
           this is release 6 of the winice dumper.

   -----
   news.
   -----

   - source code included as usual, it's a dynamic VxD now, no need to patch
     winice itself (happens runtime). stuff in static code and data segments
     (_STEXT and _SDATA) can be changed, but you must reboot before loading
     the new version.

   - simpler command syntax, PAGEIN is no longer tweaked. each command must
     start with a character that would normally make winice complain about
     an invalid command, suggested prefix is the '/' (forward slash) since it
     is familiar to IRC users already ;-).

   - certain commands need to call win32 API functions whose addresses are
     looked up by using winice's internal symbol tables. for this to work you
     need to have kernel32 and user32 exports loaded into winice (winice.dat).

   - and you thought it was impossible... so we're proud to present the first
     mp3 decoder/player that runs in kernel mode (of win9x in our case) and
     keeps working even if you enter winice. since all this requires direct
     hardware programming, we support non-PCI based SB compatible cards 'only'
     for now.

     anyway, a BIG thank you goes to fOSSiL, who coded this stuff. and no,
     he's NOT gonna do the vcd player ;-)

   - even though the Procdump32 project has officially been declared dead,
     its achievements won't go down the tube: from now on icedump features
     G-RoM's Phoenix v2.0+ engine, along with a new command which lets you
     dump a full PE file directly from icedump, no external tools are needed
     anymore. i think there's not much else to explain what all this means...
     thanks G-RoM ;-)

   - added a tracer engine which is able to trace most of the currently known
     PE wrappers (bleem/pecrypt/pelocknt/peshield/petite/vbox and the rest
     which is less sophisticated). see separate document for details.

   - added a simple tetris for the homo ludens among you.

   - added anti detection code, should protect against most known methods
     (int3/int2f/int41/int68/dr7/createfilea/testdebuginstalled). also there
     is a way to detect illegal ring-0 entry attempts, check out PROTECT for
     more details.

   - added G-RoM's plugin system called Hydra which lets third-party modules
     participate in the import rebuilding process, see the SDK docs for more
     info.

   - icedump performs exports renormalization on several system DLLs which
     remains effective even after icedump has been unloaded.


   ------
   usage.
   ------

   first of all, you have to run icedump.exe from the directory corresponding
   to your winice version to load the dynamic VxD (it's a self-loading VxD, so
   don't go looking for a separate *.vxd file ;-). if the VxD cannot find
   winice or recognize its version, it will simply not load, no harm will be
   done. if for any reason you simply want to unload the VxD, you should
   execute 'icedump u' and that's it. note that icedump cannot be loaded as a
   static VxD since it does not act on DEVICE_INIT and the like, but you can
   add support for that if you really need it.

   mp3 playing support requires you to run YogaPlay, the GUI for the VxDs that
   are in mp3\bin and which should be copied into windows\system or left in
   YogaPlay's own directory. YogaPlay lets you choose the mp3 files (which are
   eventually uploaded to the VxDs as a playlist, icedump itself doesn't let
   you do that) to be played, and gives you a basic control over playing them.
   if you need anything fancier, go code it yourself, source code for YogaPlay
   is included (courtesy of fOSSiL). inside winice you have to use the /MP3
   command, see the description somewhere below.


   ------------------
   command reference.
   ------------------

        -------------------------------------
        /DUMP <address> [<length> <filename>]
        -------------------------------------

   the good old one, which you should be familiar with. in short, both
   <address> and <length> can be any expressions that winice can evaluate,
   <filename> can specify any drive/path. using <address> alone will simulate
   the old PAGEIN behaviour (i.e. bring in a page, but this one works for all
   possible execution modes unlike the original PAGEIN). attempting to dump
   non-committed memory won't cause a crash, however no other sanity checks
   are made, so be careful, especially when dumping from ring-0 (i.e. when the
   current CS is a ring-0 selector; dumping memory that merely belongs to a
   ring-0 data selector has nothing to do with this). memory read breakpoints
   over the dump area should be disabled because winice might get confused
   about the re-entry (this holds for all dumping related commands of course).

   for win32 processes you will probably want to use the /BHRAMA or /PEDUMP
   commands since they will rebuild a working PE image. have a look at the
   /OPTION command as well.


        -----------------------------------
        /LOAD <address> <length> <filename>
        -----------------------------------

   load the first <length> bytes from <filename> at <address>. sort of the
   opposite of /DUMP, the same rules apply, except that it's write breakpoints
   that should not be active.


        ------------------------------------------
        /BHRAMA <Bhrama dumper server window name>
        ------------------------------------------

   notify Procdump/Bhrama (yeah, the one by G-RoM ;-) to initiate dumping.
   you have to supply only the window name, exactly as you can see it in the
   caption bar. now, to make your own life easier, you should assign this to
   an F key in winice.dat:

        F3="/BHRAMA ProcDump32 - Dumper Server;"

   some parameters/flags can be set by /OPTION B, look at them somewhere
   below.

   keep in mind the following when using Procdump/Bhrama:

   1. the Bhrama server's window name can be changed in v1.5.0+ only, this
      raises detectability issues with older versions...

   2. the various Procdump options can be changed in v1.5.0+ only, some of
      them with /OPTION B, others only in Procdump/Bhrama itself.

      for older versions you have to change and reassemble the source code
      or you can try to change it in memory (advanced users will find their
      way there, i'm not going to explain it here).

   3. EIP (and the entry point in the dumped PE image) cannot be specified
      anywhere, instead the current one is used. however only v1.5.0+ will
      properly calculate the entry point from the EIP, for older versions
      you have to subtract the image base from the entry point written by
      Procdump and manually update the PE header.

      this is because v1.4.x expects an RVA and i can supply a VA only.
      v1.5.0+ will try to detect this situation and automagically recompute
      the entry point. note, that the current solution will fail if the
      original entry point falls above 0x800000 or so (i.e. for PE images
      over 4 MBytes this may be a problem).

   4. when you issue a /BHRAMA command, winice will temporarily resume
      execution of the entire system (so that you can specify the file
      name for Bhrama), however you are not supposed to (ab)use this fact
      and do anything else besides what you are asked to do (namely, select
      the file name ;-). not observing this simple rule will very easily
      end in a system crash... also, try to avoid setting breakpoints
      which may trigger during this period (e.g. those set for APIs, window
      handlers or messages and the like).

   5. the client's stack will be modified since Bhrama is called in the
      client's context, this can potentially be detected by the client...


        ---------------------
        /SUSPENDX <TID>|<PID>
        ---------------------

   suspend specified thread/process AND exit winice. this command is able to
   suspend the current thread or all threads in the current process. note that
   no breakpoints are inserted at the suspended threads' EIPs so when you
   resume such a thread winice will NOT break in. if you want to (and probably
   you do ;-) then you have to manually insert a breakpoint somewhere.

   TID/PID must be valid ring-3 handles, either obfuscated or not (will be
   automagically taken care of). use THREAD/PROC to get them.


        --------------------
        /SUSPEND <TID>|<PID>
        --------------------

   suspend specified thread/process. attempting to suspend the current thread
   or the process owning it will result in an error message but will do no
   harm to the system/winice (in case of a process the other threads will be
   suspended though). note that no breakpoint is inserted at the current EIP
   so when you resume such a thread winice will NOT break in. if you want to
   (and probably you do ;-) then you have to manually insert a breakpoint
   somewhere.

   TID/PID must be valid ring-3 handles, either obfuscated or not (will be
   automagically taken care of). use THREAD/PROC to get them.


        -------------------
        /RESUME <TID>|<PID>
        -------------------

   resume specified thread/process.

   TID/PID must be valid ring-3 handles, either obfuscated or not (will be
   automagically taken care of). use THREAD/PROC to get them.


        -----------
        /KILL <PID>
        -----------

   kill specified process. attempting to kill the current process will result
   in an error message but will do no harm to the system/winice.

   PID must be a valid ring-3 handle, either obfuscated or not (will be
   automagically taken care of). use PROC to get it.


        ------------------------
        /SCREENDUMP [<filename>]
        ------------------------

   dump the winice console to a file. note that only the Universal Video Driver
   mode is supported (i.e. in text mode you will get the DOS window's content
   and not that of winice). generally the same rules apply as for the /DUMP
   command. when no <filename> is specified icedump will toggle the
   screendumper between mode 0, 1, 2, 3 and 4 operation.

   in mode 1, the default mode, the attribute bytes are stripped, giving an
   ASCII output.

   in mode 0, raw mode, the attribute bytes are dumped as well.

   mode 2 dumps the screen to a HTML file. a utility, ScreenDump clean, is
   provided to convert a raw dump into an ASCII or HTML dump. notes on mode 2:

   - the lines and arrows are replaced with text equivalents.
   - the standalone RAW->HTML converter is in the HTML directory.
   - the Opera browser does not display the dump properly as the table
     elements are too long.

   mode 3 dumps the screen into a LaTeX formatted file. to include the dump in
   your LaTeX document, include the line "\usepackage{icedump}" then either
   copy and paste the dump contents, or include it via an \input command. Note
   that icedump.sty requires you to have the packages: 'amssymb' and 'color'
   (dvips). If these are already in your LaTeX path, then the icedump package
   will use them automatically. You should also put icedump.sty in your LaTeX
   path. An example file can be found in the w9x\latex directory. A standalone
   converter will be available once somebody can be bothered to rip out the
   code from icedump :)

   NOTE: mode 3 is limited to softice console screens with a maximum of 255
   columns.

   mode 4 dumps into an EPS (encapsulated Postscript) formatted file.
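   an offline converter for a mode 0 (raw) dump that produces the mode 1
   (ASCII) and mode 2 (HTML) views, added here as an example; it is neither
   the ScreenDump clean utility nor icedump's own code. it assumes the raw
   dump is laid out like VGA text-mode memory (per cell one CP437 character
   byte followed by one attribute byte, rows of a fixed number of columns);
   the sample dump and all function names are constructed for the demo.

```python
"""mode 0 raw /SCREENDUMP -> mode 1 (ASCII) and mode 2 (HTML) views.
added example; assumed raw layout: VGA text cells, 2 bytes each
(CP437 char, attribute), `cols` cells per row, no separators."""
import html

# VGA 16-colour palette indexed by the attribute nibble
VGA_PALETTE = ["#000000", "#0000aa", "#00aa00", "#00aaaa",
               "#aa0000", "#aa00aa", "#aa5500", "#aaaaaa",
               "#555555", "#5555ff", "#55ff55", "#55ffff",
               "#ff5555", "#ff55ff", "#ffff55", "#ffffff"]

# text equivalents for the CP437 line/arrow glyphs (mode 2 replaces these)
LINE_ART = {
    0xC4: "-", 0xCD: "=", 0xB3: "|", 0xBA: "|",
    0xDA: "+", 0xBF: "+", 0xC0: "+", 0xD9: "+", 0xC5: "+",
    0xB4: "+", 0xC3: "+", 0xC2: "+", 0xC1: "+",
    0xC9: "+", 0xBB: "+", 0xC8: "+", 0xBC: "+",
    0x18: "^", 0x19: "v", 0x1A: ">", 0x1B: "<", 0x10: ">", 0x11: "<",
}


def split_cells(raw, cols):
    """yield rows of (char_byte, attr_byte) tuples; reject a malformed dump."""
    if cols <= 0:
        raise ValueError("column count must be positive")
    rowlen = 2 * cols
    if len(raw) % rowlen:
        raise ValueError("raw dump length is not a whole number of rows")
    for off in range(0, len(raw), rowlen):
        row = raw[off:off + rowlen]
        yield [(row[i], row[i + 1]) for i in range(0, rowlen, 2)]


def cell_text(ch):
    """one CP437 cell as printable text, line art replaced by ASCII."""
    if ch in LINE_ART:
        return LINE_ART[ch]
    if ch < 0x20:
        return " "  # control codes render as glyphs in CP437; blank them
    return bytes([ch]).decode("cp437")


def raw_to_ascii(raw, cols=80):
    """mode 1 view: attribute bytes stripped, trailing blanks trimmed."""
    return ["".join(cell_text(c) for c, _ in row).rstrip()
            for row in split_cells(raw, cols)]


def span(attr, chars):
    """one <span> for a run of cells sharing the same attribute byte."""
    fg = VGA_PALETTE[attr & 0x0F]
    bg = VGA_PALETTE[(attr >> 4) & 0x07]  # bit 7 is blink, ignored here
    body = html.escape("".join(chars))
    return f'<span style="color:{fg};background:{bg}">{body}</span>'


def raw_to_html(raw, cols=80):
    """mode 2 view: a <pre> with one <span> per run of identical attribute."""
    out = ['<pre style="background:#000">']
    for row in split_cells(raw, cols):
        cur, buf = None, []
        for ch, attr in row:
            if attr != cur:
                if buf:
                    out.append(span(cur, buf))
                cur, buf = attr, []
            buf.append(cell_text(ch))
        out.append(span(cur, buf))
        out.append("\n")
    out.append("</pre>")
    return "".join(out)


def demo_dump():
    """constructed 3-row, 16-column dump: a box-drawn frame around a register."""
    cols = 16
    top = b"\xDA" + b"\xC4" * 14 + b"\xBF"
    mid = b"\xB3" + b"EAX=00000000  " + b"\xB3"
    bot = b"\xC0" + b"\xC4" * 14 + b"\xD9"
    rows = [(top, 0x07), (mid, 0x1F), (bot, 0x07)]   # grey, then white on blue
    raw = b"".join(b"".join(bytes([c, a]) for c in line) for line, a in rows)
    return raw, cols


if __name__ == "__main__":
    raw, cols = demo_dump()
    print("\n".join(raw_to_ascii(raw, cols)))
    print(raw_to_html(raw, cols))
```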


        -------------------------
        /PAGEFLAG <addr> pPrWsUcC
        -------------------------

   change page table entry flags for the page specified by <addr>.

        pP: not present/present
        rW: read only/read-write
        sU: supervisor/user
        cC: not committed/committed

   this command directly modifies the PTEs in the page tables, so for the
   virtual address range 0x00000000-0x7FFFFFFF you have to be careful since
   on a context switch the PTEs describing this range will be overwritten and
   won't be restored when the scheduler switches the context back. other PTEs
   describing non-pagelocked pages will suffer the same fate after a page-out
   page-in cycle (or so i think at least). if there's demand for more
   intelligent behaviour, do it yourself ;-).


        ----------------------------------
        /FPU <FPU register number> <value>
        ----------------------------------

   change the content of the specified FPU register to <value>. <FPU register
   number> must be in the range 0...7 (for ST0...ST7). <value> will be parsed
   as an extended real (80 bits). if there's demand to be able to modify other
   parts of the FPU state (e.g. the MMX or SSE part), let us know (or do it
   yourself ;-).


        -------
        /OPTION
        -------

   icedump options menu. allows you to change various icedump parameters. when
   invoked without any parameters it will print out all the options that can
   be set.

        /OPTION N              - toggle screendump expert mode on/off
        /OPTION N F <filename> - alter base filename
        /OPTION N D <number>   - alter current dump number
        /OPTION N V            - show current screendump options

   the expert mode will allow you to perform screendumps with the command
   /SCREENDUMP (i.e. no parameters). icedump will name the file for you
   incrementally. by default, it will save them to c:\default.000,
   c:\default.001 etc.

   you can alter the base filename/path using the /OPTION N F command,
   the current dump number using the /OPTION N D command, view current
   screendump options with /OPTION N V and toggle expert mode on and off
   using /OPTION N.

   by default, the expert mode allows up to 40 characters for the path and
   filename. if you need more, you can easily modify one of the EQUates in the
   source code. you probably want to modify the default name too. make all the
   modifications you need (they are in one place) and recompile with nasm.

   i (Ghiri) will possibly implement an auto-mode for normal dumps.

        /OPTION D              - toggle memdump expert mode on/off
        /OPTION D F <filename> - alter base filename
        /OPTION D D <number>   - alter current dump number
        /OPTION D V            - show current memdump options

   the above four commands have now been implemented for auto-memdump. to use,
   turn on the expert mode and issue the command:

        /DUMP <address> <length>

   notes: when altering the filename, you can specify path and mask. for
   example, if you set the base filename to 'c:\temp\dump-*.dmp', icedump
   will auto-generate filenames like 'c:\temp\dump-001.dmp'. the number of
   positions can be changed by altering an EQUate in the code. make sure
   you have a valid filename.

        /OPTION B

   print out the current state of options for /BHRAMA.

        /OPTION B rR           - Recompute PE Object size on/off
        /OPTION B sS           - PE structure Reorganize on/off
        /OPTION B hH           - Restore PE header on/off
        /OPTION B [0..3]       - Import mode [0..3]

   These are the options you may wish to set for ProcDump/Bhrama. These
   options won't apply in ProcDump if the checkbox 'User conf.' is set.

        /OPTION P

   print out the current state of options for /PEDUMP.

        /OPTION P vV           - Update PE Virtual Object size on/off
        /OPTION P pP           - Update PE Physical Object size on/off
        /OPTION P oO           - PE structure Reorganize on/off
        /OPTION P bB           - Automatic PE Header rebuilding on/off
        /OPTION P I[0..4]      - Import mode [0..4]
        /OPTION P H[0..7]      - PE Header reload mode [0..7]
        /OPTION P cC           - Import caving attempt on/off
        /OPTION P aA           - Use alternative scanner on/off
        /OPTION P R[0..2]      - Code scanner mode [0..2]
        /OPTION P gG           - Glue/Coagulate resources
        /OPTION P fF           - Attempt to detect old relocation table
        /OPTION P xX           - Reduce MZ/PE to the maximum

   These are the Phoenix v2.x internal options. The rebuild PE header option
   only recomputes the RVA offsets, nothing more.

   Alternative scanner is a faster IAT scanner (a la ProcDump, but enhanced).
   It is enabled by default because of its speed on huge PE images. Both
   scanners work accurately in most cases but shit happens, so feel free to
   try both of them :).

   Import rebuilder method (Bhrama/Phoenix):

   * 0 : No rebuild

     Doesn't try to locate the import section at all, leaves the related
     import information untouched.

   * 1 : Use import information

     Read the actual import information and use it to recreate a valid import
     table.

   * 2 : Rebuild import table.

     Detect import table and fix it up if found.

   * 3 : Full Import rebuild (DEFAULT).

     Detect import table, generate a new import section, generate import
     function names & ordinals.

   * 4 : Full Import rebuild with external plugin's help.

     Use plugin to detect/fix import address table, generate a new import
     section, generate import function names & ordinals. If no plugins are
     in memory, act as mode 3. See Hydra SDK for more information.

   PE Header reload mode: certain schemes may destroy/alter some fields
   of the PE header so you have the chance to reload a valid one from the
   original executable file.

   * 0 : No reload (DEFAULT).
   * 1 : Reload ImageSize only.
   * 2 : Reload Section information.
   * 3 : Reload both.
   * 4 : Reload whole PE header.
   * 5 : Reload whole PE header but ImageSize.
   * 6 : Reload whole PE header but Section information.
   * 7 : Reload whole PE header but both of the above.

   Code Scanner mode : By default when trying to detect IAT, we scan the code
   section using information from the PE Header. It appears however that
   sometimes those fields are unreliable, and hence these extra settings.

   * 0 : Use header.
   * 1 : Use 1st section info (DEFAULT).
   * 2 : Use whole Image as range (this MAY result in false positives, beware).

   The settings are getting bigger and bigger, but well that's for flexibility
   in the rebuild process (Isn't it Owl ? :).

        /OPTION T

   print out the current state of options for the tracer engine.

        /OPTION T lL           - Print last but one address before break off/on
        /OPTION T bB           - Print branch addresses off/on
        /OPTION T aA           - Print all traced addresses off/on
        /OPTION T pP           - Trace new threads in the same process off/on
        /OPTION T cC           - Trace threads in child processes off/on
        /OPTION T nN           - Break on new threads off/on
        /OPTION T eE           - Emulate NT win32 selectors off/on

   see the separate documentation on the tracer engine to understand what these
   flags do. the defaults are LbaPcne.


        -------------
        /CD [<track>]
        -------------

   control your cd-rom, without parameters it will stop playing the CD,
   otherwise it will attempt to play the specified track. this command can be
   invoked from all ring-3 execution modes.

   volume has to be set outside winice, but you know who to bug for support,
   don't you ;-)


        --------------
        /MP3 <0,n,+,->
        --------------

   control the mp3 VxDs (you should have started YogaPlay first and loaded
   a tracklist). '0' stops playing, 'n' (a playlist index, counted from 1)
   will play the specified track, '+' and '-' will skip to the next and
   previous track respectively.


        ------------------------------------
        /PEDUMP <imagebase> <EIP> <filename>
        ------------------------------------

   dump the current win32 process or a dll in its address space to a valid
   PE file. <imagebase> can be fished out from the MAP32 output, the rest
   should be obvious. look at /OPTION P to see what internal flags can be
   set.

   a tip: an easy way to get rid of wrappers that reside in the last few
   sections is to decrease the 'number of sections' and the 'imagesize' fields
   appropriately before dumping. of course this will work only if no critical
   information is stored in these sections (e.g. resources).

   Note 1 : EIP is an RVA one :).
   Note 2 : YOU MUST BE IN A WIN32 CONTEXT IN ORDER TO USE THIS.
   Note 3 : at <imagebase> a valid PE header is expected, if something is
            not right, either fix it by hand in memory or even better, reload
            the original header (or parts of it), consult /OPTION P H for
            details.
   Note 4 : No need to try to fetch me (G-RoM) for whatever you want, it is as
            is, nothing more. No update promised.
   Note 5 : Sometimes it is useful to patch the PE header's CodeBase to the
            first section's RVA (usually 0x1000), or the IAT scanner may fail.
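   the two header fix-ups described above (/BHRAMA note 3: subtract the image
   base from a VA entry point and update the header; /PEDUMP notes 1 and 5:
   the entry point is an RVA, and CodeBase should point at the first section)
   carried out on a dumped PE32 file, added here as an example; this is not
   Bhrama's or Phoenix's code. the VA-vs-RVA heuristic, all function names and
   the demo image values are my own, and the minimal image is constructed
   inline to stand in for a real dump.

```python
"""post-dump PE32 header fix-ups: VA entry point -> RVA, BaseOfCode -> first
section RVA. added example; not icedump/Procdump/Phoenix code."""
import struct

PE32_MAGIC = 0x10B
DEMO_IMAGE_BASE = 0x400000        # constructed demo values, not from any dump
DEMO_SIZE_OF_IMAGE = 0x5000
DEMO_FIRST_SECTION_RVA = 0x1000


def _locate(img):
    """return (optional header offset, number of sections, section table offset)."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", img, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (not PE32+) is handled here")
    return opt, nsec, opt + opt_size


def read_header(img):
    """pick out the fields the notes above talk about."""
    opt, nsec, sec = _locate(img)
    entry, base_of_code = struct.unpack_from("<II", img, opt + 16)
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    first_rva = struct.unpack_from("<I", img, sec + 12)[0] if nsec else None
    return {"entry": entry, "base_of_code": base_of_code,
            "image_base": image_base, "size_of_image": size_of_image,
            "sections": nsec, "first_section_rva": first_rva}


def entry_to_rva(img):
    """note 3 by hand: if AddressOfEntryPoint holds a VA (the EIP at dump time),
    subtract ImageBase so it becomes an RVA. heuristic (mine, not Bhrama's):
    a value inside [ImageBase, ImageBase+SizeOfImage) is a VA, a value below
    SizeOfImage is already an RVA, anything else is rejected, not guessed."""
    out = bytearray(img)
    opt, _, _ = _locate(out)
    h = read_header(out)
    e = h["entry"]
    if e < h["size_of_image"]:
        return bytes(out)                              # already an RVA
    if h["image_base"] <= e < h["image_base"] + h["size_of_image"]:
        struct.pack_into("<I", out, opt + 16, e - h["image_base"])
        return bytes(out)
    raise ValueError(f"entry point {e:#x} lies outside the image")


def fix_base_of_code(img):
    """note 5: point BaseOfCode at the first section's VirtualAddress so the
    IAT scanner gets a sane code range."""
    out = bytearray(img)
    opt, nsec, sec = _locate(out)
    if not nsec:
        raise ValueError("image has no sections")
    first_rva = struct.unpack_from("<I", out, sec + 12)[0]
    struct.pack_into("<I", out, opt + 20, first_rva)
    return bytes(out)


def build_demo_image(entry, base_of_code=0):
    """constructed minimal PE32 (headers plus one .text section header only),
    standing in for a dump; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 16, entry, base_of_code)  # AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<III", opt, 28, DEMO_IMAGE_BASE, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, DEMO_SIZE_OF_IMAGE, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, DEMO_FIRST_SECTION_RVA,
                      0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec


if __name__ == "__main__":
    img = build_demo_image(entry=0x401234)        # entry written as a VA
    img = fix_base_of_code(entry_to_rva(img))
    print({k: hex(v) for k, v in read_header(img).items() if v is not None})
```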


        ----------------------
        /HYDRA [<plugin name>]
        ----------------------

   specify plugin to be used during subsequent import rebuilds by PEDUMP (it
   has to be a valid filename, i.e. extension included). if no name is given,
   PEDUMP will not use any plugin until told otherwise. default search path
   for plugin lookup is the current directory and %windir%/system/hydra.


        -----------------------------------------
        /TRACE [<R0TCB> [<low EIP> [<high EIP>]]]
        -----------------------------------------

   control the tracer engine. note that this command cannot be used to trace
   the current thread, use /TRACEX for that. also look at /OPTION T to see
   what internal flags can be set.

        /TRACE

   print out the R0TCBs of all traced threads.

        /TRACE <R0TCB>

   stop tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
   the THREAD command to get it.

        /TRACE <R0TCB> <low EIP>

   start tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
   the THREAD command to get it. if the thread was already being traced, only
   the target range for EIP will be updated.

   tracing will stop and pop up winice if the thread's EIP reaches <low EIP>
   (technically the engine will look for a 1 byte long range by setting
   <high EIP> to the same value). this also means that EIP must be exactly
   this value in order to trigger winice to pop up, i.e. if it lies in the
   middle of an instruction, it will not trigger.

        /TRACE <R0TCB> <low EIP> <high EIP>

   start tracing the thread whose ring-0 Thread Control Block is <R0TCB>. use
   the THREAD command to get it. if the thread was already being traced, only
   the target range for EIP will be updated (however, keep in mind that if
   <low EIP> > <high EIP>, i.e. the range is invalid, then instead of updating
   the range, the engine will simply stop tracing the thread. this is how the
   stop command is implemented by the way).

   tracing will stop and pop up winice if the thread's EIP falls into a range
   specified by <low EIP> and <high EIP> (bounds inclusive).


        ------------------------------
        /TRACEX <low EIP> [<high EIP>]
        ------------------------------

   control the tracer engine AND exit winice. note that this command can be
   used to trace the current thread only, use /TRACE for other threads. also
   look at /OPTION T to see what internal flags can be set.

        /TRACEX <low EIP>

   start tracing the current thread. note, that whenever winice pops up in
   a context of a traced thread, you must exit winice via /TRACEX if you
   want to continue tracing. this is because on a normal 'X' winice erases
   EFLAGS.T and the tracer engine effectively loses control over it in the
   given thread's context.

   tracing will stop and pop up winice if the thread's EIP reaches <low EIP>.
   this means that EIP must be exactly this value in order to trigger winice
   to pop up, i.e. if it lies in the middle of an instruction, it will not
   trigger.

        /TRACEX <low EIP> <high EIP>

   start tracing the current thread. same note applies as above.

   tracing will stop and pop up winice if the thread's EIP falls into a range
   specified by <low EIP> and <high EIP> (bounds inclusive). note that there
   is no check for the validity of the range, so having <low EIP> > <high EIP>
   will simply start tracing the thread but will never make winice pop up
   (unless the range is changed later, see /TRACE for details).


        ----------------
        /BREAKR3 <R0TCB>
        ----------------

   instruct winice to break into the specified thread when it gets scheduled
   next time. note that this command will exit winice. <R0TCB> must be a valid
   ring-0 Thread Control Block.


        -----------------
        /TETRIS [<delay>]
        -----------------

   start tetris in the winice window. <delay> is measured in millisecs (default
   value is 200), and it is the delay in the main loop (the lower the delay
   the faster the game). there appears to be a bug in winice which prevents it
   from successfully calibrating its own internal delay loop (you can see a
   message right at the very beginning of the winice history buffer, provided
   it is big enough to hold all the messages during bootup); in this case the
   default delay value will be too big, feel free to choose your own. users of
   winice v4.05 and newer can explicitly specify their CPU's speed via the
   CPUSPEED keyword in winice.dat (e.g. CPUSPEED=700 for a 700 MHz monster).

   control: left/right arrow shifts block left/right,
            up arrow rotates block,
            down arrow makes block fall faster,
            escape quits game (should you get bored ;-)

   the score system honors completed lines (and implicitly the speed you did
   them at). after every 8 completed lines <delay> is decreased by 1.


        -------------------
        /RDMSR <MSR number>
        -------------------

   read the model specific register (MSR) and print edx:eax. reading invalid
   MSRs will result in an error message.


        ---------------------------------
        /WRMSR <MSR number> <eax> [<edx>]
        ---------------------------------

   write <edx>:<eax> into the model specific register (MSR). writing to
   invalid MSRs will result in an error message. <edx> is optional, treated
   as 0 when not specified.


        -----------------
        /PROTECT [ON|OFF]
        -----------------

   control access to critical system resources such as the GDT and the System
   VM's IDT and LDT which are normally left accessible under win9x to normal
   (ring-3) apps. when on, winice will be brought up at any read/write attempt
   to the GDT and the System VM's IDT, or a write attempt to the System VM's
   LDT, or whenever a win32 thread attempts to change its own CPL to ring-0
   via context manipulation (typically by putting a DPL=0 code selector into
   its own CS register). when invoked without parameters it will print out the
   current status (on/off).


        -----------------------
        /ALLOC <address> <size>
        -----------------------

   allocate memory in a win32 process's context (since it directly calls
   VirtualAlloc it cannot be used in any other context, much like BHRAMA).
   if no error occurs, the return value indicates a page aligned address
   that must be used with FREE later.


        ---------------
        /FREE <address>
        ---------------

   free a previously ALLOCated memory area. it can only be used in a win32
   process context since it calls VirtualFree directly (similar to ALLOC).
   <address> must be the return value from ALLOC.


        --------------------
        /CLIP <Cmd> [<Args>]
        --------------------

   transfer data between winice and the Windows clipboard. It can only be used
   in a Win32 process context since it calls a number of API functions
   (clipboard access / memory allocation / memory lock).
   All operations work with the CF_TEXT clipboard format - you don't want to
   paste JPEG images into winice, do you? :-)

   Following commands can be used:

   /CLIP G         - copy content of Windows clipboard into winice clipboard
   /CLIP P         - print content of Windows clipboard into winice console
   /CLIP S [<Arg>] - set Windows clipboard to given value
   /CLIP A [<Arg>] - append given value to Windows clipboard

   For commands S and A, the argument <Arg> controls what will be transferred
   into the Windows clipboard. It can be one of the following:

   <empty>    - content of winice clipboard will be put to Windows clipboard
                e.g.  /CLIP S
   <value>    - evaluated argument (dword, in hex) will be stored in clipboard
                e.g.  /CLIP S edx
   <string>   - string (i.e. content of the quotes) will be used
                e.g.  /CLIP S 'new clipboard content :-)'
   <addr len> - block of memory <len> bytes long, starting from <addr>
                will be transferred to Windows clipboard
                e.g.  /CLIP S edi 10
   <addr 0>   - again, block of memory starting from <addr> will be copied.
                However, the length is not explicitly given:
                <addr> is supposed to point at a string; the whole string is
                transferred (i.e. up to the terminating null character).
                e.g.  /CLIP S edi 0

   If you want to know why the particular letters G/P/S/A were chosen...
   they were meant as "Get", "Set" (Store?), "Print" (Paste?) and "Append".
   You can use the commands even in this form: /CLIP SET 'Blablabla'


        ------------------------------
        /HASPCODE <pwd1> <pwd2> <seed>
        ------------------------------

   fill EAX through EDX with the response codes for a given seed (as per
   HaspCode()). the suggested time to use it is directly after a call to hasp()
   service 2; this command relies on you remembering the appropriate parameters.


        -------------------
        /FDUMP <RVA> <file>
        -------------------

   Dump the current win32 process and all attached memory blocks to disk. The
   produced EXE will automatically reload all DLLs and memory blocks. Be
   careful, the produced files are OS dependent and DLL version dependent. In
   fact, the only person able to reload them later is the one who dumped them.
   However, the produced file can eventually be examined by a third party. We
   guarantee nothing at all regarding this command; it is meant to be used for
   analysis purposes and that's all. You were warned... so don't complain later.

   <RVA> is the entry point you wish to be set in the produced EXE named <file>.


        --------------
        /PBPM [ON|OFF]
        --------------

   protects your BPMs from getting erased. PBPM is an easy to use BPM protector
   embedded into icedump. the idea was to hook _vwin32_set/get_thread_context
   and keep track of the modifications made to DRx by the user's program. it
   works "per thread", which means that it monitors each thread: imagine that
   someone uses DRx to store a decryption key, running under 2 or even more
   threads which decrypt parts of the program using the DRx values...


        -----
        /HELP
        -----

   print out usage info.


   -----
   todo.
   -----

   1. two-way symbol transfer between IDA and SoftICE

   2. script language, a'la procdump

   3. vcd player... just kidding ;-)


   -----
   cast.
   -----

   since there are some people wondering about who's who in this game, let's
   tell you what to blame on whom ;-)

   CrackZ:
      - /HASPCODE

   ^DAEMON^:
      - PBPM

   fOSSiL:
      - raw->html converter for /SCREENDUMP
      - optimized /OPTION, /SCREENDUMP
      - /CD
      - vxdn.inc, winddk.inc
      - mp3 player (VxDs, mp3 decoder, YogaPlay)

   Ghiribizzo:
      - /SCREENDUMP
      - /OPTION
      - raw->LaTeX converter for /SCREENDUMP

   G-RoM:
      - /PEDUMP (CodeShot/Phoenix/Hydra engines)
      - Exports normalization (k32.asm)
      - /FDUMP (Ymir engine)
      - some cleanup in the parser and help

   Ice:
      - all thread related stuff (/SUSPEND, /SUSPENDX, /RESUME)
      - nticedump

   igNorAMUS:
      - macros for LaTeX mode dump
      - EPS output for /SCREENDUMP
      - /CLIP

   The Owl:
      - maintainer, at least for the time being


   ------------------
   thanks and greets.
   ------------------

   the icedump team thanks everyone who contributed to the project or otherwise
   inspired us to make this happen, that means all users as well ;-).
