Tuts 4 You

Scylla + Overlapped Headers


waliedassar


If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER, i.e. the e_lfanew field has a value less than or equal to 0x38 (and, of course, greater than or equal to 0x2), the resulting executable is rejected by the Windows PE loader.

http://uploadpic.org...p?img=BdtSYOk9l

This is due to Scylla moving the IMAGE_NT_HEADERS at offset 0x40 without updating the "e_lfanew" field.

This was tested with Scylla v0.7 beta 7.

Best Regards

Waliedassar
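
The following is an added example, not part of the original post and not Scylla's code: a Python check that reads `e_lfanew`, reports whether the NT headers overlap the DOS header, and detects the state described above (PE signature at 0x40 while `e_lfanew` still holds the old value). The function names and the sample images are constructed for illustration, and the repair assumes the headers really were relocated to 0x40 as the post states.

```python
import struct

DOS_HEADER_SIZE = 0x40  # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C  # e_lfanew is the last field of IMAGE_DOS_HEADER
PE_SIGNATURE = b"PE\0\0"

def read_e_lfanew(data: bytes) -> int:
    """Return e_lfanew, the file offset of IMAGE_NT_HEADERS."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    return struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]

def diagnose(data: bytes) -> str:
    """Classify the DOS/NT header layout of an image (labels are hypothetical)."""
    e_lfanew = read_e_lfanew(data)
    if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        # NT headers that start inside the first 0x40 bytes overlap the DOS header.
        return "overlapped" if e_lfanew < DOS_HEADER_SIZE else "ok"
    if data[DOS_HEADER_SIZE:DOS_HEADER_SIZE + 4] == PE_SIGNATURE:
        # Headers sit at 0x40 but e_lfanew was not updated: the broken dump.
        return "stale_e_lfanew"
    return "invalid"

def repair(data: bytes) -> bytes:
    """Point e_lfanew at 0x40 when the headers were moved there without it."""
    if diagnose(data) != "stale_e_lfanew":
        return data
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    return bytes(fixed)

def make_sample(e_lfanew: int, nt_offset: int) -> bytes:
    """Constructed image: only MZ, the PE signature and e_lfanew are filled in."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    buf[nt_offset:nt_offset + 4] = PE_SIGNATURE
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    return bytes(buf)

if __name__ == "__main__":
    samples = {
        "original, overlapped": make_sample(0x10, 0x10),
        "dump, headers moved": make_sample(0x10, 0x40),
        "ordinary layout": make_sample(0x80, 0x80),
    }
    for name, image in samples.items():
        print(f"{name}: {diagnose(image)} -> {diagnose(repair(image))}")
```
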


Thank you very much, waliedassar.

I didn't even know that this is possible.

Files packed with Spack (by Bagie) used to have overlapped headers.
