concidered as a relocation in the exe header. But in special cases, where the unpacked exe file is smallere than the packed, one should say yes. Even if MakeExe ask more that one time. But as I said, only in special cases. I think this would be enough for you to continue on your own. If you have any questions about the use of these programs, feel free to contact me. You can get in touch with me by : Writing a letter to : Benjamin Petersen Nybrovej 304, F-48 DK-2800 Lyngby Denmark E-Mail me at : ben@ktas.dk Call me at : +45 45 974-348 [BUGSY/OBSESSiON] ■ Greetings My greetings goes to (no order) : Spawn/OBSESSiON : Thanks for the menu system in this production! Darkman/VLAD : Thanks for your help about TSR detection. Ping (pingelingelater) : Thanks for proofreading this documentation. Sheap/s!p : Are you reading those Asm books I gave you ? Motion Man/DOM : Thanks for a nice ratio. HiTech : Never put a bug into a bottle of coca cola! Zteel/Difussion : Go nuke that SD.... Bionic/ECR/STH : Nice txt in 'UD OG SE MED DSB'..... Zero God : Still working on that Delta sound packer ? Jazz : Sorry, but I'd quit smoking. NOOOOT! Sketz/Silente PC : No more logos for 'the top BBS', sad... Drake/DOM : Thanks for the Soft-Ice tip! and all I did'nt remember : Sorry, kill us in our next life. A great welcome to our two new musicians : Fading Nimbus and Unison. Keep up the good work guys, you have really proofed yourselfs.