--------------------Using EliCZ's Dumper for DOS executables--------------------


  Before using EliCZ's Dumper for DOS executables, save all documents and close
            all devices and applications that you don't need!

--------------------------------------------------------------------------------



PTU     = Program To Unpack
BPX     = BreakPoint on eXecute
BPMW?   = BreakPoint on Memory Write   
BPMA?   = BreakPoint on Memory Access
?=B,W,D = Byte, Word, Doubleword


0) Start machine 
1) Select Microsoft Windows from OS Loader menu
1a) Play your favourite MP3
1b) Start your favourite Windows game
2) Start FAR (Eugene Roshal)
2a) Edit AUTOEXEC.BAT and add ;C:\EliCZ\EDump to PATH
2b) Define File Association:  DOS executables
    Mask *.EXE,*.COM 
    View command C:\HIEW\HIEW.EXE !.!    (SEN, Hacker's View) 
    Edit command EDump-MZ.EXE !.!
2c) If you want, update EDump-MZ.exe and EDtup.exe to work with EDump-MZ.exf
3) Start PTU
   if Crashed then EndWork
   if YouDon'tHave AMD then LetItBe else Start F1-fix.exe 
4) Start PTU
   if Crashed then EndWork, LetItBe
5) EDtup.exe  
5a) Change Signum of EDump to your birthdate 
5b) SET EMPTY  to every field
6) Make sure PTU is on a writable medium and that its folder doesn't contain both
   PTU.COM and PTU.EXE
7) EDump-MZ PTU (cursor on PTU and press F4)
   if Crashed then EndWork, Eat 1000, GoTo 7  or LetItBe

EndWork:
   Press Control+Alt+Del
         Select Winoldap and press End Task
         Wait for Dialog (~20 seconds)
         End Task
         Run EDump-MZ (not from FAR) without parameters to recover the system

WhenCrash:
   * memory contains some patterns from previous protected programs --> 
     terminate FAR, run FAR 
   * file can't run under Windows 95 --> LetItBe
   * EDump was detected via INT 3 --> change Signum of EDump
   * EDump-MZ.exe was detected via memory (RAM, VRAM) content --> rename it,
     try to change some bytes in EDump-MZ.exe or ask me for the source
   * unknown cause --> LetItBe and let me know about it

--------------------------------------------------------------------------------

         EDumping protected .COM or .EXE_beginning_at_PSP+00010H:00H

0) EDtup.exe
0a) Estimate Dump size, Keep last 005H dumps (fewer or more, as you wish)
0b) SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
    SET EMPTY to every other field
    (sometimes it is useful to SET BPMBW ON  PSP+00010H:00H   BASE  PSP+00010H:00H)
0c) Apply
1) EDump-MZ  PTU
   Wait.. (play the game)
   if Crashed then EndWork, GoTo WhenCrash
2) EDview (green screen)
   SELECT Dump you like with LeftArrow or RightArrow
   Look at Dump content: PageUp,PageDown,Home,End,UpArrow,DownArrow
   Change Text/Hex View via F7, Change Full/Text View via F6
3) Selecting dump
3a) Selecting .COM
   PSP=CS=DS=ES=SS, IP=0100, SP>FFF5
   Press F3 (SaveCOM) to produce edumped.com
3b) Selecting .EXE
   PSP=DS=ES, CS=0000..0010, IP=0??0, (SP=???0)
   Press F4 (SaveEXE) to produce edumped.exe
   or
   Press F5 (SaveBIG) to produce edumped.exe when you got the "Images not
   compatible!" message or edumped.exe was too small
4) HIEW edumped.com or edumped.exe (Cursor on edumped.??? and press F3)
   and reduce file size 
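Added example (my own Python, not part of EDump or HIEW): step 4's truncation and header fix done programmatically. It assumes the dump carries a standard MZ header whose e_cparhdr gives the header size; the input file is constructed here so it runs offline.

```python
import struct

# Start of the MZ header: e_magic, e_cblp (bytes used in the last 512-byte page),
# e_cp (pages), e_crlc, e_cparhdr (header size in paragraphs), e_minalloc, e_maxalloc.
MZ_HEAD = "<2sHHHHHH"

def fix_mz_size(data: bytes, image_size: int) -> bytes:
    """Cut an EDumped .exe so the load image is exactly image_size bytes (the offset
    of the first byte after the original image, e.g. 3905H in the UpStop95 example)
    and rewrite e_cblp/e_cp to match. This is HIEW's F10 (Trunc) followed by
    F8/F3/F2 (Pages)/F9 (Update) done by hand."""
    magic, cblp, cp, crlc, cparhdr, minalloc, maxalloc = struct.unpack_from(MZ_HEAD, data)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    total = cparhdr * 16 + image_size            # header + wanted image bytes
    if total > len(data):
        raise ValueError("image_size is beyond the end of the dump")
    out = bytearray(data[:total])                 # F10 Trunc
    struct.pack_into("<HH", out, 2, total % 512, (total + 511) // 512)  # F2 Pages
    return bytes(out)

def mz_image_size(data: bytes) -> int:
    """Image length DOS will load according to e_cblp/e_cp, minus the header."""
    cblp, cp = struct.unpack_from("<HH", data, 2)
    cparhdr = struct.unpack_from("<H", data, 8)[0]
    file_len = cp * 512 - ((512 - cblp) if cblp else 0)
    return file_len - cparhdr * 16

def build_sample_dump() -> bytes:
    """Constructed stand-in for EDumped.exe: a 32-byte MZ header (e_cparhdr=2),
    3905H bytes of 'original' image ending in 0D 0A 1A, then 1500H bytes of
    leftover unpacker workspace that a full-size dump drags along."""
    hdr = struct.pack(MZ_HEAD, b"MZ", 0, 0, 0, 2, 0, 0xFFFF).ljust(32, b"\0")
    image = (b"\x90" * (0x3905 - 3)) + b"\x0d\x0a\x1a"
    return hdr + image + b"\xcc" * 0x1500

if __name__ == "__main__":
    fixed = fix_mz_size(build_sample_dump(), 0x3905)
    print(len(fixed), hex(mz_image_size(fixed)))   # 14629 0x3905
```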

--------
Example:  UpStop95 (Szaszi,UpStop.exe,19192) EDumpin'  (California Dreamin')

I)   EDtup: size 00FFB0H, keep last 00AH   
          SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET BPMBW ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET BPMBA ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H
          (default settings)
II)  EDump-MZ UpStop.exe
III) EDview:
     Dump contains texts, but IP,SP and other registers aren't pretty (this was
     UpStop analysing the command line) (This is Jack talking)
     LeftArrow (PrevDump)
     Dump contains texts, IP=0000,SP=???0, other registers=0000
      -> this must be the right dump
      press F4 (SaveEXE)
     EDumped.exe has size 20233 bytes
     HIEW Edumped.exe, Hex view, F8 (View header), F4 (Image), 
      Control+F5 (Base), Control+F5 once again (This) or enter *0,
       Estimate image end: 0D 0A 1A XX
        XX is at offset 00003905, which is the dump size
IV)  Reducing file size
     a) HIEW: cursor on XX, press F3 (Edit), press F10 (Trunc), press Y
        press F8 (View header), press F3 (Edit), press F2 (Pages),
        press F9 (Update), ren EDumped.exe UpStopU.exe, Enjoy
        (unpacked UpStop may not crypt properly!)
     better is:
     b) EDtup: size 003905H, keep last 001H   
          SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H
        EDump-MZ UpStop.exe, SaveEXE, ren EDumped.exe UpStopU.exe, Enjoy

     *) Determining the last byte of an original image (Advanced EDumping):
        EDtup: size 0?????H, keep last 0??H   
          SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET BPMBW ON  PSP+003A0H:04H   BASE  PSP+00010H:00H
          (bpmbw on the last byte which probably belongs to the original image,
          390H+10H:4)
        EDump-MZ UpStop.exe
        EDview: Locate BPX Dump which you've selected (above) and
          watch all PREVIOUS dumps: if the dump doesn't belong to BPX then
           if CS doesn't belong to command.com (or dos kernel)
            (usually when PSP_from_BPX == PSP_from_BPMW) then "remember" this
            dump  else size is probably smaller than estimated
        EDtup: size 0?????H, keep last 0??H   
          SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET BPMBW ON  PSP+003A0H:05H   BASE  PSP+00010H:00H
          (bpmbw on the first byte which probably doesn't belong to the original image)
        EDump-MZ UpStop.exe
        EDview: Locate BPX Dump which you've selected (above) and
          watch all PREVIOUS dumps: if there is a dump which doesn't belong to BPX
           or to command.com (or dos kernel) then the byte at image offset 3905H
           probably belongs to the original image else the original image size COULD
           be 3905H


--------------------------------------------------------------------------------

             EDumping protected  .EXE_beginning_at_PSP+0????H:0?H

0) EDtup.exe
0a) Estimate Dump size, Keep last 020H dumps (or fewer)
0b) SET  BPX  ON  PSP+00010H:00H   BASE  PSP+00010H:00H
    SET BPMBW ON  PSP+00010H:00H   BASE  PSP+00010H:00H
    SET BPMBA ON  PSP+00008H:00H   BASE  PSP+00010H:00H
    SET ????? ON  PSP+0????H:0?H   BASE  PSP+00010H:00H
   -select some memory location which PTU reads from or writes to
    (that's why the BPMBA is on CmdLine, PSP+00008H:00H = PSP:0080H)
   -you may also try:  
    SET  BPX  ON  I21+00000H:00H   BASE  PSP+00010H:00H 
    or
    SET  BPX  ON  I10+00000H:00H   BASE  PSP+00010H:00H 
0c) Apply
1) EDump-MZ  PTU
   Wait.. (be patient, play the game)
   if Crashed then EndWork, GoTo WhenCrash
2) EDview (green screen)
   SELECT Dump you like with LeftArrow or RightArrow
   Look at Dump content: PageUp,PageDown,Home,End,UpArrow,DownArrow
   Change Text/Hex View via F7, Change Full/Text View via F6
3) Selecting .EXE
   (SP=???0)
   Press F2 (SaveNOW) to produce edumped?.now  (you may do it on more dumps)
   Put down registers and Press F5 (SaveBIG) to produce edumped.exe
4) Analyzing dump
4a) Analyzing edumped?.now
    HIEW edumped?.now
    try to find EntryPoint of original program (experience) ....case a)
    try to find RETF, JMP FAR, JMP ????:???? instructions   ....case b)
    put down offset of instruction ..SSSSS
4aa) CCCC=SSSSS DIV 010H + 010H, I=SSSSS MOD 010H  (12345H -> 01244H : 05H)
     EDtup.exe
     SET  BPX  ON  PSP+0CCCCH:0IH   BASE  PSP+00010H:00H
     SET EMPTY to every other field
4ab) EDump-MZ PTU
     Wait..
     if Crashed then EndWork, GoTo WhenCrash
4ac) EDview (green screen)
     in case a) SaveEXE or SaveBIG and reduce file size of edumped.exe in HIEW
     in case b) GoTo 2

4b) Analyzing edumped.exe (from point 3)
    Turbo Debugger (Borland,TD.exe): TD edumped.exe
    (set up registers that you've put down)
    if the dump was selected for the BPMBA on CmdLine, you should
    see the accessing instruction above the current instruction
    try to trace it until you reach something like EntryPoint
    TD:   cs:ip    lodsb         ; it was accessing instruction (SI=80H)
             ip+1  or  al,al     ; you are here
                   ....
                   retf          ; trace 

          EntryPoint:
                   CALL  AAAA:BBBB
                   CALL  CCCC:DDDD  ; it was call to procedure which analyzed
                                    ; command line
            FromRet:
                   .....         ; you are here 

    SSSSS = (EntryPointCS-PSP) * 010H + EntryPointIP
    GoTo 4aa)

--------
Example:  HackStop 1.18b80 (ROSE,hs386.exe,21238) EDumpin'

I) EDtup: (default settings)
II)  EDump-MZ hs386.exe
III) EDview:
     Dump contains texts, but SP and other registers aren't pretty
     LeftArrow (PrevDump)
     Dump contains texts, registers same as above
     with LeftArrow (PrevDump) select the dump with the highest # where no texts
     are present yet (IP=019C) (the image was still being reconstructed)
     Press F5(SaveBIG)
     EDumped.exe has size about 655?? bytes
IV)  Analysing in Turbo Debugger: TD edumped.exe
      IP points to push bx; look above: stosw (the first Word of the original
     image was reconstructed by this instruction)
      Follow execution (use Control+F on jumps) and you'll find:
     21F jmp  cs:far [bp+0F89]  - hm.. BP is needed, press Control+N on this
     instruction, go to the registers window on the eax register, enter (cs-es)*10+IP,
      SSSSS=eax=0758F (-> 758:F), leave TD
      EDtup:
          SET  BPX  ON  PSP+00758H:0FH   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H
      EDump-MZ hs386.exe
      EDview: put down BP (F1E8), SaveBIG
      TD edumped.exe , update BP register, trace until you reach retf
       1x trace , you are now on instruction:
       (sp=0400)
       mov  ax,WXYZ
       mov  ds,ax
       ... it looks like the original program's beginning
      SSSSS=03007, segment ordering is code,data,stack so estimate the original
       image size via the stack (es holds the PSP) ..
      dump size = (ss-es-10H)*10H  = 007200H
      EDtup:  set dump size
          SET  BPX  ON  PSP+00300H:07H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00010H:00H
          SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H
      EDump-MZ hs386.exe, SaveEXE, ren EDumped.exe hs386U.exe, Enjoy

     *) Determine_last_byte analysis gives size = 007270H
        (autopatching loop in future stack)

--------------------------------------------------------------------------------

         EDumping protected  .COM or .EXE_beginning_at_PSP+0????H:0?H
                                with PSPShift

    you're trying to unpack  c:\files\filexx.exe
-1) If you have the protector with which the file was protected:
    COPY  Start.exe          c:\files\start0.exe
    filename and path must have the same length
    COPY  Start.exe          c:\files\start1.exe
    protector  start1.exe
    run  c:\files\start0.exe (with specified path) , put down  CS  .. oCS
    run  c:\files\start1.exe (with specified path) , put down  CS  .. nCS
    PPPP=nCS-oCS+010H   ; it depends on path and filename length

Try normal EDumping of an .EXE (above)
if it was not successful:

0) EDtup.exe
0a) Estimate Dump size, Keep last 020H dumps (or less)
0b) SET  BPX  ON  PSP+0PPPPH:00H   BASE  PSP+0PPPPH:00H
    SET BPMBW ON  PSP+0PPPPH:00H   BASE  PSP+0PPPPH:00H
    SET BPMBA ON  PSP+00008H:00H   BASE  PSP+0PPPPH:00H
    SET ????? ON  PSP+0????H:0?H   BASE  PSP+0PPPPH:00H
   -select some memory location which PTU reads from or writes to
    (that's why I use BPMBA on CmdLine, PSP+00008H:00H = PSP:0080H)
   -you may also try:  
    SET  BPX  ON  I21+00000H:00H   BASE  PSP+0PPPPH:00H 
    or
    SET  BPX  ON  I10+00000H:00H   BASE  PSP+0PPPPH:00H 
   -you may also try  BASE PSP+00010H and then use SaveBIG
0c) Apply
1) EDump-MZ  c:\files\filexx.exe  (with specified path) 
   Wait.. (be patient, play the game)
   if Crashed then EndWork, GoTo WhenCrash
 GoTo  2)
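Added example (my own Python, not part of EDump or EDtup): the address arithmetic of steps 4aa/4b in the previous section and of the PSPShift steps -1)/0b) here, rendered in EDtup's own notation; the PSP and register values used in the demo are constructed.

```python
IMAGE_PARA = 0x10        # an .EXE image starts at PSP+0010H (the BASE used throughout)

def split_linear(sssss: int) -> tuple:
    """Step 4aa: a PSP-relative byte offset SSSSS -> (CCCC, I) for an EDtup field."""
    return divmod(sssss, 0x10)

def bpx_from_dump_offset(offset: int) -> tuple:
    """Step 4a/4aa: an offset found in edumped?.now is measured from the image start
    (PSP+10H), so 10H paragraphs are added: 12345H -> 01244H:05H."""
    seg, off = split_linear(offset)
    return seg + IMAGE_PARA, off

def linear_from_far(cs: int, ip: int, psp: int) -> int:
    """Step 4b / HackStop example: SSSSS = (CS-PSP)*10H + IP is already PSP-relative,
    so it is split without the extra 10H (0758FH -> 758:F)."""
    return (cs - psp) * 0x10 + ip

def dump_size_from_stack(ss: int, psp: int) -> int:
    """HackStop example: with code,data,stack ordering the image ends where the
    stack segment begins: (SS-PSP-10H)*10H."""
    return (ss - psp - IMAGE_PARA) * 0x10

def psp_shift(o_cs: int, n_cs: int, ip: int) -> tuple:
    """Steps -1)/III): PPPP = nCS-oCS+10H (shifted image start) and KLMNO = PPPP*10H+IP,
    returned as (PPPP, KLMN, O) ready for the BPX and BASE fields."""
    pppp = n_cs - o_cs + IMAGE_PARA
    klmn, o = split_linear(pppp * 0x10 + ip)
    return pppp, klmn, o

def edtup_line(kind: str, seg: int, off: int, base_seg: int) -> str:
    """Render one EDtup field exactly as this text writes it."""
    return f"SET {kind:^5} ON  PSP+{seg:05X}H:{off:02X}H   BASE  PSP+{base_seg:05X}H:00H"

if __name__ == "__main__":
    psp = 0x1A2B                                   # constructed PSP segment
    # HackStop: TD showed cs-es = 758H, ip = 0FH (es held the PSP)
    s = linear_from_far(psp + 0x758, 0xF, psp)
    print(edtup_line("BPX", *split_linear(s), IMAGE_PARA))
    # constructed FSE-style pair of runs: sCS-tCS = 65H, IP = 103H -> PSPShift 75H
    pppp, klmn, o = psp_shift(0x1234, 0x1299, 0x103)
    print(edtup_line("BPX", klmn, o, pppp))
```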

--------
Example:  Start.exe protected with CryEXE 4.0 (Iosco)

-    COPY Start.exe C:\TEMP
-    CryEXE Start.exe
-    ren Crypted.exe Stars.exe      ;the same file name length

I)   C:\TEMP\START.EXE              ;path presence is crucial
      put down tCS
II)  C:\TEMP\STARS.EXE              ;path presence is crucial
      put down sCS, IP

III) PPPP=(sCS-tCS+10H), KLMNO=(sCS-tCS+10H)*10H + IP   ;for CryEXE the PSPShift is
      about 18??H

IV)  EDtup:
      SET  BPX  ON  PSP+0KLMNH:0OH   BASE  PSP+0PPPPH:00H
      SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00000H:00H
      SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00000H:00H
      SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H

V)   EDump-MZ C:\TEMP\STARS.EXE      ;path presence is crucial
VI)  EDview:
      Press F4 (SaveEXE) to produce EDumped.exe

--------
Example:  Start.exe protected with FSE V0.6+ (ZeNiX)

    BTW:  Here the PSPShift is artificial (I think it's not compatible with
          some memory operations; apply FSE to an LZEXEd file)

-    USE  EDump-MZ.exf  module

-    FSE  Start.exe Stars.exe   ;file name lengths must be equal

I)   START.EXE                  ;path not needed
      put down tCS
II)  STARS.EXE                  ;path not needed
      put down sCS, IP

III) PPPP=(sCS-tCS+10H), KLMNO=(sCS-tCS+10H)*10H + IP   ;for FSE V0.6+ the
     PSPShift is always 00075H

IV)  EDtup:
      SET  BPX  ON  PSP+0KLMNH:0OH   BASE  PSP+0PPPPH:00H
      SET EMPTY ON  PSP+00010H:00H   BASE  PSP+00000H:00H
      SET EMPTY ON  PSP+00008H:00H   BASE  PSP+00000H:00H
      SET EMPTY ON  ABS+00000H:00H   BASE  ABS+00000H:00H

V)   EDump-MZ STARS.EXE         ;path not needed
VI)  EDview:
      Press F4 (SaveEXE) to produce EDumped.exe

--------------------------------------------------------------------------------

   The result of your job should be the BPX address (plus BPM if needed) and the file size

--------------------------------------------------------------------------------
                                Known Anomalies

Last dump is sometimes missing when edumping crackstopped files, so repeat the
 dumping procedure until you succeed.  (Probably a bug in EDump)

AMD K6+: list of files that you shouldn't try to edump (because of EliCZ's Effect):
 crackstop.exe, fse.exe (versions below 0.6+), unpackme.exe (from UpStop95),
 erp.exe, ds-crped .COMs will show SP=0000 (because of pop ax) instead of
 SP=FFFE, ...


-END of Trainspotting.txt-------------------------------------------------------

Addendum: You can EDump executables which cannot run in Win9x by running Emu4W9x
from 9xEDK. Then you can unpack, for example, Gardian Angel, Mask, ...
