Tuts 4 You

ap0x's Blog

Realigner 1.0

ap0x


I know I mentioned this a while ago here at the forum but I never actually added this to UE. Why? Because it was developed for the company I work for and I got paid to do it. But the code itself isn't such a big mystery, but it is uber cool (TF2 player, what 'r gonna do) because it uses only one API to do the realignment, and that is because it needs to be Windows 2000 compliant. And that was then... The same API call definition as in y0da's realign15.dll. This was done to retain compliance with my old unpackers which used y0da's realigner. And now... I added a new API called nicely IsPE32FileValid and you know what it does. But what you don't know is how it does it. Meaning what is checked. And the answer is... Everything, and it also checks for Microsoft PECOFF version differences between NT and 9x OSes, making some files invalid on 9x. Here is a brief list:

1) Everything said in PECOFF 8.0 (ImageBase, PE32 field data...)

2) Table content (TLS, Imports [also validates by using existing libraries], Resources)

3) Section content, accessibility and file alignment

And there is a much cooler API called FixBrokenPE32File which will NOT be added to Realigner because... Well, because it is uber cool and I don't wanna release it just yet. So Realigner comes with two APIs: RealignPE and IsPE32FileValid. And that is it for now. I plan on adding reloc stripping before this little thing gets added to UE. Stay tuned because it could happen very, very soon...
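As an added example (not Realigner's or y0da's realign15.dll code), here is the realignment model the post describes, plus a few of the PECOFF alignment rules a validator like IsPE32FileValid would check, written in Python; the section table and section contents are constructed for the demo.

```python
# Added example, not ap0x's Realigner or y0da's realign15.dll: realign a
# dumped PE section table to FileAlignment and check PECOFF alignment rules.
# The layout values and section contents below are constructed for the demo.

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def is_file_alignment_valid(file_alignment, section_alignment):
    # PECOFF: power of two in [512, 64K], <= SectionAlignment, equal if sub-page
    if file_alignment & (file_alignment - 1) or not 0x200 <= file_alignment <= 0x10000:
        return False
    if section_alignment < 0x1000 and section_alignment != file_alignment:
        return False
    return section_alignment >= file_alignment

def realign_sections(sections, headers_size, file_alignment):
    """sections: dicts (name/va/vsize/data) as dumped from memory, raw data padded
    to the virtual size. Returns the rebuilt section table and the new file size."""
    table, offset = [], align_up(headers_size, file_alignment)
    for s in sections:
        data = s["data"].rstrip(b"\0")                  # drop slack the dump added
        raw_size = align_up(len(data), file_alignment)  # file-aligned raw size
        table.append({"name": s["name"], "va": s["va"], "vsize": s["vsize"],
                      "ptr_raw": offset if raw_size else 0, "raw_size": raw_size,
                      "data": data.ljust(raw_size, b"\0")})
        offset += raw_size
    return table, offset

def check_section_table(table, file_alignment, section_alignment, file_size):
    """Loader-style checks: VAs ascending and section-aligned, raw pointer and
    size file-aligned, raw data inside the file and not overlapping."""
    va_end = raw_end = 0
    for s in table:
        if s["va"] % section_alignment or s["va"] < va_end:
            return False
        if s["ptr_raw"] % file_alignment or s["raw_size"] % file_alignment:
            return False
        if s["raw_size"] and (s["ptr_raw"] < raw_end
                              or s["ptr_raw"] + s["raw_size"] > file_size):
            return False
        va_end = s["va"] + align_up(s["vsize"], section_alignment)
        raw_end = max(raw_end, s["ptr_raw"] + s["raw_size"])
    return True

# Constructed dump: three sections laid out as in memory (raw == virtual).
DUMPED = [
    {"name": b".text", "va": 0x1000, "vsize": 0x650, "data": b"\x90" * 0x650 + b"\0" * 0x9B0},
    {"name": b".data", "va": 0x2000, "vsize": 0x100, "data": b"A" * 0x40 + b"\0" * 0xFC0},
    {"name": b".bss", "va": 0x3000, "vsize": 0x1000, "data": b"\0" * 0x1000},
]
```

Running `realign_sections(DUMPED, 0x400, 0x200)` shrinks the 0x4000-byte dump to a 0xE00-byte layout that passes `check_section_table`, while the uninitialised `.bss` section ends up with no raw data at all.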

3 Comments


Killboy

Posted

Your posts are always very confusing lol

What I got so far:

You coded a realigner. It uses only one API because it needs to be compliant with Win2k (Why can't you use 2 APIs? Or 3?). It is compliant with yoda's realign.dll. You coded a function to check for a PE file being valid.

It checks version differences and makes PE files invalid (This is very confusing).


Realigner doesn't need to use any APIs to do the realignment, and this is only if you use the same realigner model as y0da used (mapping is done by the application and not by the realigner). The only reason it uses that one API is because it is needed for Windows 2000 compliance. Some files are invalid in 9x but valid on NT. This is due to Windows PE loader differences between the two systems. These differences are ignored in favor of NT since only a few people use 9x these days. Furthermore, if the file is valid for 9x and invalid for NT, the function FixBrokenPE32File fixes these differences, making the file valid for NT usage.

Killboy

Posted

Sounds nice :)

Looking forward to UE, sounds like teh uber unpack kit :D

Hurry up ^_^
