Let's say I have one exe, that contains:
- data
- code
- menu
Is there a disassembler that can split the exe file into 3 separate sections (data, code, menu)?
Let's say I want to change only one item name inside a menu, and not add something else. I want to be able to simply repack the 3 sections to create the new exe. I'm not talking here about reassembling the code, simply about putting it back. To simplify, the new item name will have the same number of letters as the old one.
An example from editing an avi:
I open an .avi file, I mark the beginning and the end of the sequence I want, then I choose "Direct copy - no re compression" for both audio and video. I get a new avi, with the same video and audio quality as the original one. Also, the process is very fast.
The disassemblers I've seen so far insist on disassembling and combining everything into a hard to recompile listing.
disassembling data is the hard part
the disassembler has a hard time discerning data types
and, if the code says:
mov eax,40010000h
the disassembler has no way of knowing if that is an address of some data, or just a binary value
I want instead of something like this:
Disassembly of File: INDEX.exe
T.DateStamp = 4B847FD0: Tue Feb 23 17:24:32 2010
Code Offset = 00000200, Code Size = 00000200
Data Offset = 00000400, Data Size = 00000200
Number of Objects = 0003 (dec), Imagebase = 00400000h
Object01: AUTO RVA: 00001000 Offset: 00000200 Size: 00000200 Flags: 60000020
Object02: .idata RVA: 00002000 Offset: 00000400 Size: 00000200 Flags: C0000040
Object03: .reloc RVA: 00003000 Offset: 00000600 Size: 00000200 Flags: 42000040
to have 2 files, called .idata and .reloc, for instance. Would this be possible?
for that, you do not need a disassembler
all that information is in the PE file header
you want a PE editor or viewer
PEedit and PEdump come to mind, but i forget where to get them
but, you know what to search for :bg
Quote from: dedndave on February 23, 2010, 07:56:25 PM
for that, you do not need a disassembler
all that information is in the PE file header
you want a PE editor or viewer
PEedit and PEdump come to mind, but i forget where to get them
but, you know what to search for :bg
Thank you for the names. It's easy to look when you know what to search for.
I hope they are able to make back the exe file.
they don't modify the EXE unless you want them to
they just spill its contents
if you search the forum, Hutch posted a PE/Coff format PDF document about a month ago
it explains the layout of the PE file header
Quote from: dedndave on February 23, 2010, 08:02:21 PM
they don't modify the EXE unless you want them to
they just spill its contents
I wanted to say that I hope they are able to create back a new exe from the modified parts. So, if index1.exe is split into part1, part2, and part3, and I modify part 2 into part2a, the program should know to create a new file, index2.exe, from part1, part2a and part3.
oh - i see
if you want to split them up into pieces and put them back together, you may want to use a hex editor
or - better yet - write a simple program to do it for you (a good learning experience)
for a hex editor, i use Mael Horz's HxD program
Quote from: dedndave on February 23, 2010, 08:23:27 PM
oh - i see
if you want to split them up into pieces and put them back together, you may want to use a hex editor
When I asked the original question, I used a simplified situation. If I use a hex editor, and I delete some items, I'm not sure that the exe file will be executable any more. I have to manually update the header.
Quote from: dedndave on February 23, 2010, 08:23:27 PM
or - better yet - write a simple program to do it for you (a good learning experience)
Yes, that is definitely a good idea. I always ask first before starting to do this kind of thing because I hate to reinvent the wheel. On the other hand, someone told me that if you create a hovercraft you need no wheels. :wink
All PE editors can do this, but I suggest using CFF Explorer, free from www.ntcore.com/exsuite.php
It can dump sections to disk and much more.
Quote from: Sergiu FUNIERU on February 23, 2010, 07:50:03 PM
I want instead of something like this:
Disassembly of File: INDEX.exe
T.DateStamp = 4B847FD0: Tue Feb 23 17:24:32 2010
Code Offset = 00000200, Code Size = 00000200
Data Offset = 00000400, Data Size = 00000200
Number of Objects = 0003 (dec), Imagebase = 00400000h
Object01: AUTO RVA: 00001000 Offset: 00000200 Size: 00000200 Flags: 60000020
Object02: .idata RVA: 00002000 Offset: 00000400 Size: 00000200 Flags: C0000040
Object03: .reloc RVA: 00003000 Offset: 00000600 Size: 00000200 Flags: 42000040
to have 2 files, called .idata and .reloc, for instance. Would this be possible?
Isn't this a hugely trivial exercise in FILEIO? The structures involved are simple and well defined (WINNT.H). A few 100 lines of C at most, the kind of throw away thing that doesn't really reach the level of reinventing the wheel. Plus you might gain some useful insight into how the files are structured for when you want to stitch them back together.
You're getting ahead of yourself here. Start by modifying the data in place; changing the structures and linkage is a lot more complicated to get right than you might imagine.
DumpPE has a -resource option to spit out resource data, and a -reloc option to spit out the fixup data. Still, most current applications have the fixups stripped, so figuring out what is an address and what is an arbitrary constant gets to be more fun. Especially things like jump/switch tables.
-Clive
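The "few hundred lines of C" Clive describes, and the split/modify/repack flow Sergiu asks for earlier in the thread, come down to reading the section table out of the PE header (IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER from WINNT.H) and copying bytes at the offsets it records. The script below is an added example written for this thread, not code from any of the posters or from DumpPE/CFF Explorer; it is in Python rather than C so it runs anywhere. It builds a constructed, non-loadable PE32 container whose section layout mirrors the listing quoted above (with an extra .rsrc section standing in for the menu strings), splits it into a header blob plus one blob per section, performs a same-length rename inside one section, and joins the parts back. Section names, contents and the sample string "E&xit" are constructed; the only header fields it sets are the ones the parser needs. Following Clive's advice it refuses any part whose size differs from what the table says, since resizing a section means fixing up the header and every absolute address, which this code deliberately does not attempt.

```python
import struct

# Constructed sample layout, matching the listing quoted in the thread
# (file alignment 200h, raw sections at 200h, 400h, ...).
FILE_ALIGN, SECTION_ALIGN, OPT_HDR_SIZE = 0x200, 0x1000, 0xE0
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes (WINNT.H)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes (WINNT.H)

# Constructed section contents: (name, Characteristics, raw bytes). AUTO holds the
# "mov eax,40010000h" from the thread plus a ret; .rsrc stands in for the menu strings.
SAMPLE_SECTIONS = [
    ("AUTO",   0x60000020, b"\xB8\x00\x00\x01\x40\xC3"),
    (".idata", 0xC0000040, b"KERNEL32.dll\0ExitProcess\0"),
    (".rsrc",  0x40000040, b"&File\0&Open\0E&xit\0"),
    (".reloc", 0x42000040, b"RELOC\0"),
]

def _align(n, a):
    return (n + a - 1) // a * a

def build_sample_pe(sections):
    """Build a minimal PE32 container: DOS header, PE signature, COFF header, mostly
    zero optional header, section table, file-aligned raw sections. Not loadable."""
    hdr_len = (0x40 + 4 + struct.calcsize(COFF_FMT) + OPT_HDR_SIZE
               + len(sections) * struct.calcsize(SECTION_FMT))
    size_of_headers = _align(hdr_len, FILE_ALIGN)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0x4B847FD0, 0, 0,
                       OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0x00, 0x10B)            # Magic: PE32
    struct.pack_into("<I", opt, 0x3C, size_of_headers)  # SizeOfHeaders
    table, body, rva, raw = b"", b"", SECTION_ALIGN, size_of_headers
    for name, flags, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(data),
                             rva, raw_size, raw, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        rva += _align(len(data), SECTION_ALIGN)
        raw += raw_size
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(size_of_headers, b"\0") + body

def parse_sections(image):
    """Read the section table straight out of the PE header; no disassembly involved."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    secs = []
    for i in range(nsect):
        (name, _vsize, rva, raw_size, raw_ptr, _, _, _, _,
         flags) = struct.unpack_from(SECTION_FMT, image, table_off + i * 40)
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "rva": rva, "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags})
    return secs

def split_image(image):
    """Split into the header blob plus one raw blob per section, keyed by name."""
    secs = parse_sections(image)
    for s in secs:  # a truncated file must fail loudly, not yield short parts
        if s["raw_ptr"] + s["raw_size"] > len(image):
            raise ValueError(f"{s['name']}: raw data runs past end of file")
    first = min(s["raw_ptr"] for s in secs if s["raw_size"])
    parts = {s["name"]: image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]] for s in secs}
    return image[:first], parts

def join_image(header, parts):
    """Put the pieces back at the offsets the section table dictates. Sizes must match
    exactly: growing or shrinking a section invalidates the header and every address."""
    out = bytearray(header)
    for s in parse_sections(header):
        data = parts[s["name"]]
        if len(data) != s["raw_size"]:
            raise ValueError(f"{s['name']}: got {len(data)} bytes, table says {s['raw_size']}")
        if len(out) < s["raw_ptr"]:
            out.extend(b"\0" * (s["raw_ptr"] - len(out)))
        out[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]] = data
    return bytes(out)

def rename_in_section(image, section, old, new):
    """Same-length in-place edit of one section, then reassembly of all the parts."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    header, parts = split_image(image)
    blob = parts[section]
    idx = blob.find(old)
    if idx < 0:
        raise ValueError(f"{old!r} not found in {section}")
    parts[section] = blob[:idx] + new + blob[idx + len(old):]
    return join_image(header, parts)

if __name__ == "__main__":
    img = build_sample_pe(SAMPLE_SECTIONS)
    for s in parse_sections(img):
        print(f"{s['name']:<8} RVA: {s['rva']:08X} Offset: {s['raw_ptr']:08X} "
              f"Size: {s['raw_size']:08X} Flags: {s['flags']:08X}")
    print(len(rename_in_section(img, ".rsrc", b"E&xit", b"&Quit")) == len(img))
```

To use this on a real file, replace `build_sample_pe(SAMPLE_SECTIONS)` with the bytes read from disk, write each entry of `parts` out under its section name, edit one of them with a hex editor, and feed the edited blobs back to `join_image` with the untouched header blob; the size check is what keeps the edit limited to the "same number of letters" case the thread agreed on.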