Problem with get the first bytes file offset

[black8x]

Hello all !

I got problems with the delphi code how get the first bytes file offset in delphi. It's works correctly which normal files and some packed files. But it returns wrong offset value when a file packed by Dwing WinUpack, FSG...may be the file's pe sections problems. I have been searching this question for a long time and no luck. i found on cracklab.ru a topic like this, correct me if i am wrong, but it has not solve yet.

http://www.cracklab.ru/f/index.php?action=vthread&forum=6&topic=5930&page=0

Here is delphi code i am using. Many thanks in advance and hope you could help me figure out the problems. My apologies for wasting your time.

Best Regards,

GetOffsetFile.rar

Edited August 5, 2010 by black8x

[BoB]

UPack has twisted exe to save bytes, it is not normal exe. Some versions of FSG have first section (lowest by raw offset) at the end of the section headers instead of first, so that also is not normal exe.

Both of these packers also have versions that put the EntryPoint into the headers (not in any section), so the Section Rva calculation will not work.

Anyway, the code is wrong.

function GetEPoffset(filname: string): string;
var I: DWORD;
begin
  if not openpe(filname) then exit;  SetFilePointer(FHandle, PEHeaderOffset + $28, nil, 0);
  ReadFile(FHandle, EntryPointRVA, SizeOf(EntryPointRVA), BytesRead, nil);  SetFilePointer(FHandle, PEHeaderOffset + $F8, nil, 0); // <--- THIS LINE
  for I:= 1 to NumOfSections do
  begin
    ReadFile(FHandle, Section, SizeOf(Section), BytesRead, nil);
    if (EntryPointRVA >= Section.VirtualAddress)
      and (EntryPointRVA < Section.VirtualAddress + Section.VirtualSize) then Break;
  end;
  EntryPointOffset:= EntryPointRVA - Section.VirtualAddress + Section.PhysicalOffset;
  CloseHandle(FHandle);
  result:=IntToHex(EntryPointOffset,8);
end;

This code assumes that the section table is right after full PE headers (Size $F8):

SetFilePointer(FHandle, PEHeaderOffset + $F8, nil, 0);

To get true offset of section table you must check the 'Size of NT Headers' field, SecOffset should be defined as a WORD:

SetFilePointer(FHandle, PEHeaderOffset + $14, nil, 0);
ReadFile(FHandle, SecOffset, 2, BytesRead, nil);
SetFilePointer(FHandle, PEHeaderOffset + SecOffset + 4 + SizeOf(TImageFileHeader), nil, 0);

That would get you to the correct place to read sections at least..

If the offset of the EntryPoint is in the headers, then just use the EntryPoint value as offset, but some versions of UPack will require more work.

Honestly tho, this Unit is coded badly, better to code your own that uses the PE structures instead of fixed offsets, and doesn't read the file all the time (REALLY slow compared to reading from memory)

See the last topic this was asked for a version with less disk reads and use of structures:
/>http://forum.tuts4you.com/index.php?showtopic=23391&view=findpost&p=111373

Edited August 5, 2010 by BoB

[black8x]

Dear BoB !

I would like to thank and appreciate for your help and your hard working on peid plugin projects. I used to use the code basic on your post (rva2offset) on peid forum and use "Pe File Unit" by ErazerZ to get the RVA offset file. I normal think it can get the rva offset of the files which are packed by winupack and fsg as normal files.

Thanks BoB again and i will try to fix it. i do not know if it working correctly but i will try my best ! My apologies for wasting your valuable time.

Best Regards,

Edited August 5, 2010 by black8x

[Nacho_dj]

This can be happening because of a value zero for Section.PhysicalOffset, as many protections use, then this operation would fail:

EntryPointOffset:= EntryPointRVA - Section.VirtualAddress + Section.PhysicalOffset;

You can include a check for that variable to find if it is neither equal zero nor greater than FileSize, preventing a wrong operation.

Best regards

Nacho_dj

[black8x]

Dear Nacho_dj !

Thanks for your helps, i will add a nice check function as you told, do not know if it works perfectly ! My apologies for wasting your time.

Best Regards,

[BoB]

You're welcome, glad you find the plugins useful