Quote:
Originally posted by Wurstgote
The first thing that I've tried out to get rid of dispensable sections was to open the unpacked app in a hex editor and take a look at the different sections as indicated by ROffset in the PE Editor of LordPE.
By this way I've found out that for example .adata contains no 'real' data but instead it consists of 4096 (=0x1000) zeros (that's exactly its virtual and raw size). I think, because of this, the whole section can be deleted. So I've wiped the corresponding section header and adjusted the next section's (.mackt) ROffset from 313000 to 312000. With the hex editor I've erased the afore mentioned 4096 bytes and safed the resulting file.
Next I've opened the resulting file again with PE Editor and changed SizeOfImage from 316000 to 315000, hoping that would do the trick.
Guess what? It didn't work 
|
Note that there are three extra sections in this particular app (assuming you have fixed the IAT using ImpRec in the normal manner): .data, .adata, and .mackt. In other words, everything after the resource section (this has been the case in every ASPR'd app I have seen).