Collaborative RCE Tool Library - PE Executable Editors (including sub-categories)

Tool Updated: CodeDoctor

Thu, 12 Nov 2009 16:24:49 GMT

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: CFF Explorer

Tue, 10 Nov 2009 18:26:13 GMT

Listed in categories: .NET Executable Editors, PE Executable Editors

Most recent version:
7.4.0.1

Most recent release date:
November 10, 2009

Description:
The CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

Also, it's the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata's fields and flags. If you're programming something that has to do with .NET metadata, you will need this tool. The resource viewer supports .NET image formats like icons, bitmaps, pngs. You'll be able to analyze .NET files without having to install the .NET framework, this tool has its own functions to access the .NET format.

Also includes a cool new scripting engine!

Tool Updated: Radare

Wed, 04 Nov 2009 09:18:47 GMT

Listed in categories: .NET Disassemblers, Assemblers, Binary Diff Tools, Code Injection Tools, Debuggers, Disassemblers, Hex Editors, Java Disassembler Libraries, Linux Debuggers, Linux Disassemblers, Linux Tools, Memory Dumpers, Memory Patchers, Process Dumpers, Reverse Engineering Frameworks, Ring 3 Debuggers, String Finders, Symbol Retrievers, SysCall Monitoring Tools, Tracers

Most recent version:
1.4.1

Most recent release date:
November 3, 2009

Description:
<nowiki>The radare project aims to provide a complete unix-like toolchain for working with binary files. It currently provides a set of tools to work with x86, arm and java with some ones powerpc.

The core is a raw hexadecimal editor for commandline with scripting features and perl/python extensions that gets extended with IO plugins that hooks the open/read/write/close/system calls.

The debugger and disassembler has a code analysis module for x86, mips, arm and java. This way it's possible to draw graphs using Cairo on a GTK window or store the flow execution of a program on a log file and use the information to diff't against another trace or binary.

The toolchain provides assemblers and disasemblers for x86, arm, mips (Loongson2F), sparc, CSR, m68k, powerpc, msil and java.

The disassembler has been enhaced to handle inline comments, code block detections and flag references (data pointers or so).

The debugger is mainly developed on linux and {Net

Tool Updated: LordPE

Wed, 30 Sep 2009 14:24:12 GMT

Listed in categories: Dump Fixers, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers

Most recent version:
1.41 (Deluxe b)

Most recent release date:
September 30, 2009

Description:
LordPE is a tool e.g. for system programmers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit,...

Main features:

* Task viewer/dumper
* Huge PE editor (with big ImportTable viewer, ...)
* Break'n'Enter (break at the EntryPoint of dll or exe files)
* PE Rebuilder

News:

* The first GUI PE editor in the world supporting the new PE32+ (64bit) format ?! (only editing support - no rebuilding, dumping, comparing etc.)
* New plugin interface added! You can develop LordPE Dump Engines (LDE) now.
Look at \Docs\LDE.tXt for more information.
* Added LDE: IntelliDump which can dump .NET CLR processes
* Added structure lister for SectionHeaderTable, PE headers and DataDirectories (the "L" buttons)
* Added hex edit buttons (the "H" buttons) in the DataDirectoryTable viewer
* Added PE.OptionalHeader.Magic and PE.OptionalHeader.NumberOfRvaAndSizes to the PE editor
* TLSTable DataDirectory is now editable
* Possibility to increment/decrement the number of DataDirectories added
* Etc etc etc...

Tool Updated: ReloX

Sun, 23 Aug 2009 21:48:22 GMT

Listed in categories: Relocation Tools

Most recent version:
1.0

Most recent release date:
August 23, 2009

Description:
The only relocation tool worth its bytes. Perfect for that 'final step' in unpacking those pesky dynamic link libraries.

{ from included readme.txt }

ReloX v1.0 * by MackT/uCF2000 in 2003

Disclaimer:
-----------
This program may crash, or in a worse case it may even reboot your computer, so please use it with caution. (Do not run it 3 hours into an unsaved coding session for example)

I am *NOT* responsible for any damage caused by the use of it.

Purpose:
--------
ReloX is a Win32 relocations rebuilder. It will create a .reloc section from different
based images.

What does it need?
------------------
- At least 2 different based images of a module. The more you have images, the more
your relocations will be reliable.

How does it work?
-----------------
1) - Select the first based image with the "..." button on the "Original" line.

