
	homepage: http://home.t-online.de/home/enoch
	e-mail  : hendrix_@gmx.net


				GTR 1.Df/Dt

				Users Guide


-I) Disclaimer

GTR might work on a 386+ with 2+MB. You use GTR at your own risk.


0) Basics

To understand GTR and use it, you need to be familiar with programming.
If you do not understand one of the following terms, there is no need to
read this manual any further. Inform yourself and come back!
Assembler, segment, offset, CS, EAX, COM-file, EXE-file, relocation, PSP.


I) What is GTR for?

First of all, GTR is what I call an "unpacker", that is a program that is
able to remove "security envelopes" from other programs. These envelopes
are used to prevent people from looking at the program by encoding the
program. When you start these programs the envelope will decode the program
and start it.


II) How does GTR do its job?

GTR means GenericTRacer; it is a program that takes control of your beloved
MSDOS. When GTR is loaded and active it monitors all action, and that on a
very low level. That is why it is called a "tracer": when you tell GTR to
monitor a program it will execute it step-by-step ("tracing"). Every
single instruction is checked for special behaviour. After the envelope
has decoded the program it will execute it. There are certain conventions
that have to be met when a program is started up. GTR will look for these
conditions and tell you. Conditions are
-when executing a COM-file:
 must  : PSP=CS=DS=SS , IP=0100
 should: SP>=F000 , PSP=ES
 can   : 0=AX=BX=..=SI=DI=BP
-when executing an EXE-file:
 must  : PSP<=CS,SS,DS,ES
 should: SP=xx00 (aligned) , PSP=DS=ES
 can   : 0=AX=BX=..=SI=DI=BP
GTR will display values that do not match these criteria in red, matching
registers are shown in white.
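As an added illustration (not part of GTR or of this guide), the Python
script below scores a register snapshot against the COM and EXE entry
conditions listed above, colours each one red or white the way GTR's display
does, and raises the "N out of M conditions met" alert. The must/should/can
grouping follows the list above, but the totals (13 checks for COM, 14 for
EXE) are my own tally of the relations as written, not GTR's nine; the
register values are constructed, and the snapshot names are assumptions.

```python
from dataclasses import dataclass

# Constructed register snapshot (field names are assumed to match the
# registers named in the conditions above).
@dataclass
class Regs:
    psp: int
    cs: int
    ds: int
    es: int
    ss: int
    sp: int
    ip: int
    ax: int = 0
    bx: int = 0
    cx: int = 0
    dx: int = 0
    si: int = 0
    di: int = 0
    bp: int = 0

GENERAL = ("ax", "bx", "cx", "dx", "si", "di", "bp")

def _can(r):
    # "can" group: 0=AX=BX=..=SI=DI=BP, one check per register
    return {f"{n.upper()}=0": getattr(r, n) == 0 for n in GENERAL}

def com_conditions(r):
    """Entry conditions for a COM file, grouped as in the guide."""
    return {
        "must": {"PSP=CS": r.psp == r.cs, "CS=DS": r.cs == r.ds,
                 "DS=SS": r.ds == r.ss, "IP=0100": r.ip == 0x0100},
        "should": {"SP>=F000": r.sp >= 0xF000, "PSP=ES": r.psp == r.es},
        "can": _can(r),
    }

def exe_conditions(r):
    """Entry conditions for an EXE file, grouped as in the guide."""
    return {
        "must": {f"PSP<={n.upper()}": r.psp <= getattr(r, n)
                 for n in ("cs", "ss", "ds", "es")},
        "should": {"SP=xx00": (r.sp & 0xFF) == 0,
                   "PSP=DS": r.psp == r.ds, "PSP=ES": r.psp == r.es},
        "can": _can(r),
    }

def evaluate(r, kind, threshold):
    """Score one snapshot the way a 'PREP' threshold does: alert when at
    least `threshold` of the listed conditions hold. Failing conditions are
    coloured red, passing ones white, mirroring the display."""
    conds = (com_conditions if kind == "COM" else exe_conditions)(r)
    flat = {name: ok for group in conds.values() for name, ok in group.items()}
    met = sum(flat.values())
    return {
        "kind": kind,
        "met": met,
        "total": len(flat),
        "alert": met >= threshold,
        "must_ok": all(conds["must"].values()),   # the hard requirements
        "colours": {n: ("white" if ok else "red") for n, ok in flat.items()},
    }

def classify(r):
    """COM if every COM 'must' holds, otherwise EXE if every EXE 'must'
    holds (IP != 0100 is the guide's tell), otherwise not an entry."""
    if all(com_conditions(r)["must"].values()):
        return "COM"
    if all(exe_conditions(r)["must"].values()):
        return "EXE"
    return None

if __name__ == "__main__":
    # Snapshot like the one in section V: PSP=DS=ES, CX=DX=0, IP not 0100.
    unpacked_exe = Regs(psp=0x1234, cs=0x1250, ds=0x1234, es=0x1234, ss=0x1300,
                        sp=0x0800, ip=0x0010, ax=0x0002, bx=0x1234, si=0x0100)
    # Snapshot still inside the envelope: CS below the PSP, unaligned SP.
    still_packed = Regs(psp=0x1234, cs=0x0F00, ds=0x2000, es=0x2100, ss=0x2200,
                        sp=0x01FE, ip=0x0345, ax=0x4C00)
    for snap in (unpacked_exe, still_packed):
        res = evaluate(snap, "EXE", 4)
        red = [n for n, c in res["colours"].items() if c == "red"]
        print(classify(snap), f"{res['met']}/{res['total']}",
              "alert" if res["alert"] else "quiet", "red:", red)
```

Note that with a threshold of 4 the second, still-packed snapshot also
raises the alert even though a "must" condition fails; that is why the
"Unpacked?" prompt appears several times and why the red/white view and
the dump window, not the alert alone, decide whether the program is done.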


III) Booting into realmode

It is necessary to boot into realmode to execute GTR. Any extended-memory-
manager like EMM386 sets up a protected-mode environment. To make a realmode
bootdisk do this:
-"SYS A:" to make the disk bootable
-"COPY *.* A:" to copy GTR to disk
-"EDIT A:\AUTOEXEC.BAT and CONFIG.SYS" to adapt to your windows95/98 dirs
Or create a start-up menu, remember to use "COMMAND.COM /P" to stop
execution of AUTOEXEC.BAT.


IV) Starting GTR

To launch GTR use "GTR /go". You are now in a protected-mode environment,
but GTR will not catch all anti-debugging tricks yet: it is not in secure-mode.
Check if there is any extended memory left: "MEM". If there is some left use
"GETXMEM" to allocate it all. Now no other program will try to access memory
above the "1MB-border".


V) Unpacking a program

First of all you need to know what type of file the unpacked program
will be. If you are sure it was written in a high-level language, you can
be sure it is an EXE-file. Cracks, patches or other little programs
are probably written in assembler and linked as COM-files. Remember that
protectors can convert EXEs into COMs, and COMs into EXEs!
To start the unpacking you need to tell GTR to go into "secure-mode":
"PREP CE4" is the most used command for this. CE means "look for Com and
Exe-file execution", the 4 stands for "give alert when 4 out of 9 conditions
are met". GTR is now waiting for the protected program to be executed.
You can verify this by the flashing "****" at the top-left corner of
your screen.
Now execute the program: "TEST"
Seconds later the prompt "Unpacked?" appears in the top-right corner
of GTR's screen. Have a look at the big memory-dump-window on the left. It is
set up to display the data at PSP:0100... and it looks all messed up! This
program is not unpacked yet, so press "C" to continue. Again you will be
asked "Unpacked?" several times, but the window just shows scrambled eggs.
Finally you can read parts of texts. You can be sure that the waiting is
over soon. After pressing "C" a couple of times you have a clear text
in the memory-dump-window. This is a good indicator for an unpacked program.
You see PSP=DS=ES, even 0=CX=DX. Have a look at the IP. It is not 0100 so
we know it is an EXE-file. To save a copy of the program, press "S" and
voilà, the display at the left bottom indicates that a rawdump has been
made to memory. You are sure that the program is unpacked and you verify
this by pressing "C" to continue. Now the program should be executed...
and it does! Whenever you think the program is unpacked you need to make
a dump.
Since we deal with an EXE-file we have to make at least two dumps to
calculate the relocations. We must force relocation by using "EAT1K".
GTR is still in secure-mode, we must tell GTR that the unpacking is over.
There are two ways to do so:
1) Press "scroll-lock" and GTR pops up. Press "Q" for "quit to DOS" which
   will exit any running program by executing "int21h,4ch"
2) Press "scroll-lock", go to the "O"ptions-menu, choose "S" to toggle the
   "Sec"ure-mode flag, e"X"it the options-menu
Then "C"ontinue.
Repeat the procedure above. You do not have to execute the unpacked program
again, press "Q" to abort it or even exit.


VI) Exit GTR and creation of unpacked files

To exit GTR, press "scroll-lock" and choose exit ("backspace"). GTR will
save the following files to disk:
-"EXECLOG.BIN", the execution log: all int-calls and port-accesses are logged
 in this file. To make a readable text from it, use "KLARTEXT" which
 will create "EXECLOG.TXT".
-"DUMPx.DMP" are MakeEXE-styled dump-files. You can also work with
 MakeEXE from the "DumpEXE-package by Bugsy" on the dumps. Get it from my
 homepage.
-"DUMPx.COM" Every dump with IP=0100 is saved as a COM-file
-"DUMPx.EXE" If GTR finds two matching dumps (same IP, same stackframe)
 it will create an EXE-file by finding the relocations.
When you are lucky, the created files will work :)
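Section V says an EXE needs at least two dumps, the second one forced to a
different load address with "EAT1K", so that the relocations can be
calculated, and section VI says GTR writes DUMPx.EXE from two matching dumps
by finding those relocations. The Python below is an added example of that
calculation and is not GTR's own code: it takes two raw images of the same
unpacked state, treats every 16-bit word that differs by exactly the
load-segment delta as a relocated segment value, writes those words back
relative to segment 0, and wraps the result in an MZ header with a
relocation table. The 15-byte program image, the load segments 1000h and
1040h, and the entry/stack values are constructed; the dumps are assumed to
start at the program's load segment (PSP+10h), and any differing bytes that
do not fit the delta are reported as unexplained, which serves as the
"matching dumps" check.

```python
import struct

# Constructed example image (file view, segment references relative to 0):
#   B8 10 00         mov ax, 0010h        ; 0010h is a segment -> relocation at offset 1
#   8E D8            mov ds, ax
#   BA 34 12         mov dx, 1234h        ; plain immediate, must NOT be reported
#   9A 00 01 20 00   call far 0020h:0100h ; segment 0020h -> relocation at offset 11
#   CD 20            int 20h
FILE_IMAGE = bytes.fromhex("B8 10 00 8E D8 BA 34 12 9A 00 01 20 00 CD 20")
TRUE_RELOCS = [1, 11]

def relocate(image, relocs, load_seg):
    """What the DOS loader does: add the load segment to every relocated
    word. Used here only to construct the two 'dumps' for the demo."""
    img = bytearray(image)
    for off in relocs:
        w = struct.unpack_from("<H", img, off)[0]
        struct.pack_into("<H", img, off, (w + load_seg) & 0xFFFF)
    return bytes(img)

def find_relocations(dump_a, seg_a, dump_b, seg_b):
    """Recover relocations from two dumps of the same unpacked image taken at
    different load segments. A word that differs by exactly the segment delta
    is a relocated segment value and is written back relative to segment 0.
    Returns (reloc_offsets, file_image, unexplained_byte_offsets)."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps differ in length; not the same program state")
    delta = (seg_b - seg_a) & 0xFFFF
    if delta == 0:
        raise ValueError("both dumps loaded at the same segment; use EAT1K first")
    image = bytearray(dump_a)
    relocs, unexplained = [], []
    i = 0
    while i < len(dump_a):
        if i + 1 < len(dump_a):
            wa = struct.unpack_from("<H", dump_a, i)[0]
            wb = struct.unpack_from("<H", dump_b, i)[0]
            if wa != wb and (wb - wa) & 0xFFFF == delta:
                relocs.append(i)
                struct.pack_into("<H", image, i, (wa - seg_a) & 0xFFFF)
                i += 2                      # both bytes of this word are explained
                continue
        if dump_a[i] != dump_b[i]:
            unexplained.append(i)           # changed for some other reason
        i += 1
    return relocs, bytes(image), unexplained

def build_mz(image, relocs, cs, ip, ss, sp):
    """Wrap the file image in an MZ header whose relocation table lists every
    recovered offset. cs/ss are relative to the load segment, as in a file."""
    hdr_len = (0x1C + 4 * len(relocs) + 15) & ~15      # header is paragraph aligned
    total = hdr_len + len(image)
    pages, last = (total + 511) // 512, total % 512
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    hdr = struct.pack("<2s13H", b"MZ", last, pages, len(relocs), hdr_len // 16,
                      0, 0xFFFF, ss, sp, 0, ip, cs, 0x1C, 0)
    table = b"".join(struct.pack("<HH", off & 0xFFFF, (off >> 16) << 12)
                     for off in relocs)
    return (hdr + table).ljust(hdr_len, b"\0") + image

def parse_mz(exe):
    """Read the header back; relocations are returned as linear offsets into
    the load image so they can be compared with find_relocations()."""
    f = struct.unpack_from("<2s13H", exe, 0)
    if f[0] != b"MZ":
        raise ValueError("not an MZ file")
    last, pages, n_reloc, hdr_paras = f[1], f[2], f[3], f[4]
    ss, sp, ip, cs, reloc_off = f[7], f[8], f[10], f[11], f[12]
    relocs = []
    for k in range(n_reloc):
        off, seg = struct.unpack_from("<HH", exe, reloc_off + 4 * k)
        relocs.append(seg * 16 + off)
    img_len = (pages - 1) * 512 + (last or 512) - hdr_paras * 16
    start = hdr_paras * 16
    return {"entry": (cs, ip), "stack": (ss, sp), "relocs": relocs,
            "image": exe[start:start + img_len]}

def demo():
    # Two dumps of the same unpacked state; the second taken after EAT1K has
    # pushed the load address up by 1 KB (40h paragraphs). Segments assumed.
    seg_a, seg_b = 0x1000, 0x1040
    dump_a = relocate(FILE_IMAGE, TRUE_RELOCS, seg_a)
    dump_b = relocate(FILE_IMAGE, TRUE_RELOCS, seg_b)
    relocs, image, unexplained = find_relocations(dump_a, seg_a, dump_b, seg_b)
    exe = build_mz(image, relocs, cs=0, ip=0, ss=0x0020, sp=0x0100)
    return relocs, image, unexplained, exe

if __name__ == "__main__":
    relocs, image, unexplained, exe = demo()
    print("relocations at", relocs, "unexplained", unexplained,
          "EXE size", len(exe), "bytes")
```

The word-by-delta test is a heuristic: a data word that happens to change
by exactly the delta between the two runs would be mistaken for a
relocation, and that is one reason a created file may not run, as section
VII warns.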


VII) No luck

If they do not work, you need to reduce the "sensitivity" of GTR, meaning
you might look for "3 out of 9 conditions" instead. If this does not help,
look for a specific unpacker.


VIII) How does GTR do its job? More detailed

Setting up a protected-mode environment is not hard. First you need to
map the memory. Then make an IDT, GDT, and TSS and you are done.
COM-entries are easy to detect: PSP=CS=DS(=ES), IP=0100, SP>=F000.
It is a bit harder with EXE-files. GTR has to intercept the FAR-call from
the envelope to the EXE-entry.


IX) "GTR is hard to use" vs. "GTR is handy"

GTR is just a tool that makes all the tracing for you. You do not have to
worry about the anti-debug-traps. It does, like you, look for IP=0100 or
a FAR-call. So you do not have to learn how to use a debugger, how to
defeat breakpoints, how to emulate PIC-reprogramming...
GTR is hard to use because of the many options it has. There is no
automation for many of those. In this manual I described the basic usage
that is needed to unpack most of the protectors. All you need to do is
look out for red and white registers and for readable text inside the
memory-dump. (I thought that was easy enough.) There is no way I will make
a command-line thingy out of it.


X) Personal view of GTR

I wrote GTR because I wanted to see the protectors fall. From the beginning
I was convinced by Lost Soul^UCF's approach of tracing programs. Anything
can be emulated, like: prefetch-queue, control-registers, debug-regs,
PIC-reprogramming, slower CPU, keyboard-port, CMOS realtime-clock, flag-
register, interrupt-control-register, ... Luckily I started writing
GTR when the whole development of protectors began. Please be sure to
check your protector with GTR before releasing it. I think it is no use
to spread useless programs -for what purpose? To insult others? I love to
read the DOCs :) The reason I took the HS-mainprog as the test-prog is not
because I hate Mr. Roth, which I do not. It is just the latest protector
I have.




I would love to add the macro-option back to GTR before I release
the source, is that okay with y'all?
