How can I make a valid PE ?


The SharK
February 5th, 2002, 09:42
How can I make it a valid PE, so I can disassemble it.
I have been looking at some "solutions" on the
subject, but it didn't work.

ZaiRoN
February 5th, 2002, 10:43
try looking for the size of optional headers

bye,
ZaiRoN

The SharK
February 5th, 2002, 11:02
Quote:
Originally posted by ZaiRoN
try looking for the size of optional headers

bye,
ZaiRoN
I have been looking at/modifying them, but I still can't get
the file to disassemble.

I thought that I understood how the PE headers worked, but...
In one solution by Code Inside they wrote that you have to
REMOVE 0x40 bytes from the IMAGE FILE, but then there will
be a problem with the ALIGNMENT, so they wrote that you should
remove another 0x40 bytes to make it work, and it's HERE I GOT
STUCK...

DakienDX
February 5th, 2002, 12:24
Hello The SharK !

It is very simple. The ".code" section overlaps the ".rdata" section. ".code" has a virtual and physical size of 1000h, but after 0D00h the ".rdata" section starts already.

Try setting ".code" virtual and physical size to 0D00h.
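Added example, not from the thread or from any of the posters: a small Python checker for the two things ZaiRoN and DakienDX point at, SizeOfOptionalHeader (the field that decides where the section table is read from) and the section table itself, reporting any section whose VirtualSize or SizeOfRawData runs into the next section. It builds its own two-section PE32 image in memory (a constructed sample, not the crackme), with .code at 0x200 and .rdata at 0xF00, so the correct .code size comes out as 0xD00 as in DakienDX's fix; with e_lfanew = 0x80, as assumed here, SizeOfOptionalHeader sits at file offset 0x94, the offset patched later in this thread, but whether the crackme uses that same e_lfanew is an assumption. fix_section_overlaps applies the same shrink-to-the-next-section repair to a copy of the bytes.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
# Optional header sizes a loader normally expects for PE32 / PE32+ (16 data directories)
OPT_SIZE_FOR_MAGIC = {0x10B: 0xE0, 0x20B: 0xF0}


def build_sample_pe(code_vsize, code_rsize, size_of_opt=0xE0):
    """Constructed two-section PE32 image (not a real program, not the crackme):
    .code at 0x200, .rdata at 0xF00, so a correctly sized .code is 0xD00 bytes.
    size_of_opt is what gets written into SizeOfOptionalHeader; the optional
    header itself is always 0xE0 bytes, so a wrong value misplaces the table."""
    e_lfanew = 0x80
    buf = bytearray(0x1000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 2, 0, 0, 0, size_of_opt, 0x010F)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)          # Magic: PE32
    struct.pack_into("<I", buf, opt + 16, 0x200)     # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", buf, opt + 32, 0x100)     # SectionAlignment
    struct.pack_into("<I", buf, opt + 36, 0x100)     # FileAlignment
    struct.pack_into("<I", buf, opt + 56, 0x1000)    # SizeOfImage
    struct.pack_into("<I", buf, opt + 60, 0x200)     # SizeOfHeaders
    struct.pack_into("<I", buf, opt + 92, 16)        # NumberOfRvaAndSizes
    table = opt + 0xE0
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b".code", code_vsize, 0x200, code_rsize, 0x200, 0x60000020),
        (b".rdata", 0x100, 0xF00, 0x100, 0xF00, 0x40000040),
    ]
    for i, (name, vsize, va, rsize, raw, flags) in enumerate(sections):
        struct.pack_into(SECTION_FMT, buf, table + i * SECTION_SIZE,
                         name, vsize, va, rsize, raw, 0, 0, 0, 0, flags)
    return bytes(buf)


def parse_pe(data):
    """Read just the header fields the checks need; raises ValueError on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    file_align = struct.unpack_from("<I", data, opt + 36)[0]
    table = opt + size_of_opt          # this is where SizeOfOptionalHeader matters
    sections = []
    if table + num_sections * SECTION_SIZE <= len(data):
        for i in range(num_sections):
            off = table + i * SECTION_SIZE
            f = struct.unpack_from(SECTION_FMT, data, off)
            sections.append({"offset": off, "name": f[0].rstrip(b"\0"),
                             "vsize": f[1], "va": f[2], "rsize": f[3], "raw": f[4]})
    return {"e_lfanew": e_lfanew, "size_of_opt": size_of_opt, "magic": magic,
            "file_align": file_align, "table": table,
            "num_sections": num_sections, "sections": sections}


def check_pe(data):
    """Return a list of findings; an empty list means the section layout is consistent."""
    pe = parse_pe(data)
    findings = []
    expected = OPT_SIZE_FOR_MAGIC.get(pe["magic"])
    if expected is None:
        findings.append(f"unknown optional header magic {pe['magic']:#x}")
    elif pe["size_of_opt"] != expected:
        findings.append(f"SizeOfOptionalHeader at file offset {pe['e_lfanew'] + 20:#x} is "
                        f"{pe['size_of_opt']:#x}; magic {pe['magic']:#x} implies {expected:#x}, "
                        f"so the section table would be read from the wrong offset")
    if pe["table"] + pe["num_sections"] * SECTION_SIZE > len(data):
        findings.append(f"section table at {pe['table']:#x} lies beyond end of file ({len(data):#x})")
        return findings
    ss = pe["sections"]
    for s in ss:
        if pe["file_align"] and s["raw"] % pe["file_align"]:
            findings.append(f"{s['name']!r}: PointerToRawData {s['raw']:#x} is not FileAlignment-aligned")
    for a, b in zip(ss, ss[1:]):   # each section must end where the next one begins, or earlier
        if a["va"] + a["vsize"] > b["va"]:
            findings.append(f"{a['name']!r}: virtual range ends at {a['va'] + a['vsize']:#x} but "
                            f"{b['name']!r} starts at RVA {b['va']:#x} (overlap)")
        if a["raw"] + a["rsize"] > b["raw"]:
            findings.append(f"{a['name']!r}: raw range ends at {a['raw'] + a['rsize']:#x} but "
                            f"{b['name']!r} starts at file offset {b['raw']:#x} (overlap)")
    return findings


def fix_section_overlaps(data):
    """Shrink each overlapping section so it ends where the next one starts; returns a patched copy."""
    buf = bytearray(data)
    pe = parse_pe(buf)
    for a, b in zip(pe["sections"], pe["sections"][1:]):
        if a["va"] + a["vsize"] > b["va"]:
            struct.pack_into("<I", buf, a["offset"] + 8, b["va"] - a["va"])     # VirtualSize
        if a["raw"] + a["rsize"] > b["raw"]:
            struct.pack_into("<I", buf, a["offset"] + 16, b["raw"] - a["raw"])  # SizeOfRawData
    return bytes(buf)


if __name__ == "__main__":
    broken = build_sample_pe(0x1000, 0x1000)      # .code claims 0x1000 bytes, .rdata starts 0xD00 in
    for finding in check_pe(broken):
        print(" -", finding)
    print("after fix:", check_pe(fix_section_overlaps(broken)) or "no findings")
```

To run it against a real file, pass `open(path, "rb").read()` to check_pe; the overlap rule assumes sections are listed in ascending address order, which is what the PE loader expects anyway.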

CoDe_InSiDe
February 5th, 2002, 14:39
Hi The SharK,

Try to look a little closer at the suggestion ZaiRoN gave you (You already did, but apparently not good enough )

Cya...

CoDe_InSiDe

blackos
February 5th, 2002, 17:44
Hi The Shark ...

Maybe you could use a pretty cool tool called 'LordPE' from Y0da and use the "rebuild PE" option?

bye.

blak.

The SharK
February 5th, 2002, 18:49
Quote:
Originally posted by CoDe_InSiDe
Hi The SharK,

Try to look a little closer at the suggestion ZaiRoN gave you (You already did, but apparently not good enough )

Cya...

CoDe_InSiDe

Hello CoDe_InSiDe !!!

I feel really lame about the PE Header, which I obviously can't
get to disassemble ???
I have used PROCDUMP to look through the sections, and I have
modified them for several days now, without any luck......
I really feel like a lamer.........newbie......???
Can it really be THAT difficult? You say no, but....

CoDe_InSiDe
February 6th, 2002, 06:59
Hi The SharK,

Here, read the attached solution (Or have you already read this one? )

Cya...

CoDe_InSiDe

The SharK
February 6th, 2002, 08:30
Quote:
Originally posted by CoDe_InSiDe
Hi The SharK,

Here, read the attached solution (Or have you already read this one? )

Cya...

CoDe_InSiDe
I have read it:
1) I go to offset 0x94 and change 0x2001 to 0xE0
2) I go to offset 0x160 and REMOVE 0x40 bytes.
3) I "try to" correct the FILEALIGNMENT, so I place the cursor AFTER THE SECTION HEADERS, I think it's offset 0x1F0 - but I'm not sure.... so here I get stuck...

CoDe_InSiDe
February 6th, 2002, 14:42
Hi The SharK,

Well, it seems you did it correctly, you removed those 40h bytes, but have you also placed those 40h bytes back after the Section Table? (I think you mean that with FILEALIGNMENT hehe )
If you haven't done that then that's your problem
IF you placed those bytes back after the Section Table then the CrackMe can be disassembled (Btw the CrackMe is a little Encrypted so maybe better unpack first? )

Cya...

CoDe_InSiDe

vr62001
February 9th, 2002, 23:58
I looked over the crackme, and it is written wrong I believe. The crackme states that you should remove 64 bytes before the section headers, then remove 64 bytes after it too. I believe what he was trying to say was, remove the 64 bytes before it, and then add those 64 bytes after it.

I got it to disassemble just fine, but the program still says it's not a valid win32 exe. The part where it all fell apart for me was when it asked me to run serializer.exe and procdump. Since serializer could not run correctly, procdump wouldn't see it.

Later on it asked me to look at the 16h code at FF0, and it was there. However, the following line was not to be found:

:00401062 EB8C jmp 00400FF0

I don't know if I did something wrong, or the crack is written wrong again. Nonetheless, I'd be glad to see my err if someone could point it out. Thanks

vr62001

CoDe_InSiDe
February 10th, 2002, 09:03
Hi vr62001,

"I looked over the crackme, and it is written wrong I believe. The crackme states that you should remove 64 bytes before the section headers, then remove 64 bytes after it too. I believe what he was trying to say was, remove the 64 bytes before it, and then add those 64 bytes after it."

You mean the Tutorial? And yes indeed, you're right, hehe, I never noticed that

"I got it to disassemble just fine, but the program still says it's not a valid win32 exe."

On what OS did you try to run the file?
Most of my CrackMes only run on Win98SE

Cya...

CoDe_InSiDe

The SharK
February 14th, 2002, 16:51
Thanks all for your replies, it sure helps a lot to have you guys
around !