The imagebase will be put automatically. If it is not right, modify it.

2) - Select the second based image with the "..." button on the "Compare to" line.

The imagebase will be put automatically. If it is not right, modify it.

3) - Click on "Select Sections" to select all sections which contain code for
comparison (default is all).

4) - Click on "Compare" to start comparison between the modules.

The result will be in the list control.

5) - If you have other based images, redo the same thing from 2) for all of them

6) - Click on "Fix PE Module" to select a pe file and fix with the new ".reloc" section.

(no backup needed just like ImpREC(tm))

Limitations
-----------
- It will only support 32 bits relocations of type (3).
(IMAGE_REL_BASED_HIGHLOW : The fixup applies the delta to the 32-bit field at Offset)

Thanks to
---------
Muffin and Snacker for testing.

Greetings to
------------
Michelle Branch, Jackie Chan and Jet Li.

Tool Updated: Explorer Suite

Wed, 19 Aug 2009 15:45:19 GMT

Listed in categories: .NET Executable Editors, .NET Resource Editors, .NET Signature Removers, .NET Tools, Dependency Analyzer Tools, Exe Analyzers, Executable CRC Calculators, Hex Editors, Import Editors, Memory Dumpers, PE Executable Editors, Process Dumpers, Protection Identifiers, Resource Editors

Most recent version:
III

Most recent release date:
August 19, 2009

Description:
A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

Features:

* Process Viewer
* Windows Viewer
* PE and Memory Dumper
* Full support for PE32/64
* Special fields description and modification (.NET supported)
* PE Utilities
* PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
* View and modification of .NET internal structures
* Resource Editor (full support for Windows Vista icons)
* Support in the Resource Editor for .NET resources (dumpable as well)
* Hex Editor
* Import Adder
* PE integrity checks
* Extension support
* Visual Studio Extensions Wizard
* Powerful scripting language
* Dependency Walker
* Quick Disassembler (x86, x64)
* Name Unmangler
* Extension support
* File Scanner
* Directory Scanner
* Deep Scan method
* Recursive Scan method
* Multiple results
* Report generation
* Signatures Manager
* Signatures Updater
* Signatures Collisions Checker
* Signatures Retriever

Tool Updated: Dotnet IL Editor (DILE)

Sun, 09 Aug 2009 13:13:28 GMT

Listed in categories: .NET Debuggers, .NET Disassemblers, .NET Executable Editors

Most recent version:
0.2.6

Most recent release date:
September 30, 2007

Description:
Dotnet IL Editor (DILE) is an editor program which helps modifying .NET assemblies. It is intended to be able to disassemble .NET assemblies, modify the IL code, recompile it and run inside a debugger.

Tool Updated: Hiew

Tue, 28 Jul 2009 04:40:07 GMT

Listed in categories: Disassemblers, Hex Editors, PE Executable Editors

Most recent version:
8.02

Most recent release date:
July 26, 2009

Description:
* view and edit files of any length in text, hex, and decode modes
* x86-64 disassembler & assembler
* physical & logical drive view & edit
* support for NE, LE, LX, PE, PE32+ and little-endian ELF executable formats
* support for Netware Loadable Modules like NLM, DSK, LAN,...
* following direct call/jmp instructions in any executable file with one touch
* pattern search in disassembler
* built-in simple 64bit decrypt/crypt system
* built-in powerful 64bit calculator
* block operations: read, write, fill, copy, move, insert, delete, crypt
* multifile search and replace
* keyboard macros
* unicode support
* Hiew Extrenal Module (HEM) support

Tool Updated: IDA Inject

Sun, 19 Jul 2009 05:01:34 GMT

Listed in categories: Code Injection Tools, IDA Extensions

Most recent version:
1.0.3

Most recent release date:
July 18, 2008

Description:
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.

Tool Updated: PE Explorer

Sat, 18 Jul 2009 22:11:32 GMT

Listed in categories: Disassemblers, PE Executable Editors, Resource Editors

Most recent version:
1.99 R5 (silent update)

Most recent release date:
July 11, 2009

Description:
PE Explorer provides powerful tools for disassembly and inspection of unknown binaries, modifying the properties of executable files and customizing and translating their resources. Use this product to do reverse engineering, analyze the procedures and libraries an executable uses.

