I think this is somewhat related to unpacking so I post here.

I would like to remove code from dumped exe, which after unwraping is no longer needed (armadillo junk).
Now, I don't know what to do to change all references to data which is AFTER this sections. I can remove .text1, .data1, .pdata which I suspect are armadillos sections. Unfortunetly the last is followed by .rsrc and of course I would like to keep it .

Are there any tools to find all references to this section and substract given value or something?

a quick work around for this that doesn't require any knowledge about the rsrc would be to add the virtual size of the section u wish to remove to the section right before. Strip this section & modify raw offsets of the sections that follow the stripped one..

I might be missing a couple details.. but that should give u a general idea.

Thanks, it will do.

However it still takes memory space.
Further improving of this exe would be nice but that's better than nothing

hxxp://www.reversing.net.ru/tools/062002/resrebld.zip
Mmm, resources rebuilder by me =)
can move resources to new rva, no english doc, sorry
use: resrebld.exe my_dump.exe new_res.bin -a:0x2000 -r:0xA000
-a:0x2000 - align output data to 0x2000 bytes, just for easy paste to dump
-r:0xA000 - recalc all rva in resource section to 0xA000 (new .rsrc section rva)
and you get new_res.bin with coagulated resources section prepaired for attaching to dump as new section with rva==a000h

Thanks, now it's fully optimised Uses 1.5MB less of virtual memory on startup

With each year that passes, my brain seems to use 1.5 mb less virtual memory on startup. Only now I can't remember why that happens. What were we talking about?


Regards,