
Thread: Edit PE Optional header

  1. #1

    Edit PE Optional header

    I am looking for a program that will let you change some of the values in the PE Optional Header.

    Is there a program available?

    Thanks

  2. #2
    Super Moderator
    Is there a program available
    are you sure you mean what you ask?

    Google says it has about 2,240,000 results for editing PE header

    though there is no program that explicitly states it can edit only the optional header,
    every PE header editing program claims to have the ability to edit the optional header as well

    didn't LordPE, StudPE, CFF Explorer, OllyDbg, HxD, Hiew, xxd, 010 ..........
    all that is shown on the first Google page help you?

    do they refuse to edit the optional header?

    shall we sue them all in a class / mass / whatever action suit?

  3. #3
    bilbo (son of Bungo & Belladonna)
    ...and besides Google, Woodmann's Collaborative RCE Tool Library comes into help!
    http://www.woodmann.com/collaborative/tools/index.php/Category:PE_Executable_Editors
    It is not because things are difficult that we do not dare; it is because we do not dare that they are difficult. [Seneca, Epistulae Morales 104, 26]

  4. #4

    As Above...

    Har, Har!!!

    Have Phun
    Blame Microsoft, get l337 !!

  5. #5
    I used CFF Explorer to do the editing.

    This no longer works in Olly or IDA.

    BoNus: Another small trick to block debuggers and Dasm's

    Load the bug.exe in Olly. What? Cannot be loaded. Try to see its contents in WinDasm. What?
    Cannot see the API calls. Now check the header using a hex editor, and see those two values:

    LoaderFlags: EDABDDCA
    NumberOfRvaAndSizes: BBDCBDFA

    Well, because of those two values that are false, the tools are being confused. Change them
    to LoaderFlags=0 and NumberOfRvaAndSizes=10h (common values for almost all exe's) and the exe
    loads just fine in Olly and Dasm now shows the API calls. The file was not packed or any other
    kind of protected as you may have assumed at first. This works by changing BOTH of them.
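    A checker for the two fields this post describes, added here as an example and not code from the thread: it parses the Optional Header for both PE32 and PE32+, flags the out-of-range values, and writes back the defaults the post gives (LoaderFlags=0, NumberOfRvaAndSizes=10h). The header stub it works on is constructed in the code, with the post's two values filled in.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B
# Offsets of (LoaderFlags, NumberOfRvaAndSizes) inside IMAGE_OPTIONAL_HEADER.
# PE32+ widens ImageBase and the four stack/heap fields, shifting both by 16.
FIELD_OFFSETS = {PE32: (0x58, 0x5C), PE32PLUS: (0x68, 0x6C)}

def locate_fields(data):
    """Validate MZ/PE signatures and return file offsets of the two fields."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # skip Signature + IMAGE_FILE_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in FIELD_OFFSETS:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    lf_off, n_off = FIELD_OFFSETS[magic]
    return opt + lf_off, opt + n_off

def check_loader_fields(data):
    """Return (LoaderFlags, NumberOfRvaAndSizes, findings) for a PE image."""
    lf_pos, n_pos = locate_fields(data)
    loader_flags, = struct.unpack_from("<I", data, lf_pos)
    num_dirs, = struct.unpack_from("<I", data, n_pos)
    findings = []
    if loader_flags != 0:                    # reserved field, 0 in every normal build
        findings.append(f"LoaderFlags=0x{loader_flags:08X} (reserved, expected 0)")
    if num_dirs > 16:                        # only 16 data directories are defined
        findings.append(f"NumberOfRvaAndSizes=0x{num_dirs:08X} (expected <= 0x10)")
    return loader_flags, num_dirs, findings

def repair_loader_fields(data):
    """Return a copy with the two fields reset to the post's values 0 and 10h."""
    lf_pos, n_pos = locate_fields(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, lf_pos, 0)
    struct.pack_into("<I", fixed, n_pos, 0x10)
    return bytes(fixed)

def build_sample(loader_flags, num_dirs):
    """Constructed header-only PE32 stub (not a runnable program) for testing."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<II", opt, 0x58, loader_flags, num_dirs)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

    On a real file, check_loader_fields(open(path, "rb").read()) reports the anomalies and repair_loader_fields returns the patched bytes to write back; build_sample(0xEDABDDCA, 0xBBDCBDFA) reproduces the post's header.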

  6. #6
    disavowed
    Originally Posted by mint77:
    "Try to see its contents in WinDasm. What? Cannot see the API calls."
    WHAT?! Do you mean to tell us that a 15-year-old tool doesn't work correctly when handling a binary injected with junk data?? I don't believe it!!

  7. #7
    Try PPEE (puppy); it's robust against malformed PE files.

    http://www.woodmann.com/collaborative/tools/index.php/PPEE_(puppy)

  8. #8
    You are misunderstanding my post.

    Do some more research. :-)

    I found something that confuses the newest Olly.

  9. #9
    Kayaker (Teach, Not Flame)
    Er, that trick (LoaderFlags/NumberOfRvaAndSizes) first surfaced here in SOTM 33 back in 2004, at least.

    Do some more research. :-)

    http://old.honeynet.org/scans/scan33/

  10. #10

    Old code

    You are right, it was a bit old.
