Recently I have been practicing unpacking. For the test I used the Windows 98 Notepad packed with Armadillo 3.10. File size: 52 K --> 324 K after packing --> 588 K after unpacking, which is more than 10 times the size before packing, so I wanted to slim the file down. I searched the Kanxue essentials collection and could not find anything on this. I have been learning the PE file structure, so I tried it myself.
First, look at the sections of the file before packing:
Image base: 0x00400000
----------------------------------------------------------
Section name  Virtual size  Virtual address  Raw_Size  Raw_Offset  Characteristics
----------------------------------------------------------
.text         00003FD4      00001000         00004000  00001000    60000020
.data         0000084C      00005000         00001000  00005000    C0000040
.idata        00000E02      00006000         00001000  00006000    40000040
.rsrc         00004FB8      00007000         00005000  00007000    40000040
.reloc        00000AC6      0000C000         00001000  0000C000    42000040
After packing:
Image base: 0x00400000
----------------------------------------------------------
Section name  Virtual size  Virtual address  Raw_Size  Raw_Offset  Characteristics
----------------------------------------------------------
.text         00003FD4      00001000         00000000  00000000    60000020
.data         0000084C      00005000         00000000  00000000    C0000040
.idata        00005E02      00006000         00000000  00000000    40000040
.reloc        00000AC6      0000C000         00000000  00000000    42000040
.text1        00020000      0000D000         00014000  00001000    E0000020
.adata        00010000      0002D000         00005000  00015000    E0000020
.data1        00010000      0003D000         00006000  0001A000    C0000040
.reloc1       00010000      0004D000         00002000  00020000    42000040
.pdata        00030000      0005D000         0002A000  00022000    C0000040
.rsrc         00005000      0008D000         00005000  0004C000    40000040
Section table of the file after unpacking:
Image base: 0x00400000
----------------------------------------------------------
Section name  Virtual size  Virtual address  Raw_Size  Raw_Offset  Characteristics
----------------------------------------------------------
.text         00003FD4      00001000         00003FD4  00001000    60000020
.data         0000084C      00005000         0000084C  00005000    C0000040
.idata        00005E02      00006000         00005E02  00006000    C0000040
.reloc        00000AC6      0000C000         00000AC6  0000C000    42000040
.text1        00020000      0000D000         00020000  0000D000    E0000020
.adata        00010000      0002D000         00010000  0002D000    E0000020
.data1        00010000      0003D000         00010000  0003D000    C0000040
.reloc1       00010000      0004D000         00010000  0004D000    42000040
.pdata        00030000      0005D000         00030000  0005D000    C0000040
.rsrc         00005000      0008D000         00005000  0008D000    40000040
.MACT         00001000      00092000         00001000  00092000    E0000060
Here, the .rsrc section is the file's resource section, and the .MACT section is the section that ImpREC added when it fixed the import table.
It is easy to see that only the following sections are useful:
----------------------------------------------------------
Section name  Virtual size  Virtual address  Raw_Size  Raw_Offset  Characteristics
----------------------------------------------------------
.text         00003FD4      00001000         00003FD4  00001000    60000020
.data         0000084C      00005000         0000084C  00005000    C0000040
.idata        00005E02      00006000         00005E02  00006000    C0000040
.rsrc         00005000      0008D000         00005000  0008D000    40000040
.MACT         00001000      00092000         00001000  00092000    E0000060
The other sections are useless junk left over after unpacking, so we only need to delete them to slim the file down. Of course, the sections to delete differ from packer to packer, so each case has to be analyzed on its own.
Let's go!
Step 1: delete from the section table
The sections to delete are the ones whose Raw_Offset lies in the range 0000C000 to 0008D000-1.
In LordPE's PE Editor, right-click each of these sections and select "wipe section header" to remove it from the section table.
Step 2: delete from the file
Open the file in Hex Workshop, select offsets 0000C000 to 0008D000-1, and press Del to delete them.
Step 3: adjust the section table attributes
Deleting only the section table entries and the file content is not enough; the section attributes must also be set.
You could write a program to adjust the RVA of the resource section so that its RVA equals its file offset, but that is troublesome. In addition, there is a lot of information about the import table in.
We use a simpler method: change the section's file offset without moving its RVA.
In the PE Editor, click Sections, select .rsrc, then right-click and choose "edit section header".
Because the deleted region started at Raw_Offset 0000C000, the Raw_Offset of the .rsrc section now becomes 0000C000.
The Raw_Offset of the .MACT section that follows .rsrc = .rsrc Raw_Offset + .rsrc Raw_Size = 0000C000 + 00005000 = 00011000.
Therefore, the Raw_Offset of the .MACT section is 00011000.
If we try to run the file now, Windows reports that it is not a valid Win32 program.
Adjust the virtual size of the .idata section, which sits just before .rsrc, so that the virtual addresses of adjacent sections are contiguous.
(.rsrc virtual address 0008D000) - (.idata virtual address 00006000) = 00087000
Therefore, set the virtual size of the .idata section to 00087000.
Step 4: adjust the data directory attributes
Because we have deleted the .reloc section, we need to set the Relocation Table entry in the data directory to 0. Of course, this step is not strictly necessary, since this section is basically not used in exe files.
Save and test it. Is it OK? 588 K --> 72 K. Although that is a little bigger than the original 52 K, it is already satisfactory.
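The arithmetic of steps 1 to 3, generalized to any set of dropped sections, as an added Python example (not part of the original article). The section values are read from the unpacked-dump table above; the function name `slim` and the 0x1000 section alignment are assumptions made for this example.

```python
# (name, virtual_size, virtual_address, raw_size, raw_offset) of the unpacked dump
DUMP = [
    (".text",   0x03FD4, 0x01000, 0x03FD4, 0x01000),
    (".data",   0x0084C, 0x05000, 0x0084C, 0x05000),
    (".idata",  0x05E02, 0x06000, 0x05E02, 0x06000),
    (".reloc",  0x00AC6, 0x0C000, 0x00AC6, 0x0C000),
    (".text1",  0x20000, 0x0D000, 0x20000, 0x0D000),
    (".adata",  0x10000, 0x2D000, 0x10000, 0x2D000),
    (".data1",  0x10000, 0x3D000, 0x10000, 0x3D000),
    (".reloc1", 0x10000, 0x4D000, 0x10000, 0x4D000),
    (".pdata",  0x30000, 0x5D000, 0x30000, 0x5D000),
    (".rsrc",   0x05000, 0x8D000, 0x05000, 0x8D000),
    (".MACT",   0x01000, 0x92000, 0x01000, 0x92000),
]
DROP = {".reloc", ".text1", ".adata", ".data1", ".reloc1", ".pdata"}

def slim(sections, drop, align=0x1000):
    """Return (new section table, new file size) after cutting `drop` out."""
    kept, shift, hole = [], 0, None
    for name, vsize, va, rsize, roff in sorted(sections, key=lambda s: s[4]):
        if name in drop:
            if hole is None:
                hole = roff            # first file byte of the run being cut
            continue
        if hole is not None:
            shift += roff - hole       # bytes removed in front of this section
            hole = None
        kept.append([name, vsize, va, rsize, roff - shift])  # RVA is not moved
    for cur, nxt in zip(kept, kept[1:]):
        # The loader rejects holes in the virtual layout: each section must end
        # (rounded up to the assumed alignment) where the next one begins.
        end = (cur[2] + cur[1] + align - 1) & ~(align - 1)
        if end != nxt[2]:
            cur[1] = nxt[2] - cur[2]   # stretch the virtual size over the gap
    return kept, kept[-1][4] + kept[-1][3]

if __name__ == "__main__":
    table, size = slim(DUMP, DROP)
    for name, vsize, va, rsize, roff in table:
        print(f"{name:8} {vsize:08X} {va:08X} {rsize:08X} {roff:08X}")
    print(f"file size: {size // 1024} K")
```

Only the raw offsets and one virtual size change; the characteristics and the data directory (step 4) are left to the PE editor.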