Detecting whether the EXE is in PE format


binarycoder2k
05-01-2007, 02:28 AM
I have a particular EXE which I want to reverse engineer.

1. How can I find out whether it is in the PE format ?
2. Also, how can I find out whether the EXE has anti-debugging protection and how to bypass them ?

esther
05-01-2007, 02:33 AM
READ THE FAQ FAQ FAQ FAQ !!!!!!!!

whyIII
05-01-2007, 03:34 AM
There is a lot of stuff you can find with a search engine. Step by step, you will finally answer your questions by yourself.

binarycoder2k
05-01-2007, 05:11 AM
Actually I had read the FAQ, but I was not sure that what I am referring to as "format" is technically called "packing" (even now I am not sure !)

Do you mean that PE iDentifier will do the job?

Silkut
05-01-2007, 05:23 AM
Yes, this tool can detect any packer signature inside an exe (if it knows the signature). You need to read some PE documentation; some links are in the FAQ, some links are in this forum.

blabberer
05-01-2007, 06:08 AM
How can you find out that it is PE format?

Read this several times, and then several more times, until you have it almost by heart:

http://win32assembly.online.fr/files/pe1.zip

Then download this, and read and experiment with the package several more times, until your fingers turn numb and your eyes go bleary:

http://win32assembly.online.fr/files/pe-tuts.zip

Then open the exe in question with some hex editor, look through it, and come back with some question about what you can't understand.

binarycoder2k
05-01-2007, 08:21 AM
I downloaded PEiD v0.94 and scanned the EXE.
PEiD gave the result as Nothing Found *
I chose all 3 modes: Normal scan, Deep scan, Hardcore scan.
Now what am I supposed to do ?

binarycoder2k
05-01-2007, 08:27 AM
The first few bytes of the EXE are: 55,8B,EC,83.

autarky
05-01-2007, 10:33 AM
Quote (originally posted by binarycoder2k): The first few bytes of the EXE are: 55,8B,EC,83.


If those are the first four bytes of the file (and there is no MZ header), then it is either some corrupt executable or chunk of some executable code, or possibly an MS-DOS COM executable (though that would be unusual). That code is the initialisation of a stack frame for a function.

LLXX
05-02-2007, 04:48 AM
...and even the 83 isn't certain. 55 8b ec is though, standard stack frame setup.

fr33ke
05-02-2007, 05:36 AM
83 is probably the start of 83 EC ?? = SUB (E)SP, BYTE ??

blabberer
05-02-2007, 06:10 AM
83 is also part of the prologue:

Code:

00401000 > 55 PUSH EBP
00401001 8BEC MOV EBP, ESP
00401003 83EC 44 SUB ESP, 44
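Added example, not code from the thread or from any of the posters: a small Python checker that does what autarky's and blabberer's posts describe doing by hand with a hex editor. It looks for the MZ header, follows e_lfanew to the PE\0\0 signature, reads the COFF and optional headers, maps AddressOfEntryPoint to a file offset through the section table, and reports whether the bytes at the entry point are the 55 8B EC prologue discussed above. The field offsets are the ones from the PE/COFF specification; the function names, the result dictionary and the minimal PE image it builds for itself (a header skeleton for the parser to chew on, not a loadable program) are my own constructions.

```python
import struct
import sys

# Bytes posted in the thread: the "first few bytes" 55 8B EC 83, plus the EC 44
# from the SUB ESP, 44 in blabberer's disassembly. No MZ, no PE: just a prologue.
POSTED_HEAD = bytes.fromhex("558BEC83EC44")

PROLOGUE = bytes.fromhex("558BEC")  # PUSH EBP / MOV EBP, ESP


def looks_like_prologue(code: bytes) -> bool:
    """True if the bytes open with the classic EBP frame setup."""
    return code.startswith(PROLOGUE)


def classify(data: bytes) -> dict:
    """Classify a blob as 'not-mz', 'mz-only' or 'pe' and pull out a few header facts.

    Offsets follow the PE/COFF spec: e_lfanew at 0x3C, "PE\\0\\0" signature,
    20-byte COFF header, optional header (AddressOfEntryPoint at +16),
    then 40-byte section headers.
    """
    info = {"kind": "not-mz", "machine": None, "sections": [], "entry_rva": None,
            "entry_offset": None, "entry_bytes": None, "entry_is_prologue": None}

    if data[:2] != b"MZ":
        # No DOS header at all: a raw code chunk, a .COM, or a corrupt file.
        info["entry_is_prologue"] = looks_like_prologue(data)
        return info

    info["kind"] = "mz-only"  # DOS program, or MZ with a bogus/missing PE header
    if len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info

    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    info.update(kind="pe", machine=machine, entry_rva=entry_rva)

    sect_off = opt_off + opt_size
    avail = max(0, (len(data) - sect_off) // 40)  # do not trust nsect blindly
    for i in range(min(nsect, avail)):
        off = sect_off + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
        # Translate the entry RVA into a file offset via the section that holds it.
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_off = rawptr + (entry_rva - va)
            info["entry_offset"] = entry_off
            info["entry_bytes"] = data[entry_off:entry_off + 6]
            info["entry_is_prologue"] = looks_like_prologue(info["entry_bytes"])
    return info


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed sample input: a minimal PE32 header skeleton with one .text section
    at RVA 0x1000 / file offset 0x200 holding `code`. Not loadable, parser food only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS hdr
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                   # code | execute | read
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(POSTED_HEAD)
    r = classify(blob)
    print(r["kind"], "machine=%s" % (hex(r["machine"]) if r["machine"] is not None else None))
    print("entry RVA=%s offset=%s bytes=%s prologue=%s" % (
        r["entry_rva"], r["entry_offset"],
        r["entry_bytes"].hex() if r["entry_bytes"] else None, r["entry_is_prologue"]))
```

Run it with a real file as the argument and the first line tells you whether the MZ/PE chain is intact; run it with no argument and it checks its own constructed image. Note the three outcomes map onto autarky's reply: a blob that starts 55 8B EC with no MZ is reported as not-mz (raw code, .COM or corruption), while a proper PE lands on an entry point whose bytes you can compare against the prologue before reaching for a debugger.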


LLXX
05-03-2007, 03:03 AM
A lot of compilers directly use ESP+xx to access stuff on the stack; the use of EBP was a holdover from the old days of x86, when BP+xx was the only feasible addressing mode for it.

In addition to that, pushes and pops are also common even in compiler-generated code. Certain compilers are getting better at code generation, though they are still far behind the efficiency of a good Asm programmer (brain).