Parsing a PE file and writing its additional data (overlay) to a file.
The code mainly parses the PE file header, locates the overlay, and writes it to a file. A common scenario is a crackme that carries a piece of encrypted additional data: while it runs, the crackme parses its own additional data and then decrypts it ....
The code, kept here for reference:
// Parse your PE file TCHAR szModuleFile [MAX_PATH] = {0};: GetModuleFileName (NULL, szModuleFile, MAX_PATH); HANDLE hFile =: CreateFile (szModuleFile, 0X80000000, 0X1, NULL, 0x3, 0x80, NULL); if (! HFile) {AfxMessageBox ("create file error"); return;} DWORD dwFileSize = 0; dwFileSize =: GetFileSize (hFile, NULL); if (! DwFileSize) {AfxMessageBox ("GetFileSize error"); return;} TCHAR * pBuffer = new TCHAR [dwFileSize + 1]; DWORD dwReadBytes = 0; BOOL bSuc =: ReadFile (hFile, pBuffer, dwFileSize, & dwReadBytes, NULL); if (! BSuc) {AfxMessageBox ("read file error"); return;} IMAGE_DOS_HEADER * pDosHead = (IMAGE_DOS_HEADER *) pBuffer; IMAGE_NT_HEADERS * pNtHeader; // obtain the PE file header. pNtHeader = (IMAGE_NT_HEADERS *) (char *) pDosHead + pDosHead-> e_lfanew); WORD wNumOfSection = pNtHeader-> FileHeader. numberOfSections; // DWORD dwTemp = wNumOfSection * (sizeof (IMAGE_SECTION_HEADER)/sizeof (DWORD); WORD wSizeOfOptionalHeader = pNtHeader-> FileHea Der. sizeOfOptionalHeader; DWORD * pOverLay; DWORD * character; DWORD * pLastSectionPhyAddress, * pLastSectionPhySize; character = (DWORD *) (char *) pNtHeader + sizeof (IMAGE_NT_HEADERS) + (wNumOfSection-1) * sizeof (IMAGE_SECTION_HEADER) + sizeof (BYTE) * IMAGE_SIZEOF_SHORT_NAME); pLastSectionVirualAddress = pLastSectionVirualSize + 1; pLastSectionPhyAddres S = California + 2; pLastSectionPhySize = pLastSectionVirualSize + 3; DWORD dw1 = * pLastSectionPhyAddress; DWORD dw2 = * pLastSectionPhySize; pOverLay = (DWORD *) (dw1 + dw2 + pBuffer ); DWORD dwOverlaySize = dwFileSize-(dw1 + dw2); HANDLE hOutFile =: CreateFile ("C: \ Users \ Administrator \ Desktop \ crackme.exe. overlay ", GENERIC_WRITE, file_1__read, NULL, CREATE_NEW, NULL, NULL); if (! HOutFile) {return;} DWORD dwWritten = 0;: WriteFile (hOutFile, pOverLay, dwOverlaySize, & dwWritten, NULL);: CloseHandle (hOutFile); if (char *) pOverLay = 0x0) {AfxMessageBox ("the first byte of additional data is 0"); return ;}: free (pBuffer);: CloseHandle (hFile );