Features include:

* Working with PE files - exe, dll, sys, drv, bpl, dpl, cpl, ocx and more.
* The ability to open a broken or packed file in Safe mode.
* Support for custom plug-ins to perform any startup processing.
* Collecting the full information contained in the file header.
* Checksum computing and modification.
* Review and editing Data Directories.
* Review of all the sections and info about their location and size.
* Review of contents of section as Raw Data - up to 16 view windows.
* Extracting and deleting sections.
* Section header recalculation.
* Section Editor to modify and repair the damaged section headers.
* Resource Editor to view and modify almost any kind of resources.
* Saving changes to disk as a new file image.
* Full info on exported and imported functions. Review of contents of the base relocation table.
* Quick Function Syntax Lookup. Syntax Description Editor.
* Source code and package information analyzer. Dependency Scanner.
* Built-in Disassembler.
* Customize GUI elements of your favorite Windows programs
* Special support for Delphi applications
* Automatic UPX and Upack unpacking

See multiple screenshots at: http://www.heaventools.com/scrshots.htm

Tool Updated: Detours

Sat, 18 Jul 2009 21:01:22 GMT

Listed in categories: API Monitoring Tools, Code Injection Tools

Most recent version:
2.1.216

Most recent release date:
November 10, 2008

Description:
Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.

Detours 2.1 is now available. Detours 2.1 includes the following new features:

* Complete documentation of the Detours API.
* Transactional model for attaching and detaching detours.
* Support for updating peer threads when attaching or detaching detours.
* Unification of dynamic and static detours into a single API.
* Support for detection of detoured processes.
* Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
* New APIs to copy payloads into target processes.
* Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
* Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).

Tool Added: Code Snippet Creator (Iczelion)

Wed, 17 Jun 2009 11:54:13 GMT

Listed in categories: Code Injection Tools, Code Snippet Creators

Most recent version:
1.05 (build 2)

Most recent release date:
January 13, 2001

Description:
Code Snippet Creator is designed specifically for advanced crackers/assembly programmers who want to create custom code snippets in assembly language.

The features of this utility:
· Can generate code snippets and save them as binary files
· Support both TASM and MASM
· Provide simple integrated PE editor to edit the target file you want to patch
· Can patch the code snippet into a target PE file both as a new section and as an addition to an existing section (or PE header)
· You can use ANY functions that the target imports in your snippet! This utility will fix the calls for you.

Tool Updated: RDG Packer Detector

Sat, 25 Apr 2009 19:27:16 GMT

Listed in categories: Compiler Identifiers, Entropy Analyzers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers

Most recent version:
0.6.6

Most recent release date:
April 15, 2009

Description:
RDG Packer Detector is a detector packers, Cryptors, Compilers,
Packers Scrambler,Joiners,Installers.

-Holds Fast detection system..
-Has detection system Powerful Analyzing the complete file, allowing the detection of Muli-packers in several cases.
-You can create your own Signatures detection.
-Holds Crypto-Graphic Analyzer.
-Allows you to calculate the checksum of a file.
-Allows you to calculate the Entropy, reporting if the program looked at the compressed, encrypted or not.
-OEP-Detector (Original Point of Entry) of a program.
-You can Check and download and you always signaturas.RDG Packer Detector will be updated.
-Plug-ins Loader..
-Signatures converter.
-Detector distortive Entry Point.
-De-Binder an extractor attachments.
-System Improved heuristic.

What's New! v0.6.6

-New Interface!

-Fast Mode Detection and Mode Powerful Improved!
-Super base signatures Updated!
-Heuristic detection of Binders
-Detection and Extraction Overlay!
-Check and Auto-Update of signatures!
-Super Fast Detection of MD5 Hash!
-Support for Multiple Plug-ins for both RDG Packer Detector and other detectors!
-Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc..
-Detection and removal of attachments!

Tool Updated: Rebel.NET

Thu, 19 Feb 2009 14:14:55 GMT

Listed in categories: .NET Code Injection Tools, .NET Executable Editors

Most recent version:
1.3.0.1

Most recent release date:
February 19, 2009

Description:
Rebel.NET is a rebuilding tool for .NET assemblies which is capable of adding and replacing methods and streams.

It's possible to replace only a limited number of methods or every method contained in a .NET assembly. The simplicity of Rebel.NET consists in the replacing process: one can choose what to replace. For instance, one may choose to replace only the method code, instead of its signature or method header.

