Thread: How to create one section EXE from a multi section exe

  1. #1
    new_age
    Guest

    Question How to create one section EXE from a multi section exe

    Hello!

    I've unpacked a neolite2-packed exe with procdump. (I have to make some modifications because the original neolite2 script settings generate a non-working exe under WinXP.) I removed the .neolite section.

    The unpacked exe has these sections:


    ->Section Header Table
    1. item:
    Name: .text
    VirtualSize: 0x000D3000
    VirtualAddress: 0x00001000
    SizeOfRawData: 0x000D2E94
    PointerToRawData: 0x00001000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xE00000E0
    (CODE, INITIALIZED_DATA, UNINITIALIZED_DATA, EXECUTE, READ, WRITE)

    2. item:
    Name: .rdata
    VirtualSize: 0x00027000
    VirtualAddress: 0x000D4000
    SizeOfRawData: 0x00026670
    PointerToRawData: 0x000D4000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0x40000080
    (UNINITIALIZED_DATA, READ)

    3. item:
    Name: .data
    VirtualSize: 0x00014000
    VirtualAddress: 0x000FB000
    SizeOfRawData: 0x0000D29C
    PointerToRawData: 0x000FB000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xC0000040
    (INITIALIZED_DATA, READ, WRITE)

    4. item:
    Name: .rsrc
    VirtualSize: 0x00038000
    VirtualAddress: 0x0010F000
    SizeOfRawData: 0x00037B5C
    PointerToRawData: 0x00109000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0x40000040
    (INITIALIZED_DATA, READ)



    So I've saved these sections to disk and added some zero bytes to the end of each to bring it up to its VirtualSize.

    I've ripped a Delphi 4 compiled exe header and added some zero bytes to the end to get a 1000h file size.

    Then I've copied the header and the sections together and got a 147000h file size.

    With LordPE PE Editor I've modified the Basic PE Header info, set the Import Table and Resources dir. info, and created a new section (.FUCKIT).



    ->DOS Header
    e_magic: 0x5A4D
    e_cblp: 0x0050
    e_cp: 0x0002
    e_crlc: 0x0000
    e_cparhdr: 0x0004
    e_minalloc: 0x000F
    e_maxalloc: 0xFFFF
    e_ss: 0x0000
    e_sp: 0x00B8
    e_csum: 0x0000
    e_ip: 0x0000
    e_cs: 0x0000
    e_lfarlc: 0x0040
    e_ovno: 0x001A
    e_res: 0x0000000000000000
    e_oemid: 0x0000
    e_oeminfo: 0x0000
    e_res2: 0x0000000000000000000000000000000000000000
    e_lfanew: 0x00000100

    ->File Header
    Machine: 0x014C (I386)
    NumberOfSections: 0x0001
    TimeDateStamp: 0x3E33C24F (GMT: Sun Jan 26 11:11:11 2003)
    PointerToSymbolTable: 0x00000000
    NumberOfSymbols: 0x00000000
    SizeOfOptionalHeader: 0x00E0
    Characteristics: 0x030F
    (RELOCS_STRIPPED)
    (EXECUTABLE_IMAGE)
    (LINE_NUMS_STRIPPED)
    (LOCAL_SYMS_STRIPPED)
    (32BIT_MACHINE)
    (DEBUG_STRIPPED)

    ->Optional Header
    Magic: 0x010B (HDR32_MAGIC)
    MajorLinkerVersion: 0x02
    MinorLinkerVersion: 0x19 -> 2.25
    SizeOfCode: 0x00007400
    SizeOfInitializedData: 0x00002600
    SizeOfUninitializedData: 0x00000000
    AddressOfEntryPoint: 0x000962FE
    BaseOfCode: 0x00096000
    BaseOfData: 0x00001000
    ImageBase: 0x00400000
    SectionAlignment: 0x00001000
    FileAlignment: 0x00001000
    MajorOperatingSystemVersion: 0x0001
    MinorOperatingSystemVersion: 0x0000 -> 1.00
    MajorImageVersion: 0x0000
    MinorImageVersion: 0x0000 -> 0.00
    MajorSubsystemVersion: 0x0004
    MinorSubsystemVersion: 0x0000 -> 4.00
    Win32VersionValue: 0x00000000
    SizeOfImage: 0x00146000
    SizeOfHeaders: 0x00001000
    CheckSum: 0x00155FFF
    Subsystem: 0x0002 (WINDOWS_GUI)
    DllCharacteristics: 0x0000
    SizeOfStackReserve: 0x00100000
    SizeOfStackCommit: 0x00004000
    SizeOfHeapReserve: 0x00100000
    SizeOfHeapCommit: 0x00001000
    LoaderFlags: 0x00000000
    NumberOfRvaAndSizes: 0x00000010

    DataDirectory (16) RVA Size
    ------------- ---------- ----------
    ExportTable 0x00000000 0x00000000
    ImportTable 0x000F7D08 0x00000140 (".FUCKIT")
    Resource 0x0010F000 0x00003000 (".FUCKIT")
    Exception 0x00000000 0x00000000
    Security 0x00000000 0x00000000
    Relocation 0x00000000 0x00000000
    Debug 0x00000000 0x00000000
    Copyright 0x00000000 0x00000000
    GlobalPtr 0x00000000 0x00000000
    TLSTable 0x00000000 0x00000000
    LoadConfig 0x00000000 0x00000000
    BoundImport 0x00000000 0x00000000
    IAT 0x00000000 0x00000000
    DelayImport 0x00000000 0x00000000
    COM 0x00000000 0x00000000
    Reserved 0x00000000 0x00000000





    The created exe file doesn't run. What is the problem?

    NA

    Almost forgot the reason: I can't recompress the unpacked exe file. (I've tried a lot of packers/encryptors.)
    Last edited by new_age; January 26th, 2003 at 14:20.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    new_age
    Guest
    I've put the resources into another section (.rsrc). I can run the program but I cannot compress it. (All compressors fail to compress.)

    NA

  3. #3
    run a pe checker on it from protools or the like, and it'll most likely give you a dozen errors. prob some kind of pe misalign.

  4. #4
    new_age
    Guest
    It seems that section characteristics are important for executable compressors (INITIALIZED_DATA vs UNINITIALIZED_DATA). /It seems logical/ I've modified these settings and created a standard(??) section table:


    ->Section Header Table
    1. item:
    Name: .text
    VirtualSize: 0x000D3000
    VirtualAddress: 0x00001000
    SizeOfRawData: 0x000D2E94
    PointerToRawData: 0x00001000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xE0000020
    (CODE, EXECUTE, READ, WRITE)

    2. item:
    Name: .rdata
    VirtualSize: 0x00027000
    VirtualAddress: 0x000D4000
    SizeOfRawData: 0x00026670
    PointerToRawData: 0x000D4000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xC0000040
    (INITIALIZED_DATA, READ, WRITE)

    3. item:
    Name: .data
    VirtualSize: 0x00014000
    VirtualAddress: 0x000FB000
    SizeOfRawData: 0x0000D29C
    PointerToRawData: 0x000FB000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xC0000040
    (INITIALIZED_DATA, READ, WRITE)

    4. item:
    Name: .rsrc
    VirtualSize: 0x00038000
    VirtualAddress: 0x0010F000
    SizeOfRawData: 0x00037B5C
    PointerToRawData: 0x00109000
    PointerToRelocations: 0x00000000
    PointerToLinenumbers: 0x00000000
    NumberOfRelocations: 0x0000
    NumberOfLinenumbers: 0x0000
    Characteristics: 0xC0000040
    (INITIALIZED_DATA, READ, WRITE)


    Now UPX can compress it (I must specify not to compress resources).

    But when I start the compressed exe I get this error:

    The instruction at "0x7ffdf000" referenced memory at "0x80000002". The memory could not be "written".

    Any idea?

    NA

  5. #5
    new_age
    Guest
    Interesting:

    Only aspack can compress and decompress the exe file. All other compressors fail on compress and/or on decompress.

    NA
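
Added example, not part of the thread or of any tool named in it: a small section-table sanity check of the kind post #3 suggests running, applied to the section tables from posts #1 and #4 and including the INITIALIZED_DATA/UNINITIALIZED_DATA flag issue from post #4. The choice of checks and all function names are assumptions of this example; the alignment values and SizeOfImage are taken from the header dump in post #1.

```python
# Section characteristic bits (PE/COFF specification).
FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
         0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def decode(ch):
    """Names of the flag bits set in a Characteristics value."""
    return [name for bit, name in FLAGS.items() if ch & bit]

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def check_sections(sections, sect_align, file_align, size_of_image=None):
    """sections: (name, vsize, va, rawsize, rawptr, characteristics) in table order."""
    findings, next_va = [], None
    for name, vsize, va, rawsize, rawptr, ch in sections:
        if va % sect_align:
            findings.append(f"{name}: VirtualAddress {va:#x} not section-aligned")
        if rawptr % file_align:
            findings.append(f"{name}: PointerToRawData {rawptr:#x} not file-aligned")
        if next_va is not None and va != next_va:
            findings.append(f"{name}: VirtualAddress {va:#x}, expected {next_va:#x}")
        next_va = align_up(va + vsize, sect_align)
        if ch & 0x80 and rawsize:
            findings.append(f"{name}: UNINITIALIZED_DATA set but {rawsize:#x} raw bytes on disk")
        if ch & 0x20000000 and ch & 0x80000000:
            findings.append(f"{name}: section is both writable and executable")
    if size_of_image is not None and next_va != size_of_image:
        findings.append(f"SizeOfImage {size_of_image:#x} != end of last section {next_va:#x}")
    return findings

# Section tables copied from posts #1 and #4 (only Characteristics differ).
POST1 = [(".text", 0xD3000, 0x1000, 0xD2E94, 0x1000, 0xE00000E0),
         (".rdata", 0x27000, 0xD4000, 0x26670, 0xD4000, 0x40000080),
         (".data", 0x14000, 0xFB000, 0xD29C, 0xFB000, 0xC0000040),
         (".rsrc", 0x38000, 0x10F000, 0x37B5C, 0x109000, 0x40000040)]
POST4 = [(n, vs, va, rs, rp, 0xE0000020 if n == ".text" else 0xC0000040)
         for n, vs, va, rs, rp, _ in POST1]

if __name__ == "__main__":
    # 0x146000 is the SizeOfImage shown in the optional header dump of post #1.
    for label, table, soi in (("post #1", POST1, 0x146000), ("post #4", POST4, None)):
        print(label)
        for name, *_, ch in table:
            print(f"  {name:7} {ch:#010x} {', '.join(decode(ch))}")
        for finding in check_sections(table, 0x1000, 0x1000, soi):
            print("  !", finding)
```
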
