Dumping/Unpacking???
pupp
December 18th, 2000, 23:45
Hi
Can someone tell me what the difference is between dumping and unpacking?
If I unpack a program with Shrinker 1.6 I can open the program, but when I push the register button the computer crashes. When I dump it with ProcDump and press on the program, SoftICE pops up and the computer locks up :-(
TIA
pupp
CrackZ
December 19th, 2000, 14:17
Hiya,
This is my somewhat subjective view, so don't take it as the only one ;-). I've always distinguished unpacking and dumping by the level of involvement (and, to a certain extent, knowledge) required of the user.
As far as I'm concerned, virtually anyone can 'dump' a program from memory using tools such as ProcDump, IceDump or TRW2000's /PEDUMP etc. (and very good these tools are too). Yet, as the authors of these tools will probably tell you, this is no substitute for doing your PE homework ;-).
'Unpacking' I always interpreted as 'manual' (keyword) unpacking of a packed file, i.e. you trace the unpacker code, you dump the various sections, fix the import table, etc. The definition isn't the best, since running any unpacker is by default 'unpacking', yet I think this is the majority view.
Dare I also say that learning to unpack by hand yourself is much more useful than blindly using tools ;-). The authors of these things just can't (sadly) keep up with the never-ending latest versions of these packers, and NT compatibility also seems to be a serious problem, although with some work you can make your tools work for you ;-).
My 2c and some.
Regards
CrackZ.
pupp
December 19th, 2000, 22:14
Thanks CrackZ
The Owl
December 24th, 2000, 06:43
My 2 centimes ;-)
I think history starts some 15 or so years ago with MS-DOS and the first .com encryptors (packers came later on the scene, although for our purposes they're almost the same). Back then, recreating a working executable (.com) amounted to tracing to the original entry point (which, as we know, is always at cs:100) and then dumping (writing out) the memory content of CS to disk (plus trimming its size to the original, if one was able to determine it). At this point dumping and unpacking pretty much meant the same thing, even when the 'scene' moved to the MZ type .exe encryptors/compressors; besides dumping, one had to fix relocations only and got a working executable.
With the advent of Windows and its NE and PE type executables the picture became more complex. It was no longer enough to simply dump memory content to disk; one had to reconstruct the internal structures of these files as well (since they have a complex one, unlike .com or the simple MZ .exe). I think it is at this point that people (skilled in the 'art' ;-) started to make the distinction between a 'simple' memory dump and 'full' unpacking (reconstruction).
I'd also say that the tools one uses (or not) for either purpose do not make the difference between the two. Speaking for myself, I'm more than happy that I no longer have to manually trace wrappers in order to find the original entry point, yet I still consider the whole process more as unpacking than dumping (well, it also depends on what I do at the OEP, /dump or /pedump ;-). In other words, without having learned to do it the hard way as well, one will always be a mere user (and at times even victim ;-) of said tools, regardless of what they were meant to do.
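The distinction drawn above between a 'simple' memory dump and a reconstructed file, shown on a constructed PE as an added example (not code from the thread or from any of the tools named in it). The sample image is laid out as a process would see it, with a section header that still carries the on-disk raw offset; it deliberately has no optional header (SizeOfOptionalHeader = 0), so the point is the section-table fix-up an analyst performs on a dump, not a loadable binary.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_LEN = struct.calcsize(SECTION_HDR)

def section_table(image: bytes):
    """Locate the section table in a PE buffer; returns (offset, count)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    return e_lfanew + 24 + opt_size, count

def read_section(image: bytes, name: bytes) -> bytes:
    """Read a section the way any PE parser would: through PointerToRawData/SizeOfRawData."""
    off, count = section_table(image)
    for i in range(count):
        f = struct.unpack_from(SECTION_HDR, image, off + i * SECTION_LEN)
        if f[0].rstrip(b"\0") == name:
            return image[f[4]:f[4] + f[3]]
    raise KeyError(name)

def rebuild_section_table(dump: bytes) -> bytes:
    """Reconstruction step for a raw memory dump: in memory the bytes live at the
    VirtualAddress, so make the raw offset/size describe that layout."""
    buf = bytearray(dump)
    off, count = section_table(dump)
    for i in range(count):
        pos = off + i * SECTION_LEN
        f = list(struct.unpack_from(SECTION_HDR, dump, pos))
        f[3], f[4] = f[1], f[2]   # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        struct.pack_into(SECTION_HDR, buf, pos, *f)
    return bytes(buf)

def constructed_dump() -> bytes:
    """Constructed sample: memory image of a one-section PE whose header still
    says .text sits at file offset 0x200 (where it was on disk), not at VA 0x1000."""
    hdr = bytearray(0x1000)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)             # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", hdr, 0x94, 0)                     # no optional header (simplification)
    struct.pack_into(SECTION_HDR, hdr, 0x98, b".text", 0x10, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)
    code = b"\x55\x8b\xec" + b"\x90" * 13                    # 16 constructed code bytes at VA 0x1000
    return bytes(hdr) + code + b"\0" * (0x1000 - len(code))
```

Reading .text straight from the dump returns the zero bytes that happen to sit at the stale file offset; after the fix-up the same read returns the code, which is the difference between having the bytes on disk and having a file whose structures describe them.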