────────────────────────────────────────────────────────────────────────────
                  MakePE version 1.30 (C) G-RoM in 1998
                     GTR95/SoftICE/TRW Dump rebuilder
────────────────────────────────────────────────────────────────────────────

Purpose :
─────────

  MakePE is a PE structure rebuilder. From a dump, made with ProcDump(TM) or
  with GTR95(TM) or one you made yourself under SoftICE(TM), it will try to
  rebuild the PE header and the import section (when possible), and it can
  re-optimize your dump to reduce it. It can also load a standard PE file and
  will try to reduce it if you use the '-s' switch.

Syntax :
────────

  MakePE [options]

  It will generate a PE file called fileout.exe.

Options :
─────────

  ■ -a : Recompute object size
      This option tells MakePE to use each section's Virtual Size as its
      physical size. This is necessary for a PACKED PE, because the unpacked
      size of a section is bigger than the packed one. You can leave this
      option off if you are planning to work against a cryptor.

  ■ -s : Optimize PE structure
      This option optimizes the PE structure according to the object table
      in order to reduce the written PE file. If you select this option, the
      PE file will take less space on disk.

  ■ -ix : Import rebuilder method :
      * 0 : No rebuild
            Doesn't try at all to locate the import section; leaves the
            related import information untouched.
      * 1 : Use import information
            Reads the actual import information and uses it to recreate a
            valid import table.
      * 2 : Rebuild import table
            Detects the import table using heuristic criteria and fixes up
            the import table if found.
      * 3 : Full import rebuild
            Detects the import table, generates a new import section, and
            generates import function names & ordinals. There is a BIG chance
            that the generated PE runs perfectly ;). REQUIRES a DLL list
            (see option -l).

  ■ -l : Load DLL list information
      This option is required if you wish to use import rebuilding method
      N°3. The file must contain the list of DLLs that were attached to this
      memory dump.
      The file format is really easy: one DLL name (without any path) per
      line. You can take a look at the file DLLLIST.SAM if you have a small
      doubt ;). The external tool ModList can help you to build such a file.
      Just launch it like this:

          ModList >mylist

      Then edit mylist and remove all the unnecessary output (anything other
      than the DLL list of your targeted process!).

  ■ -f : Force raw mode
      This forces MakePE to treat the input file of the REBUILD tool as a
      dump file. Use this only if MakePE crashes when you try to supply a PE
      file.

  ■ -m : Merge code section
      The REBUILT file will have the whole image in a single section. Can be
      useful to analyze some PE loaders.

  ■ -kx : Kill sections from N°x
      Removes sections starting with section x. Can be useful to remove an
      unpacker's or decryptor's loader/data, or to strip the .DEBUG object,
      for example.

  ■ -v : Show internal code version.

Information :
─────────────

  PE rebuilder code : 91Kb
  Main Code         : 12Kb

  MakePE was originally designed as test code for ProcDump. But, regarding
  some needs I had and the fact that my friend Hendrix needed such a tool, I
  finally improved it. MakePE completes ProcDump32 and vice-versa ;).

History :
─────────

  1.0  : First version, same as the ProcDump beta 2-1 engine.
  1.01 : Added the PE structure shrinker.
  1.02 : Added a universal PE loader.
  1.03 : Added the import skip option.
  1.04 : Fixed a major bug in the PE loader.
         Fixed a major bug in the structure shrinker.
         Added a little check for a virtual size of ZERO.
  1.05 : Added the Merge Section option code at Hendrix's request.
  1.06 : Increased a buffer size.
         Set to zero the space between sections.
  1.07 : Added an option for the PE loader (RAW mode).
  1.08 : Added a fake Reloc Pointer in the MZ header COZ IDA LOADER IS STUPID !!!
         Added a Section Remover after a given one.
         Enhanced the file type detection (PE/RAW detector).
  1.08a: Enhanced the PE loader [Section Size AutoChoice].
  1.09 : Fixed a little bug in the Import By Ordinal routine.
         Added a TLS section skipper.
  1.10 : Enhanced the PE loader again.
  1.20 : Uses the same technology as ProcDump 1.2.0.
         Added loading of a DLL list.
         Added two external tools.
         Added a PE header section optimizer to avoid non-pageable areas.
         Quits properly if there is no import table at all (i.e. a data DLL).
  1.25 : Uses the same technology as ProcDump 1.2.5 [EXPERIMENTAL VXD].
         Fixed the GetProcOrd code.
         Fixed the name scanner.
         Fixed a DLL-loading problem with a few DLLs.
  1.30 : New PE optimizer code.
         Added a Section Size Optimizer.
         Changed the banner stamp method.
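The -a, -k and -m switches described in the Options section all boil down to rewriting the section table of a dump so that the file layout matches the memory layout. The following Python script is an added illustration of that idea, written for this page; it is not MakePE's code and does not reproduce its internals. It assumes the dump is a flat copy of the image exactly as it sat at its load address (so every section's bytes are at their RVA), it sets FileAlignment equal to SectionAlignment so the new raw offsets stay aligned (a design choice of this example, not something the page states), its section numbering for removal is 0-based, and the sample PE32 image it rebuilds is constructed inline with made-up section names and contents.

```python
"""Added example, not MakePE's code: rebuild a flat PE32 memory dump into a
loadable file.  Assumes the dump is the image exactly as it sat at its load
address, so each section's bytes are at their RVA (file offset == RVA)."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes
FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
          "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
          "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")
OPT_SECTION_ALIGN, OPT_FILE_ALIGN, OPT_SIZE_OF_IMAGE = 32, 36, 56  # PE32 optional header offsets


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(image):
    """Return (nt_offset, optional_header_offset, section_table_offset, sections)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    opt = nt + 24                                             # after IMAGE_FILE_HEADER
    table = opt + opt_size
    sections = [dict(zip(FIELDS, struct.unpack_from(SECTION_FMT, image, table + i * SECTION_SIZE)))
                for i in range(num_sections)]
    return nt, opt, table, sections


def alignments(image):
    """(SectionAlignment, FileAlignment) read from the optional header."""
    _, opt, _, _ = parse_pe(image)
    return (struct.unpack_from("<I", image, opt + OPT_SECTION_ALIGN)[0],
            struct.unpack_from("<I", image, opt + OPT_FILE_ALIGN)[0])


def rebuild_dump(dump, kill_from=None, merge=False):
    """Like -a: each section's raw layout becomes its virtual layout.
    kill_from=N (0-based, this example's own numbering) drops section N and
    all later ones, like -k; merge=True collapses the image into one section, like -m."""
    image = bytearray(dump)
    nt, opt, table, sections = parse_pe(image)
    old_count = len(sections)
    sec_align = struct.unpack_from("<I", image, opt + OPT_SECTION_ALIGN)[0]
    if kill_from is not None:
        sections = sections[:kill_from]
    if not sections:
        raise ValueError("no sections left after removal")
    if merge:
        first = min(sections, key=lambda s: s["VirtualAddress"])
        last = max(sections, key=lambda s: s["VirtualAddress"])
        span = last["VirtualAddress"] + last["VirtualSize"] - first["VirtualAddress"]
        sections = [dict(first, Name=b".merged", VirtualSize=span,
                         Characteristics=0xE0000060)]  # code|init data|exec|read|write
    for i, s in enumerate(sections):
        # Packed files have VirtualSize > SizeOfRawData; in the dump the unpacked
        # bytes fill the whole virtual range, so that range is the raw data now.
        s["PointerToRawData"] = s["VirtualAddress"]
        s["SizeOfRawData"] = s["VirtualSize"]
        struct.pack_into(SECTION_FMT, image, table + i * SECTION_SIZE, *(s[f] for f in FIELDS))
    # Blank the header slots of removed sections, then fix count, alignment and size.
    start, end = table + len(sections) * SECTION_SIZE, table + old_count * SECTION_SIZE
    image[start:end] = bytes(end - start)
    struct.pack_into("<H", image, nt + 6, len(sections))
    struct.pack_into("<I", image, opt + OPT_FILE_ALIGN, sec_align)  # raw offsets are RVAs now
    last = max(sections, key=lambda s: s["VirtualAddress"])
    size_of_image = _align(last["VirtualAddress"] + last["VirtualSize"], sec_align)
    struct.pack_into("<I", image, opt + OPT_SIZE_OF_IMAGE, size_of_image)
    image = image[:size_of_image] + bytes(max(0, size_of_image - len(image)))
    return bytes(image)


def build_sample_dump():
    """Constructed PE32 dump: .text is 'packed' (VirtualSize 0x300 > SizeOfRawData
    0x200) and .stub stands in for an unpacker stub that an analyst would strip."""
    sec_align, file_align, nt = 0x1000, 0x200, 0x40
    dos = bytearray(nt)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, nt)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN, sec_align)
    struct.pack_into("<I", opt, OPT_FILE_ALIGN, file_align)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x4000)
    struct.pack_into("<I", opt, 60, 0x200)               # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in (
                         (b".text", 0x300, 0x1000, 0x200, 0x200, 0x60000020),
                         (b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040),
                         (b".stub", 0x200, 0x3000, 0x200, 0x600, 0x60000020)))
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    image = bytearray(0x4000)
    image[:len(headers)] = headers
    image[0x1000:0x1300] = b"\x90" * 0x300   # unpacked code fills its full VirtualSize
    image[0x2000:0x2100] = b"\xAA" * 0x100
    image[0x3000:0x3200] = b"\xCC" * 0x200
    return bytes(image)


if __name__ == "__main__":
    for s in parse_pe(rebuild_dump(build_sample_dump(), kill_from=2))[3]:   # drop .stub
        print(s["Name"].rstrip(b"\0").decode(), hex(s["PointerToRawData"]), hex(s["SizeOfRawData"]))
```

Run stand-alone it prints the two surviving sections with their new raw offsets, which now equal their RVAs. The check a practitioner wants after any such rebuild is visible in the code: SizeOfImage, NumberOfSections and FileAlignment must be updated together with the section table, otherwise a loader (or a disassembler such as IDA, as the history above notes) rejects or misreads the file.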