# Minimal hand-assembled 32-bit PE executable, given as an annotated hex dump.
# Lines starting with '#' are commentary; the other lines are "offset  hex words  [ascii]"
# rows (the ascii column is just the dump tool's rendering, some rows omit it).
# All multi-byte fields are little-endian, so the word pair "4000 0000" reads as 0x00000040.
# File layout (1024 = 0x400 bytes total):
#   0x000-0x03f  IMAGE_DOS_HEADER
#   0x040-0x053  DOS stub, then zero padding to 0x80
#   0x080-0x097  "PE\0\0" signature + IMAGE_FILE_HEADER
#   0x098-0x177  IMAGE_OPTIONAL_HEADER32 (0xe0 bytes, incl. 16 data directories)
#   0x178-0x19f  section table: one IMAGE_SECTION_HEADER (.text), then padding to 0x200
#   0x200-0x3ff  .text raw data (8 bytes of code + zero padding)
#
# IMAGE_DOS_HEADER
# e_magic    = 0x5a4d  "MZ"
# e_cblp     = 0x0090  bytes used in the last 512-byte page
# e_cp       = 0x0003  number of 512-byte pages; with e_cblp this claims a 1168-byte file,
#                      while the file is really 0x400 bytes. The NT loader reads only
#                      e_magic and e_lfanew from this header, so the mismatch is harmless;
#                      the remaining DOS fields describe the stub only.
# e_crlc     = 0x0000  number of relocation entries
# e_cparhdr  = 0x0004  header size in 16-byte paragraphs (4 * 16 = 0x40 = stub offset)
# e_minalloc = 0x0000  minimum extra paragraphs required
# e_maxalloc = 0xffff  maximum extra paragraphs wanted
# e_ss       = 0x0000  initial (relative) SS
00000000 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
# e_sp       = 0x00b8  initial SP
# e_csum     = 0x0000  checksum (conventionally left zero)
# e_ip       = 0x0000  initial IP
# e_cs       = 0x0000  initial (relative) CS
# e_lfarlc   = 0x0040  file offset of the relocation table (empty, since e_crlc = 0)
# e_ovno     = 0x0000  overlay number
# e_res[0..1] = 0      (rest of this row)
00000010 b800 0000 0000 0000 4000 0000 0000 0000 8.......@.......
# e_res[2..3], e_oemid, e_oeminfo, e_res2[0..3]: all zero
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
# e_res2[4..9] zero; the final dword (file offset 0x3c) is e_lfanew = 0x00000080,
# the file offset of the "PE\0\0" signature. This is the only DOS-header field a
# PE loader or parser needs; anything else here is legacy.
00000030 0000 0000 0000 0000 0000 0000 8000 0000 ................
# DOS stub: 16-bit real-mode code executed only if the file is run under DOS.
# It prints a '$'-terminated message (INT 21h, AH=09h) and exits (INT 21h, AH=4Ch).
# The usual "This program cannot be run in DOS mode." is shortened to "nfw".
# Offsets below are relative to the stub start (file offset 0x40); CS=DS=stub base
# because e_cs = e_ip = 0 and the first two instructions copy CS into DS.
#   0000  0e                 push cs
#   0001  1f                 pop  ds
#   0002  ba 0e 00           mov  dx,000e   ; DS:DX -> message at stub offset 0x0e
#   0005  b4 09              mov  ah,09
#   0007  cd 21              int  21        ; print string
#   0009  b8 01 4c           mov  ax,4c01   ; AH=4Ch terminate, AL=01 exit code
#   000c  cd 21              int  21
#   000e  6e 66 77 0d 0a 24  db   "nfw\r\n$"
00000040 0e1f ba0e 00b4 09cd 21b8 014c cd21 6e66 ..:..4.M!8.LM!nf
00000050 770d 0a24 0000 0000 0000 0000 0000 0000
# zero padding up to e_lfanew (0x80)
00000060 0000 0000 0000 0000 0000 0000 0000 0000
00000070 0000 0000 0000 0000 0000 0000 0000 0000
# PE signature "PE\0\0", followed by IMAGE_FILE_HEADER:
# Machine              = 0x014c      IMAGE_FILE_MACHINE_I386
# NumberOfSections     = 0x0001      one entry in the section table
# TimeDateStamp        = 0x38ff4cab  seconds since the Unix epoch
#                        (= 956255403 = 2000-04-20 18:30:03 UTC); informational only
# PointerToSymbolTable = 0x00000000  no COFF symbol table
00000080 5045 0000 4c01 0100 4cab ff38 0000 0000 PE..L...L+.8....