The interface of Rebel.NET is quite a simple one. As input it requires a .NET assembly to be rebuilded and a Rebel.NET rebuilding file. The Rebel.NET file contains the data that has to be replaced in the original assembly.

Rebel.NET can also create a Rebel.NET file from a given assembly. This is a key functionality, since some times the data of the original assembly has to be processed first to produce a Rebel.NET file for the rebuilding of the assembly. This sort of "report" feature can also be used to analyze the methods of an assembly, since reading the original data from a .NET assembly isn't as easy as reading a Rebel.NET file. It's possible to choose what should be contained in the Rebel.NET file.

All the Rebel.NET features can used through command line, which comes very handy when an automated rebuilding process is needed.

Rebel.NET is, mainly, a very solid base to overcome every .NET protection and to re-create a fully decompilable .NET assembly. As such, Rebel.NET has to be considered a research project, not an encouragement to violate licensing terms.

Tool Updated: NW PE Builder

Wed, 18 Feb 2009 02:31:15 GMT

Listed in categories: PE Executable Editors

Most recent version:
0.7

Most recent release date:
February 16, 2009

Description:
Simple and easy to use PE Editor.

Tool Updated: DynamoRIO

Sun, 02 Nov 2008 05:32:07 GMT

Listed in categories: Code Injection Tools

Most recent version:
0.9.4 (beta)

Most recent release date:
February 26, 2005

Description:
The DynamoRIO Collaboration - Dynamo from Hewlett-Packard Laboratories + RIO (Runtime Introspection and Optimization) from MIT's Laboratory for Computer Science.

The DynamoRIO dynamic code modification system, joint work between Hewlett-Packard and MIT, is being released as a binary package with an interface for both dynamic instrumentation and optimization. The system is based on Dynamo from Hewlett-Packard Laboratories. It operates on unmodified native binaries and requires no special hardware or operating system support. It is implemented for both IA-32 Windows and Linux, and is capable of running large desktop applications.

The system's release was announced at a PLDI tutorial on June 16, 2002, titled "On the Run - Building Dynamic Program Modifiers for Optimization, Introspection and Security." Here is the tutorial abstract:

In the new world of software, which heavily utilizes dynamic class loading, DLLs and interconnected components, the power and reach of static analysis is diminishing. An exciting new paradigm of dynamic program optimization, improving the performance of a program while it is being executed, is emerging. In this tutorial, we will describe intricacies of building a dynamic optimizer, explore novel application areas such as program introspection and security, and provide details of building your own dynamic code modifier using DynamoRIO. DynamoRIO, a joint development between HP Labs and MIT, is a powerful dynamic code modification infrastructure capable of running existing binaries such as Microsoft Office Suite. It runs on both Windows and Linux environments. We are offering a free release of DynamoRIO for non-commercial use. A copy of the DynamoRIO release, which includes the binary and a powerful API, will be provided to the attendees.

Tool Added: PunchIt

Thu, 02 Oct 2008 15:06:39 GMT

Listed in categories: Code Injection Tools, GUI Manipulation Tools, Resource Editors

Most recent version:
1.1

Most recent release date:
October 2nd 2008

Description:
It is a program useful to automatically inject into ANY application your sound and music. The music will be played in background when the program runs as before.

The tool comes with a tutorial explaining how it works, trick and useful hints found coding it, and of its sources ..

Get the tutorial here:

http://arteam.accessroot.com/tutorials.html?fid=200

and the tool here

http://arteam.accessroot.com/releases.html?fid=25

Release notes of version 1.1
+ minor updates to improve stability
+ updated bass audio module v2.4.1
+ updated PECompact2 Student Build v2.94.1
+ (*new) Incorporates source Icon in distribution file (if exists)

I admit the Icon changing routine is a bit lame, but works even if it only takes
1st icon entry for MainIcon group of source executable.
I modded program so that PECompact2 doesn't compress resources allowing anyone
to change the Icon in the output file to whatever they would like using a 3rd party
tool (i.e. reshacker, Icon Exe changer, etc.)

Please test and report any probs. As is usually the case, if you choose a packed / protected
source executable, you may run into problems compressing and should choose the non compress
option. This is not a fault of the application, but a limitation imposed by compressor programs
such as PECompact2 (Student build) v1.94.1 (latest).

