Tools

Troubleshooting

CASE 0: Broken headers

Assumption: you have a dumped PE file with broken headers (i.e. the MZ/PE magic bytes are gone).

  1. Open dump.bin in a hex editor.
  2. Find a reference parameter (use corkami-pics) which is probably not overwritten:
    1. Machine, for 32-bit: 4c 01
  3. Open a good binary (for example the unpacker exe) in a hex editor:
    1. Find the same reference parameter.
    2. Copy all bytes before it.
    3. Go back to the broken binary.
  4. Paste the copied bytes into dump.bin, replacing all bytes before the reference bytes.
  5. Re-align sections if necessary.

CASE 1: This app can't run on your PC

What it really means: loader can't load it, so you also won't be able to load it into the debugger.

Resolution: manual headers fixing is required

  1. Open the file with PE-Bear or CFF Explorer.
  2. Verify the state of the binary: if it is in the mapped state (as loaded into the process), then you might need to unmap it; otherwise:
  3. Review Optional Headers:
    • look for red markings;
    • if some address points into a section that does not exist in Section Headers → null it.
  4. Review Section Headers:
    • if an address is highlighted in red, the sections are misaligned: review the binary in a hex editor and set the start offset of the section manually;
    • if a size is highlighted in red, you might need to shrink it, or expand it, i.e. null-pad it (in a hex editor).

NOTE: Additional actions might be required!

If you modify the size of a section that sits between other sections, then you might also need to modify the raw address (RA) of the following sections!

CASE 2: The application has failed to start because its side-by-side configuration is incorrect

What it really means: the configuration file required to load the binary is malformed.

Resolution: you need to replace the configuration with a valid one.

Some binaries use a special configuration file (the application manifest) to load; it is stored in the resources under Resources/Configuration Files/1. To fix this issue, edit the configuration manually or paste (i.e. with a hex editor) the default one presented below:

Default configuration.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

CASE 3: program.exe has stopped working

What it really means: the system was able to load the PE into memory and execute it, but execution failed for some reason.

Resolution: analyze the issue with a debugger and resolve it.

This is a very common error and might indicate:

  • misaligned/missing sections;
  • a programming error, like an unhandled exception etc.;
  • other.

To solve it you should open the program in a debugger and analyze the conditions which produce this error.

Fix misaligned sections

Make sure that you have binary which is:

  • dumped,
  • with fixed PE headers,
  • unmapped.

![ScreenShot 2020-01-20 at 07.34.41](/img/broken-pe/ScreenShot 2020-01-20 at 08.48.16.png)

Auto

With pe_unmapper

Github

```
# pe_unmapper.exe <in_file>      <base>  <opt: out>
> pe_unmapper.exe _02660000.mem 02660000 payload.dll
```

Manual

  1. Open the binary in a hex editor.
  2. Go to the 1st section (in the example above, to 0x1000).
  3. The section should start at this place; nulls should be before it.
  4. Append nulls starting from the last null seen before the 1st section (0xfdf) up to the section start address (0x1000).
  5. Save.
  6. Review in PE-Bear:
    1. Sections > Section Headers should no longer be marked in red.
    2. Check that Section Headers > Image Base is the same as the dumped section address (if not, set it to the dumped section address).
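The same relayout, as an added example that is neither the page's own code nor pe_unmapper: a small Python script (standard library only) that parses the section table, flags the raw ranges PE-Bear would mark in red, and moves each section from its VirtualAddress back to its PointerToRawData, i.e. unmaps a dump. The sample PE32 image it works on is constructed inline; the function names are mine.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)

def parse_sections(data):
    """Walk the headers and return (SizeOfHeaders, [(name, vsize, va, raw_size, raw_ptr), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic: repair the headers first (Case 0)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE magic at e_lfanew")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # FileHeader.SizeOfOptionalHeader
    size_of_headers = struct.unpack_from("<I", data, pe + 24 + 60)[0]  # OptionalHeader.SizeOfHeaders
    secs = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = SECTION_HDR.unpack_from(data, pe + 24 + opt_size + 40 * i)[:5]
        secs.append((name.rstrip(b"\0").decode("latin-1"), vsize, va, raw_size, raw_ptr))
    return size_of_headers, secs

def check_sections(data):
    """The check PE-Bear shows in red: a section's raw range must lie inside the file."""
    issues = []
    for name, _, _, raw_size, raw_ptr in parse_sections(data)[1]:
        if raw_ptr + raw_size > len(data):
            issues.append(f"{name}: raw 0x{raw_ptr:x}+0x{raw_size:x} exceeds file size 0x{len(data):x}")
    return issues

def unmap(mapped):
    """Move each section from VirtualAddress (memory layout) back to PointerToRawData (file layout)."""
    size_of_headers, secs = parse_sections(mapped)
    out = bytearray(max([size_of_headers] + [p + s for _, _, _, s, p in secs]))
    out[:size_of_headers] = mapped[:size_of_headers]
    for _, _, va, raw_size, raw_ptr in secs:
        chunk = mapped[va:va + raw_size]           # shorter than raw_size if the dump was truncated
        out[raw_ptr:raw_ptr + len(chunk)] = chunk  # the remainder stays null-padded
    return bytes(out)

def build_sample_mapped():
    """Constructed sample: a memory-layout PE32 with one .text section at RVA 0x1000 / raw 0x200."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)         # Machine 4c 01, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)                 # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                            # SizeOfImage, SizeOfHeaders
    sec = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(0x200, b"\0")
    return headers.ljust(0x1000, b"\0") + bytes(range(256)) * 2                 # section body at RVA 0x1000
```

Run `check_sections` on the unmapped output before opening it in PE-Bear; an empty list means no raw range points past the end of the file.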
