Tuts 4 You

Scylla + Overlapped Headers



If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER, i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the Windows PE loader.


This is due to Scylla moving the IMAGE_NT_HEADERS at offset 0x40 without updating the "e_lfanew" field.

This was tested with Scylla v0.7 beta 7.

Best Regards


Edited by waliedassar
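A check for the condition described in the post above, as an added example that is not part of the original thread and is not Scylla's code: it classifies a PE image's header layout and repairs a dump whose NT headers sit at 0x40 while e_lfanew still holds the old overlapping value. The function names and the header-only sample buffers are constructed for illustration.

```python
import struct

E_LFANEW_OFF = 0x3C       # offset of e_lfanew inside IMAGE_DOS_HEADER
DOS_HEADER_SIZE = 0x40    # offset the post says the NT headers are moved to
OVERLAP_MAX = 0x38        # largest overlapping e_lfanew named in the post
PE_SIG = b"PE\0\0"

def read_e_lfanew(data):
    return struct.unpack_from("<I", data, E_LFANEW_OFF)[0]

def has_sig(data, off):
    return data[off:off + 4] == PE_SIG

def check_headers(data):
    """Classify the DOS/NT header layout of a PE image."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return "not-mz"
    e_lfanew = read_e_lfanew(data)
    if e_lfanew <= OVERLAP_MAX and has_sig(data, DOS_HEADER_SIZE):
        return "stale-e_lfanew"   # NT headers at 0x40, field still holds old value
    if not has_sig(data, e_lfanew):
        return "no-pe-signature"
    return "overlapped" if e_lfanew <= OVERLAP_MAX else "ok"

def repair_e_lfanew(data):
    """Point e_lfanew at 0x40, but only if a PE signature is really there."""
    if not has_sig(data, DOS_HEADER_SIZE):
        raise ValueError("no PE signature at 0x40")
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, E_LFANEW_OFF, DOS_HEADER_SIZE)
    return bytes(fixed)

def make_sample(e_lfanew, sig_at):
    """Constructed header-only buffer, not a loadable executable."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFF, e_lfanew)
    buf[sig_at:sig_at + 4] = PE_SIG
    return bytes(buf)

if __name__ == "__main__":
    original = make_sample(0x10, 0x10)   # overlapped headers before dumping
    dumped = make_sample(0x10, 0x40)     # headers moved, field not updated
    for name, img in (("original", original), ("dumped", dumped),
                      ("repaired", repair_e_lfanew(dumped))):
        print(name, hex(read_e_lfanew(img)), check_headers(img))
```
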

Thank you very much, waliedassar.

I didn't even know that this is possible.

Files packed with Spack (by Bagie) used to have overlapped headers.
