Author Topic: PE64-Header modification -> CreateWindowExA return 0  (Read 6732 times)

phaap

  • Guest
PE64-Header modification -> CreateWindowExA return 0
« on: June 05, 2012, 11:44:12 PM »
Hello,
after i erased the dos-stub and the 'rich-edit-header' and adapted the rva's, offsets, header- and filesize in all headers and tables/directories, CreateWindowExA always returns 0 - that seems to be the problem - no error message from windows, and ida-debugger loads the executable without an error, too... ...also the alignment is the same (0x10) - the unmodified executable works fine (returns a hwnd and shows the window too)
does someone have an idea?!?
greets phaap

qWord

  • Member
  • *****
  • Posts: 1472
  • The base type of a type is the type itself
    • SmplMath macros
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #1 on: June 05, 2012, 11:54:41 PM »
Quote
does someone have an idea?!?
yes, do not modify the executable :idea:
MREAL macros - when you need floating point arithmetic while assembling!

dedndave

  • Member
  • *****
  • Posts: 8751
  • Still using Abacus 2.0
    • DednDave
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #2 on: June 06, 2012, 12:00:49 AM »
 :biggrin:

Patient: Doc, it hurts when i do "this".
Doctor: Then, don't do "that".

you could always try GetLastError

phaap

  • Guest
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #3 on: June 06, 2012, 12:42:24 AM »
thanks for replies!
i know that modifying the pe-header(s) isn't the proper way  :biggrin:
...but this fact doesn't keep me from doing that  ::)
...yes dedndave, calling GetLastError was also my next idea - but i have to compile the sourcecode AND modify the executable by HAND via HexEditor  :icon_eek: - don't know if it is easier or possible at all to do that with 'cff explorer' from explorer suite (i'm not familiar with the capabilities), i just use it to check the exec after modification.
furthermore i still did the same successfully without this kind of 'error' even with nearly the same sourcecode.
but it seems i have to do the job and add 'GetLastError' - i'll report the result later this day...
regards phaap

phaap

  • Guest
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #4 on: June 06, 2012, 12:49:23 AM »
[content removed]
« Last Edit: June 06, 2012, 05:15:32 AM by BogdanOntanu »

qWord

Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #5 on: June 06, 2012, 12:56:47 AM »
So?
What are your intentions?

dedndave

Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #6 on: June 06, 2012, 01:07:20 AM »
i don't think his intentions matter

http://masm32.com/board/index.php?topic=4.msg5#msg5

ragdog

  • Member
  • ****
  • Posts: 554
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #7 on: June 06, 2012, 02:17:48 AM »
Hi

You erase the DOS header and the Microsoft Rich signature? You do not erase it, you overwrite it with null bytes.
And why erase it?? The file size is the same ::)

To erase the Microsoft Rich signature, do not overwrite it with null bytes; you can patch the linker.

The Microsoft Rich signature is a double-word key with XOR encryption for storing linker data.

« Last Edit: June 06, 2012, 04:14:27 AM by ragdog »
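Added example, not part of the thread or any poster's code: a Python sketch that decodes the Rich block described in the post above, so an analyst can tell whether a file still carries it or has had it stripped. The layout used (a "DanS" marker and three padding dwords XORed with the key, then compid/count pairs, then plaintext "Rich" followed by the key) is an assumption taken from public reverse-engineering write-ups, since Microsoft does not document it; `parse_rich_header`, `build_sample` and all sample values are constructed for illustration.

```python
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian dword

def parse_rich_header(image: bytes):
    """Return (key, [(product_id, build, count), ...]), or None if absent."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    region = image[0x40:e_lfanew]      # DOS stub and Rich block sit before "PE"
    end = region.find(b"Rich")
    if end < 0 or end + 8 > len(region):
        return None
    key = struct.unpack_from("<I", region, end + 4)[0]
    # Step back one dword at a time until the XOR-decoded start marker appears.
    start = end - 4
    while start >= 0 and struct.unpack_from("<I", region, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None                    # "Rich" present but no matching "DanS"
    entries = []
    # Skip the marker plus three padding dwords, then read (compid, count) pairs.
    for off in range(start + 16, end - 7, 8):
        comp_id, count = (v ^ key for v in struct.unpack_from("<II", region, off))
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries

def build_sample(with_rich=True, key=0x1234ABCD):
    """Constructed test image: DOS header, optional stub + Rich block, PE magic."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    body = b""
    if with_rich:
        body = bytes(0x40)             # placeholder DOS stub (constructed)
        body += struct.pack("<4I", DANS ^ key, key, key, key)
        for prod, build, count in ((0x0102, 0x7809, 3), (0x00FF, 0x9C7B, 1)):
            body += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
        body += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(body))
    return bytes(dos) + body + b"PE\0\0"

if __name__ == "__main__":
    print(parse_rich_header(build_sample()))                 # decoded entries
    print(parse_rich_header(build_sample(with_rich=False)))  # None: block stripped
```

A `None` result on a file that claims to come from a Microsoft toolchain is a useful triage signal that the header region was edited after linking.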

phaap

  • Guest
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #8 on: June 06, 2012, 04:28:41 AM »
thanks for replies!
i solved the problem - no, the filesize is NOT the same - cause i don't overwrite it, i delete the stuff - small dos-stub is now located in the dos-header - not the same, but clear enough for dos-users  :eusa_boohoo:

@ragdog: can you tell me what you mean by 'patch the linker'?!?

@dedndave: why did you link me to the rules of the forum?!?

regards phaap

BogdanOntanu

  • Global Moderator
  • Member
  • *****
  • Posts: 62
    • Solar_OS, Solar_Asm and HE RTS Game
Re: PE64-Header modification -> CreateWindowExA return 0
« Reply #9 on: June 06, 2012, 05:20:54 AM »
Because The Rules of the forums DO NOT allow for such stuff ...

Quote
...
but there will be no viral or trojan technology allowed including technical data under the guise of AV technology, no cracking and similar activities in the guise of "Reverse Engineering", no hacking techniques or related technology
...

Now... please explain to me what the purpose of changing the PE headers this way is ...eh?   :greensml:
Ambition is a lame excuse for the ones not brave enough to be lazy, www.oby.ro