Exetools > General > Community Tools
#16 | dosprog (Friend) | 05-14-2018, 10:30
PE_OVL.HEM PlugIn for HIEW32

PE_OVL.HEM is a plugin for HIEW32 to strip, add, save, or go to the overlay of a PE-EXE file.

Logic:

    If the PE-EXE contains an overlay
    then select:
    - Strip overlay
    - Append or replace overlay from file
    - Save overlay to file
    else
    - Append overlay from file

Plugin Actions Menu:

    Overlay:
    - Strip
    - Add
    - Save
    - Goto

See the start post.



Last edited by dosprog; 06-09-2018 at 15:22.
#17 | dosprog (Friend) | 05-14-2018, 15:23
Note about using HEM-plugins

As not only everyone(c) knows, you can speed up launching plugins with the "hemkeys.ini" file.
For example:

    [HemKeys 7.45]
    c: crack
    w: pe_rwe
    o: pe_ovl
    t: pe_tails
    h: pe_hints
    v: peverify
    e: peentrypointhere
    a: checksum
    g: goto
Last edited by dosprog; 05-29-2018 at 07:19.
#18 | dosprog (Friend) | 05-29-2018, 18:20
Goto.HEM - PlugIn for HIEW32

GOTO.HEM is a HEM plugin for locating some positions in an MZ/PE-EXE file.

Menu available:

    Goto MZ:
    ========
    MZ relocs
    MZ relocs END

    Goto PE:
    ========
    MZ Header ...
    PE Header
    PE Characteristics
    PE Directories
    PE Directories END
    PE Obj Table
    PE Obj Table END
    PE Overlay

See the start post.



Last edited by dosprog; 06-09-2018 at 15:23.
#19 | dosprog (Friend) | 06-09-2018, 15:28
Updated 5 plugins for manipulating PE-EXE files.
(Now, if the file opened in Hiew is not a PE, the PE_xxxx plugins are not listed in the Hiew32 plugins menu.)

Updated the full plugins archive.

See the start post.
#20 | agoo (Friend) | 06-12-2018, 11:11
Quote (originally posted by an0rma1):
> I found this: https://github.com/lallousx86/pyhiew
> And an example able to retrieve results from VirusTotal: https://github.com/matrosov/pyHiew/blob/master/vt_check.py

Be aware of some malware on this site that I found a while ago.
#21 | sendersu (VIP) | 06-13-2018, 18:11
You say malware was found @github?
How come... or maybe it started to happen after MS bought GH for 7,500,000,000 USD?
#22 | dosprog (Friend) | 06-14-2018, 17:42
) sendersu, he got a little excited
#23 | dosprog (Friend) | 06-23-2018, 09:54
Goto.HEM - PlugIn for HIEW32 (updated)

Goto.HEM - added the new option "Goto PE CheckSum".

Menu available:

    Goto MZ:
    ========
    MZ relocs
    MZ relocs END

    Goto PE:
    ========
    MZ Header ...
    PE Header
    PE Characteristics
    PE CheckSum        <------- NEW OPTION ----
    PE Directories
    PE Directories END
    PE Obj Table
    PE Obj Table END
    PE Overlay

See the start post.

Last edited by dosprog; 06-27-2018 at 08:00.
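The offsets that Goto.HEM jumps to (posts #18 and #23, including the new PE CheckSum entry) and the overlay logic of PE_OVL.HEM (post #16) both come down to walking the MZ and PE headers. The Python below is an added example written for this page; it is not dosprog's plugin source and does not use Hiew's HEM API. It computes the same landmarks from a file image and strips, saves, appends or replaces an overlay. Two assumptions are labelled in the code: the overlay is taken to start right after the highest PointerToRawData + SizeOfRawData of any section (the post does not say how PE_OVL defines it), and `build_sample_pe` is a constructed, non-executable PE32 image used only as input.

```python
"""Goto-style PE landmarks and overlay strip/save/add for a PE file image.
Added example for this page, not the PE_OVL.HEM / Goto.HEM plugin code."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def pe_map(data: bytes) -> dict:
    """File offsets of the landmarks listed in the Goto.HEM menu.

    Assumption (not stated in the post): the overlay begins right after the
    highest PointerToRawData + SizeOfRawData of any section, so 'PE Overlay'
    equals len(data) when the file carries no overlay.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_crlc, = struct.unpack_from("<H", data, 0x06)    # number of MZ relocations
    e_lfarlc, = struct.unpack_from("<H", data, 0x18)  # offset of MZ reloc table
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    nsect, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32:
        ndirs_off, dirs = opt + 92, opt + 96
    elif magic == PE32PLUS:
        ndirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs, = struct.unpack_from("<I", data, ndirs_off)
    sect = opt + opt_size                              # section ("object") table
    end = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders as the floor
    for i in range(nsect):                             # each entry is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return {
        "MZ Header": 0,
        "MZ relocs": e_lfarlc, "MZ relocs END": e_lfarlc + 4 * e_crlc,
        "PE Header": e_lfanew,
        "PE Characteristics": coff + 18,
        "PE CheckSum": opt + 64,                       # same offset in PE32 and PE32+
        "PE Directories": dirs, "PE Directories END": dirs + 8 * ndirs,
        "PE Obj Table": sect, "PE Obj Table END": sect + 40 * nsect,
        "PE Overlay": min(end, len(data)),             # a truncated file has none
    }


def has_overlay(data: bytes) -> bool:
    return pe_map(data)["PE Overlay"] < len(data)


def save_overlay(data: bytes) -> bytes:
    """The bytes PE_OVL 'Save' would write out (empty if there is no overlay)."""
    return data[pe_map(data)["PE Overlay"]:]


def strip_overlay(data: bytes) -> bytes:
    return data[:pe_map(data)["PE Overlay"]]


def add_overlay(data: bytes, blob: bytes, replace: bool = False) -> bytes:
    """Append blob as overlay; replace=True drops an existing overlay first."""
    return (strip_overlay(data) if replace else data) + blob


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a runnable program): 0x200 bytes of
    headers, one .text section of 0x200 raw bytes at offset 0x200, then overlay."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<H", img, 0x18, 0x40)           # e_lfarlc (e_crlc stays 0)
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # Machine i386, 1 section, TimeDateStamp, symtab ptr/count, opt size, chars
    struct.pack_into("<HHIIIHH", img, 0x44, 0x014C, 1, 0x5AF94C00, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32)
    struct.pack_into("<I", img, opt + 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)   # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", img, opt + 68, 2)          # Subsystem: Windows GUI
    struct.pack_into("<I", img, opt + 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0, b".text", 0x200, 0x1000,
                     0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(img) + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"OVERLAY-DATA")
    for name, off in pe_map(sample).items():          # Hiew shows offsets in hex
        print("%-20s %08X" % (name, off))
    print("overlay present:", has_overlay(sample), save_overlay(sample))
```

Run it on a real file by replacing `sample` with `open(path, "rb").read()`; the offsets it prints are the positions the corresponding Goto.HEM menu entries land on, and the overlay functions mirror the Strip / Save / Add (append or replace) choices of PE_OVL.HEM.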
#24 | dosprog (Friend) | 01-07-2019, 19:10
Happy NY 2 all

@Jupiter,
please test the HEM-plugin KBD_CYR.HEM with the new version 8.66, if possible
- because in the leaked VMProtected version it doesn't work.
#25 | chessgod101 (Co-Administrator) | 01-08-2019, 03:47
@dosprog, the plugin loads in my legal copy. This is the output for characters a-z on an English keyboard (screenshot):
https://i.imgur.com/SMnal27.png
#26 | dosprog (Friend) | 05-26-2020, 18:37
New plugins released 2020:

BASE64.HEM (17 apr 2020) - HEM plugin that produces a BASE64 string for the marked block (16 MB max.).

SECTOR.HEM (18 apr 2020) - HEM plugin for writing sector(s) of a disk to a file (256 sectors max.).

PE_SPLIT.HEM (24 apr 2020) - HEM plugin to split & join a 32-bit PE file. (Prototype is PEU by A. Quincey, 1998.)

BL_FILE.HEM (26 apr 2020) - HEM plugin that writes the selected block to a file with the HEX address as the filename.


Last edited by dosprog; 05-26-2020 at 19:03.
#27 | dosprog (Friend) | 05-26-2020, 19:12
PE_TIME.HEM (23 apr 2020) - HEM plugin - PE-file LinkTime <-> FileTime.
#28 | TQN (VIP) | 06-27-2020, 15:51
Another excellent HEM plugin by Tavis Ormandy, view data structures in Kaitai format:
https://github.com/taviso/kiewtai
#29 | dosprog (Friend) | 09-10-2020, 11:13
Updated PlugIn MBYTE2.HEM
- Added "Raw" option.
- Fixed "Asm" translation (removed the invalid comma at EOL).

The converted bytes now look like this:

C code:

    #define MB_BUF_SIZE 0x6
    unsigned char marked_bytes[MB_BUF_SIZE] = {
    0x48, 0x49, 0x45, 0x57, 0x33, 0x32
    };

Asm code:

    ;MB_BUF_SIZE equ 06h
    marked_bytes label byte ;{
    db 048h, 049h, 045h, 057h, 033h, 032h
    ;}

Raw bytes:

    48 49 45 57 33 32

Download: MBYTES2.HEM

Last edited by dosprog; 09-10-2020 at 22:03.
#30 | dosprog (Friend) | 10-08-2020, 08:54
Updated PlugIn MBYTE2.HEM
- Fixed "Asm" translation (2 ending symbols were missing).

Download: MBYTES2.HEM

Last edited by dosprog; 10-08-2020 at 22:06.
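The C, Asm and Raw listings in post #29 are what MBYTE2.HEM renders for the marked bytes of the string "HIEW32". As an added example for this page (not dosprog's plugin source, which is not posted here), the following Python reproduces all three forms from an arbitrary byte block and handles the two details the updates in posts #29 and #30 fix: no comma at the end of a db line, and a complete closing line after the last db. Wrapping at 16 bytes per line and putting a leading 0 on every MASM hex literal are assumptions; the posted six-byte examples do not show the plugin's line width.

```python
"""Render a marked byte block the three ways MBYTE2.HEM does: C array,
MASM db lines, raw hex.  Added example, not the plugin's own code."""


def _rows(data: bytes, per_line: int):
    """Split data into per_line-sized slices for line wrapping (assumed 16)."""
    return [data[i:i + per_line] for i in range(0, len(data), per_line)]


def to_c(data: bytes, name: str = "marked_bytes", per_line: int = 16) -> str:
    """C array: rows joined with ',\\n', so only the last element lacks a comma."""
    rows = [", ".join("0x%02X" % b for b in row) for row in _rows(data, per_line)]
    return ("#define MB_BUF_SIZE 0x%X\n" % len(data)
            + "unsigned char %s[MB_BUF_SIZE] = {\n" % name
            + ",\n".join(rows) + "\n};")


def to_asm(data: bytes, name: str = "marked_bytes", per_line: int = 16) -> str:
    """MASM: one 'db' per row, so no line ends in a comma (the EOL-comma bug
    fixed in the 09-10-2020 update).  Every literal gets a leading 0 because
    MASM reads a hex number that starts with a letter as an identifier."""
    rows = ["db " + ", ".join("0%02Xh" % b for b in row)
            for row in _rows(data, per_line)]
    return (";MB_BUF_SIZE equ %02Xh\n" % len(data)
            + "%s label byte ;{\n" % name
            + "\n".join(rows) + "\n;}")


def to_raw(data: bytes, per_line: int = 16) -> str:
    """Raw hex bytes, space separated, one row per line; bytes.fromhex() reads it back."""
    return "\n".join(" ".join("%02X" % b for b in row)
                     for row in _rows(data, per_line))


if __name__ == "__main__":
    marked = b"HIEW32"   # the same six bytes as the listings in post #29
    for label, text in (("C-code", to_c(marked)), ("Asm-code", to_asm(marked)),
                        ("Raw-bytes", to_raw(marked))):
        print(label + ":\n" + text + "\n")
```

With `b"HIEW32"` the three functions return exactly the listings shown in post #29; with a block longer than 16 bytes the C output carries a comma only between rows and the Asm output emits one `db` per row with none.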
Tags: hem, hiew

All times are GMT +8.