question about some stuff in exe header
wired
May 17th, 2004, 13:03
Hi, I noticed that some exe files contain some stuff right after the DOS stub. It appears to be some DWORDs which differ slightly from each other, terminated by the text 'Rich' right before the last DWORD.
If you don't know what I mean, check for example the calc.exe from WinXP. At raw offset 0x80 this stuff starts, and it ends at 0xd8. Many exe files do have it, but I wasn't able to see any logical pattern in it.
Does someone know what this stuff is?
thanks in advance.
dELTA
May 17th, 2004, 13:18
http://www.woodmann.net/forum/showthread.php?t=5398
http://www.woodmann.net/forum/showthread.php?t=4499
Sadly, the interesting info was deleted from that thread in the other forum.

If someone has a copy of it, you are very welcome to post it here anyway.
wired
May 17th, 2004, 16:26
Well, thanks so far. Weird stuff anyway, those "disappeared" posts which contained "the truth".
Does someone else remember what was written in those posts?
thanks.
dELTA
May 17th, 2004, 18:09
Yeah, it was concluded that it was "encrypted" information about several different versions of the compiler, linker and other stuff like that (they also analyzed how to decrypt it). All that data can be safely removed from the exe anyway, and probably should be too, if you want a more "untraceable" executable.
lifewire
July 16th, 2004, 08:44
Well, I reversed the stuff. If someone is still interested, I can write a little article with my results.
dELTA
July 16th, 2004, 09:03
Sure, that would be very nice, please post it here.
lifewire
July 18th, 2004, 06:21
Here we go! Feel free to place it on your favourite places on the net; maybe you can make some other people happy with it.
dELTA
July 18th, 2004, 07:10
Cool, thanks!
neviens
July 18th, 2004, 11:05
>... You can write a very simple tool that will
>zero out the rich structure given an exe file, or patch your linker so that it
>won't get written at all...
>
Link from "other forum" regarding a subj (possible broken link warning!):
_http://board.win32asmcommunity.net/showthread.php?threadid=14699
Linker patch also discussed there.
Neviens.
dELTA
July 18th, 2004, 13:55
That's the thread I was referring to above, in which the info was deleted. You can even see that I have posted myself in that thread, asking where the info went. Can you still find any reference to any detailed info about this in that thread? (Not that we really need it anymore, now that we have lifewire's nice essay, but anyway.)
disavowed
July 26th, 2004, 22:26
lifewire, regarding the 0x536e6144 constant, its ASCII equivalent is: ^naD, or if we were to interpret it byte-by-byte in little-endian: Dan^
I would guess that as MZ is related to Mark Zbikowski, Dan^ is related to some guy at MS named Dan.
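The structure dELTA describes above (key-masked records about the compiler and linker that can safely be zeroed out) and the 0x536e6144 constant disavowed mentions belong to the same block, now commonly called the Rich header, whose layout is well documented: the little-endian bytes of 0x536e6144 spell "DanS", and that marker is XORed with a 32-bit key, followed by three key-XORed zero DWORDs, then pairs of (product id/build number, use count) DWORDs each XORed with the key, closed by the plaintext "Rich" and the key itself. The key doubles as a checksum over the DOS header (with the e_lfanew field treated as zero) and the entries, which is how a forensic tool can tell a genuine block from a tampered one. The following Python is an added example, not lifewire's article or any code posted in this thread: it builds a constructed PE-like byte string carrying such a block, decodes and checksum-verifies it, and zeroes it out the way the tool quoted later in the thread would. The product ids and build numbers in the sample are made-up values.

```python
import struct

RICH_MAGIC = 0x68636952  # little-endian bytes "Rich", stored in the clear
DANS_MAGIC = 0x536E6144  # little-endian bytes "DanS", stored XORed with the key


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 31
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def find_rich_header(data):
    """Return (start, end, key) for the Rich block, or None if absent.

    The block lives between the DOS header and the PE header: "Rich"
    followed by the key marks the end, and the key-masked "DanS" marker
    further back marks the start."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return None
    for off in range(e_lfanew - 8, 0x40, -4):
        if struct.unpack_from("<I", data, off)[0] != RICH_MAGIC:
            continue
        key = struct.unpack_from("<I", data, off + 4)[0]
        start = off - 4
        while start >= 0x40:
            if struct.unpack_from("<I", data, start)[0] ^ key == DANS_MAGIC:
                return start, off + 8, key
            start -= 4
        return None
    return None


def rich_checksum(data, start, entries):
    """Recompute the key: start offset + rotated DOS-header bytes + rotated entries."""
    total = start
    for i in range(start):
        if 0x3C <= i < 0x40:  # e_lfanew is excluded from the checksum
            continue
        total = (total + rol32(data[i], i)) & 0xFFFFFFFF
    for product_id, build, count in entries:
        total = (total + rol32((product_id << 16) | build, count)) & 0xFFFFFFFF
    return total


def parse_rich_header(data):
    """Decode the block into (product_id, build, count) tuples and verify the key."""
    loc = find_rich_header(data)
    if loc is None:
        return None
    start, end, key = loc
    entries = []
    pos = start + 16  # skip DanS and the three padding DWORDs
    while pos < end - 8:  # stop at the "Rich" marker
        comp_id, count = struct.unpack_from("<II", data, pos)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
        pos += 8
    return {"offset": start, "end": end, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(data, start, entries) == key}


def strip_rich_header(data):
    """Return a copy with the whole block (DanS ... Rich, key) zeroed out."""
    loc = find_rich_header(data)
    if loc is None:
        return bytes(data)
    start, end, _ = loc
    out = bytearray(data)
    out[start:end] = bytes(end - start)
    return bytes(out)


def build_sample(entries):
    """Constructed test input: a minimal 0x80-byte DOS header, a Rich block
    built from the given (product_id, build, count) tuples, then "PE\\0\\0"."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    rich_size = (4 + 2 * len(entries) + 2) * 4
    struct.pack_into("<I", dos, 0x3C, 0x80 + rich_size)
    key = rich_checksum(dos, 0x80, entries)
    rich = struct.pack("<IIII", DANS_MAGIC ^ key, key, key, key)
    for product_id, build, count in entries:
        rich += struct.pack("<II", ((product_id << 16) | build) ^ key, count ^ key)
    rich += struct.pack("<II", RICH_MAGIC, key)
    return bytes(dos) + rich + b"PE\0\0"


if __name__ == "__main__":
    # made-up product ids / builds, labelled as constructed sample values
    sample = build_sample([(0x5D, 8168, 3), (0x5E, 8168, 1)])
    info = parse_rich_header(sample)
    print("Rich block at 0x%x-0x%x, key 0x%08x, checksum ok: %s"
          % (info["offset"], info["end"], info["key"], info["checksum_ok"]))
    for product_id, build, count in info["entries"]:
        print("  product 0x%04x build %5d used %d times" % (product_id, build, count))
    print("after strip:", parse_rich_header(strip_rich_header(sample)))
```

Run it against a real file by replacing `sample` with `open(path, "rb").read()`; a block whose recomputed checksum does not match the stored key has been edited after linking, which is worth flagging in an incident write-up since attribution based on the compiler records is then unreliable. Zeroing with `strip_rich_header` leaves the DOS header and everything from the PE signature onward untouched.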
lifewire
July 27th, 2004, 05:57
nice
Silver
July 27th, 2004, 13:01
Now I got curious... Dan Ruder, Mechanics of Dynamic Linking, Microsoft, MSDN Library 1993, as referenced by patent 6253258 filed by Symantec for "Subclassing system for computer that operates with portable-executable (PE) modules".
Wow, I'm bored.
lifewire
July 27th, 2004, 13:36
Hahaha, yeah, I guess that must be THE Dan.