PE version patcher

Started by Ficko, July 08, 2010, 09:02:52 AM

Ficko

Some of you guys are probably aware of the fact that if you generate an executable with "Link.exe" - I think - above version 9.0 your executable will be refused by OS Windows 2000 - and maybe by others as well -

This is due to the improper OS versioning in the PE header - too high -

"Link" has a switch to overwrite this number but it is intentionally - I suppose ::) - broken by MS.

I use this tool http://www.korosoft.net/programs/?year=2008 "PE Version patcher" to patch the executable.

However there is no source and like any other such utility you risk some unwanted trojans.

So the assignment: :bg

I think the program is ridiculously simple for someone who knows a little about PE headers. - Not me :wink -

Maybe in "JJ" MASM Basic it is just 3 commands


LoadPEheader "C:\My.exe"
PatchPEheader
SavePEheader "C:\My.exe"
:green2

I guess it would be great if someone could post a somewhat equivalent prg to the above with source. ::) :P

gwapo

You can use /VERSION:major[.minor] linker option.

Ficko

Quote from: gwapo on July 08, 2010, 09:34:33 AM
You can use /VERSION:major[.minor] linker option.

Try it; like I said, it doesn't work. :toothy

And you may wanna patch something you do not have the source for, like the linker itself. :bg

gwapo

Quote from: Ficko on July 08, 2010, 09:44:20 AM
Quote from: gwapo on July 08, 2010, 09:34:33 AM
You can use /VERSION:major[.minor] linker option.

Try it; like I said, it doesn't work. :toothy

It's working for me  :bg
I'm using: "Microsoft (R) Incremental Linker Version 10.00.30319.01"
Probably they've already fixed it with the linker version I'm using.

Ficko

I think you are talking about the "Image Version".

That info is useless.

The OS, when loading the exe, is checking only the "Operating System Version" info - so far as I know - ::)

evlncrn8

totally correct, it checks the windows version (4.0 = 2k if I remember right) NOT the linker version,
could also be caused by an api used which is present in xp but not 2k etc..

jj2007

Quote from: Ficko on July 08, 2010, 09:02:52 AM
Maybe in "JJ" MASM Basic it is just 3 commands

At least 4...
include \masm32\MasmBasic\MasmBasic.inc
Init
Open "U", #1, CL$()  ; open commandline arg for updating
Seek #1, 123
Print #1:2, Chr$(97, 0)  ; inserts "a" and a nullbyte at pos 123
Close
Exit
end start

Ficko

Holy Sh.*?! I was just kidding.  :clap:

I wonder if this really works in every case?! ::)

Ghandi

I'm sorry, but there is a little more involved with editing a PE32 header unless you are using precalculated offsets for patching. The most common method I have seen is to either map the file or read it into memory and take this as the base address as well as a pointer to a structure named IMAGE_DOS_HEADER. Adding the e_lfanew member of this structure to the base address yields the offset of the PE header (IMAGE_NT_HEADERS).

Another way I've seen is to use SetFilePointer and ReadFile:

1. Open file handle and read first 2 bytes of file, confirm they're 'MZ'
2. Set file pointer - SetFilePointer,hFile,3Ch,0,FILE_BEGIN
3. Read 4 bytes - e_lfanew
4. Set file pointer - SetFilePointer,hFile,e_lfanew,0,FILE_BEGIN
5. Read 4 bytes, confirm they're 'PE',0,0
6. Set file pointer - SetFilePointer,hFile,offset_of_desired_member - 4,0,FILE_CURRENT
7. Write desired data
8. Close file handle

HR,
Ghandi

gwapo

The one he is looking for is in the Optional Header at offset C0h (Major OS version) and C2h (Minor OS version) respectively. As I said earlier, I was able to set these values to 4.0 using the linker option /VERSION:4.0
If you don't trust the MS linker, then use Pelle's linker (polink.exe), it's included in the MASM32 distribution as well.

jj2007

Quote from: gwapo on July 08, 2010, 03:17:33 PM
The one he is looking for is in the Optional Header at offset C0h (Major OS version) and C2h (Minor OS version) respectively.
With polink, the /version switch sets C4h and C6h for me - major and minor image versions. Same for link 9.0, but at offsets FC and FE...
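
Added example (not code from any poster in this thread): a C version of the header walk Ghandi lists above, locating the version fields relative to e_lfanew instead of at a fixed file offset. The function names and the sample header are constructed for illustration; e_lfanew values of 80h and B8h reproduce the C0h/C4h and FCh offsets quoted in these posts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside the optional header; identical for PE32 and PE32+. */
enum { OPT_OS_VER = 40, OPT_IMAGE_VER = 44, OPT_SUBSYS_VER = 48 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* File offset of a major/minor version pair, or -1 if img is not a sane PE. */
long pe_field_offset(const uint8_t *img, size_t len, unsigned field) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t lfanew = (size_t)img[0x3C] | (size_t)img[0x3D] << 8 |
                    (size_t)img[0x3E] << 16 | (size_t)img[0x3F] << 24;
    /* 4-byte signature + 20-byte file header + field + 4 bytes of version */
    if (lfanew > len || len - lfanew < 24 + (size_t)field + 4) return -1;
    if (memcmp(img + lfanew, "PE\0\0", 4) != 0) return -1;
    uint16_t magic = rd16(img + lfanew + 24);
    if (magic != 0x10B && magic != 0x20B) return -1;     /* PE32 / PE32+ */
    if (rd16(img + lfanew + 20) < field + 4) return -1;  /* SizeOfOptionalHeader */
    return (long)(lfanew + 24 + field);
}

/* Overwrite one version pair; returns the offset written, or -1. */
long pe_set_version(uint8_t *img, size_t len, unsigned field, uint16_t major, uint16_t minor) {
    long off = pe_field_offset(img, len, field);
    if (off < 0) return -1;
    wr16(img + off, major);
    wr16(img + off + 2, minor);
    return off;
}

/* Constructed sample: bare headers only, e_lfanew chosen by the caller. */
void make_sample(uint8_t *img, size_t len, uint8_t lfanew) {
    memset(img, 0, len);
    memcpy(img, "MZ", 2);
    img[0x3C] = lfanew;
    memcpy(img + lfanew, "PE\0\0", 4);
    wr16(img + lfanew + 20, 0xE0);            /* SizeOfOptionalHeader */
    wr16(img + lfanew + 24, 0x10B);           /* PE32 magic */
    wr16(img + lfanew + 24 + OPT_OS_VER, 5);  /* OS version 5.0 */
}

int main(void) {
    uint8_t img[0x200];
    make_sample(img, sizeof img, 0x80);
    printf("OS version patched at %lXh\n", pe_set_version(img, sizeof img, OPT_OS_VER, 4, 0));
    return 0;
}
```

The same call with OPT_SUBSYS_VER patches the subsystem version pair that the /SUBSYSTEM switch writes.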

qWord

FPU in a trice: SmplMath
It's that simple!

gwapo

Quote from: jj2007 on July 08, 2010, 06:00:35 PM
With polink, the /version switch sets C4h and C6h for me - major and minor image versions. Same for link 9.0, but at offsets FC and FE...

You're right, /VERSION is for image version, and not for OS version. Thanks for correcting me  :toothy

clive

Perhaps you want /SUBSYSTEM:WINDOWS,4.00 or /SUBSYSTEM:CONSOLE,4.00
It could be a random act of randomness. Those happen a lot as well.

Ficko

Quote from: clive on July 08, 2010, 07:25:40 PM
Perhaps you want /SUBSYSTEM:WINDOWS,4.00 or /SUBSYSTEM:CONSOLE,4.00

Quote
LINK : warning LNK4010: invalid subsystem version number 4.00; default subsystem version assumed

That's what I was talking about above: MS "intentionally" crippled the linker. ::)
Perhaps they want to prevent something else, like trying to run .NET 3.0 on Windows 2000, or god knows.

Quote from: qWord on July 08, 2010, 06:19:20 PM
maybe also interesting: CFF Explorer

Nice finding! :U