📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









Shrinking a Section

Topic created on: October 16, 2007 19:05 CDT by bodzcount.

Some cryptors have increased the data section to about 30mg but only about 10kb are necessary. When I cut the rest off in the PE header by setting VSize of that section to i.e. FFFF the exe doesn't run anymore.

Do VSize and RSize have to be the same? Or does RSize have to be always smaller than VSize?

regards!

  ero     October 17, 2007 02:32.03 CDT
First make sure that nothing important has been left out by truncating the section. Is it all empty (except for those 10kb) or does it contain code spread over its whole area?
To the best of my knowledge there are no specific limitations regarding VSize and RSize. Actually any combination is possible.
RSize can be larger than VSize if the RSize is aligned but the VSize isn't. (Producing a difference of up to a few hundred bytes)
On the other hand VSize can be larger than RSize if the contents, or part of them, will be loaded/generated at run time.
But, RSize and VSize should both be large enough to fit the contents of the section in the PE image and memory, respectively.

  varun79     October 17, 2007 03:56.34 CDT
Please take care of section alignment, as by increasing or decreasing the VSize the section should not be overwritten in memory. What message is displayed when the executable fails to run?

  ravinc30     October 17, 2007 05:19.06 CDT
Take care of the sections following the data section, VAs need to be updated. The packers put such a big size in the data section to avoid loading the application in debuggers.

  bodzcount     October 17, 2007 06:34.00 CDT
Yes, the packer increased the data section. The weird thing is that I managed to do it with the PETools function "Rebuild PE Header", but I don't know why it works now :(
PETools has set the RSizes and ROffsets to very odd values but the VOffsets to values that obey alignment.

I tried changing section size in very small apps too, didn't work. I will try a little bit more today, maybe increasing just the VSize of a section, see if it works :)
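
The alignment and "VAs need to be updated" points raised in the replies above, as an added example that is not part of the original thread: a checker that parses the section table and reports where VOffset, VSize and SizeOfImage stop agreeing after only VSize is edited. It relies on the PE format's rule that sections are adjacent in ascending virtual address order, each starting on a SectionAlignment boundary; `check_layout`, `read_sections` and `sample` are hypothetical names, and the three-section header is constructed for the demonstration.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def read_sections(data):
    """Parse SectionAlignment, SizeOfImage and the section table from PE bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                              # optional header start
    sect_align = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, rsize, roff))
    return sect_align, size_of_image, sections

def check_layout(data):
    """List the places where VOffset, VSize and SizeOfImage no longer agree."""
    sect_align, size_of_image, sections = read_sections(data)
    problems, expected = [], sections[0][2]
    for name, vsize, va, rsize, roff in sections:
        if va % sect_align:
            problems.append(f"{name}: VOffset {va:#x} is not aligned to {sect_align:#x}")
        if va != expected:
            problems.append(f"{name}: VOffset {va:#x}, expected {expected:#x}")
        expected = align_up(va + (vsize or rsize), sect_align)  # VSize 0 falls back to RSize
    if size_of_image != expected:
        problems.append(f"SizeOfImage {size_of_image:#x}, expected {expected:#x}")
    return problems

def sample(data_vsize, rsrc_va, size_of_image):
    """Constructed three-section PE32 header (headers only, no section contents)."""
    secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400),
            (b".data", data_vsize, 0x2000, 0x2800, 0x1400),
            (b".rsrc", 0x800, rsrc_va, 0x800, 0x3C00)]
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIII16x", *s) for s in secs)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":  # inflated .data, VSize-only shrink, shrink with following VOffset fixed
    for args in [(0x1E00000, 0x1E02000, 0x1E03000), (0xFFFF, 0x1E02000, 0x1E03000), (0xFFFF, 0x12000, 0x13000)]:
        print(check_layout(sample(*args)))
```

Only the middle case reports a problem: the section after `.data` still sits at its old VOffset. Moving a section in a real file also means updating any data-directory RVAs that point into it.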
