
IDR - File is not valid PE

I want to reverse an old .exe file; I'm 90% sure it is Delphi (class names begin with 'T' => "TCommonDialog")

I can't load the file into IDR (because it is not a valid PE executable?), yet the .exe still works just fine and the icon is showing just right.

I was trying to manipulate the header, but every time I just corrupt the .exe

Header with MZ:

00000000  4d 5a 00 01 01 00 00 00  08 00 10 00 ff ff 08 00  |MZ..............|
00000010  00 01 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 01 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080

Further on is a longer header, but with NE; I was trying to change it to PE. At this point I don't know what I am doing, I just mess with everything

00000000  4e 45 06 01 17 07 5a 00  00 00 00 00 0a 03 16 00  |NE....Z.........|
00000010  00 20 00 40 0e 00 01 00  00 00 16 00 16 00 0c 00  |. .@............|
00000020  0e 00 40 00 f0 00 9f 06  a9 06 c1 06 71 08 00 00  |..@.........q...|
00000030  0e 00 04 00 00 00 02 00  00 00 00 00 00 00 0a 03  |................|
00000040  e4 36 cc 3d 10 1d cd 3d  e5 3a 47 3e 10 1d 47 3e  |.6.=...=.:G>..G>|
00000050  d3 3e 6f 3f 10 1d 70 3f  d6 42 96 3f 10 1d 97 3f  |.>o?..p?.B.?...?|
00000060  d9 46 20 3a 10 1d 21 3a  8f 4a 09 33 10 1d 0a 33  |.F :..!:.J.3...3|
00000070  cd 4d 99 30 10 1d 9a 30  df 50 1c 33 10 1d 1c 33  |.M.0...0.P.3...3|
00000080  17 54 7b 9a 10 1d 7b 9a  d3 5d 33 3c 10 1d 33 3c  |.T{...{..]3<..3<|
00000090  90 00 17 3a 50 1d 17 3a  57 04 c1 2f 50 1d c1 2f  |...:P..:W../P../|
000000a0  5b 07 2c 41 50 1d 2d 41  77 0b b9 66 50 1d ba 66  |[.,AP.-Aw..fP..f|
000000b0  f5 11 28 70 50 1d 28 70  1f 19 cc 22 50 1d cc 22  |..(pP.(p..."P.."|
000000c0  55 1b 00 6f 50 1d 00 6f  6c 22 84 7a 50 1d 85 7a  |U..oP..ol".zP..z|
000000d0  45 2a 31 51 50 1d 31 51  65 2f 8d 30 50 0d 8d 30  |E*1QP.1Qe/.0P..0|
000000e0  99 32 c6 1f 50 0d c6 1f  eb 34 5d 1f 59 0d 8c 2f  |.2..P....4].Y../|
000000f0  04 00 03 80 01 00 00 00  00 00 a9 61 30 00 10 1c  |...........a0...|
00000100  01 80 00 00 00 00 0e 80  01 00 00 00 00 00 d9 61  |...............a|
00000110  10 00 10 1c e4 03 00 00  00 00 0a 80 18 00 00 00  |................|
00000120  00 00 e9 61 30 00 30 1c  ed 03 00 00 00 00 19 62  |...a0.0........b|
00000130  10 11 30 1c f1 03 00 00  00 00 29 73 80 04 30 1c  |..0.......)s..0.|
00000140  fb 03 00 00 00 00 a9 77  40 00 30 1c 04 04 00 00  |.......w@.0.....|
00000150  00 00 e9 77 f0 04 30 1c  11 04 00 00 00 00 d9 7c  |...w..0........||
00000160  30 00 30 1c 1c 04 00 00  00 00 09 7d 80 00 30 1c  |0.0........}..0.|
00000170  25 04 00 00 00 00 89 7d  e0 00 30 1c 39 04 00 00  |%......}..0.9...|
00000180  00 00 69 7e 40 00 30 1c  48 04 00 00 00 00 a9 7e  |..i~@.0.H......~|
00000190  c0 01 30 1c 54 04 00 00  00 00 69 80 d0 05 30 1c  |..0.T.....i...0.|
000001a0  5b 04 00 00 00 00 39 86  50 00 30 1c 65 04 00 00  |[.....9.P.0.e...|
000001b0  00 00 89 86 60 00 30 1c  72 04 00 00 00 00 e9 86  |....`.0.r.......|
000001c0  50 00 30 1c 80 04 00 00  00 00 39 87 50 00 30 1c  |P.0.......9.P.0.|
000001d0  8f 04 00 00 00 00 89 87  40 00 30 1c 9c 04 00 00  |........@.0.....|
000001e0  00 00 c9 87 50 00 30 1c  a9 04 00 00 00 00 19 88  |....P.0.........|
000001f0  40 00 30 1c b6 04 00 00  00 00 59 88 50 00 30 1c  |@.0.......Y.P.0.|
00000200  c3 04 00 00 00 00 a9 88  50 00 30 1c d1 04 00 00  |........P.0.....|
00000210  00 00 f9 88 50 00 30 1c  de 04 00 00 00 00 49 89  |....P.0.......I.|
00000220  40 00 30 1c eb 04 00 00  00 00 89 89 70 01 30 1c  |@.0.........p.0.|
00000230  f8 04 00 00 00 00 f9 8a  90 00 30 1c 00 05 00 00  |..........0.....|
00000240  00 00 02 80 17 00 00 00  00 00 89 8b 10 00 30 1c  |..............0.|
00000250  05 05 00 00 00 00 99 8b  10 00 30 1c 0d 05 00 00  |..........0.....|
00000260  00 00 a9 8b 10 00 30 1c  18 05 00 00 00 00 b9 8b  |......0.........|
00000270  10 00 30 1c 1f 05 00 00  00 00 c9 8b 10 00 30 1c  |..0...........0.|
00000280  29 05 00 00 00 00 d9 8b  10 00 30 1c 33 05 00 00  |).........0.3...|
00000290  00 00 e9 8b 10 00 30 0c  3c 05 00 00 00 00 f9 8b  |......0.<.......|
000002a0  10 00 30 0c 45 05 00 00  00 00 09 8c 10 00 30 1c  |..0.E.........0.|
000002b0  4c 05 00 00 00 00 19 8c  10 00 30 1c 51 05 00 00  |L.........0.Q...|
000002c0  00 00 29 8c 10 00 30 1c  57 05 00 00 00 00 39 8c  |..)...0.W.....9.|
000002d0  10 00 30 1c 5c 05 00 00  00 00 49 8c 10 00 30 1c  |..0.\.....I...0.|
000002e0  63 05 00 00 00 00 59 8c  20 00 30 1c 68 05 00 00  |c.....Y. .0.h...|
000002f0  00 00 79 8c 20 00 30 1c  6f 05 00 00 00 00 99 8c  |..y. .0.o.......|
00000300  20 00 30 1c 74 05 00 00  00 00 b9 8c 20 00 30 1c  | .0.t....... .0.|
00000310  79 05 00 00 00 00 d9 8c  20 00 30 1c 7f 05 00 00  |y....... .0.....|
00000320  00 00 f9 8c 20 00 30 1c  88 05 00 00 00 00 19 8d  |.... .0.........|
00000330  20 00 30 1c 90 05 00 00  00 00 39 8d 20 00 30 1c  | .0.......9. .0.|
00000340  98 05 00 00 00 00 59 8d  20 00 30 1c 9e 05 00 00  |......Y. .0.....|
00000350  00 00 79 8d 20 00 30 1c  a6 05 00 00 00 00 01 80  |..y. .0.........|
00000360  06 00 00 00 00 00 99 8d  20 00 30 1c 01 80 00 00  |........ .0.....|
00000370  00 00 c9 8d 20 00 30 1c  02 80 00 00 00 00 f9 8d  |.... .0.........|
00000380  20 00 30 1c 03 80 00 00  00 00 29 8e 20 00 10 1c  | .0.......). ...|
00000390  04 80 00 00 00 00 59 8e  20 00 10 1c 05 80 00 00  |......Y. .......|
000003a0  00 00 89 8e 20 00 30 1c  06 80 00 00 00 00 0c 80  |.... .0.........|
000003b0  06 00 00 00 00 00 b9 8d  10 00 30 1c fb ff 00 00  |..........0.....|
000003c0  00 00 e9 8d 10 00 30 1c  fc ff 00 00 00 00 19 8e  |......0.........|
000003d0  10 00 30 1c fd ff 00 00  00 00 49 8e 10 00 30 1c  |..0.......I...0.|
000003e0  fe ff 00 00 00 00 79 8e  10 00 30 1c ff ff 00 00  |......y...0.....|
000003f0  00 00 a9 8e 10 00 30 1c  fa ff 00 00 00 00 06 80  |......0.........|
00000400  11 00 00 00 00 00 b9 8e  20 00 30 1c 01 8f 00 00  |........ .0.....|
00000410  00 00 d9 8e 20 00 30 1c  02 8f 00 00 00 00 f9 8e  |.... .0.........|
00000420  20 00 30 1c 03 8f 00 00  00 00 19 8f 20 00 30 1c  | .0......... .0.|
00000430  04 8f 00 00 00 00 39 8f  20 00 30 1c 05 8f 00 00  |......9. .0.....|
00000440  00 00 59 8f 20 00 30 1c  06 8f 00 00 00 00 79 8f  |..Y. .0.......y.|
00000450  20 00 30 1c 07 8f 00 00  00 00 99 8f 10 00 30 1c  | .0...........0.|
00000460  08 8f 00 00 00 00 a9 8f  10 00 30 1c 09 8f 00 00  |..........0.....|
00000470  00 00 b9 8f 20 00 30 1c  0a 8f 00 00 00 00 d9 8f  |.... .0.........|
00000480  20 00 30 1c 0b 8f 00 00  00 00 f9 8f 20 00 30 1c  | .0......... .0.|
00000490  f9 8f 00 00 00 00 19 90  20 00 30 1c fa 8f 00 00  |........ .0.....|
000004a0  00 00 39 90 10 00 30 1c  fb 8f 00 00 00 00 49 90  |..9...0.......I.|
000004b0  10 00 30 1c fd 8f 00 00  00 00 59 90 10 00 30 1c  |..0.......Y...0.|
000004c0  fe 8f 00 00 00 00 69 90  10 00 30 1c ff 8f 00 00  |......i...0.....|
000004d0

If you look at the information provided by fileformat.info, you'll see that this is very likely an NE executable. These also start with MZ, but the rest is different.

Reading the bytes at offsets 0000000C and 0000000D, this is probably a Windows 3.x Protected Mode program. If it is made with Delphi, that can only have been Delphi 1, which did not produce PE executables, but 16-bit Windows executables instead.
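The check described in the answer, as an added example that is not part of the original post: follow the pointer at offset 0x3C of the MZ header, classify the signature found there, and decode the NE flag bytes at 0x0C and 0x0D. The sample bytes are constructed from the question's two dumps; the function name and the flag, target-OS and version field meanings (taken from the commonly documented NE header layout) are assumptions, not from the page.

```python
import struct

# Constructed sample: the 64-byte MZ header and the first 64 bytes of the NE
# header from the question's dumps, zero-padded so "NE" sits at e_lfanew.
MZ = bytes.fromhex(
    "4d 5a 00 01 01 00 00 00 08 00 10 00 ff ff 08 00"
    "00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    + "00" * 28 + "00 01 00 00")
NE = bytes.fromhex(
    "4e 45 06 01 17 07 5a 00 00 00 00 00 0a 03 16 00"
    "00 20 00 40 0e 00 01 00 00 00 16 00 16 00 0c 00"
    "0e 00 40 00 f0 00 9f 06 a9 06 c1 06 71 08 00 00"
    "0e 00 04 00 00 00 02 00 00 00 00 00 00 00 0a 03")
SAMPLE = MZ + bytes(0x100 - len(MZ)) + NE

# Assumed NE target-OS codes (byte at NE offset 0x36).
NE_TARGET_OS = {1: "OS/2", 2: "Windows", 3: "European MS-DOS 4.x",
                4: "Windows 386", 5: "BOSS"}


def identify(data: bytes) -> dict:
    """Classify an MZ-prefixed file by the header that e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "not MZ"}
    (off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    sig = data[off:off + 4]
    if sig == b"PE\0\0":
        return {"format": "PE", "e_lfanew": off}
    if sig[:2] in (b"LE", b"LX"):
        return {"format": sig[:2].decode(), "e_lfanew": off}
    if sig[:2] != b"NE" or len(data) < off + 0x40:
        # No recognised extended header: treat as a plain DOS executable.
        return {"format": "DOS MZ", "e_lfanew": off}
    prog_flags, app_flags = data[off + 0x0C], data[off + 0x0D]
    return {
        "format": "NE",
        "e_lfanew": off,
        "protected_mode_only": bool(prog_flags & 0x08),
        "uses_windows_api": (app_flags & 0x07) == 3,
        "is_dll": bool(app_flags & 0x80),
        "target_os": NE_TARGET_OS.get(data[off + 0x36], "unknown"),
        # Expected Windows version is stored minor byte first, then major.
        "windows_version": (data[off + 0x3F], data[off + 0x3E]),
    }


if __name__ == "__main__":
    print(identify(SAMPLE))
```

A result of NE means the file needs a 16-bit-aware disassembler; overwriting the signature with PE cannot work, because the two header layouts share nothing beyond the MZ stub.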
