Hi, I noticed that some exe files contain some stuff right after the dos-stub, it appears to be some DWORDs which slightly differs from each other, terminated by the text 'Rich' right before the last DWORD.

if you don't know what i mean, check for example the calc.exe from winxp. on raw offset 0x80 this stuff starts, and ends at 0xd8. many exefiles do have it, but i wasn't able to see some logical pattern in it.

does someone knows what this stuff is?

thanks in advance.

http://www.woodmann.net/forum/showthread.php?t=5398

http://www.woodmann.net/forum/showthread.php?t=4499

Sadly, the interesting info was deleted from that thread in the other forum. If someone has a copy of it, you are very welcome to post it here anyway.

well, thanks so far. weird stuff anyway, those "disappeared" posts which contained "the truth"

does someone else remember what was written in those posts?

thanks.

Yeah, it was concluded that it was "encrypted" information about several different versions of the compiler, linker and other stuff like that (they also analyzed how to decrypt it). All that data can be safely removed from the exe anyway, and probably should be too, if you want a more "untraceable" executable.

well, i reversed the stuff. is someone still interested, i can write a little article with my results.

Sure, that would be very nice, please post it here.

here we go! feel free to place it on your favourite places on the net, maybe you can make some other people happy with it

Cool, thanks!

>... You can write a very simple tool that will
>zero out the rich structure given an exe file, or patch your linker so that it
>won't get written at all...
>

Link from "other forum" regarding a subj (possible broken link warning!):

_http://board.win32asmcommunity.net/showthread.php?threadid=14699

Linker patch also discussed there.
Neviens.

That's the thread I was referring to above, in which the info was deleted. You can even see that I have posted myself in that thread, asking where the info went. Can you still find any reference to any detailed info about this in that thread? (not that we really need it anymore, now that we have lifewire's nice essay, but anyway )

lifewire, regarding the 0x536e6144 constant, its ASCII equivalent is: ^naD, or if we were to interpret it byte-by-byte in little-endian: Dan^

i would guess as MZ is related to Mark Zbikowski, Dan^ is related to some guy at MS named Dan

nice

Now I got curious... Dan Ruder, Mechanics of Dynamic Linking, Microsoft, MSDN Library 1993, as referenced by patent 6253258 filed by Symantec for "Subclassing system for computer that operates with portable-executable (PE) modules".

Wow, I'm bored

hahaha, yeah, i guess that must be THE Dan