Tool Added: Nucleus Framework

Mon, 15 Sep 2008 21:29:27 GMT

Listed in categories: Code Injection Tools

Most recent version:
1.0.0028.1059

Most recent release date:
August 18, 2008

Description:
Today i decided that it's a good day for the initial release of my nucleus framework.

What you can do with it:

- Inject a specified DLL to a targets' address space

That's it. Extremely minimal usage for the first release but who cares
Would be nice if some would test it and tell me if it works.

USAGE: nucleus <switches> target.exe

--help, --h, -help, -h

display usage help. also displayed if no parameter is selected

--log, --l, -log, -l <logging mode>

select logging mode. 1 = LOG_MODE_STDOUT - log to stdout
2 = LOG_MODE_FILE - log to file
4 = LOG_MODE_NOLOG - log disabled
mode 1 and 2 can be used in combination(expl. 3 for stdout and file
together). if no logging mode selected 1 is default

Tool Added: Comrade's PE Tools

Mon, 04 Aug 2008 00:21:41 GMT

Listed in categories: Code Injection Tools, Import Editors, PE Executable Editors

Most recent version:

Most recent release date:
July 31, 2008

Description:
* Inject Tool

Inject is a tool that injects a DLL into a running process. Its command-line usage is as follows:

1. Inject C:\hook.dll into pid 1234: inject.exe 1234 C:\hook.dll
2. Inject C:\hook.dll into process notepad.exe (if multiple notepads are running, then whichever one is picked is undefined): inject.exe -p *notepad.exe C:\hook.dll
3. Inject C:\hook.dll into running process C:\myprogram.exe: inject.exe -p C:\myprogram.exe C:\hook.dll
4. Inject C:\hook.dll into process with a window named "Untitled - Notepad": inject.exe -w "Untitled - Notepad" C:\hook.dll
5. Inject C:\hook.dll into process with a window class Notepad: inject.exe -c Notepad C:\hook.dll

Note that in all uses, you should specify the full path to the injected DLL.

* Loader Tool

Loader is a tool that injects a DLL before launching a process. Its command-line usage is as follows:

1. Load notepad.exe and inject C:\hook.dll into it: loader.exe notepad.exe C:\hook.dll

Note that you should specify the full path to the injected DLL.

* Patch Tool

Patch is a tool that adds a new section to the executable. The new section becomes the new entrypoint, and contains code to load a particular DLL, and then jump back to the original entrypoint. This can be used to create static patches that behave similar to the Loader tool.
The tool's command-line usage is as follows:

1. Patch original.exe to load C:\hook.dll before execution; save the patched executable to patched.exe: patch.exe original.exe patched.exe C:\hook.dll

* Reimport Tool

Reimport is a tool that redirects certain entries of an executable's import table to another DLL. For example, running reimport.exe game.exe newgame.exe nocd.dll kernel32.dll::GetDriveTypeA kernel32.dll::CreateFileA kernel32.dll::GetVolumeInformation will create a copy of game.exe into newgame.exe, with the above 3 API functions rerouted to nocd.dll, instead of kernel32.dll. That means newgame.exe would import GetDriveTypeA, CreateFileA, and GetVolumeInformation from nocd.dll instead of kernel32.dll.

Tool Added: ResFixer

Fri, 01 Aug 2008 00:21:30 GMT

Listed in categories: Resource Editors

Most recent version:
1.0 beta 1

Most recent release date:
2003

Description:
ResFixer v 1.0 beta 1 by seeQ

1. Introduction
*****************
This program resolves a situation when you want to remove unnecessary code from dumped exe, which after unwrapping is no longer needed. ResFixer - is a resource rebuilder which tries to restore the resource section (.rsrc). As you know many protectors/packers move some of resources (Icon, Icon Group, Version inf) to it's own section. In this case you can't remove protectors/packers section(s) after dumping.

2. Usage
*****************
Method 1 - Completely copies resources section from an entrance file, then finishes gluing the displaced resources and corrects resource tree.
Method 2 - Tries completely reconstruct section on the basis of a tree.

3. Tip's
*****************
1. In programs written on Delphi watch for TLS (native place rdata).
2. Do not forget that resources in file should lay directly from beginning of unique section with name ".rsrc", because differently programs can crash under some build's Win9x and resource viewer's.
3. It is also possible to remove Reloc's from EXE.

4. Bugs
*******************
The program does not check if the file is unpacked.