!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    FREELY REGISTER YOUR COPY AT MY HOMEPAGE: HOME.T-ONLINE.DE/HOME/ENOCH
                        OR SEND AN E-MAIL TO: hendrix_@gmx.net


                                   INDEX

  How to unpack COMs
    Unpacking
    Terminated to DOS
    Recognition of an unpacked COM
    Convert Dump to COM
  How to unpack EXEs
    Unpacking
    Terminated to DOS
    Unpacked?
    Recognition of an unpacked EXE
    Always make two Dumps
    Convert Dump to EXE


###############################################################################


 HOW TO UNPACK COMs
<==================>
note: some COMs are packed EXEs, so please have a look at the other chapter!

 Unpacking
quick unpacking:           get the /su-value from the list in OPTIONS.TXT!
         GTR /suX abc.com

watch the unpacking:
         GTR /suX /ru- /da+ abc.com

step through it:
         GTR /suX /ru- /da+ /tr+ abc.com

 Terminated to DOS
- You should save the dump, convert it to COM and see if it runs anyways!
- Decrease /su-value for less sensitivity! The Packer may not set up so many
  registers. Some packers set up only 3 registers!

 Recognition of an unpacked COM
- Must: CS=DS=ES=SS=PSP
- Must: SP is near FFFE
- Can : AX=BX=CX=DX=SI=DI=BP=0000 (see OPTIONS.TXT for any specific setups)
- Always have a look at the memory-dump!

 Convert Dump to COM
The utility DUMP2COM will help you extract the COM-file out of the dump.
Before executing the program, GTR filled all memory with $FFFF (65535 decimal).
A common method it is to search for many $FFFFs in a row to determine which
memory the program did not use (maximum extend of the program).
DUMP2COM will copy all bytes to the COM-file until a lot of $FFFFs are found:

                 DUMP2COM 4000 65535 abc.cod abcnew.com

This means when 4000 times $FFFF in a row are found the program declares
this the end of valid code. If you leave out the 65535, DUMP2COM will look
for an 4000-word-array of same value. Of course, if you choose a 'cut' value
far below 4000 it is possible that the program itself may contain some $FFFFs
in a row and the code will be cut on the middle of the program! I have also
experienced packers that fill the memory themselves with 0 to delete
themselves, so better use the generic-word-array method (no search value).


###############################################################################


 HOW TO UNPACK EXEs
<==================>
note: some EXEs are packed COMs, so please have a look at the other chapter!

 Unpacking
quick unpacking:           get the /su-value from the list in OPTIONS.TXT!
         GTR /suX abc.exe

watch the unpacking:
         GTR /suX /ru- /da+ abc.exe

step through it:
         GTR /suX /ru- /da+ /tr+ abc.exe

 Terminated to DOS
- Decrease /su-value for less sensitivity! The Packer may not set up so many
  registers. Some packers set up only 3 registers!

 Unpacked?
The entrypoint-detector will ask you to save. Use different /su-values!
The less the value, the more Requesters, but also the better Chance to
have an unpacked EXE. Have a look at the registers! If a register is printed
in red: this indicates that the value of the register is not set up for
executing a fresh program. Especially when SS or DS is printed in red, you
can assume that no unpacked code is present.

 RECOGNITION OF AN UNPACKED EXE
- Must: DS=ES=PSP
- Must: CS and SS are in range (not printed in red)
- Can : SP has a 'round' value (eg. 200h or 1FEh, but not 124h or even 123h)
- Can : AX=BX=CX=DX=SI=DI=BP=0000 (see OPTIONS.TXT for any specific setup)
- Always have a look at the memory-dump!

 ALWAYS MAKE TWO DUMPS
Rename the dump so it will not be overwritten by the next dump:

		Rename abc.EXD to abc.d1

Because GTR kept track of your actions, you can use the macro-file for
your next unpacking. Start GTR again with /mm+ (program will be higher in
memory, needful for computing the relocations) and /rm+ (Run Macro abc.EXC):

                GTR /suX ... /mm+ /rm+ abc.EXE

If the macro failed, unpack with the only the /mm+ option:

		GTR /suX ... /mm+ abc.EXE

Rename the dump and you will have the raw dumps abc.d1/2:

		Rename abc.EXD to abc.d2


 CONVERT DUMP TO EXE
          automatically:
Use STACKCUT on the two Dumps. Try the zero-Option first! If this does not
work, use without zero-Option. If the Dumps are cut too short, do not use this
Tool on the Dumps (then the stack is not at the end of the dump).

		STACKCUT abc.d1 abc.1 zero
		STACKCUT abc.d2 abc.2 zero

If STACKCUT fails, try using DUMPCUT:
This will look for an 10000 bytes big array of equal words and cut it there:

		DUMPCUT 10000 abc.d1 abc.1
		DUMPCUT 10000 abc.d2 abc.2

Use MAKEEXE to build new EXE (will look for the dumps abc.1 and abc.2):

		MAKEEXE abc.EXE abcnew.EXE

          by hand:
Use a HEX-Editor on the Dumps:
The Memory has been filled up with 0FFFFh, now it is your task to find (guess)
the end of the valid Code. Cut off the tailing 0FFFFh and make both Dumps
of equal length.

		COPY abc.d1 abc.1           (keep abc.d1 as backup!)
		HEXED abc.1
		COPY abc.d2 abc.2
		HEXED abc.2

Use MAKEEXE to build new EXE (will use abc.1 and abc.2):

		MAKEEXE abc.EXE abcnew.EXE

