Learning to crack & lt; A & gt; PE format of MS-DOS MZ header

PE means that the Protable Executable (PE) file format is something that Microsoft has done. It literally means it can be transplanted, but he hasn't seen how portable it is in practical use, the PE Format draws on the COFF (Common Object File Format) Format in UNIX systems. In addition, PE is compatible with MS-Dos and retains the MS-Dos header. When opened under dos, the system prompts "This Is A win32 program that cannot be run under dos", which is very friendly.
The structure of the MS-DOS MZ header is like this
MS-DOS MZ header
[Cpp] view plaincopy
Typedef struct _ IMAGE_DOS_HEADER {// DOS. EXE header
WORD e_magic; // Magic number
WORD e_cblp; // Bytes on last page of file
WORD e_cp; // Pages in file
WORD e_crlc; // Relocations
WORD e_cparhdr; // Size of header in paragraphs
WORD e_minalloc; // Minimum extra paragraphs needed
WORD e_maxalloc; // Maximum extra paragraphs needed
WORD e_ss; // Initial (relative) SS value
WORD e_sp; // Initial SP value
WORD e_csum; // Checksum
WORD e_ip; // Initial IP value
WORD e_cs; // Initial (relative) CS value
WORD e_lfarlc; // File address of relocation table
WORD e_ovno; // Overlay number
WORD e_res [4]; // Reserved words
WORD e_oemid; // OEM identifier (for e_oeminfo)
WORD e_oeminfo; // OEM information; e_oemid specific
WORD e_res2 [10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;
The key member is e_lfanew, which points to the Relative Virtual address RAV (Relative Virtual Addresses) of the PE file header in the PE file ), the value of e_magic should be equal to 0x5A4D is the sign of the MS-DOS MZ header, MZ seems to be a programmer name abbreviation, other members are basically useless, some shelling software will modify its members to free up space for their own sections, alternatively, when the gap at the end of the table is insufficient to write a new untable structure, the IMAGE_DOS_HEADE and IMAGE_NT_HEADER are merged.
You can write a small program to output IMAGE_DOS_HEADE.
The IMAGE_DOS_HEADE struct is defined in windows. h.
When the system loads a file in PE format, it first loads the structure IMAGE_DOS_HEADE, and then finds the PE File Header based on the relative offset provided by e_lfanew in the structure.
 
You can directly read the IMAGE_DOS_HEADE struct in C, and write it below.
Read the IMAGE_DOS_HEADE struct from the beginning of the file.
[Cpp] view plaincopy
Fread (& mydosheader, sizeof (mydosheader), 1, p );
The file pointer is moved to the relative offset indicated by e_lfanew, that is, the PE file header.
[Cpp] view plaincopy
Fseek (p, mydosheader. e_lfanew, SEEK_SET );
Read the PE file mark. This PE Signature is a value such as PE \ 0 \ 0, proving that it is in PE format.
[Cpp] view plaincopy
Fread (& sig, 4,1, p );
All the variables in this judgment are constants in windows. h.
The value of IMAGE_NT_SIGNATURE is PE \ 0 \ 0.
The value of IMAGE_DOS_SIGNATURE is MZ.
For specific definitions, go to windows. h.
 
If (mydosheader. e_magic = IMAGE_DOS_SIGNATURE )&&
(Sig = IMAGE_NT_SIGNATURE ))
Printf ("valid PE file/n ");
Else
Printf ("invalid PE file/n ");
Return 0;
The following is a complete program
[Cpp] view plaincopy
# Include "windows. h"
# Include "stdio. h"
 
Int main (int argc, char * argv [])
{
FILE * p;
IMAGE_DOS_HEADER mydosheader;
Unsigned long sig;
 
P = fopen ("test1.exe", "r + B ");
If (p = NULL) return-1;
 
Fread (& mydosheader, sizeof (mydosheader), 1, p );
Fseek (p, mydosheader. e_lfanew, SEEK_SET );
Fread (& sig, 4,1, p );
Fclose (p );
 
Printf ("IMAGE_DOS_HEADER dump:/n ");
Printf ("e_magic: % 04x/n", mydosheader. e_magic );
Printf ("e_cblp: % 04x/n", mydosheader. e_cblp );
Printf ("e_cp: % 04x/n", mydosheader. e_cp );
Printf ("e_crlc: % 04x/n", mydosheader. e_crlc );
Printf ("e_cparhdr: % 04x/n", mydosheader. e_cparhdr );
Printf ("e_minalloc: % 04x/n", mydosheader. e_minalloc );
Printf ("e_maxalloc: % 04x/n", mydosheader. e_maxalloc );
Printf ("e_ss: % 04x/n", mydosheader. e_ss );
Printf ("e_sp: % 04x/n", mydosheader. e_sp );
Printf ("e_csum: % 04x/n", mydosheader. e_csum );
Printf ("e_ip: % 04x/n", mydosheader. e_ip );
Printf ("e_cs: % 04x/n", mydosheader. e_cs );
Printf ("e_lfarlc: % 04x/n", mydosheader. e_lfarlc );
Printf ("e_ovno: % 04x/n", mydosheader. e_ovno );
Printf ("e_res [0]: % 04x/n", mydosheader. e_res [0]);
Printf ("e_oemid: % 04x/n", mydosheader. e_oemid );
Printf ("e_oeminfo: % 04x/n", mydosheader. e_oeminfo );
Printf ("res2 [0]: % 04x/n", mydosheader. e_res2 [0]);
Printf ("lfanew: % 08x/n", mydosheader. e_lfanew );
 
 
If (mydosheader. e_magic = IMAGE_DOS_SIGNATURE )&&
(Sig = IMAGE_NT_SIGNATURE ))
Printf ("valid PE file/n ");
Else
Printf ("invalid PE file/n ");
Return 0;
}