Prerequisites

  1. Make sure that you have dumped the binary from memory
  2. (Optional) Fix the PE headers if necessary

Unmap

With PE-bear

  1. Open PE-bear > Sections > Section Headers
  2. Make sure that VA and VS (virtual address and virtual size) match RA and RS (raw address and raw size), so:
    1. RA[i] = VA[i]
    2. RS[i] = RA[i+1] - RA[i]
    3. RS.reloc = 0
    4. VS[i] = RS[i]
  3. If you see red blocks, the PE is probably misaligned; see: Fix misaligned sections

UnmapPE
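
The same four rules can be applied to the section table without the GUI. The Python script below is an added example, not part of PE-bear or the original page; it assumes the sections are sorted by virtual address and that a last section other than .reloc keeps its virtual size, and it runs on a constructed header (sample_dump is a hypothetical helper).

```python
import struct

SEC_FMT = "<8sIIII16x"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SEC_SIZE = struct.calcsize(SEC_FMT)  # 40 bytes per section header

def unmap_sections(image: bytearray):
    """Patch the section table of a memory dump in place; return (name, VA, VS, RA, RS) rows."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature; fix the headers first")
    nsec, = struct.unpack_from("<H", image, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    if table + nsec * SEC_SIZE > len(image):
        raise ValueError("section table runs past the end of the dump")
    secs = [struct.unpack_from(SEC_FMT, image, table + i * SEC_SIZE) for i in range(nsec)]
    rows = []
    for i, (name, vs, va, _rs, _ra) in enumerate(secs):
        ra = va                                            # RA[i] = VA[i]
        if name.rstrip(b"\0") == b".reloc":
            rs = 0                                         # RS.reloc = 0
        elif i + 1 < nsec:
            rs = secs[i + 1][2] - va                       # RS[i] = RA[i+1] - RA[i]
        else:
            rs = vs                                        # assumption: last section keeps its VS
        if rs < 0:
            raise ValueError("sections are not sorted by virtual address")
        # Fields VS, VA, RS, RA are contiguous at offset 8; VS[i] = RS[i]
        struct.pack_into("<IIII", image, table + i * SEC_SIZE + 8, rs, va, rs, ra)
        rows.append((name.rstrip(b"\0").decode("latin-1"), va, rs, ra, rs))
    return rows

def sample_dump() -> bytearray:
    """Constructed header: three sections still carrying their on-disk raw values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    secs = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, ra) for n, vs, va, rs, ra in [
        (b".text", 0x1234, 0x1000, 0x1400, 0x400),
        (b".data", 0x200, 0x3000, 0x200, 0x1800),
        (b".reloc", 0x80, 0x4000, 0x200, 0x1A00)])
    return dos + coff + bytes(0xE0) + secs

if __name__ == "__main__":
    for row in unmap_sections(sample_dump()):
        print("%-8s VA=%#x VS=%#x RA=%#x RS=%#x" % row)
```

Work on a copy of the dump and review the result in PE-bear afterwards.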

Fix misaligned sections

Dump1

  1. Open the binary in a hex editor
  2. Go to the 1st section (in the example above, 0x1000)
  3. The section should start at this offset, with only nulls before it.
  4. Append nulls starting from the last null seen before the 1st section (0xfdf) up to the section start address (exclusive) (0x1000)
  5. Save.
  6. Review in PE-bear:
    1. Sections > Section Headers should no longer be marked in red.
    2. Check that Section Headers > Image Base is the same as the dumped section address (if not, set it to the dumped section address).

Dump2