.rsrc
volodya
June 15th, 2003, 22:12
Hello.
Now I have a small question. Can anyone briefly explain to me how come ALL packers are afraid to touch the .rsrc section? What is so special about it? As far as I know only some of them actually take icons or some other shit into their own sections. So what stops them from taking EVERYTHING from the .rsrc section elsewhere or changing the name of the section?
Thanks in advance.
mark_E
June 16th, 2003, 01:07
There's nothing special about the resource section!
As far as I know most packers PACK the resource section. There are packers which merge sections, rename sections, leave unnamed sections etc. etc. etc., and you can do this too with a hex editor as long as you fix the header to suit.
The packers take the icon and version info, or whatever they want, into their own sections solely so that this data is available (i.e. uncompressed) to the O/S, i.e. a squashed icon looks like crap in Explorer.
At the end of the day it's only unsquashing squashed data.
. . . but don't quote me!
mark_E
volodya
June 16th, 2003, 08:31
Thank you. Now I will try to dig it a little bit by myself.
Nebob
June 16th, 2003, 13:06
The reason you never see .rsrc renamed is because a MS programmer once used a string compare to identify the section when loading a PE, meaning an executable with a renamed .rsrc would not load!
I think this has been fixed since, but the convention remains for the sake of backwards compatibility.
volodya
June 16th, 2003, 13:51
Well, I renamed the section and explorer.exe was still able to show everything correctly.
But thanks for the nice answer.

Aster!x
June 16th, 2003, 16:10
Nebob wrote:
    The reason you never see .rsrc renamed is because a MS programmer once used a string compare to identify the section when loading a PE, meaning an executable with a renamed .rsrc would not load!
    I think this has been fixed since, but the convention remains for the sake of backwards compatibility.
Very incorrect statement.
You need to look at the format of PE files.

cyberheg
June 17th, 2003, 06:31
It's true.
I had an exe file not so long ago which had this problem. If I remember correctly I tracked the problem down to an ole32 dll file from the standard Win 2k distribution. So while it might be fixed I don't trust it enough. The problem was that a set of typelibs refused to load when the section was renamed, hence making the program act weird.
// CyberHeg
bart
June 17th, 2003, 08:08
oleaut32.dll from Win9x
Code:
7FE91E08 lea eax, [ebp+lpNextSection]
7FE91E0B push 40 ; uBytes
7FE91E0D push eax ; lpBuffer
7FE91E0E push [ebp+hFile] ; hFile
7FE91E11 call edi ; _lread
7FE91E13 inc eax
7FE91E14 neg eax
7FE91E16 sbb eax, eax
7FE91E18 and eax, ebx
7FE91E1A add eax, esi
7FE91E1C js short loc_7FE91E99
7FE91E1E lea eax, [ebp+lpNextSection]
7FE91E21 push offset a_rsrc ; '.rsrc',0
7FE91E26 push eax ; lpString1
7FE91E27 call ds:lstrcmpiA
7FE91E2D test eax, eax
7FE91E2F jnz short process_next_section
It's called from oleaut's LoadTypeLibEx().
volodya
June 17th, 2003, 14:13
Thank you, man. Excellent answer.
But for now I guess it is not supported any more. Am I right?
Well, let me check it in Win2k. OK, here we go:
Code:
.text:77A078C9 lea eax, [ebp+String1]
.text:77A078CC push offset a_rsrc ; lpString2
.text:77A078D1 push eax ; lpString1
.text:77A078D2 call ds:lstrcmpiA
.text:77A078D8 test eax, eax
.text:77A078DA jz short loc_77A078F3
The situation is the same!!! It means that if I'm going to write a packer and if I really worry about compatibility, I shouldn't touch it! Correct?
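The two disassembly listings above show oleaut32 walking the section table and doing a case-insensitive string compare against ".rsrc", while Aster!x's point is that the PE format itself locates resources through the optional header's data directory, not through a section name. The following Python script is an added example, not code from the thread or from any Microsoft component: it parses the PE headers of a constructed minimal PE32 image and reports which section a name-matching loader would find versus which section the resource data directory actually points into. The section names, RVAs and file offsets in `build_test_pe` are invented test values; the header layout and the `IMAGE_DIRECTORY_ENTRY_RESOURCE` index are the documented PE format.

```python
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2   # index of the resource entry in the data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_test_pe(resource_section_name: bytes) -> bytes:
    """Constructed minimal PE32 header set (test data, not a real executable).

    Two sections: .text and a resource section whose name is taken from the
    argument. The resource data directory always points at RVA 0x2000,
    regardless of what the section holding it is called.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)                 # IMAGE_DOS_HEADER, 64 bytes
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, 0x2000, 0x200)

    def section(name: bytes, va: int, raw_ptr: int) -> bytes:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumbers (unused), Characteristics
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, va,
                           0x200, raw_ptr, 0, 0, 0, 0, 0x40000040)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", 0x1000, 0x400)
            + section(resource_section_name, 0x2000, 0x600))


def parse_pe_headers(data: bytes) -> dict:
    """Read the section table and the resource data directory entry from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_base = opt + (96 if magic == PE32_MAGIC else 112)  # start of the data directory
    num_dirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    resource_dir = (0, 0)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_RESOURCE:
        resource_dir = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    sections = []
    sec_base = opt + size_of_opt
    for i in range(num_sections):
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_base + 40 * i)
        # Section names are 8 bytes and only NUL-padded, not NUL-terminated when 8 chars long.
        sections.append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": max(vsize, raw_size),
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"resource_dir": resource_dir, "sections": sections}


def section_named(headers: dict, name: str):
    """What the disassembled oleaut32 code does: match the section by name,
    case-insensitively like lstrcmpiA. Breaks as soon as the section is renamed."""
    for s in headers["sections"]:
        if s["name"].lower() == name.lower():
            return s
    return None


def section_containing_rva(headers: dict, rva: int):
    """What the PE format actually defines: find the section whose virtual range
    covers the RVA stored in the data directory, whatever that section is called."""
    for s in headers["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def resource_section_checks(data: bytes) -> dict:
    """Report where each lookup strategy lands, so a renamed resource section is visible."""
    headers = parse_pe_headers(data)
    by_name = section_named(headers, ".rsrc")
    rva, size = headers["resource_dir"]
    by_dir = section_containing_rva(headers, rva) if size else None
    return {"by_name": by_name["name"] if by_name else None,
            "by_directory": by_dir["name"] if by_dir else None}


if __name__ == "__main__":
    for name in (b".rsrc", b".packed1"):   # ".packed1" is an invented renamed section
        print(name.decode(), resource_section_checks(build_test_pe(name)))
```

Run against the two constructed images, the standard one reports `.rsrc` for both strategies, while the renamed one reports `None` for the name compare and `.packed1` for the data directory lookup, which is exactly the gap the thread is about: a loader that strings-compares section names fails on the renamed image even though the resource directory is perfectly well-formed. To check a real file, pass `open(path, "rb").read()` to `resource_section_checks`; a `by_name` of `None` with a non-`None` `by_directory` flags a binary that older name-matching code such as the `LoadTypeLibEx` path shown above would reject.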
evaluator
July 31st, 2003, 21:03
While disassembling M$ DLLs so hard,
why don't you try a quick DIRECT test?
Make a copy of some EXE, rename .rsrc
and see what happens.
I just tested 2 EXEs under W98SE,
all work OK.
Later I will reboot to XP.. I'm lazy