JPE and UPET improvements (Announce)
> PE v1.17 fixes the infamous bug found by DOS386. Also adds a few
> new options concerning codeview symbolic debugging info.
COOL, the import bug seems fixed. But there is 1 bug left (see below)
I'm now using JPE when referring to Japheth's tool and UPET as a preliminary name for mine
My tool also got spectacular improvements:
- More rigid stub parsing and new errors supported (see ^^^ shot)
- The "Machine" is now getting decrypted (see ^^^ shot, and this field is inherently faulty again, it says "80386" even for the MPLAYER from 2009-12 using CMOVNTQ )
- More validity checks in PE structures (see ^^^ shot, incredible how many bugs one can have in a "Hello World" program BTW, it is supposed (as author boasts ...) to work in NT but for me it securely fails in both ME and XP)
- The directory listing is heavily superior to JPE (see ^^^ shot), and the next victim of my rigid validity checks is the [in]famous NTVDM.EXE ... check the invalid entry at index 11
- PX Sigi is of course also recognized, but the evil thing is the corrupt relox entry in the sectional header of your "PED.EXE" (see ^^^ shot, your BUG ... also IDECHECK is affected by this)
- NE files (obsolete as hell) are also recognized (but not yet supported, see ^^^ shot)
- Also DJGPP files are recognized, of course no bad /STUBSIZE hack is required (see ^^^ shot)
- And LX (see ^^^ shot)
- Not even PE64 (see ^^^ shot) can break it
Opening file: "ntoskrnl.exe "
GetFileSizeEx: 2'189'184 = $0021'6780
Reading .... Done !
MZ Sigi: "MZ. "
MZ stub Size : $0000'0490
MZ header Size: $0000'0040
--------------------------------
.
.... ...!..L.!This program canno
t be run in DOS mode....$
.<i.J]..J]..J]...RZ.M]..J]...]..
--------------------------------
Next Level Sigi (PE) position: $0000'00D8
Next Level Sigi: "PE " recognized as PE
Follow Up Sigi : " " (invalid)
ERROR: Stub size <> Next Level position
CRITICAL ERROR: Macro$oft linker detected
CRITICAL ERROR: Stub ''hint'' is faulty
Machine: $0000'014C - I80386 (believe with care)
Number of sexions: 21
Size of Optional Header: $0000'00E0
Characterum: $0000'010E
Baseball address : $0040'0000
Memory alignment : $0000'0080
File alignment : $0000'0080
Image size : $0021'6780
Submarine system : 1 - Ring0 driver
Directory entries: $0000'0010 (content see below sections)
Sections:
no ---name--- exact-size rva-indeed file-posit attributes
00 ".text " $0007'2511 $0000'0580 $0000'0580 $6800'0020
01 "POOLMI " $0000'12B3 $0007'2B00 $0007'2B00 $6800'0020
02 "MISYSPTE" $0000'0700 $0007'3E00 $0007'3E00 $6800'0020
03 "POOLCODE" $0000'15A0 $0007'4500 $0007'4500 $6800'0020
04 ".data " $0001'6DA0 $0007'5B00 $0007'5B00 $C800'0040
05 "PAGE " $000F'A0CC $0008'C900 $0008'C900 $6000'0020
06 "PAGELK " $0000'E3B9 $0018'6A00 $0018'6A00 $6000'0020
07 "PAGEVRFY" $0000'F1CD $0019'4E00 $0019'4E00 $6000'0020
08 "PAGEWMI " $0000'17E0 $001A'4000 $001A'4000 $6000'0020
09 "PAGEKD " $0000'4052 $001A'5800 $001A'5800 $6000'0020
10 "PAGESPEC" $0000'0C43 $001A'9880 $001A'9880 $6000'0020
11 "PAGEHDLS" $0000'1DD8 $001A'A500 $001A'A500 $6000'0020
12 ".edata " $0000'B5A2 $001A'C300 $001A'C300 $4000'0040
13 "PAGEDATA" $0000'1558 $001B'7900 $001B'7900 $C000'0040
14 "PAGEKD " $0000'C021 $001B'8E80 $001B'8E80 $C000'0040
15 "PAGECONS" $0000'018C $001C'4F00 $001C'4F00 $C000'0040
16 "PAGEVRFC" $0000'3449 $001C'5100 $001C'5100 $4000'0040
17 "PAGEVRFD" $0000'0648 $001C'8580 $001C'8580 $C000'0040
18 "INIT " $0002'D938 $001C'8C00 $001C'8C00 $E200'0020
19 ".rsrc " $0001'0708 $001F'6580 $001F'6580 $4000'0040
20 ".reloc " $0000'FA5C $0020'6D00 $0020'6D00 $4200'0040
PE Directory block: size = $80 Byte's, file position = $0000'0150
Entries (target: RVA, size, file position) :
00 Export $001A'C300, $0000'B5A2, $001A'C300 in sexion 12 (exact)
01 Import $001F'5C34, $0000'0050, $001F'5C34 in sexion 18 (inexact)
02 Resour $001F'6580, $0001'0708, $001F'6580 in sexion 19 (exact)
03 Excep? (unused)
04 Secur? (unused)
05 Relox $0020'6D00, $0000'FA5C, $0020'6D00 in sexion 20 (exact)
06 Debug $0007'2A30, $0000'0038, $0007'2A30 in sexion 00 (inexact)
07 CopRig (unused)
08 MipGP? (unused)
09 Tls? (unused)
10 LConf? $0005'3828, $0000'0040, $0005'3828 in sexion 00 (inexact)
11 BouIm? (unused)
12 IAT $0000'0580, $0000'0154, $0000'0580 in sexion 00 (exact)
13 ?????? (unused)
14 ?????? (unused)
15 ?????? (unused)
Export block found and valid
RVA, size, file position: $001A'C300, $0000'B5A2, $001A'C300
DLL name RVA: $001A'FD3E , string: "ntoskrnl.exe"
Amount of named exports: 1'487 = $0000'05CF
0 "CcCanIWrite"
- Fortunately it crashes in processing the export details, otherwise this post would be further 6'000 lines bigger
---
This is a LOGITECH mouse driver, but some software expects here the following string: *** This is Copyright 1983 Microsoft ***
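As an added example (not DOS386's UPET, not Japheth's PE; every function and field name here is my own), the following Python walker performs the same class of header validity checks that the ntoskrnl.exe listing above exhibits: the MZ-declared stub size compared with e_lfanew, decoding of Machine and Subsystem, section raw-data bounds and alignment against the file, and locating each data-directory RVA inside the section table, reporting "exact" when the entry starts a section and flagging an entry that lands in no section (the kind of invalid index-11 entry the post describes for NTVDM.EXE). The sample image is constructed in `build_sample()` with deliberate defects and is not any real binary.

```python
"""PE header walker with UPET-style validity checks (added example, not UPET/JPE code)."""
import struct

MACHINES = {0x014C: "I386", 0x0200: "IA64", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "NATIVE (ring-0 driver)", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc",
             "Debug", "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport",
             "IAT", "DelayImport", "CLR", "Reserved"]
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Parse MZ/COFF/optional headers and section table; return fields plus findings."""
    findings = []
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # DOS stub size as the MZ header declares it: whole 512-byte pages plus a partial last page.
    stub_size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    if stub_size != e_lfanew:  # the "Stub size <> Next Level position" case in the listing
        findings.append(f"stub size {stub_size:#x} != e_lfanew {e_lfanew:#x}")
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")

    coff = e_lfanew + 4
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase, directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+ (PE64): 64-bit ImageBase, directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs > 16:
        findings.append(f"NumberOfRvaAndSizes {ndirs} > 16, clamped")
        ndirs = 16

    # Section table follows the optional header by its declared size, not by the magic.
    sections = []
    sec_table = opt + opt_size
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sec_table + 40 * i)
        s = {"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1], "va": f[2],
             "rawsize": f[3], "rawptr": f[4], "chars": f[9]}
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {i} {s['name']!r} raw data ends beyond EOF")
        if s["rawptr"] % file_align or s["va"] % sec_align:
            findings.append(f"section {i} {s['name']!r} violates alignment")
        if s["va"] + max(s["vsize"], s["rawsize"]) > size_of_image:
            findings.append(f"section {i} {s['name']!r} exceeds SizeOfImage")
        sections.append(s)

    # Data directories: map each RVA to a section; "exact" means the RVA starts that section.
    directories = []
    for i in range(ndirs):
        rva, size = struct.unpack_from("<II", data, dir_off + 8 * i)
        d = {"index": i, "name": DIR_NAMES[i], "rva": rva, "size": size, "section": None, "exact": False}
        if rva or size:
            for j, s in enumerate(sections):
                if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                    d["section"], d["exact"] = j, rva == s["va"]
                    d["file_pos"] = s["rawptr"] + (rva - s["va"])
                    break
            if d["section"] is None:
                findings.append(f"directory {i} {d['name']} RVA {rva:#x} is in no section")
        directories.append(d)

    return {"machine": MACHINES.get(machine, f"unknown {machine:#06x}"),
            "num_sections": nsec, "characteristics": chars, "image_base": image_base,
            "subsystem": SUBSYSTEMS.get(subsystem, f"unknown {subsystem}"),
            "sections": sections, "directories": directories, "findings": findings}


def build_sample() -> bytes:
    """Constructed PE32 image (0x600 bytes) with three deliberate defects; not a real file."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<HH", dos, 2, 0x90, 1)         # e_cblp, e_cp: declared stub size 0x90
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew 0x80: defect 1, stub mismatch
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                # Subsystem: WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 0, 0x2000, 0x80)   # Export: starts .edata (exact)
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x1040, 0x38)   # Debug: inside .text (inexact)
    struct.pack_into("<II", opt, 96 + 8 * 11, 0x5000, 0x10)  # BoundImport: defect 2, no section
    secs = b"".join(struct.pack(SECTION_FMT, *s) for s in [
        (b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020),
        (b".edata", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040),
        (b".bogus", 0x100, 0x3000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040),  # defect 3: past EOF
    ])
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return headers.ljust(0x200, b"\0") + b"\xC3" * 0x200 + b"\0" * 0x200


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info["machine"], info["subsystem"], f"{info['num_sections']} sections")
    for d in info["directories"]:
        if d["section"] is not None:
            print(f"{d['index']:02} {d['name']:<11} {d['rva']:#010x} in section {d['section']}"
                  f" ({'exact' if d['exact'] else 'inexact'})")
    for f in info["findings"]:
        print("WARNING:", f)
```

Note that the stub-size comparison is only a consistency hint, as the listing itself marks it: a linker that places a "Rich" block between the DOS stub and the PE signature produces exactly this mismatch on perfectly loadable files, so a viewer should report it without treating the file as broken. The directory-in-no-section and raw-data-past-EOF cases are the ones worth refusing to follow, since a parser that dereferences them reads outside the file.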