Results 1 to 3 of 3

Thread: What is the data between the DOS-stub-code and the PE-header in MASM-linked files?

  1. #1
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5

    What is the data between the DOS-stub-code and the PE-header in MASM-linked files?

    I'm experimenting with building my own exe-files and dll-files, and the only bytes in an exe-file that I cannot find any info about is the data that the MASM linker always seems to put between the DOS stub code and the PE-header. I know that this data is not part of the exe-format itself (in files produced by other linkers, e.g. Delphi, this area is zeroed) but it would still be really interesting to know what kind of data MASM stores here?

    I have noticed that the data is practically identical between different exe-files produced with MASM (only one byte in it has been observed to change) and it also always seems to include the string "Rich".

    MASM outputs different data (and even different size of this data) when producing a dll file and when producing an exe file though.


    This is a normal MASM DOS-stub code:

    Code:
    push    cs
    pop     ds
    mov     dx, 0Eh
    mov     ah, 9
    int     21h             ; DOS - PRINT STRING
                            ; DS : DX -> string terminated by "$"
    mov     ax, 4C01h
    int     21h             ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
    
    000E_string:
        "This program cannot be run in DOS mode.", 2Eh, 0Dh, 0Dh, 0Ah, "$"
    Directly after it comes this data I'm talking about, before the PE-header.



    In my MASM exe-files it is the following:
    Code:
    00000070   <end of stub string here>   00 00 00 00 00 00 00            .......
    00000080   5D 17 1D DB 19 76 73 88  19 76 73 88 19 76 73 88   ]..Û.vsˆ.vsˆ.vsˆ
    00000090   19 76 73 88 0D 76 73 88  E5 56 61 88 18 76 73 88   .vsˆ.vsˆċVaˆ.vsˆ
    000000A0   52 69 63 68 19 76 73 88  00 00 00 00 00 00 00 00   Rich.vsˆ........
    000000B0   <PE-header begins here>
    In my MASM dll-files it is the following:
    Code:
    00000070   <end of stub string here>   00 00 00 00 00 00 00            .......
    00000080   71 D4 F7 DB 35 B5 99 88  35 B5 99 88 35 B5 99 88   qÔ÷Û5µ™ˆ5µ™ˆ5µ™ˆ
    00000090   C9 95 8B 88 34 B5 99 88  BB AA 8A 88 34 B5 99 88   ɕ‹ˆ4µ™ˆğŞŠˆ4µ™ˆ
    000000A0   52 69 63 68 35 B5 99 88  00 00 00 00 00 00 00 00   Rich5µ™ˆ........
    000000B0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
    000000C0   <PE-header begins here>
    It would be really interesting to know what kind of info that MASM "hides" in this data. Does anyone have any idea whatsoever?

    Thanks!

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Boy, Talk about resurrection of old Threads! I think this one gets the prize, although it does solve a question that has kept dELTA from sleeping since 2003.



    Regards,
    JMI

Similar Threads

  1. using filestreams to store data..or code as data?
    By BanMe in forum The Newbie Forum
    Replies: 7
    Last Post: August 8th, 2009, 21:58
  2. Getting address data from exe files
    By Intruder in forum The Newbie Forum
    Replies: 63
    Last Post: May 5th, 2006, 16:07
  3. SafeKey's *.FST data files format
    By forestkon in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: April 14th, 2006, 00:52
  4. Game data files cracking
    By highfly in forum The Newbie Forum
    Replies: 3
    Last Post: February 6th, 2004, 20:17
  5. compressed data in files?
    By Aquatic in forum The Newbie Forum
    Replies: 10
    Last Post: February 26th, 2003, 17:38

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •