Hello,
After I erased the DOS stub and the 'rich-edit-header' and adapted the RVAs, offsets, header size and file size in all headers and tables/directories, CreateWindowExA always returns 0 - that seems to be the problem - no error message from Windows, and the IDA debugger loads the executable without an error, too... Also the alignment is the same (0x10) - the unmodified executable works fine (returns an HWND and shows the window too).
Does someone have an idea?!?
greets phaap
Quote from: phaap on June 05, 2012, 11:44:12 PM
have someone an idea?!?
yes, do not modify the executable :idea:
:biggrin:
Patient: Doc, it hurts when I do "this".
Doctor: Then, don't do "that".
you could always try GetLastError
thanks for replies!
I know that modifying the PE header(s) isn't the proper way :biggrin:
...but this fact doesn't keep me from doing that ::)
...yes dedndave, calling GetLastError was also my next idea - but I have to compile the source code AND modify the executable by HAND via hex editor :icon_eek: - I don't know if it is easier or possible at all to do that with 'CFF Explorer' from Explorer Suite (I'm not familiar with its capabilities); I just use it to check the exec after modification.
Furthermore, I still did the same successfully without this kind of 'error', even with nearly the same source code.
But it seems I have to do the job and add 'GetLastError' - I'll report the result later this day...
regards phaap
[content removed]
So?
What are your intentions?
i don't think his intentions matter
http://masm32.com/board/index.php?topic=4.msg5#msg5
Hi
You erase the DOS header and Microsoft Rich Signature? You erase it not you overwrite it with null bytes
And why erase it?? The file size is the same ::)
To erase the Microsoft Rich Signature, do not overwrite it with null bytes; you can patch the linker
The Microsoft Rich Signature is a double-word key with XOR encryption for storing linker data
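Added example, not part of the thread or any poster's code: Python that decodes the Rich signature described in the post above and returns None when it is absent, which is how an analyst notices a stripped header. It assumes the commonly documented layout ("DanS" marker, three padding dwords, then comp-id/count pairs, all XORed with the key stored after the plaintext "Rich"); the sample key, product IDs and build numbers are constructed.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]  # plaintext start marker of the Rich header

def parse_rich_header(pe: bytes):
    """Return (key, [(product_id, build, count), ...]), or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]   # offset of "PE\0\0"
    end = pe.rfind(b"Rich", 0, e_lfanew)               # plaintext end marker
    if end < 0 or end + 8 > len(pe):
        return None
    key = struct.unpack_from("<I", pe, end + 4)[0]     # the double-word XOR key
    start = end - 4
    # Walk back one dword at a time until one decodes to "DanS".
    while start >= 0 and struct.unpack_from("<I", pe, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None
    entries = []
    # Skip "DanS" plus three padding dwords, then read (comp_id, count) pairs.
    for off in range(start + 16, end - 7, 8):
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", pe, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries

def build_sample(key, entries):
    """Constructed input: DOS header, 0x40-byte stub filler, Rich header, PE signature."""
    plain = [DANS, 0, 0, 0]
    for product_id, build, count in entries:
        plain += [(product_id << 16) | build, count]
    rich = b"".join(struct.pack("<I", v ^ key) for v in plain)
    rich += b"Rich" + struct.pack("<I", key)
    body = bytes(0x40) + rich
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40 + len(body))
    return dos + body + b"PE\0\0"

SAMPLE_KEY = 0x8F3A21C7                                    # constructed value
SAMPLE_ENTRIES = [(0x0104, 30319, 3), (0x00FF, 30319, 1)]  # constructed values

if __name__ == "__main__":
    print(parse_rich_header(build_sample(SAMPLE_KEY, SAMPLE_ENTRIES)))
```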
thanks for replies!
I solved the problem - no, the file size is NOT the same - because I don't overwrite it, I delete the stuff - a small DOS stub is now located in the DOS header - not the same, but clear enough for DOS users :eusa_boohoo:
@ragdog: can you tell me what you mean by 'patch the linker'?!?
@dedndave: why did you link me to the rules of the forum?!?
regards phaap
Because The Rules of the forums DO NOT allow for such stuff ...
Quote
...
but there will be no viral or trojan technology allowed including technical data under the guise of AV technology, no cracking and similar activities in the guise of "Reverse Engineering", no hacking techniques or related technology
...
Now... please explain to me what is the purpose of changing the PE headers this way ...eh? :greensml: