
		    MakePE version 1.30 (C) G-RoM in 1998

		      GTR95/SoftICE/TRW Dump rebuilder


Purpose :


  MakePE is a PE structure  rebuilder. From a dump, made with ProcDump(TM) or
with GTR95(TM)  or one you did under SoftICE (TM), it will try to rebuild the
PE header, import section (when possible) and can reoptimize your dump to re-
duce it. It can load too a standard PE file and will try to reduce it if you
used the '-s' switch.

Syntax :


 MakePE <PE file to rebuild> [options]

it will generate a PE file called fileout.exe

Options :


  -a  : Recompute object size

   This option allow you to say to MakePE to use Virtual Size for section
   as physical size. This is necessarry for PACKED PE, because the unpacked
   size of section is bigger than packed one. You can unselect this option
   if you are planning to work against a cryptor.

  -s  : Optimize PE structure

   This option optimize the PE structure according to the object table  in
   the way to  reduce written  PE file. If you select  this option, the PE
   file will take less space on disk.

  -ix : Import rebuilder method :

   * 0 : No rebuild

     Doesn't try at all to locate import section, leave the related import
     informations untouched.

   * 1 : Use import informations

     Read actual import informations, and use them to recreate a valid import
     table.

   * 2 : Rebuild import table.

     Detect import table using heuristical criterea and fixup the import ta-
     ble if found.

   * 3 : Full Import rebuild.

     Detect import table, generate a new import section, generate import
     function names & ordinals. There is a BIG chance that generated PE runs
     perfectly ;). REQUIRES a DLL List (see option -l).


  -l<file> : Load Dll List informations.

   This option is required if u wish to use the Import rebuilding method n3.
   The file must contains the dll list that were attached to this memory dump.

   The file format is really easy :

    One dll name (without any fucking path) by line.

   U can take a look at the file DLLLIST.SAM if u have a small doubt ;). The
   external tool ModList can help you to do a such file. Just launch it like
   that :  ModList >mylist. Then Edit mylist and remove all the  unnecessary
   output (stuff other than DLL list of ur targetted process !).

  -f  : Force raw mode

   This force MakePE to consider input file for REBUILD tool as a dump file.
   Use only this if MakePE crash when u try to supply a PE file.

  -m  : Merge code section

   REBUILDed file will have all the image in a single section. Can be usefull
   to analyze some PE loader.

  -kx : Kill sections from Nx

   Remove Sections starting with x one. Can be usefull to remove unpacker,
   Decryptor relative loader/datas OR to strip .DEBUG object for example.

  -v  :  Show internal code version.

Informations :


 PE rebuilder code : 91Kb
 Main Code	   : 12Kb

 MakePE was originaly designed as test code for ProcDump. But, regarding some
needs I had and the fact that my friend Hendrix needed a such tool, I finally
improved it. MakePE complete ProcDump32 and vice-versa ;).

History :


1.0  : First version, same as the ProcDump beta 2-1 engine.
1.01 : Added the PE structure shrinker.
1.02 : Added an universal PE loader.
1.03 : Added the import skip option.
1.04 : Fixed a major bug in PE loader
       Fixed a major bug Structure shrinker.
       Added a little check for virtual size of ZERO.
1.05 : Added Merge Section option code coz of Hendrix request.
1.06 : Enhanced a buffer size.
       Set to zero the space between section.
1.07 : Added an option for PE loader (RAW mode).
1.08 : Added a Fake Reloc Pointer in MZ header COZ IDA LOADER IS STUPID !!!.
       Added a Section Remover after a given one.
       Enhanced the File Type detection (PE/RAW detector).
1.08a: Enhanced PE loader [Section Size AutoChoice].
1.09 : Fixed a little bug in Import By Ordinal routine.
       Added a TLS section skipper.
1.10 : Enhanced PE loader again.
1.20 : Use same technology as ProcDump 1.2.0
       Added Load of DLL list.
       Added two external tools.
       Added a PE header section optimizer to avoid non pageable area.
       Quit properly if there is no import table at all (Ie: Data DLL).
1.25 : Use same technology as ProcDump 1.2.5 [EXPERIMENTAL VXD].
       Fixed GetProcOrd Code.
       Fixed Name Scanner.
       Fixed Load DLL pb with a few DLLs.
1.30 : New PE optimizer code.
       Added Section Size Optimizer.
       Changed Banner Stamp method.
