ding Posted May 31, 2020 (edited)

Hello, I started working on my own PE parsing tool in assembly language (MASM) and am using RadASM as my main IDE.

    assume edi:ptr IMAGE_DOS_HEADER              ; treat edi as a pointer to the DOS header
    lea eax,[edi].e_magic                        ; eax = address of the e_magic field
    invoke SendMessage,hEdit,WM_SETTEXT,0,eax    ; hand that address to the edit control as a string

This line of code is supposed to output the following: "MZ". It does for some executables, except Delphi executables, where it shows "MZP" instead. The question here is: what is the (e_cblp) byte doing here? As far as I know the e_magic field is just word sized. e_magic = $5A4D. I am really confused right now!

Edited May 31, 2020 by ding
kao Posted May 31, 2020

That field has no meaning for Windows (PE) executables. You can put whatever you like there. It's a part of the DOS EXE header. You can find unofficial DOS EXE specifications, for example, here: http://www.delorie.com/djgpp/doc/exe/ or here: http://www.textfiles.com/programming/FORMATS/exefs.pro.
ding (Author) Posted May 31, 2020

43 minutes ago, kao said: That field has no meaning for Windows (PE) executables. You can put whatever you like there. It's a part of the DOS EXE header. You can find unofficial DOS EXE specifications, for example, here: http://www.delorie.com/djgpp/doc/exe/ or here: http://www.textfiles.com/programming/FORMATS/exefs.pro.

Hi kao, I'm not sure what you mean by "You can put whatever you like there"; if you change the "MZ" signature the executable won't run.

I switched to hex view: this displays ($4D5A) = MZ. I guess this is good since all other values will be displayed in hex too!

    assume edi:ptr IMAGE_DOS_HEADER                ; treat edi as a pointer to the DOS header
    xor eax,eax                                    ; clear eax before loading a 16-bit value into ax
    mov ax,word ptr [edi].e_magic                  ; read e_magic as a WORD, not as a string
    mov tmp,ax                                     ; store it for wsprintf
    invoke wsprintf,addr szBuffer,addr magic,tmp   ; format the word with the "magic" format string into szBuffer
kao Posted May 31, 2020

To clarify - I meant the "e_cblp" field you were asking about. You can put any value in it. "e_magic" of course has to be "MZ".
LCF-AT Posted May 31, 2020

Hi, you don't need to parse the ASCII strings like "MZ" with each other. Just read the hex values and use them to compare with any other values you read in hex from any other file etc. You can use CFF Explorer to see the whole PE info at once. Maybe you want to do or handle it like that too etc.

greetz
ding (Author) Posted May 31, 2020 (edited)

1 hour ago, LCF-AT said: Hi, you don't need to parse the ASCII strings like "MZ" with each other. Just read the hex values and use them to compare with any other values you read in hex from any other file etc. You can use CFF Explorer to see the whole PE info at once. Maybe you want to do or handle it like that too etc. greetz

Hi LCF, happy to see you here. I'm actually fascinated with "CFF Explorer"; although it's complicated and time consuming to write something similar, I have the energy to start working on it.

Regards,

Edited May 31, 2020 by ding
ToMKoL Posted June 1, 2020 (edited)

On 5/31/2020 at 3:40 PM, ding said:

    assume edi:ptr IMAGE_DOS_HEADER
    lea eax,[edi].e_magic
    invoke SendMessage,hEdit,WM_SETTEXT,0,eax

This line of code is supposed to output the following: "MZ". It does for some executables, except Delphi executables, where it shows "MZP" instead.

Your assumption is wrong. You're displaying a string. So it will display whatever is there until the null terminator byte. If you put "Hello world" there it would display it, and it wouldn't matter that your exe would be invalid.

Edited June 1, 2020 by ToMKoL
ding (Author) Posted June 1, 2020

3 minutes ago, ToMKoL said: Your assumption is wrong. You're displaying a string. So it will display whatever is there until the null terminator byte. If you put "Hello world" there it would display it, and it wouldn't matter that your exe would be invalid.

It's a string formatted using "wsprintf", so it will display the ASCII representation of the first two bytes 4D 5A (I'm not using it). I performed a check for the MZ signature; in this case, when it finds 00 01 instead of 4D 5A it will notify the user that the file is not a valid executable.

    cmp word ptr [edi].e_magic,IMAGE_DOS_SIGNATURE   ; compare the 16-bit e_magic field with 5A4Dh ("MZ")
    jnz Error                                         ; not equal: report an invalid executable
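The two behaviours discussed in this thread, a WORD compare against IMAGE_DOS_SIGNATURE versus handing the address of e_magic to a string API, as a small added C example. This is not code from the thread or from any of the posters. It hand-rolls the IMAGE_DOS_HEADER offsets instead of including winnt.h, builds a constructed in-memory sample (not a real file) whose e_cblp is 0x0050, the "P\0" that gives Delphi executables their "MZP" prefix, and bounds-checks e_lfanew before looking at the PE signature. The helper names (build_sample, displayed_magic, magic_word, validate_image, validate_sample) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside IMAGE_DOS_HEADER as laid out in winnt.h; the struct is 64 bytes. */
#define DOS_HEADER_SIZE     64
#define OFF_E_MAGIC          0          /* WORD e_magic  */
#define OFF_E_CBLP           2          /* WORD e_cblp   */
#define OFF_E_LFANEW        60          /* LONG e_lfanew */
#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" read as a little-endian WORD */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" read as a little-endian DWORD */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample image: a 64-byte DOS header whose e_lfanew points straight at a
 * "PE\0\0" signature at offset 64. The caller picks e_cblp (0x0050 reproduces the
 * Delphi "MZP" case) and the first byte (anything but 'M' corrupts the signature).
 * Returns the number of bytes written, 0 if the buffer is too small. */
static size_t build_sample(uint8_t *buf, size_t cap, uint16_t e_cblp, uint8_t first_byte) {
    const size_t total = DOS_HEADER_SIZE + 4;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[OFF_E_MAGIC]     = first_byte;              /* 'M' for a valid header */
    buf[OFF_E_MAGIC + 1] = 'Z';
    buf[OFF_E_CBLP]      = (uint8_t)(e_cblp & 0xFF);
    buf[OFF_E_CBLP + 1]  = (uint8_t)(e_cblp >> 8);
    buf[OFF_E_LFANEW]    = DOS_HEADER_SIZE;         /* e_lfanew = 64; upper bytes stay 0 */
    memcpy(buf + DOS_HEADER_SIZE, "PE\0\0", 4);
    return total;
}

/* What a string API such as WM_SETTEXT shows when given a pointer to e_magic:
 * it copies bytes until the first NUL, so it runs past the 2-byte field into e_cblp. */
static size_t magic_as_cstring(const uint8_t *img, size_t len, char *out, size_t outsz) {
    size_t n = 0;
    while (n < len && n + 1 < outsz && img[n] != 0) { out[n] = (char)img[n]; n++; }
    out[n] = '\0';
    return n;
}

/* The check the thread ends up with: compare the WORD, never the string.
 * Returns 0 = ok, 1 = too short, 2 = bad MZ, 3 = e_lfanew out of range, 4 = bad PE. */
static int validate_image(const uint8_t *img, size_t len) {
    if (len < DOS_HEADER_SIZE) return 1;
    if (rd16(img + OFF_E_MAGIC) != IMAGE_DOS_SIGNATURE) return 2;
    uint32_t lfanew = rd32(img + OFF_E_LFANEW);
    if (lfanew > len - 4) return 3;                 /* len >= 64 here, so no underflow */
    if (rd32(img + lfanew) != IMAGE_NT_SIGNATURE) return 4;
    return 0;
}

/* Wrappers that build the sample internally so each result depends only on the inputs. */
static const char *displayed_magic(uint16_t e_cblp) {
    static uint8_t img[DOS_HEADER_SIZE + 4];
    static char shown[8];
    size_t n = build_sample(img, sizeof img, e_cblp, 'M');
    magic_as_cstring(img, n, shown, sizeof shown);
    return shown;
}

static uint16_t magic_word(uint16_t e_cblp) {
    uint8_t img[DOS_HEADER_SIZE + 4];
    build_sample(img, sizeof img, e_cblp, 'M');
    return rd16(img + OFF_E_MAGIC);                 /* unaffected by e_cblp */
}

static int validate_sample(uint16_t e_cblp, uint8_t first_byte) {
    uint8_t img[DOS_HEADER_SIZE + 4];
    size_t n = build_sample(img, sizeof img, e_cblp, first_byte);
    return validate_image(img, n);
}

int main(void) {
    printf("Delphi-style e_cblp=0x0050: shown as \"%s\", WORD=0x%04X, validate=%d\n",
           displayed_magic(0x0050), magic_word(0x0050), validate_sample(0x0050, 'M'));
    printf("e_cblp=0x0000:              shown as \"%s\", WORD=0x%04X, validate=%d\n",
           displayed_magic(0x0000), magic_word(0x0000), validate_sample(0x0000, 'M'));
    printf("first byte corrupted:       validate=%d\n", validate_sample(0x0050, 0x00));
    return 0;
}
```

The WORD read returns 0x5A4D for every sample regardless of e_cblp, while the string view changes from "MZ" to "MZP" as soon as e_cblp's low byte is printable; validate_image also refuses to follow e_lfanew beyond the buffer, which a parser fed untrusted files needs before it dereferences any offset taken from the header.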
Teddy Rogers Posted June 1, 2020

It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center. You can use Windows APIs to map, parse, verify and manipulate PE files...

Ted.
ding (Author) Posted June 1, 2020 (edited)

8 hours ago, Teddy Rogers said: It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center. You can use Windows APIs to map, parse, verify and manipulate PE files... Ted.

Hi Ted, I'm not trying to reinvent the wheel; I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language. ☺️

3 hours ago, Bartosz Wójcik said: Read the f******g documentation right

Hi Bartosz, nice to see you here. As I said before it's all about knowledge; I'm not interested in ready-made PE parsers... I've already read Goppit's tutorial, why should I read the documentation again? (masm32/include/windows.inc) + "win32api.HLP" is all I need for the moment.

Greetz

Edited June 1, 2020 by ding
Teddy Rogers Posted June 3, 2020

On 6/2/2020 at 4:55 AM, ding said: I'm not trying to reinvent the wheel; I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language. ☺️

All good. Wanted to be sure you knew the documentation existed and that there are Windows APIs to help speed up development. I just realised the Portable Executable Format (PE) category in Downloads should have had quite a bit of information on this topic. I have not yet uploaded the files. Will try to do it over the weekend; there will likely be some useful information for you there...

Ted.