Get PE Loader - By Net Walker!
Version 1.1 - May / 1998 / Brazil
First Public Version.
lnwalker@hotmail.com

	Some months ago I had no copy of IDA.  I know W32Dasm is not the best disassembler, but it is graphical and very easy to use.
The problem was that W32Dasm does not disassemble code such as that from appended viral or packer routines.  For example, if you try to disassemble a file protected by PE-Crypt32 you will not get the code responsible for doing the decryption (I call this a "Loader").  I coded a very simple program that extracts such a Loader and builds a "one-object" simple PE exe file.  This file (HOST.EXE) can be disassembled using W32Dasm.  GetLoad extracts two kinds of "Loaders":
1) Complete appended objects working as Loader, such as those attached by Boza virus, PE-Shield, Stone PE-Crypter and others;
2) Loaders inside "normal" objects, such as those from PE-Crypt32.

	There is another type of Loader (used by old .COM viruses) but since I have not seen that in any PE protected/infected file, I did not implement it.

	After "extraction" you will have a file - HOST.EXE - that can be disassembled and used to study virii and protector routines.  I will upgrade it soon to a "dynamic extractor" where you can execute a file and extract its Loader directly from memory.  This would be useful to analyse self-modifying virus or packer routines.  Actually, I plan to include this in NWDebugger (my simple debugger).


GetLoad Instructions:

I	- Choose a file (type or browse through your directories);
II	- Check "Adjust Host Image Base" if you want the addresses in the disassembled listing to match the addresses of the original file;
III	- Click "Extract" to build HOST.EXE (at the same directory as the original file) with the file's Loader.
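
Added example (not GetLoad's code, which this page does not show): a static check that finds which PE object holds the entry point and guesses which of the two Loader types listed above applies. The function names, the sample object names and the "last object" heuristic are assumptions made for this illustration; `entry_va` is the address a listing shows when the original image base is kept, as in step II.

```python
import struct

def find_loader(pe: bytes) -> dict:
    """Find the section that holds the entry point of a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (nsect,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled")
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    table = opt + opt_size                   # section table follows
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            # Assumed heuristic: entry in the last of several objects means
            # an appended Loader object (type 1); otherwise type 2.
            appended = nsect > 1 and i == nsect - 1
            return {
                "section": name.rstrip(b"\0").decode("ascii", "replace"),
                "kind": "appended object" if appended else "inside normal object",
                "file_offset": rptr + (entry_rva - vaddr),
                "entry_va": image_base + entry_rva,
            }
    raise ValueError("entry point lies outside every section")

def build_sample(entry_rva: int) -> bytes:
    """Constructed two-section PE32 headers (no code), for the demo only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    sects = b"".join(
        struct.pack("<8sIIII16x", n, 0x200, va, 0x200, raw)
        for n, va, raw in ((b".text", 0x1000, 0x200), (b".ldr", 0x2000, 0x400)))
    return dos + b"PE\0\0" + coff + bytes(opt) + sects

if __name__ == "__main__":
    for rva in (0x2000, 0x1080):
        print(hex(rva), find_loader(build_sample(rva)))
```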


Please, send any bugs or suggestions to lnwalker@hotmail.com.

If anyone becomes interested :) in the source code (TASM 5.0), I'll send it without problems.




