──────────────────────────────────────────────────────────────────────────────
                               P R O C D U M P
──────────────────────────────────────────────────────────────────────────────
ProcDump version 1.5 (C) G-RoM, Lorian & Stone in 1998, 1999
──────────────────────────────────────────────────────────────────────────────
If you expect to print this dox, I suggest you use TERMINAL font with a
height of 9.
Summary
───────
License agreement
Purpose
Disclaimer
Requirements
ProcDump Configuration
ProcDump Integrated Process monitor/dumper
ProcDump integrated PE editor
ProcDump PE/RAW external dump autofix
ProcDump unpacker/decryptor
ProcDump Bhrama server
Limitations
Credits
Greetings
License agreement:
──────────────────
ProcDump32 is (C) G-RoM, Lorian & Stone 1998, 1999.
Plugins are copyrighted by their authors.
You are allowed to use it freely for personal use. Commercial use
REQUIRES that you first contact us to obtain a license. Use in warez releases
implies that YOU MUST state clearly that you used ProcDump32 & its plugins.
It is too easy to use it and then claim that you did it by hand. If
you disagree with this... delete ProcDump32 and write your own code.
Please notice that abuse of this license may mean that public
distribution will be LIMITED OR EVEN STOPPED. We don't think credit is too
much to ask.
Contact information :
G-RoM  : g-rom@innocent.com
Lorian : lorian@gmx.net
Stone  : stone@miramax.cbs.dk
Purpose :
─────────
ProcDump is a brand new type of tool that allows you to dump and unpack
some protected PE files without any need for a debugger.
What ProcDump can do :
■ Dump any 32-bit running process/module using the CodeShot engine.
■ The Phoenix engine can restore the import table & the PE header.
■ The Phoenix engine can re-optimize a PE file or a dump made with CodeShot.
■ The Shiva engine can start & unpack a given PE file (at least it tries !!).
  With the help of the script language, you can unpack well-known packers in
  a few seconds and teach ProcDump how to unpack the others.
■ Alter a given file's PE header, kill some objects (sections) physically.
■ The Bhrama server can wait for a client to send a PID to dump : the client
  tells ProcDump when it is the right moment to dump ;).
Disclaimer :
────────────
We, the authors, are *NOT* responsible for any damage caused by the use of
ProcDump. It was tested with success under Windows 95, 98 and NT 4 & 5.0.
┌─ CAUTION ──────────────────────────────────────────────────────────────────┐
│ PROCDUMP32 is a tool that helps people who want to unpack/decrypt PE files.│
│ PLEASE NOTICE THAT IT IS NOT REALLY INTENDED FOR REAL BEGINNERS. If you    │
│ are such a person, I recommend that you read the whole DOCUMENTATION       │
│ CAREFULLY and use ONLY the DUMPER & UNPACKER with default OPTIONS.         │
└────────────────────────────────────────────────────────────────────────────┘
Requirements :
──────────────
This program works fine under :
■ Windows 95
■ Windows 98
■ Windows NT 5.0
■ Windows NT 4.0, with restrictions.
A good brain and some knowledge of the PE format and of PE protection layers
are required if you expect to exploit ProcDump to its full power.
ProcDump Configuration :
────────────────────────
Rebuilder options :
■ Recompute object size (DEFAULT ON)
  This option tells ProcDump to use each section's Virtual Size as its
  physical (raw) size. This is necessary for PACKED PEs, because the unpacked
  size of a section is bigger than the packed one. You can unselect this
  option if you are planning to work against a cryptor.
■ Optimize PE structure (DEFAULT ON)
  This option optimizes the PE structure according to the object (section)
  table so as to reduce the size of the written PE file. If you unselect this
  option, the PE file will take more space on disk.
■ Check Header Sections (DEFAULT OFF)
  This option checks whether the PE header contains a non-paged area. If one
  is found, the problem is corrected.
■ Rebuild header (DEFAULT OFF)
  This option forces reconstruction of the PE header section. This is useful
  if the protector clears parts of the PE header.
■ Import rebuilder method :
  * No rebuild
    Doesn't try at all to locate the import section; leaves the related
    import information untouched.
  * Use import information (DEFAULT)
    Reads the actual import information and uses it to recreate a valid
    import table.
  * Rebuild import table
    Detects the import table using heuristic criteria and fixes up the import
    table if found.
  * Full import rebuild
    Detects the import table, generates a new import section, and generates
    the import function names & ordinals. There is a BIG chance that the
    generated PE runs perfectly ;). In order to be 100% perfect, RUN
    PROCDUMP32 FROM THE TARGET DIRECTORY in this specific mode.
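The "Recompute object size" option above amounts to rewriting the dump's section table so that each section's raw offset and size equal its virtual ones, which is what makes a memory dump loadable again as a file. The following is an added example written for this edit, not ProcDump's own code, that performs that rewrite on a constructed mini dump and also shows the option switched off. The helper names, the choice of setting FileAlignment equal to SectionAlignment, and the sample section layout are assumptions of the example.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
SECTION_LEN = struct.calcsize(SECTION_FMT)

def _headers(image):
    """Return (optional header offset, section table offset, section count)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count, = struct.unpack_from("<H", image, e_lfanew + 6)     # NumberOfSections
    opt_len, = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    return e_lfanew + 24, e_lfanew + 24 + opt_len, count

def sections(image):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    _, table, count = _headers(image)
    rows = [struct.unpack_from(SECTION_FMT, image, table + i * SECTION_LEN) for i in range(count)]
    return [(f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]) for f in rows]

def size_of_image(image):
    return struct.unpack_from("<I", image, _headers(image)[0] + 56)[0]

def fix_dump(image, recompute_size=True):
    """Make the file layout of a dump match its in-memory layout:
    PointerToRawData := VirtualAddress and, with recompute_size (the
    'Recompute object size' option), SizeOfRawData := VirtualSize.
    FileAlignment is set to SectionAlignment and SizeOfImage is recomputed."""
    buf = bytearray(image)
    opt, table, count = _headers(buf)
    sect_align, = struct.unpack_from("<I", buf, opt + 32)
    struct.pack_into("<I", buf, opt + 36, sect_align)           # FileAlignment
    end = 0
    for i in range(count):
        pos = table + i * SECTION_LEN
        f = list(struct.unpack_from(SECTION_FMT, buf, pos))
        f[4] = f[2]                                             # PointerToRawData
        if recompute_size:
            f[3] = f[1]                                         # SizeOfRawData
        struct.pack_into(SECTION_FMT, buf, pos, *f)
        end = max(end, f[4] + f[3])
    buf.extend(bytes(max(0, end - len(buf))))      # short dump: pad so raw ranges fit
    struct.pack_into("<I", buf, opt + 56, -(-end // sect_align) * sect_align)  # SizeOfImage
    return bytes(buf)

def build_dump(length=0x3400):
    """Constructed mini dump (not a real binary): '.text' at RVA 0x1000 has
    VirtualSize 0x1800 but a packed SizeOfRawData of 0x400; '.data' at 0x3000."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)             # SizeOfImage/SizeOfHeaders
    text = struct.pack(SECTION_FMT, b".text", 0x1800, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x600, 0x3000, 0x200, 0x800, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + file_hdr + opt + text + data
    img = bytearray(length); img[:len(hdr)] = hdr               # rest stays zero-filled
    return bytes(img)
```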
Unpacker options :
■ Predump method :
  * Use external predump
    You will need to supply a PE/DUMP file with a valid import table. The
    import information will be stamped into the generated PE.
  * Predump (DEFAULT, with delay 0)
    ProcDump will do the predump itself to obtain the valid import table.
    There are 2 methods :
    1) After user input (delay 0).
    2) After a given delay (delay > 0, in HEX).
■ EIP confirmation (DEFAULT OFF)
  When ProcDump reaches the original CODE, it can prompt you to confirm
  whether you think the entry point is right or not.
■ Layer confirmation (DEFAULT OFF)
  Once you have validated the entry point, you can also state that there was
  more than one protection layer. Generally, you may leave this option
  unchecked.
■ Ignore Faults (DEFAULT OFF)
  When a breakpoint/fault occurs, ProcDump32 normally handles the exception
  (a breakpoint most of the time, because some protectors relocate their
  code). But sometimes this is a source of problems : some applications
  indeed raise faults on purpose to do some special work. With this option
  set, ProcDump32 will simply ignore exceptions that it did not cause itself.
  Applications that raise faults on purpose will run normally this way ;).
■ Trace API (DEFAULT OFF)
  Activates the trace in Ring 0 mode.
PE/Raw loader options :
■ Force raw mode (DEFAULT OFF)
  This forces ProcDump to treat the input file of the REBUILD tool as a dump
  file. Use this only if ProcDump crashes when you try to supply a PE file.
■ Merge code section (DEFAULT OFF)
  The REBUILT file will have the whole image in a single section. Can be
  useful to analyze some PE loaders.
ProcDump Integrated Process monitor/dumper :
────────────────────────────────────────────
The monitor shows you, in two arrays, the tasks currently running on your
system. When you select a task, the list of modules attached to this task is
shown in the 2nd array. The arrays have contextual menus.
■ Full Dumper
  The task or module is saved to disk using the name you give. The dumped
  file is reorganized and fixed.
  1) Just select a task or a module in the arrays.
  2) Right-click.
  3) Select "Dump (Full)".
  4) Select the name of the dump.
■ Partial dumper
  The task or module is saved to disk in RAW format : NO fixups are applied.
  1) Just select a task or a module in the arrays.
  2) Right-click.
  3) Select "Dump (Partial)".
  4) Choose the range you wish to dump by editing the Start & Length fields.
  5) Select the name of the dump.
Warning !! I do not recommend that you dump :
■ The ProcDump process itself (import trashed anyway).
■ The Kernel32.dll process (Access Violation, System Kill).
■ Any other system process (Access Violation).
It may result in some obvious crash... You were warned.
■ Kill task
  Allows you to remove a task from your system.
  1) Just select the task you wish to kill.
  2) Hit OK if you are sure.
  WARNING !! Killing KERNEL32.DLL or another system component is equal to a
  system CRASH !!
■ Process Information
  Will show you the PE information related to the selected process, such as :
  ■ Entrypoint.
  ■ Image size.
  ■ Image base.
  ■ PE directory RVA & Size.
  ■ PE section information.
  You can save a section to disk too.
■ Refresh list
  This option refreshes the task & module lists.
ProcDump integrated PE editor :
───────────────────────────────
The PE editor allows you to edit an existing PE file and to modify :
■ Entrypoint.
■ Image size.
■ Image base.
■ PE directory RVA & Size.
■ PE section information.
■ Save a section to disk.
■ Load a section from disk.
You need to supply the file to edit.
■ To change Entry point, Image Base, Image Size
  Just edit the appropriate field(s) and hit OK.
  Changes can be applied to the PE HEADER only, or can be used to rebuild a
  new PE file according to the PE info (e.g. if you removed a section, it
  will be wiped in the new PE ;).
■ To edit directory info
  1) Click on the Directory button.
  2) Edit the fields you need.
  3) Hit OK.
■ To alter section information
  1) Click on the Section button.
  2) Select a given section.
  3) Right-click.
  4) Select the appropriate action (EDIT or KILL).
  5) Hit OK.
Warning !! There is no backup made. All modifications apply as soon as you
hit OK on the PE header editor dialog box AND NOT on the sub-dialog !!
ProcDump PE/RAW external dump autofix :
───────────────────────────────────────
This allows you to fix an external dump or to optimize a given PE file.
Changes are made according to the OPTIONS [Rebuilder & Loader].
You just need to browse to your target ;).
ProcDump PE unpacker/decryptor :
────────────────────────────────
This module allows you to TRY to unpack/decrypt a PE file.
┌─ READ THIS FIRST ──────────────────────────────────────────────────────────┐
│ Preliminary thing you need to know : due to a weird reason (thanx to M$),  │
│ the rebuild of a valid PE file requires that the file is not launched      │
│ under the control of ProcDump32 itself. As a direct consequence, ProcDump32│
│ can't guess if your target is initialized and running :(. That's why we    │
│ have to predump, using user confirmation or after a given delay. The goal  │
│ of the predump is to grab a usable import section. So, if you wish to use  │
│ an external predump, that means that you fixed the import table by         │
│ yourself, or by using an existing import table, or any other way, BUT      │
│ with a valid import table.                                                 │
│                                                                            │
│ IE: you can say the external predump is the file you wish to unpack if     │
│     you are sure that the import section is the same (generally OK for     │
│     cryptors).                                                             │
└────────────────────────────────────────────────────────────────────────────┘
Method to unpack/decrypt (AutoPredump):
1) Click the Unpack button.
2) Choose the unpacker method : if you don't know the protector name, choose
   *unknown*.... but please notice that the processing WILL BE SLOW !!
┌─ Options ──────────────────────────────────────────────────────────────────┐
│ IF you check the User Conf. box, the options will be taken from your actual│
│ settings and no longer auto-adjusted to the specific packer/protector you  │
│ chose.                                                                     │
└────────────────────────────────────────────────────────────────────────────┘
3) Select the target.
4) Wait for the ProcDump request & look at the nifty output ;).
5) Select a name for the unpacked PE file.
6) The file is unpacked .... you should try it & pray ;)
Please note that you can cancel tracing at any moment.
I do not recommend that you :
■ Enable SoftICE/NTICE i3here. The unpacker would miss all breakpoints !!!!
■ Run SoftICE against a few nifty protectors that may detect it.
I noticed that unpacking under NT is not that easy because of some system
hooks on a few functions. I didn't check whether it was due to NTICE or
whether it's NT itself that hooks those APIs. However, if you run both systems
and unpacking is not working under NT, try under 9x.
Bhrama Server :
───────────────
Bhrama is a server that allows clients to instruct it when to dump a given
task. The allowed possibilities are :
■ Dump Service (1) :
  Bhrama will grab the entrypoint, the PID & the dump options. Then it will
  ask you for a filename to save the dump.
■ Partial Dump Service (2) :
  Bhrama will grab the PID & the dump options. Then it will ask you for a
  filename to save the dump.
On the Bhrama dialog box you will see two check boxes :
■ User conf. :
  ProcDump will ignore the uploaded options & will use instead the ones
  already defined in the Options dialog box. This option is useful if you use
  IceDump (C) The Owl and need a non-default option set.
■ AutoFix PE :
  If not checked, ProcDump will dump the task in RAW mode. No PE rebuilding
  will be done. This mode was intended for me to debug... but who knows ;).
For details about plugin/client code, check the Bhrama SDK.
ProcDump actual limitations :
─────────────────────────────
* What ProcDump can't do (yet ?):
■ Restore a working DATA section in dump mode.
■ Restore the REAL EIP in dump mode.
■ Restore packed relocs (several converters have to be coded).
■ Unpack a DLL (it's possible but... I need time ;)).
■ Dump a 16-bit process (DOS or Win16 applications => Size 0 in the array).
  -> for DOS apps, use SoftICE, cup386, TR or GTR.
  -> Win16 apps.... who cares about those ? ;)
To be done :
────────────
■ Protector/packer detector for auto unpacking (project)
■ Reloc table scanner & rebuilder (project)
■ Module unpacker (project)
■ Implement an API breakpoint system (project)
These points are in development... Any help would be appreciated.
Especially if you can code :
■ A reloc detector/rebuilder - I'm waiting even for ideas ;).
Credits :
─────────
Project Coordinator    : G-RoM
Ideas :
  Tracer engine (orig) : Stone
  Tracer enhancement   : G-RoM
  Tracer Ring 0 (W9X)  : Stone
  Tracer enhancement   : G-RoM with help of Hendr!x & The Owl !
  Tracer Ring 0 (WNT)  : Lorian
  Bhrama Server        : Stone
  Rebuilder            : G-RoM
  Low level fighter    : Stone :)
  Interface design     : Riz la+
Coding :
  Shiva engine         : G-RoM
  Shiva engine ][ (9x) : Stone with some additions from G-RoM.
  Shiva engine ][ (NT) : Lorian
  Bhrama engine        : Stone and G-RoM.
  Bhrama Client (asm)  : Stone with clean up & additions by G-RoM.
  Bhrama Client (C)    : CyndiG.
  CodeShot engine      : G-RoM
  Phoenix engine       : G-RoM
  Interface lame code  : G-RoM
Various :
  Artworks             : ZeCreator & Riz la+
  This lame dox        : G-RoM
How to Contact :
  G-RoM     : G-RoM@innocent.com
  Lorian    : lorian@gmx.net
  Stone     : Stone@miramax.cbs.dk
  Riz la+   : GOD@WINDOWS.GUI.ASM32.ELITE.CODER.COM
  ZeCreator : GOD@GRAPHICS.DESIGNER.COM
Please note that we don't mail ProcDump32. We can "eventually" answer an
unpacking problem. I say eventually because I already got mails from people
who didn't read the dox at all and asked stupid questions. I (G-RoM) won't
explain either how I designed the ProcDump32 engine. Don't ask for the source
code either : even if you saw Stone in the coding team, that doesn't mean all
his advanced work is for the PUBLIC. Moreover, MY CODE is not !! We spent too
much time on it to make it public ;).
MAJOR POINT : don't mail us to ask for TUTORS, we don't have the time to write
any. In the same spirit, don't contact us to ask HOW to write scripts.
Regardless of this, I can answer technical problems you may encounter with
PE format handling and unpacking/protecting. But I suggest you analyze the PE
format DOX fucking well before mailing us about such things. Unless you are
ready to pay for my technical assistance, in which case any stupid question
can be asked ;). [I doubt a company will contact me... but who knows].
=>
If (question==TOO_STUPID)  │ If (question=TOO_STUPID) │ cmp  question, TOO_STUPID
{                          │ then begin               │ jnz  reply
    NO_ANSWER();           │   NO_ANSWER;             │ call NO_ANSWER
    MOVE_TO_RECYCLE_BIN(); │   MOVE_TO_RECYCLE_BIN;   │ call MOVE_TO_RECYCLE_BIN
}                          │ end;                     │ call exitprocess, 0
                           │                          │ reply :
Greetings from G-RoM (packed version ;):
────────────────────────────────────────
Pedro     : Good work with all your releases ;) Keep on finding such holes ;).
NetWalker : Thanx for the dox & for the other infos. Good luck with ur actual
            stuff ;).
Bunter    : That fucking TimeZone pb suxxx !! Argghh !! Please move closer to
            Europe ;).
The Owl   : Dumper rulez !! I'll try to avoid making you update it too
            often :).
Iceman.ro : Thank you for ur support. I'll check a lot the Suspend & resume
            thread in IceDump ;).
Liu TaoTao: TRW rulez !!! Very good debugger ! Awesome piece of code !!!!
            Waiting with impatience for your next improvements ;).
Lorian    : Hummmm... really sad we haven't enough time to code all our ideas.
            Bah... We do what we can ;).
Stone     : Hummm... We are so busy we don't meet that often on IRC. Bah,
            each time we talk it's kinda interesting and even innovative ;).
            Keep on thinking/coding this way ;).
BeoWulf   : Nice work on PE. Keep on working on it... As always the major pb
            is the Time... Damn.
VTec      : Thanx for all ur reports... I code so many bugs ;).
Random    : Humm.. long time since I updated these greetings. What should I
            write ? Ah yes... Good luck with chicks ;)
Acpizer   : Continue ur work with the Win console and start to work on Ring 0
            hardware breakpoints ;). It will kick ass when it is done. Can
            u try to idle a bit less ?? ;).
Marquis   : Tssskk... no new PELock until this summer ? Oh, you are lazier or
            busier than I am ;). Anyway, good luck ;)
Jammer    : U were the precursor... Thanx for ur support ;)
J0B       : Deshrink rulez !! However try to fix the shrinker34 crap ;) Good
            luck !
Killa     : Nice GUI.... Never forget that NT has weird things & reactions ;).
            I may ask you one day how to do tooltips... if I can't find out ;).
Hendrix   : Thank you very much for the help !! I appreciated it a lot !!
Iceman.de : Good luck with your PECRYPTOR.... U will need much ;).
LordByte  : Shrinker 3.4 on ur crap can't be killed... really dunno why. I'll
            grab it and check... You are getting boring as a beta tester ;).
MrNop     : You are in suspend mode these days and u plan to resume in
            September : Are you sure that's good for you ? ;) Enjoy your
            holidays !!
Riz la+   : Interfaces in ASM32 rule like da hell !!! Your skill in this
            domain is fucking awesome... I may think about CatchNewTCB ;).
Ryder     : I hope it helped you quite a lot ;). If you find another cryptor,
            tell me.
Devil     : Keep on cracking with such Class ;).
Miramax   : Trainers Rulezzzzzz !!! Design too !! Hey, seems my virus is kinda
            under controllllllllllllllllllll................. (shit!!)
Protector
Coders    : I suggest that you really think about something nice & compatible.
            Never forget that we are under an unstable OS ;). Never forget too
            that if your code runs, it can be defeated/unpacked/decrypted. So
            I suggest you really think of the other side too... How would you
            do to unpack/decrypt ;).
BetaTeam  : Thanx for all the bug reports guys ! Without ur tests, ProcDump32
            would not be as efficient as it is.
hiho to   : #bs2000, #real
            Other groups I am in, groups I was in,
            NuMega Technologies (SoftICE owns !!),
            guys & girls I may know somewhere in the world ;).