Quote:
Originally Posted by RedBlkJck
...Try OllyDumpEx. - jack
Thanks RedBlkJck for the tip.
I managed to rebuild the PE header first before dumping with OllyDumpEx, which is able to read the modified PE header successfully.
I would have been 100% successful if it were not for some awkward behaviour of ImpRec and Scylla during the fixing of the dumped file.
For some unknown reason, both programs just decide to change the characteristics of .rdata, which I had set to 40000040 = INITIALIZED_DATA|READ before the dump, to C0000040 = INITIALIZED_DATA|READ|WRITE.
A fixed PE header for the code from the initial post will now look like this:
Code:
00400110 50 45 00 00>ASCII "PE" ; PE signature (PE)
00400114 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
00400116 0500 DW 0005 ; NumberOfSections = 5
00400118 92FF3152 DD 5231FF92 ; TimeDateStamp = 5231FF92
0040011C 00000000 DD 00000000 ; PointerToSymbolTable = 0
00400120 00000000 DD 00000000 ; NumberOfSymbols = 0
00400124 E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
00400126 0301 DW 0103 ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED
00400128 0B01 DW 010B ; MagicNumber = PE32
0040012A 0A DB 0A ; MajorLinkerVersion = A (10.)
0040012B 00 DB 00 ; MinorLinkerVersion = 0
0040012C 00001E00 DD 001E0000 ; SizeOfCode = 1E0000 (1966080.)
00400130 006A2E00 DD 002E6A00 ; SizeOfInitializedData = 2E6A00 (3041792.)
00400134 00000000 DD 00000000 ; SizeOfUninitializedData = 0
00400138 41961A00 DD 001A9641 ; AddressOfEntryPoint = 1A9641
0040013C 00100000 DD 00001000 ; BaseOfCode = 1000
00400140 00101E00 DD 001E1000 ; BaseOfData = 1E1000
00400144 00004000 DD 00400000 ; ImageBase = 400000
00400148 00100000 DD 00001000 ; SectionAlignment = 1000
0040014C 00020000 DD 00000200 ; FileAlignment = 200
00400150 0500 DW 0005 ; MajorOSVersion = 5
00400152 0100 DW 0001 ; MinorOSVersion = 1
00400154 0000 DW 0000 ; MajorImageVersion = 0
00400156 0000 DW 0000 ; MinorImageVersion = 0
00400158 0500 DW 0005 ; MajorSubsystemVersion = 5
0040015A 0100 DW 0001 ; MinorSubsystemVersion = 1
0040015C 00000000 DD 00000000 ; Reserved
00400160 00905200 DD 00529000 ; SizeOfImage = 529000 (5410816.)
00400164 00100000 DD 00001000 ; SizeOfHeaders = 1000 (4096.)
00400168 BE081500 DD 001508BE ; CheckSum = 1508BE
0040016C 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
0040016E 0081 DW 8100 ; DLLCharacteristics = 8100
00400170 00001000 DD 00100000 ; SizeOfStackReserve = 100000 (1048576.)
00400174 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
00400178 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
0040017C 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
00400180 00000000 DD 00000000 ; LoaderFlags = 0
00400184 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
00400188 00000000 DD 00000000 ; Export Table address = 0
0040018C 00000000 DD 00000000 ; Export Table size = 0
00400190 00505200 DD 00525000 ; Import Table address = 525000
00400194 7C010000 DD 0000017C ; Import Table size = 17C (380.)
00400198 00A05100 DD 0051A000 ; Resource Table address = 51A000
0040019C E0910000 DD 000091E0 ; Resource Table size = 91E0 (37344.)
004001A0 00000000 DD 00000000 ; Exception Table address = 0
004001A4 00000000 DD 00000000 ; Exception Table size = 0
004001A8 00781400 DD 00147800 ; Certificate File pointer = 147800
004001AC E01B0000 DD 00001BE0 ; Certificate Table size = 1BE0 (7136.)
004001B0 00000000 DD 00000000 ; Relocation Table address = 0
004001B4 00000000 DD 00000000 ; Relocation Table size = 0
004001B8 78465200 DD 00524678 ; Debug Data address = 524678
004001BC 1C000000 DD 0000001C ; Debug Data size = 1C (28.)
004001C0 00000000 DD 00000000 ; Architecture Data address = 0
004001C4 00000000 DD 00000000 ; Architecture Data size = 0
004001C8 00000000 DD 00000000 ; Global Ptr address = 0
004001CC 00000000 DD 00000000 ; Must be 0
004001D0 00000000 DD 00000000 ; TLS Table address = 0
004001D4 00000000 DD 00000000 ; TLS Table size = 0
004001D8 00000000 DD 00000000 ; Load Config Table address = 0
004001DC 00000000 DD 00000000 ; Load Config Table size = 0
004001E0 00000000 DD 00000000 ; Bound Import Table address = 0
004001E4 00000000 DD 00000000 ; Bound Import Table size = 0
004001E8 00000000 DD 00000000 ; Import Address Table address = 0
004001EC 00000000 DD 00000000 ; Import Address Table size = 0
004001F0 88673000 DD 00306788 ; Delay Import Descriptor address = 306788
004001F4 E0000000 DD 000000E0 ; Delay Import Descriptor size = E0 (224.)
004001F8 00000000 DD 00000000 ; COM+ Runtime Header address = 0
004001FC 00000000 DD 00000000 ; Import Address Table size = 0
00400200 00000000 DD 00000000 ; Reserved
00400204 00000000 DD 00000000 ; Reserved
00400208 2E 74 65 78>ASCII ".text" ; SECTION
00400210 00001E00 DD 001E0000 ; VirtualSize = 1E0000 (1966080.)
00400214 00100000 DD 00001000 ; VirtualAddress = 1000
00400218 00001E00 DD 001E0000 ; SizeOfRawData = 1E0000 (1966080.)
0040021C 00100000 DD 00001000 ; PointerToRawData = 1000
00400220 00000000 DD 00000000 ; PointerToRelocations = 0
00400224 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400228 0000 DW 0000 ; NumberOfRelocations = 0
0040022A 0000 DW 0000 ; NumberOfLineNumbers = 0
0040022C 200000E0 DD E0000020 ; Characteristics = CODE|EXECUTE|READ|WRITE
00400230 2E 72 64 61>ASCII ".rdata" ; SECTION
00400238 00702E00 DD 002E7000 ; VirtualSize = 2E7000 (3043328.)
0040023C 00101E00 DD 001E1000 ; VirtualAddress = 1E1000
00400240 00702E00 DD 002E7000 ; SizeOfRawData = 2E7000 (3043328.)
00400244 00101E00 DD 001E1000 ; PointerToRawData = 1E1000
00400248 00000000 DD 00000000 ; PointerToRelocations = 0
0040024C 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400250 0000 DW 0000 ; NumberOfRelocations = 0
00400252 0000 DW 0000 ; NumberOfLineNumbers = 0
00400254 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE <--Modified by ImpRec or Scylla when fixing the dump
00400258 2E 6D 64 61>ASCII ".mdata" ; SECTION
00400260 00200500 DD 00052000 ; VirtualSize = 52000 (335872.)
00400264 00804C00 DD 004C8000 ; VirtualAddress = 4C8000
00400268 00200500 DD 00052000 ; SizeOfRawData = 52000 (335872.)
0040026C 00804C00 DD 004C8000 ; PointerToRawData = 4C8000
00400270 00000000 DD 00000000 ; PointerToRelocations = 0
00400274 00000000 DD 00000000 ; PointerToLineNumbers = 0
00400278 0000 DW 0000 ; NumberOfRelocations = 0
0040027A 0000 DW 0000 ; NumberOfLineNumbers = 0
0040027C 40000042 DD 42000040 ; Characteristics = INITIALIZED_DATA|DISCARDABLE|READ
00400280 2E 72 73 72>ASCII ".rsrc" ; SECTION
00400288 00B00000 DD 0000B000 ; VirtualSize = B000 (45056.)
0040028C 00A05100 DD 0051A000 ; VirtualAddress = 51A000
00400290 00B00000 DD 0000B000 ; SizeOfRawData = B000 (45056.)
00400294 00A05100 DD 0051A000 ; PointerToRawData = 51A000
00400298 00000000 DD 00000000 ; PointerToRelocations = 0
0040029C 00000000 DD 00000000 ; PointerToLineNumbers = 0
004002A0 0000 DW 0000 ; NumberOfRelocations = 0
004002A2 0000 DW 0000 ; NumberOfLineNumbers = 0
004002A4 200000E0 DD E0000020 ; Characteristics = CODE|EXECUTE|READ|WRITE
004002A8 2E 6D 61 63>ASCII ".mackt" ; SECTION
004002B0 00400000 DD 00004000 ; VirtualSize = 4000 (16384.)
004002B4 00505200 DD 00525000 ; VirtualAddress = 525000
004002B8 00400000 DD 00004000 ; SizeOfRawData = 4000 (16384.)
004002BC 00505200 DD 00525000 ; PointerToRawData = 525000
004002C0 00000000 DD 00000000 ; PointerToRelocations = 0
004002C4 00000000 DD 00000000 ; PointerToLineNumbers = 0
004002C8 0000 DW 0000 ; NumberOfRelocations = 0
004002CA 0000 DW 0000 ; NumberOfLineNumbers = 0
004002CC 600000E0 DD E0000060 ; Characteristics = CODE|INITIALIZED_DATA|EXECUTE|READ|WRITE
The .rdata was ripped from the .text section and the .mdata is the overlay to the .rsrc section.
Continue...
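As an added example (not from the post, and not code from OllyDumpEx, ImpRec or Scylla): a small Python script that decodes section Characteristics the way OllyDbg labels them, diffs a dumped section table against the flags you set before dumping, and clears the stray WRITE bit on .rdata. The section table bytes are constructed from the five section entries in the post; the helper names are my own.

```python
import struct

# IMAGE_SECTION_HEADER Characteristics bits, named as OllyDbg prints them
SCN_FLAGS = {0x20: "CODE", 0x40: "INITIALIZED_DATA", 0x80: "UNINITIALIZED_DATA",
             0x02000000: "DISCARDABLE", 0x20000000: "EXECUTE",
             0x40000000: "READ", 0x80000000: "WRITE"}
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)

def decode_characteristics(value):
    """0xC0000040 -> 'INITIALIZED_DATA|READ|WRITE', in OllyDbg's order."""
    names = [name for bit, name in sorted(SCN_FLAGS.items()) if value & bit]
    return "|".join(names) if names else "0"

def build_section_table(entries):
    """Pack (name, vsize, va, rawsize, rawptr, chars) tuples into raw section headers."""
    return b"".join(struct.pack(SECTION_HEADER, n.encode("ascii").ljust(8, b"\0"),
                                vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in entries)

def parse_section_table(blob, count):
    """Parse `count` section headers from the bytes that follow the optional header."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER, blob, i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4], "characteristics": f[9]})
    return sections

def find_unexpected_flags(sections, expected):
    """Map section name -> bits set in the dump that were not in `expected`."""
    extra = {}
    for s in sections:
        diff = s["characteristics"] & ~expected.get(s["name"], s["characteristics"]) & 0xFFFFFFFF
        if diff:
            extra[s["name"]] = diff
    return extra

def clear_section_flags(blob, index, bits):
    """Copy of the table with `bits` cleared on entry `index` (e.g. drop WRITE from .rdata)."""
    off = index * SECTION_HEADER_SIZE + 36   # Characteristics is the last dword of an entry
    value = struct.unpack_from("<I", blob, off)[0] & ~bits & 0xFFFFFFFF
    return blob[:off] + struct.pack("<I", value) + blob[off + 4:]

# Constructed from the section table in the post above (state after the import fixer touched .rdata)
DUMPED_SECTIONS = build_section_table([
    (".text",  0x1E0000, 0x001000, 0x1E0000, 0x001000, 0xE0000020),
    (".rdata", 0x2E7000, 0x1E1000, 0x2E7000, 0x1E1000, 0xC0000040),
    (".mdata", 0x052000, 0x4C8000, 0x052000, 0x4C8000, 0x42000040),
    (".rsrc",  0x00B000, 0x51A000, 0x00B000, 0x51A000, 0xE0000020),
    (".mackt", 0x004000, 0x525000, 0x004000, 0x525000, 0xE0000060),
])
```

Running `find_unexpected_flags(parse_section_table(DUMPED_SECTIONS, 5), {".rdata": 0x40000040})` reports the extra 80000000 (WRITE) bit, and `clear_section_flags(DUMPED_SECTIONS, 1, 0x80000000)` gives back a table with .rdata at 40000040 that you can write over the section table in the dumped file.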