
Questions tagged [pe]

PE (Portable Executable) is the file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.
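As an added example (not code from the original page or from any of the questions below), here is a minimal header parser in Python that shows the structure the tag description refers to: the DOS header, e_lfanew, the PE signature, the PE32/PE32+ optional header (AddressOfEntryPoint, ImageBase) and the section table with its Characteristics flags. It also does the checks that several questions on this page ask about: whether a file is structurally a valid PE, where executable code starts and ends (by section flags, not by assuming 0x401000), RVA-to-file-offset translation, and searching only the executable sections. The sample image is constructed inline by build_sample_pe(); it is valid headers plus two sections with marker bytes, not a real program. All numeric constants are the winnt.h values; everything else (function names, the sample layout) is an assumption of this example.

```python
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550   # "MZ", "PE\0\0" (values from winnt.h)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

class PEFormatError(ValueError):
    """Raised when the buffer is not a structurally valid PE image."""

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> NT headers -> section table, bounds-checking every step."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise PEFormatError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise PEFormatError("bad e_lfanew or missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # IMAGE_FILE_HEADER
    opt_off = e_lfanew + 24
    if opt_size < 32 or opt_off + opt_size > len(data):
        raise PEFormatError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:        # PE32 keeps BaseOfData, so ImageBase is a DWORD at +28
        f = struct.unpack_from("<HBBIIIIIII", data, opt_off)
        entry, image_base = f[6], f[9]
    elif magic == PE32PLUS_MAGIC:  # PE32+ drops BaseOfData; ImageBase is a QWORD at +24
        f = struct.unpack_from("<HBBIIIIIQ", data, opt_off)
        entry, image_base = f[6], f[8]
    else:
        raise PEFormatError(f"unknown optional header magic {magic:#x}")
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > len(data):
        raise PEFormatError("section table truncated")
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        if rawptr + rawsize > len(data):
            raise PEFormatError(f"section {i} raw data runs past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": va,
                         "virtual_size": vsize, "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars})
    return {"magic": magic, "entry_point": entry, "image_base": image_base, "sections": sections}

def is_valid_pe(data: bytes) -> bool:
    """Structural validity only: a packed or malicious file passes too, so unpack before deeper checks."""
    try:
        parse_pe(data)
        return True
    except PEFormatError:
        return False

def executable_sections(pe: dict) -> list:
    """Sections the loader maps executable; code lives here, not at a fixed 0x401000."""
    return [s for s in pe["sections"] if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]

def section_containing_rva(pe: dict, rva: int):
    return next((s for s in pe["sections"] if s["virtual_address"] <= rva
                 < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)

def rva_to_file_offset(pe: dict, rva: int):
    """RVA -> file offset through the section table; None when the RVA has no bytes on disk (e.g. .bss)."""
    s = section_containing_rva(pe, rva)
    if s is None or rva - s["virtual_address"] >= s["raw_size"]:
        return None
    return s["raw_ptr"] + (rva - s["virtual_address"])

def search_executable_sections(data: bytes, pe: dict, needle: bytes) -> list:
    """Every occurrence of needle inside executable sections only, as (section, rva, file_offset)."""
    hits = []
    for s in executable_sections(pe):
        blob = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        idx = blob.find(needle)
        while idx != -1:
            hits.append((s["name"], s["virtual_address"] + idx, s["raw_ptr"] + idx))
            idx = blob.find(needle, idx + 1)
    return hits

def build_sample_pe(image_base: int = 0x400000, pe32plus: bool = False) -> bytes:
    """Constructed sample input: valid headers and two sections, but no real code; not a runnable program."""
    file_align, opt_size = 0x200, (0xF0 if pe32plus else 0xE0)
    marker = b"Executable-only marker\0"
    text_raw = (bytes.fromhex("5589e5") + marker + bytes.fromhex("c9c3")).ljust(file_align, b"\0")
    data_raw = (marker + b"decoy copy in .data\0").ljust(file_align, b"\0")
    secs = [(b".text", 0x1000, text_raw, 0x60000020),   # CNT_CODE | MEM_EXECUTE | MEM_READ
            (b".data", 0x2000, data_raw, 0xC0000040)]   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    hdr = bytearray(file_align)                          # DOS header, NT headers and section table
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew: NT headers start at 0x40
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664 if pe32plus else 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = 0x58                                           # optional header follows the 20-byte file header
    common = (14, 0, len(text_raw), len(data_raw), 0, 0x1000, 0x1000)  # linker ver, sizes, entry point, BaseOfCode
    fmt, tail = ("<HBBIIIIIQ", (image_base,)) if pe32plus else ("<HBBIIIIIII", (0x2000, image_base))
    struct.pack_into(fmt, hdr, opt, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC, *common, *tail)
    struct.pack_into("<II16xII", hdr, opt + 32, 0x1000, file_align, 0x3000, file_align)  # alignments, SizeOfImage/Headers
    body = b""
    for i, (name, va, raw, chars) in enumerate(secs):
        struct.pack_into(SECTION_HDR, hdr, opt + opt_size + 40 * i, name, len(raw), va, len(raw),
                         file_align + len(body), 0, 0, 0, 0, chars)
        body += raw
    return bytes(hdr) + body
```

Two design points worth noting. First, every read is bounds-checked against the buffer before it happens: e_lfanew, SizeOfOptionalHeader, NumberOfSections and each section's PointerToRawData + SizeOfRawData are attacker-controlled in a malicious sample, and a parser that trusts them is the classic way a triage tool gets crashed. Second, is_valid_pe() answers only "does this have consistent PE headers"; it says nothing about whether the file is safe, and a packed sample will pass it while hiding its real imports and code, so unpack first if you need to reason about what the code does.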

0 votes
0 answers
39 views

Why mov empty block to register?

Why MOV a bunch of 00s to register? I have seen these empty blocks a lot of times being referenced this way.
by meemy
0 votes
0 answers
22 views

Dumping all import symbols from x64dbg

I want to export the symbol addresses from all loaded modules in x64dbg. I know I can do this DLL-by-DLL from the Symbols tab (click on one module > right click in table > Copy > Export Table)...
by thejoelpatrol
0 votes
2 answers
83 views

Does a Windows MSI/installer function similarly to a portable file in PE format?

I'm trying to determine whether a Windows MSI or installer .exe is considered the same as a portable file .exe in the Portable Executable (PE) format, or if it's considered a dropper. What are the ...
by 0xh3xa
2 votes
2 answers
105 views

Tracing all functions in executable conditionally, to find function of interest

I would like to alter the behavior of some executable (in my case, a videogame). One way of doing this is to hook function calls (e.g., a function like Player::ReceiveDamage) and adjust parameters/...
by tcpie
0 votes
0 answers
45 views

How do I force IDA to reload PE Header and/or segments?

Introduction I started analyzing an exe, added many comments, structs, byte patches, etc. After 2 months of working on this file I used CFF Explorer to add a new section at the end of it called "....
by Kyuuri
1 vote
1 answer
86 views

Ghidra not displaying member function call

On lines 67, 70 and 77 Ghidra makes a call to what I assume is a member function, but it does not show me which member function. Why is that? Example from line 70: (**(code **)(*(longlong *)metaStream ...
by Proton
0 votes
0 answers
40 views

How to embed PE files to another PE files

So what I want to do basically is what BDFproxy does on the go, I want to modify a file (on the disk) to embed another PE in it and have both working, it does not matter if they work concurrently or ...
by LuckyCoder3607
0 votes
0 answers
54 views

Executable Opcodes of Windows Image File Seem Offset from My Calculations

Background: I'm trying to manually disassemble a practice executable file for practice. https://github.com/stryker2k2/dbg-demo/blob/master/assem/assem_0x00.asm Issue: When I take a look at what I ...
by Liam Hanrahan
3 votes
2 answers
297 views

Inspect executable binary similarity

I've found a company in China selling a software that is clearly a copy of my own work. For context, this is actually a physical product that comes with an Ubuntu computer and the software pre-...
by AndroC
0 votes
1 answer
151 views

How to convert variable to struct member in IDA?

I'm working on a Windows program which is walking the PEB Ldr list. The related types are as follows: struct LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; // offset = 0, size = 0x10 ...
by H3d9
0 votes
0 answers
42 views

Exe self-modifies strings searched in debugger

I'm studying a Windows binary file and while searching for some string I noticed the EXE modifies the searched string, e.g., if I search "This is a string", it's modified to "his is a ...
by lopan
2 votes
2 answers
202 views

How can I extract *.c file hidden in an executable file (SkiFree)

I am a person interested in old games (MS-DOS and 16-bit Windows only) and programming. In 2020, I saw an article about hacking SkiFree somewhere on the internet and soon as I followed the ...
by Picaboo3
0 votes
0 answers
78 views

Pe file import binding

I'm learning a bit about PE files. The thing I've been struggling with a bit now is the First Thunk and Original First Thunk fields. To understand the difference between them I've read this post and that ...
by Daros911
1 vote
0 answers
155 views

Inject a MessageBox to the PE file

I'd like to patch some Windows PE file to show just a simple MessageBox. Taking into account that the PE in question doesn't import the MessageBoxA function, if I'm right, all I need to do is to add ...
by Daros911
0 votes
0 answers
40 views

How to change playing music behavior in a game from playing music through cd-player to playing music through mp3 files?

I have an old game from the 2000s, and as we know the old games were playing the background music through the CD which means the music files were tracks in the game CD instead of MP3 files as usual ...
by Lion King
0 votes
1 answer
113 views

Create exe that jumps directly into main()-function from C

I am using x64dbg to explore image files on Windows. After the computer finishes prowling ntdll.dll it jumps to OptionalHeader.AddressOfEntryPoint. But this is not my main()-function. What is this ...
by AirToTec
4 votes
1 answer
108 views

PE ImageBase presence in PDB

Is ImageBase of a PE binary present in its PDB or can it only be retrieved from the binary? I have studied both Microsoft's PDB sources and LLVM docs without much luck finding it. In the DBI stream ...
by mimak
4 votes
1 answer
108 views

Unexpected value present in IMAGE_THUNK_DATA array

I am attempting to understand the PE File Format and I have come across an unexpected value in the IMAGE_THUNK_DATA Array. Here are the file details: MD5: d82d3e003eb5c728d584e22ce7f36fbf File Name: ...
by smellyourbooks
2 votes
0 answers
85 views

The execution is not at AddressOfEntryPoint after patching .text section bytes

I have a shellcode and want to inject my shellcode into a PE file (a simple compiled c program that prints Hello World on the screen) . My shellcode size is 0x2a1 and the .text section of my PE file ...
by Hossein Ahmadi
1 vote
0 answers
24 views

How to find executable code in PE-file [duplicate]

Please help me find out how to locate the start and the end of executable code in a Windows PE file. Which addresses in the PE header can tell me where to locate what I'm looking for? Thanks!
by Denis Leonov
2 votes
0 answers
128 views

List of unsolved problems of reverse engineering

Decided to write out a list of still unsolved fundamental problems in the field of reverse engineering. This means that today - there is no easy solution to these problems, or problems that can only ...
2 votes
0 answers
157 views

statically placing hooks on PE file's IAT

Recently I started writing my own PE library for C++, and wanted to implement static IAT/EAT hooking (basically hooking by patching the file instead of hooking at runtime). I managed to successfully ...
by VEIL
2 votes
1 answer
153 views

What are latest research in reverse engineering?

I am searching for research papers related to reverse engineering between 2020 and 2022 but did not find good papers with the latest research in the direction of reverse engineering. So, what are the latest ...
by i_am_learning
2 votes
0 answers
58 views

How to obtain import name from disassembled assembly

I'm trying to create my own tools for reverse engineering PE. I have some assembly codes that I fetched from a clone of objdump for a program. Sometimes I see call instructions such as : callq *...
by onerom
1 vote
0 answers
20 views

How to use IDA pro to convert a batch of binary PE files into assembly code? [duplicate]

I have a batch of binary PE files, and I want to convert them into assembly code using IDA pro. Do you know IDA command/plugin to automatically convert all of them?
by 0xh3xa
1 vote
0 answers
40 views

Is it possible for different dynamic memory addresses to share the same offset value?

I am currently using cheat engine to hack a game. I used the pointer scanner to find some pointers to the pistol ammo memory location. I then went to look for pointers to the shotgun ammo memory ...
by Jason Crosby
0 votes
1 answer
698 views

PE FILE section read in C

I need to read a PE file. I need to search for a word in the PE file. The search is required to cover only the sections with the "executable" flag. And I need to specify the section where the word is found. How can I do ...
by sadMarry
0 votes
1 answer
213 views

What is the size of a security cookie in PE file?

I know that pointer to the security cookie in Load Configuration Directory is 4 bytes long for 32-bit exe and 8 bytes long for 64-bit one (source), but what is the size of the security cookie itself? ...
by BakedPotato16523
2 votes
0 answers
85 views

Where can I find these compilers given in the Rich Header of a system BIOS file?

I am working on a project which deals with the BIOS file of a well known manufacturer. I recovered the file from the disk partition which stores and uses the file in case BIOS is corrupted or its ...
by Viktor
1 vote
0 answers
65 views

Wrong access .data segment

Preface: I'm a PHP programmer; in my spare time I've been doing reverse engineering work. I've achieved good progress in the game analysis. But there was a big problem in my way. And now, more than ever, I need the ...
by Blezigen
1 vote
0 answers
114 views

In IDA is there a way to load the PE headers after the initial loading?

This question is loosely related to this one. So I know of manual loading and how to achieve loading the PE headers using it. But suppose I have already worked on an IDB for a while and realize that ...
by 0xC0000022L
1 vote
1 answer
269 views

Why is Visual Studio compiling my EXE file with an entry point that is not in the file?

So I am trying to open my test app EXE file in ollydbg to study the assembly, the stack, registers and all that stuff for educational purposes and it gives me this message saying that the entry point ...
by EmexNatera
1 vote
0 answers
225 views

What does the "Hint" entry in the PE import section mean?

In a CTF there was a rev PE challenge where it appeared in the disassembly as if the program was calling functions from ADVAPI32 but instead called some different code because the import table was ...
by Hellstormer
1 vote
0 answers
135 views

How to locate executable section

How do I locate the executable section in a PE file? Is there any typical way to locate the executable section in any PE file?
by Denis Leonov
0 votes
0 answers
272 views

How can i reconstruct a full PE from a memory injected PE that only has IAT + sections content?

I have an injected PE (kernel mode rootkit to be exact) that only has the IAT table, which basically only stores the addresses of some kernel functions in an array which is referenced inside its code, ...
by OneAndOnly
1 vote
2 answers
468 views

How do I find where in the code a particular Windows Resource is used?

I'm trying to reverse engineer a Windows program. Using PE Editor, I find that the string in question - which I'm interested in - has got id 2820. The string is in this format: "Some text, some ...
by bos
-1 votes
2 answers
977 views

Parse offset to PE struct

I'm trying to make my IDB prettier. I want to parse the offset to the PE structure. Here is an example: I want to parse (module + 60) to (module_base->e_lfanew), but when I change the type of module_base ...
by Brian MJ
0 votes
2 answers
849 views

What is the data on the start of .rdata segment?

I've been doing some reverse engineering lately trying to improve my skills and came across the following bytes on the start of .rdata segment. Filename: C:/cygwin64/bin/xkbcomp.exe Bytes: 70 D3 FD FF ...
by Neehack
0 votes
1 answer
2k views

How to check for a valid PE file?

How can I check if a file is a valid PE file? What programs I should use for such a check? Can I use PEiD or DiE tool to check it? Also, do I need to unpack the sample prior to checking?
by New Python learner
0 votes
2 answers
1k views

Why are certain functions from kernel32.dll always imported?

I've been noticing this for a while. Functions like IsDebuggerPresent and GetModuleHandle are always present in a binary's import directory structure. I assume it is the Windows dynamic linker, but ...
by unc4nny
2 votes
1 answer
1k views

Change manifest file using ResourceHacker CLI

I want to automate some manifest file changes (change the requestedExecutionLevel level to requireAdministrator from asInvoker), so I have to use the ResourceHacker CLI. I have managed to extract the resources ...
by ChillSheep
0 votes
1 answer
203 views

What does the word imagebase mean in the Lena151 RE tutorial?

In part 3 of Lena's RE tutorial, I see a word: imagebase. Can anyone tell me more about this and a better meaning of this word?
by Jason
1 vote
1 answer
820 views

Disassembly call function offset from RIP

I am writing a program where I map an .exe PE file in memory and I "dissect" it. I am disassembling the .text section of the target executable, using the distorm disassembler. CALL ...
by servo
0 votes
1 answer
152 views

Why a single "nop" crashed the game?

I hope answer to my question is not game/app specific and can be answered in communities like this. So, I tried to use some internal functions of a game, like pick a target. No malicious intentions, ...
by user224351
-1 votes
1 answer
175 views

PE Self Injection Not Working

I'm working on different PE Injection technique. I want to inject PE file into virtual memory of the current executable. After that, I want to execute the injected PE file, I wrote an injection code, ...
by Crazy Programmer
0 votes
2 answers
84 views

How do I use the text-like PE files?

I extracted a PE file from another PE file and I saved it. I want to execute it, but when I saved the file the computer sees it as a text file. Although my actual file starts with "4d 5a", the computer sees ...
by Just a human
0 votes
1 answer
104 views

Expanding .data section at particular area

I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to ...
by daedsidog
0 votes
1 answer
2k views

idb file and IDA

I've just received from a friend a *.idb file concerning the PE file I'd like to disassemble in IDA. What is the file, and how can I load/use it with the exe linked to it in IDA?
by Daros911
0 votes
0 answers
58 views

IDAPython NtCreateFile

Let's say I want to print the filenames on every call to NtCreateFile (with any exe loaded in IDA). The first problem is to get the ntdll!NtCreateFile address. I tried to do it like this ...
by A-off
0 votes
2 answers
719 views

Pe file code starting address

When I load an exe in IDA the assembled code always starts at address 00401000. Does it mean that in PE files the code always starts at that specific address?
by Daros911