Case 0: Broken headers
Assumtion: you have dumped PE file with broken headers (i. e
MZ PEmagic bytes are gone).
- Open dump.bin in hex editor
- Find reference parameter (use corkami-pics) which is probably not overwritten:
Machine, for 32bit:
- Open good binary (for example unpacker exe) in hex editor:
- Find the same reference parameter
- Copy all bytes before it
- Go back to broken binary
- Paste bytes into dump.bin into all bytes before refence bytes.
- Re-allign sections if necessary.
CASE 1: This app can't run on your PC
What it really means: loader can't load it, so you also won't be able to load it into the debugger.
Resolution: manual headers fixing is required
- Open file wit PE-Bear or CFF explorer
- Verify the state of binary, if it is in the mapped state (loaded into the process), then you might need to unmap it; otherwise:
- Review Optional Headers:
- look for red markings
- if some address is pointing into to not existing section in Section Headers → null it
- Review Section Headers:
- if address is highlighted with red color, then it means that sections are misaligned, you need to review binary in hex editor and start offset of the section manually
- if size is highlighted with red color, then you might need to shrink it or expand it will i.e null-pad (in hex editor)
NOTE: Additional actions might be required!
If you are modifying size of section which is between other sections, then you might need to modify RA of the next sections!
CASE 2: The application has failed to start because its side-by-side configuration is incorrect
What it really means: Configuration file required to load is malformed.
Resolution: You need to replace configuration with the valid one.
Some binaries are using special configuration files to load binary located in Resources/Configuration Files/1. To fix this issue edit the configuration manually or paste (with i.e hex editor) the default one presented below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="126.96.36.199" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
CASE 3: program.exe has stopped working
What it really means: System was able to load PE into the memory and execute it, but execution failed for some reason.
Resolution: Analyze the issue with debugger and resolve it.
This is very common error and might indicate:
- misaligned/missing sections;
- programming error, like not handled exception etc;
To solve it you should open the program with debugger and analyze the conditions which are creating this error.
Fix misalligned sections
Make sure that you have binary which is:
- with fixed PE headers,
![ScreenShot 2020-01-20 at 07.34.41](/img/broken-pe/ScreenShot 2020-01-20 at 08.48.16.png)
# pe_unmapper.exe <in_file> <base> <opt: out> > pe_unmapper.exe _02660000.mem 02660000 payload.dll
- Open binary in hex editor
- Go to the 1st section (on example above to
- Section should start in this place, nulls should be before.
- Append nulls starting from last null seen before 1st section (
0xfdf) to section start address (inconclusive) (
- Review in PE Bear:
Section Headersshould no longer be marked as read.
Image Baseis the same as dumped section address (if not, set it to dumped section address).