
Detecting whether the EXE is in PE format


binarycoder2k
May 1st, 2007, 01:28
I have a particular EXE which I want to reverse engineer.

1. How can I find out whether it is in the PE format ?
2. Also, how can I find out whether the EXE has anti-debugging protection and how to bypass them ?

esther
May 1st, 2007, 01:33
READ THE FAQ FAQ FAQ FAQ !!!!!!!!1

whyIII
May 1st, 2007, 02:34
There is a lot of stuff you can find with a search engine. Step by step, you will eventually answer your questions yourself.

binarycoder2k
May 1st, 2007, 04:11
Actually I had read the FAQ, but I was not sure that what I am referring to as "format" is technically called "packing" (even now I am not sure!).

Do you mean that PE IDENTIFIER will do the job?

Silkut
May 1st, 2007, 04:23
Yes, this tool could detect any packer signature inside an exe (if it knows this signature). You need to read some PE documentation, some links are in the FAQ, some links are in this forum.

blabberer
May 1st, 2007, 05:08
How can you find out whether it is PE format?

Read this several times, and then several more times, till you have it almost by heart:

http://win32assembly.online.fr/files/pe1.zip

Then download this
and read and experiment with this package several more times till your fingers turn numb and your eyes go bleary:

http://win32assembly.online.fr/files/pe-tuts.zip

And then open the exe in question with some hex editor,
look through it, and come back with some question about what you can't understand.

binarycoder2k
May 1st, 2007, 07:21
I downloaded PEiD v0.94 and scanned the EXE.
PEiD gave the result as "Nothing Found *".
I chose all 3 modes: Normal scan, Deep scan, Hardcore scan.
Now what am I supposed to do?

binarycoder2k
May 1st, 2007, 07:27
The first few bytes of the EXE are: 55,8B,EC,83.

autarky
May 1st, 2007, 09:33
Quote (originally posted by binarycoder2k):
The first few bytes of the EXE are: 55,8B,EC,83.


If those are the first four bytes of the file (and there is no MZ header), then it is either some corrupt executable or chunk of some executable code, or possibly an MS-DOS COM executable (though that would be unusual). That code is the initialisation of a stack frame for a function.

LLXX
May 2nd, 2007, 03:48
...and even the 83 isn't certain. 55 8b ec is though, standard stack frame setup.

fr33ke
May 2nd, 2007, 04:36
83 is probably the start of 83 EC ?? = SUB (E)SP, BYTE ??

blabberer
May 2nd, 2007, 05:10
83 is also part of the prologue.

Code:

00401000 > 55 PUSH EBP
00401001 8BEC MOV EBP, ESP
00401003 83EC 44 SUB ESP, 44
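A small checker for what autarky and blabberer describe above, as an added example that is not code from this thread: it looks for the MZ header and the "PE\0\0" signature at e_lfanew (the dword at offset 0x3C), and when there is no MZ header it reports whether the leading bytes are the 55 8B EC stack-frame prologue. The sample byte strings are constructed here, not taken from the original poster's file.

```python
import struct

def _fake_pe() -> bytes:
    """Construct the smallest byte string that passes the MZ + PE checks (sample data)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew: PE header starts at 0x40
    hdr += b"PE\0\0" + struct.pack("<H", 0x14C)  # signature + Machine = IMAGE_FILE_MACHINE_I386
    return bytes(hdr)

SAMPLE_PE = _fake_pe()
# Constructed: PUSH EBP / MOV EBP,ESP / SUB ESP,44 -- the prologue the thread discusses
SAMPLE_PROLOGUE = bytes.fromhex("558bec83ec44")

def classify(data: bytes) -> str:
    """Return 'pe', 'mz-only', 'code-fragment' or 'unknown' for the start of a file."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            # Bounds check: a bogus e_lfanew must not raise or read past the buffer
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-only"          # DOS MZ stub with no PE header: 16-bit EXE or truncated file
    if data[:3] == bytes.fromhex("558bec"):
        return "code-fragment"    # bare x86 frame setup, no MZ header: raw code, not a PE file
    return "unknown"

def pe_machine(data: bytes) -> int:
    """Machine field of the COFF header (only valid when classify() returned 'pe')."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    kind = classify(blob)
    print(kind, hex(pe_machine(blob)) if kind == "pe" else "")
```

The original poster's file, starting 55 8B EC 83 with no MZ header, would be reported as "code-fragment" by this check.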


LLXX
May 3rd, 2007, 02:03
A lot of compilers directly use ESP+xx to access stuff on the stack; use of EBP was a holdover from the old days of x86, when BP+xx was the only feasible addressing mode for it.

In addition to that, pushes and pops are also common even in compiler-generated code. For certain, compilers are getting better at code generation, though they are still far behind the efficiency of a good Asm programmer (brain).