News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

PE64-Header modification -> CreateWindowExA return 0

Started by phaap, June 05, 2012, 11:44:12 PM

Previous topic - Next topic

phaap

Hello,
after i erased the dos-stub and the 'rich-edit-header' and adapted the rva's, offsets, header- and filesize in all headers and tables/directories, createwindowexa returns always 0 - that seems the problem - no error message from windows and ida-debugger loads the executable without an error, too... ...also the alignment is the same(0x10) - the unmodified executable works fine(returns a hwnd and shows the window too)
have someone an idea?!?
greets phaap

qWord

MREAL macros - when you need floating point arithmetic while assembling!

dedndave

 :biggrin:

Patient: Doc, it hurts when i do "this".
Doctor: Then, don't do "that".

you could always try GetLastError

phaap

thanks for replies!
i know that modifying the pe-header(s) aren't the proper way  :biggrin:
...but this fact doesn't keep me away to do that  ::)
...yes dedndave, to call getlasterror also was my next idea - but i've to compile the sourcecode AND modify the executable by HAND via HexEditor  :icon_eek: - don't know if easier or possible at all to do that with 'cff explorer' from explorer suite (i'm not familiar with the capabilities) just use it to check the exec after modification.
furthermore i still did the same succesfully without this kind of 'error' even with nearly the same sourcecode.
but it seems i've to do the job and add 'getlasterror' - i'll report the result later this day...
regards phaap

phaap

#4
[content removed]

qWord

MREAL macros - when you need floating point arithmetic while assembling!


ragdog

Hi

You erase Dos Header and Microsoft Rich Signature? you Erase it not you over write it with Null bytes
And why erase it?? the filesize is same ::)

For Erase the Microsoft Rich Signature over write it not with Null bytes you can patch the linker

The Microsoft Rich Signature is a Double-Word key with xor encryption for store linker data


phaap

thanks for replies!
i solved the problem - no, the filesize is NOT the same - cause i don't overwrite it, i delete the stuff - small dos-stub is now located in the dos-header - not the same, but clear enough for dos-users  :eusa_boohoo:

@ragdog: can you tell me what you mean with 'patch the linker'?!?

@dedndave: why you linked me to the rules of the forum?!?

regards phaap

BogdanOntanu

Because The Rules of the forums DO NOT allow for such stuff ...

Quote
...
but there will be no viral or trojan technology allowed including technical data under the guise of AV technology, no cracking and similar activities in the guise of "Reverse Engineering", no hacking techniques or related technology
...

Now... please explain me what is the purpose of changing the PE headers this way ...eh?   :greensml:
Ambition is a lame excuse for the ones not brave enough to be lazy, www.oby.ro