Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-15-2003, 16:31
atest
 
Posts: n/a
Question How to reduce the size of dumped exe

As a test, I use Armadillo to protect a exe(24K), then unpack it,
dump the exe, but this one is bigger than the original(348K).
there are several sections:
1000 .data
20000 .data1
1000 .mackt
20000 .pdata
1000 .rdata
2000 .rsrc
1000 .text
10000 .text1
and I think maybe the .data1 & .pdata section could be removed.
I tried PE explorer, PETools to remove the section, but always get corrupted EXE. Is there any good tools?
or other method to reduce the file size?
thanks
Reply With Quote
  #2  
Old 09-15-2003, 20:16
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 3
Thanks Rcvd at 16 Times in 10 Posts
MaRKuS-DJM Reputation: 6
i think you shoud use LordPe by y0da and select Rebuild PE
Reply With Quote
  #3  
Old 09-16-2003, 02:10
K3nny's Avatar
K3nny K3nny is offline
VIP
 
Join Date: Jul 2003
Posts: 106
Rept. Given: 26
Rept. Rcvd 13 Times in 6 Posts
Thanks Given: 12
Thanks Rcvd at 1 Time in 1 Post
K3nny Reputation: 13
yeah...and don't forget check DUMPFiX...
Reply With Quote
  #4  
Old 09-17-2003, 16:31
atest
 
Posts: n/a
Quote:
Originally posted by MaRKuS-DJM
i think you shoud use LordPe by y0da and select Rebuild PE
Well, it works sometimes
but when I want to fix a big exe it report no sufficient memory and doesn't work.
Reply With Quote
  #5  
Old 09-28-2003, 17:13
amitophia
 
Posts: n/a
You can remove this sections manually


You have to remove this section from section list in PE-header an move up ther sections to fill up the gaps, so it would be like this (but you shouldn't change header size)

1000 .data
1000 .mackt
1000 .rdata
2000 .rsrc
1000 .text
10000 .tex1
Then you'll have to correct the Phys Address and RVA's.
If this sections were placed at the end of file.
This is needed only for sections that goes after removed sections. So If section .pdata were 600 phys bytes long (for example) then all other sections phys addresses will reduce by 600 bytes in the "removed" version.
The RVA's need to be corrected to fill the RVA gaps (because win2k and XP (maybe, NT) don't allow the holes betweebn sections)
So you have to increase RVA size of sections to the beginning of next section.

Last edited by amitophia; 09-29-2003 at 05:41.
Reply With Quote
  #6  
Old 09-28-2003, 18:41
Squidge's Avatar
Squidge Squidge is offline
Drunken Squirrel
 
Join Date: Oct 2002
Posts: 412
Rept. Given: 4
Rept. Rcvd 9 Times in 4 Posts
Thanks Given: 0
Thanks Rcvd at 6 Times in 6 Posts
Squidge Reputation: 9
Don't forget that if you do remove sections and then move the other sections to fill the gaps, then you'll also need to relocate the data inside any section which contains RVA's, such as import sections, resource, etc.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Instruction Size visu General Discussion 9 05-16-2005 18:23
10 lines code dumped themida pll823 General Discussion 3 04-23-2005 17:36
Dumped File / DLL Missing rf1911 General Discussion 7 08-24-2003 06:19


All times are GMT +8. The time now is 19:51.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )