shrinker problem ...


himanshu
08-19-2002, 03:22 PM
hi there,
I was trying to dump wisdec.exe, which is packed with Shrinker 3.4. Well, I changed the shrinker0 segment's characteristics to e0000020, loaded the exe with Symbol Loader and traced to the OEP (call [ebp-20], the Shrinker way of jumping to the OEP). But the problem is that when I dump the program, the dumped exe still contains the Shrinker segments; only the size of the exe increased from 250 to 608k.

Well, I tried using IceDump's /DUMP 400000 98000, /BHRAMA and plain ProcDump to dump the exe, but no luck. Can somebody please tell me what I am doing wrong.

----
exe=wisdec.exe,packed with shrinker 3.4
OEP=004560ec
base=400000
size of image=00098000
----

BTW, while dumping I found that really strange things were happening. When I ran wisdec.exe, I found that its Shrinker segments automatically disappeared and instead there were CODE and DATA segments. Really strange...

It was only later that I found it was due to SirCam ;) but now that I have got rid of it, I am still not able to cleanly dump it.

Anyone ... ????

DakienDX
08-19-2002, 07:41 PM
Hello himanshu !

I'm not familiar with Shrinker 3.4, but as far as I know it's a normal packer without anti-debugging code.

Since it's a packer, it packs a file and it's nothing special if a packed file is 250kb and the unpacked 650kb. ;)

You should find at first the place where the Import Section is unpacked in memory, but still original, and dump it to disk.
Then you should trace until the jump to the OEP (Call [EBP-20h] according to you) and freeze the program there. You can do it either with ICEDump (Win9X) or by placing a "JMP EIP" at the memory location and exiting SoftICE.
Now you can dump the process with ProcDump or similar, insert the previously dumped Import Section, change the OEP and fix the import pointer. (You remember what [EBP-20h] contained, do you?)
You can of course rename the Shrinker section names if you like, but that doesn't interact with the unpacked program's ability to run.
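As an added example (not code from either poster), the Python script below builds a constructed, header-only PE32 image using the numbers from the thread (base 400000, OEP 004560ec, size of image 98000; the section names "pack0" and ".data" and their layout are invented for the example) and then performs the header-side checks that the reply above implies: it locates the section the entry point falls in, lists sections that are both writable and executable (the e0000020 characteristics set in the first post, which a dumped image keeps unless its header is rebuilt), and rewrites AddressOfEntryPoint, the "change the OEP" step. The offsets used are those of the standard IMAGE_NT_HEADERS32 layout.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_image():
    """Constructed, header-only PE32 image (no real code bytes) mirroring the
    thread's numbers: ImageBase 0x400000, SizeOfImage 0x98000, entry point RVA
    0x560ec (OEP 0x4560ec). Section names are made up; 'pack0' stands in for
    the packer's stub section with characteristics 0xE0000020 (code, execute,
    read, write) as described in the first post."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x560EC)         # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    struct.pack_into("<I", opt, 56, 0x98000)         # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)           # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    sections = b"".join(
        struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, va, rawsize, rawptr, flags in (
            (b"pack0", 0x60000, 0x01000, 0x3D000, 0x00400, 0xE0000020),  # constructed
            (b".data", 0x36000, 0x61000, 0x01000, 0x3D400, 0xC0000040),  # constructed
        )
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_headers(data):
    """Return (entry_rva, image_base, size_of_image, sections) from a PE32
    image; sections is a list of dicts with the fields used below."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                              # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4],
            "flags": f[9],
        })
    return entry_rva, image_base, size_of_image, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def writable_executable(sections):
    """Names of sections that are both writable and executable: typical of a
    packer stub or of code unpacked in place, and a quick triage signal that a
    file was dumped from memory without rebuilding its section table."""
    want = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["flags"] & want == want]


def set_entry_point(data, new_va):
    """Return a copy of data with AddressOfEntryPoint set to new_va - ImageBase
    (the 'change the OEP' step after dumping). The input is left untouched."""
    _, image_base, _, _ = parse_headers(data)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    patched = bytearray(data)
    struct.pack_into("<I", patched, e_lfanew + 24 + 16, new_va - image_base)
    return bytes(patched)


if __name__ == "__main__":
    image = build_sample_image()
    entry, base, size, secs = parse_headers(image)
    print(f"entry {base + entry:#x} lies in section {section_for_rva(secs, entry)!r}")
    print("writable+executable sections:", writable_executable(secs))
```

Run it on a real dump by replacing build_sample_image() with the file's bytes; a section listed by writable_executable() whose range contains the entry point is exactly the situation the first post describes, and set_entry_point() is what a tool like ProcDump does when you change the OEP field.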