
Questions tagged [pe]

A file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.

43 votes
3 answers
28k views

Unpacking binaries in a generic way

I find that more and more often binaries are being packed with exe protectors such as upx, aspack etc. I tried to follow a few tutorials on how to unpack them but the examples are often quite easy ...
Remko
  • 3,283
42 votes
8 answers
82k views

Is there any way to decompile a .NET assembly or program?

Are there any tools available to take an already compiled .dll or .exe file that you know was compiled from C# or Visual Basic and obtain the original source code from it?
APerson
  • 927
40 votes
5 answers
136k views

How do you reverse engineer an EXE "compiled" with PyInstaller

Having recently watched/read a presentation given by Dave Kennedy at DEF CON 20 [PDF], I'd like to know how to decompile a Python script compiled with PyInstaller. In his presentation, he is creating ...
Mick
  • 7,582
22 votes
4 answers
8k views

Check if exe is 64-bit

How to check if Windows executable is 64-bit reading only its binary. Without executing it and not using any tools like the SDK tool dumpbin.exe with the /headers option.
ST3
  • 849
20 votes
10 answers
8k views

Determining if a file is managed code or not

How can I quickly tell if an EXE or DLL I have is managed code or not? I spent some time recently trying to disassemble a file and then later learned through some traces in the code that I could have ...
Jannu
  • 373
19 votes
4 answers
15k views

Checking if an .exe is actually a .jar wrapped in an .exe

Let's say I have a .jar file and wrap it into a .exe using any number of free utilities out there, like JSmooth. Would it be possible to tell, given just the .exe, if it was generated using one such ...
APerson
  • 927
14 votes
2 answers
10k views

windows - Why is the imagebase default 0x400000?

Having stumbled upon this question (and answer): https://stackoverflow.com/questions/2170843/va-virtual-adress-rva-relative-virtual-address on my quest for understanding Windows' PE format, I'm ...
user4520
  • 595
14 votes
2 answers
609 views

Any way to represent the file-memory relation in a Portable Executable (PE) file?

I am looking for a way to automatically represent the relation between the content of a PE file and how it would be loaded in memory - either an IDA plugin, a combination of pefile script+R/SVG... ...
Ange
  • 6,694
11 votes
3 answers
4k views

Is there any way to get my own image base without calling any WinAPI functions, such as GetModuleHandle?

Is there any way to get the image base of an .exe without calling WinAPI functions (i.e. imported functions) so that it can't be easily viewed in a disassembler/debugger? I've been thinking of ...
Jason
  • 113
10 votes
2 answers
13k views

PE .rdata section contents

According to MSDN, the .rdata section of a PE should contain the debug directory and the description string. I've read elsewhere that it contains read-only program data. Dumping several files, I found ...
asdf
  • 103
10 votes
1 answer
16k views

How .reloc Section is used in PE file?

I have read document pecoff_v83 of Microsoft. In The .reloc section part, I have read: The Fix-Up Table contains entries for all fixups in the image. The Total Fix-Up Data Size in the Optional ...
QChí Nguyễn
9 votes
3 answers
10k views

How can one extract the appended data of a Portable Executable?

How do you reliably extract appended data in a Portable Executable?
Ange
  • 6,694
9 votes
1 answer
578 views

Loading Windows executable - unexpected data appended at beginning sections after loading in memory

A few days after asking the question, I realised I misinterpreted my original findings. It seems the .rdata section on file is copied directly to memory, but then the first 36 bytes are overwritten by the loader ...
ruby_object
8 votes
3 answers
2k views

Ripping/pasting code into an executable using Olly

I'm working with some x86 assembly code and I need to rip from one executable and paste that code into another. Originally, I had an executable that was meant to accept two command line parameters and ...
Fewmitz
  • 1,022
8 votes
1 answer
1k views

Can I set entry point at code in PE headers?

If I set something like 0x00000040 (my code is located at this address), then the program crashes with this error: The application was unable to start correctly (0xc000007b) But if I jmp from the ...
edhoklorf
