Disassemblers that can split the exe files

Started by Sergiu FUNIERU, February 23, 2010, 06:52:33 PM


Sergiu FUNIERU

Let's say I have one exe, that contains:
- data
- code
- menu

Is there a disassembler that can split the exe file into 3 separate sections (data, code, menu)?
Let's say I want to change only one item name inside a menu, and not add something else. I want to be able to simply repack the 3 sections to create the new exe. I'm not talking here about reassembling the code, simply about putting it back. To simplify, the new item name will have the same number of letters as the old one.

An example from editing an avi:
I open an .avi file, I mark the beginning and the end of the sequence I want, then I choose "Direct copy - no re compression" for both audio and video. I get a new avi, with the same video and audio quality as the original one. Also, the process is very fast.

The disassemblers I've seen so far insist on disassembling and combining everything into a hard-to-recompile listing.

dedndave

disassembling data is the hard part
the disassembler has a hard time discerning data types
and, if the code says:

        mov     eax,40010000h

the disassembler has no way of knowing if that is an address of some data, or just a binary value
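The ambiguity dedndave describes is exactly what the base relocations in a .reloc section resolve: the loader must patch every absolute address when the image is not loaded at its ImageBase, so a 32-bit immediate whose RVA appears in the fixup list is an address, and one that does not is a plain constant. Once the fixups are stripped, all that is left is a range check against ImageBase and SizeOfImage, which cannot tell the two apart. The following Python is an added example, not code from this thread; the two `mov eax,40010000h` instructions, the single relocation block and the image base of 40000000h are constructed sample data, and `fixup_rvas`, `classify_imm32`, `build_sample` and `demo` are names chosen here.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup applied
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: loader adds (actual base - ImageBase)


def fixup_rvas(reloc_section):
    """Walk the IMAGE_BASE_RELOCATION blocks of a .reloc section and
    return the set of RVAs that hold 32-bit absolute addresses."""
    rvas = set()
    off = 0
    while off + 8 <= len(reloc_section):
        page_rva, block_size = struct.unpack_from("<II", reloc_section, off)
        if block_size < 8:                     # zero padding at the end of the section
            break
        count = (block_size - 8) // 2          # WORD entries: type in the top 4 bits, offset in the low 12
        for entry in struct.unpack_from(f"<{count}H", reloc_section, off + 8):
            rtype, offset = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                rvas.add(page_rva + offset)
        off += block_size
    return rvas


def classify_imm32(imm_rva, value, image_base, size_of_image, fixups):
    """Decide what a 32-bit immediate at RVA imm_rva is.
    fixups=None means the relocations were stripped from the image."""
    in_image = image_base <= value < image_base + size_of_image
    if fixups is None:
        return "maybe-address" if in_image else "constant"   # a range check is all that is left
    return "address" if imm_rva in fixups else "constant"


def build_sample():
    """Constructed data: two 'mov eax,40010000h' (B8 imm32) at RVA 1000h;
    only the first one is listed in the relocation block."""
    code = bytes.fromhex("B800000140") * 2
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x001,    # imm32 of the first mov (RVA 1001h)
               (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000]   # pad so SizeOfBlock stays 4-byte aligned
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<2H", *entries)
    return code, block


def demo(image_base=0x40000000, size_of_image=0x20000):
    """Returns (verdicts with .reloc present, verdicts with .reloc stripped)."""
    code, reloc = build_sample()
    fixups = fixup_rvas(reloc)
    with_reloc, stripped = [], []
    for off in range(0, len(code), 5):          # each mov eax,imm32 is 5 bytes
        assert code[off] == 0xB8
        value = struct.unpack_from("<I", code, off + 1)[0]
        imm_rva = 0x1000 + off + 1
        with_reloc.append(classify_imm32(imm_rva, value, image_base, size_of_image, fixups))
        stripped.append(classify_imm32(imm_rva, value, image_base, size_of_image, None))
    return with_reloc, stripped


if __name__ == "__main__":
    print(demo())
```

With the relocation block present the first immediate comes back as an address and the second as a constant, even though both hold the same bit pattern; with the block removed, both are merely "maybe-address", which is the situation clive describes later in the thread for applications that ship with the fixups stripped.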

Sergiu FUNIERU

I want instead of something like this:
Disassembly of File: INDEX.exe

T.DateStamp = 4B847FD0: Tue Feb 23 17:24:32 2010
Code Offset = 00000200, Code Size = 00000200
Data Offset = 00000400, Data Size = 00000200

Number of Objects = 0003 (dec), Imagebase = 00400000h

   Object01:  AUTO    RVA: 00001000 Offset: 00000200 Size: 00000200 Flags: 60000020
   Object02:  .idata  RVA: 00002000 Offset: 00000400 Size: 00000200 Flags: C0000040
   Object03:  .reloc  RVA: 00003000 Offset: 00000600 Size: 00000200 Flags: 42000040

to have 2 files, called .idata and .reloc, for instance. Would this be possible?

dedndave

for that, you do not need a disassembler
all that information is in the PE file header
you want a PE editor or viewer
PEedit and PEdump come to mind, but i forget where to get them
but, you know what to search for   :bg

Sergiu FUNIERU

Quote from: dedndave on February 23, 2010, 07:56:25 PM
for that, you do not need a disassembler
all that information is in the PE file header
you want a PE editor or viewer
PEedit and PEdump come to mind, but i forget where to get them
but, you know what to search for   :bg
Thank you for the names. It's easy to look when you know what to search for.

I hope they are able to make back the exe file.

dedndave

they don't modify the EXE unless you want them to
they just spill its contents

if you search the forum, Hutch posted a PE/Coff format PDF document about a month ago
it explains the layout of the PE file header

Sergiu FUNIERU

Quote from: dedndave on February 23, 2010, 08:02:21 PM
they don't modify the EXE unless you want them to
they just spill it's contents
I wanted to say that I hope they are able to create back a new exe from the modified parts. So, if index1.exe is split into part1, part2, and part3, and I modify part2 into part2a, the program should know to create a new file, index2.exe, from part1, part2a and part3.

dedndave

oh - i see
if you want to split them up into pieces and put them back together, you may want to use a hex editor
or - better yet - write a simple program to do it for you (a good learning experience)

for a hex editor, i use Mael Horz's HxD program

Sergiu FUNIERU

Quote from: dedndave on February 23, 2010, 08:23:27 PM
oh - i see
if you want to split them up into pieces and put them back together, you may want to use a hex editor
When I asked the original question, I used a simplified situation. If I use a hex editor, and I delete some items, I'm not sure that the exe file will be executable any more. I have to manually update the header.

Quote from: dedndave on February 23, 2010, 08:23:27 PM
or - better yet - write a simple program to do it for you (a good learning experience)
Yes, that is definitely a good idea. I always ask first before starting to do this kind of thing because I hate to reinvent the wheel. On the other hand, someone told me that if you create a hovercraft you need no wheels.  :wink

BlackVortex

All PE editors can do this, but I suggest using CFF Explorer, free from www.ntcore.com/exsuite.php

It can dump sections to disk and much more.

clive

Quote from: Sergiu FUNIERU on February 23, 2010, 07:50:03 PM
I want instead of something like this:
Disassembly of File: INDEX.exe

T.DateStamp = 4B847FD0: Tue Feb 23 17:24:32 2010
Code Offset = 00000200, Code Size = 00000200
Data Offset = 00000400, Data Size = 00000200

Number of Objects = 0003 (dec), Imagebase = 00400000h

   Object01:  AUTO    RVA: 00001000 Offset: 00000200 Size: 00000200 Flags: 60000020
   Object02:  .idata  RVA: 00002000 Offset: 00000400 Size: 00000200 Flags: C0000040
   Object03:  .reloc  RVA: 00003000 Offset: 00000600 Size: 00000200 Flags: 42000040

to have 2 files, called .idata and .reloc, for instance. Would this be possible?

Isn't this a hugely trivial exercise in FILEIO? The structures involved are simple and well defined (WINNT.H). A few hundred lines of C at most, the kind of throw-away thing that doesn't really reach the level of reinventing the wheel. Plus you might gain some useful insight into how the files are structured for when you want to stitch them back together.

You're getting ahead of yourself here. Start by modifying the data in place, changing the structures and linkage is a lot more complicated to get right than you might imagine.

DumpPE has a -resource option to spit out resource data, and a -reloc option to spit out the fixup data. Still, most current applications have the fixups stripped, so figuring out what is an address and what is an arbitrary constant gets to be more fun. Especially things like jump/switch tables.

-Clive
It could be a random act of randomness. Those happen a lot as well.
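The split-and-repack program discussed throughout this thread, as an added Python example (not clive's or dedndave's code, and not tied to DumpPE, PEdump or any PE editor). It builds a constructed three-section PE32 image laid out like the dump Sergiu posted (AUTO, .idata and .reloc at raw offsets 200h, 400h and 600h, ImageBase 400000h), cuts it into a header blob plus one blob per section using nothing but the section table, and puts the pieces back together after a same-length string edit, which is the "direct copy" Sergiu asked for. The field offsets follow the IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and IMAGE_SECTION_HEADER layouts from WINNT.H rather than including that header, so it runs anywhere. The join step refuses a piece whose size no longer matches the section table, which is the trap clive warns about: changing sizes means rewriting the header, not just the data. The menu-string stand-in kept in .idata, and the names `build_sample_pe`, `parse_pe`, `split_pe`, `join_pe` and `rename_menu_item`, are assumptions made for this example.

```python
import struct

IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
SECTION_HEADER_FMT = "<8s6I2HI"        # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def build_sample_pe():
    """Constructed PE32 image (not a real program) laid out like the dump in the thread."""
    sections = [  # (name, RVA, raw file offset, Characteristics)
        (b"AUTO",   0x1000, 0x200, 0x60000020),
        (b".idata", 0x2000, 0x400, 0xC0000040),
        (b".reloc", 0x3000, 0x600, 0x42000040),
    ]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 40h
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4B847FD0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                 # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)                 # SizeOfImage, SizeOfHeaders
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)
        for name, rva, raw, flags in sections)
    header = (dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + table).ljust(0x200, b"\0")
    body = b"\xC3".ljust(0x200, b"\xCC")           # AUTO: a ret, padded with int3
    body += b"File\0Exit\0".ljust(0x200, b"\0")    # .idata stand-in holding two menu strings
    body += b"\0" * 0x200                          # .reloc: empty in this sample
    return header + body


def parse_pe(image):
    """Read the headers the way a PE viewer does; the section table says where every piece lives."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]        # SizeOfOptionalHeader
    opt = coff + 20
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"), "rva": f[2],
                         "raw_offset": f[4], "raw_size": f[3], "flags": f[9]})
    return {"image_base": image_base, "size_of_headers": size_of_headers, "sections": sections}


def split_pe(image):
    """Cut the file into the header blob plus one raw blob per section: direct copy, no disassembly."""
    info = parse_pe(image)
    parts = {s["name"]: image[s["raw_offset"]:s["raw_offset"] + s["raw_size"]] for s in info["sections"]}
    return image[:info["size_of_headers"]], parts


def join_pe(header, parts):
    """Reassemble the pieces; the header blob still carries the section table that places each one."""
    image = bytearray(header)
    for s in sorted(parse_pe(header)["sections"], key=lambda s: s["raw_offset"]):
        blob = parts[s["name"]]
        if len(blob) != s["raw_size"]:
            raise ValueError(f"{s['name']}: {len(blob)} bytes but the section table says {s['raw_size']:#x}; "
                             "a size change means rewriting the section table, not just the data")
        if len(image) < s["raw_offset"]:               # keep file offsets exactly as the table says
            image.extend(b"\0" * (s["raw_offset"] - len(image)))
        image[s["raw_offset"]:s["raw_offset"] + len(blob)] = blob
    return bytes(image)


def rename_menu_item(image, old, new):
    """The thread's scenario: same-length rename inside one section, code copied back untouched."""
    if len(old) != len(new):
        raise ValueError("keep the replacement the same length, or every offset after it shifts")
    header, parts = split_pe(image)
    if old not in parts[".idata"]:
        raise ValueError("string not found in .idata")
    parts[".idata"] = parts[".idata"].replace(old, new, 1)
    return join_pe(header, parts)


if __name__ == "__main__":
    for s in parse_pe(build_sample_pe())["sections"]:
        print(f"{s['name']:<8} RVA: {s['rva']:08X} Offset: {s['raw_offset']:08X} "
              f"Size: {s['raw_size']:08X} Flags: {s['flags']:08X}")
```

Run as a script it prints a section table in the same shape as the dump above; `split_pe` and `join_pe` are the two halves of the tool Sergiu described, and `rename_menu_item` is the one-string edit that keeps the header valid because nothing moves. To dump the pieces to disk, write each entry of `parts` to a file named after its section and read them back before calling `join_pe`.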