# NumberOfSymbols      = 0x00000000
# SizeOfOptionalHeader = 0x00e0      224 bytes: optional header spans 0x98-0x177,
#                                    so the section table begins at 0x178
# Characteristics      = 0x010f, i.e. these flags are set:
#   0x0001 IMAGE_FILE_RELOCS_STRIPPED    no base relocations; image must load at ImageBase
#   0x0002 IMAGE_FILE_EXECUTABLE_IMAGE
#   0x0004 IMAGE_FILE_LINE_NUMS_STRIPPED
#   0x0008 IMAGE_FILE_LOCAL_SYMS_STRIPPED
#   0x0100 IMAGE_FILE_32BIT_MACHINE
# IMAGE_OPTIONAL_HEADER32 begins at 0x98:
# Magic                = 0x010b      PE32 (PE32+ would be 0x020b)
# MajorLinkerVersion   = 0x02, MinorLinkerVersion = 0x37   (two single bytes "02 37")
# SizeOfCode           = 0x00000600  does not match the 0x200-byte .text section below;
#                                    informational, the loader maps from the section table
00000090 0000 0000 e000 0f01 0b01 0237 0006 0000 ....`......7....
# SizeOfInitializedData   = 0x00000400  (there is no data section; informational)
# SizeOfUninitializedData = 0x00000200  (ditto)
# AddressOfEntryPoint     = 0x00001000  RVA, so 0x00401000 once loaded at ImageBase;
#                                       inside .text (RVA 0x1000-0x11ff), as it must be
# BaseOfCode              = 0x00001000
000000a0 0004 0000 0002 0000 0010 0000 0010 0000 ................
# BaseOfData       = 0x00002000
# ImageBase        = 0x00400000  preferred and, with relocations stripped, the only load address
# SectionAlignment = 0x00001000  in-memory section alignment (one 4 KiB page)
# FileAlignment    = 0x00000200  on-disk section alignment
000000b0 0020 0000 0000 4000 0010 0000 0002 0000 . ....@.........
# MajorOperatingSystemVersion = 0x0004, MinorOperatingSystemVersion = 0x0000
# MajorImageVersion           = 0x0001, MinorImageVersion           = 0x0000
# MajorSubsystemVersion       = 0x0004, MinorSubsystemVersion       = 0x0000
# Win32VersionValue           = 0x00000000  reserved, must be zero
000000c0 0400 0000 0100 0000 0400 0000 0000 0000 ................
# SizeOfImage        = 0x00002000  one page of headers + one page of .text, a
#                                  SectionAlignment multiple
# SizeOfHeaders      = 0x00000200  rounded up to FileAlignment; .text raw data starts here
# CheckSum           = 0x00000000  only enforced by the loader for drivers and some system DLLs
# Subsystem          = 0x0003      IMAGE_SUBSYSTEM_WINDOWS_CUI (console)
# DllCharacteristics = 0x0000      no DYNAMIC_BASE / NX_COMPAT bits, so the image opts out
#                                  of ASLR and DEP; acceptable for a demo, not for shipped code
000000d0 0020 0000 0002 0000 0000 0000 0300 0000 .P..............
# SizeOfStackReserve = 0x02000000  (32 MiB; note the byte order of "0000 0002")
# SizeOfStackCommit  = 0x00001000
# SizeOfHeapReserve  = 0x00100000
# SizeOfHeapCommit   = 0x00001000
000000e0 0000 0002 0010 0000 0000 1000 0010 0000 ................
# LoaderFlags         = 0x00000000  reserved
# NumberOfRvaAndSizes = 0x00000010  16 IMAGE_DATA_DIRECTORY entries follow (RVA, size)
# DataDirectory[0]  export table           RVA 0x00000000  size 0x00000000
000000f0 0000 0000 1000 0000 0000 0000 0000 0000 ................
# DataDirectory[1]  import table           0 / 0   (the program imports nothing)
# DataDirectory[2]  resource table         0 / 0
00000100 0000 0000 0000 0000 0000 0000 0000 0000 .@..d...........
# DataDirectory[3]  exception table        0 / 0
# DataDirectory[4]  certificate table      0 / 0   (unsigned; this entry holds a file
#                                                  offset rather than an RVA)
00000110 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[5]  base relocation table  0 / 0   (consistent with RELOCS_STRIPPED)
# DataDirectory[6]  debug                  0 / 0
00000120 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[7]  architecture           0 / 0   (reserved)
# DataDirectory[8]  global pointer         0 / 0
00000130 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[9]  TLS table              0 / 0
# DataDirectory[10] load config table      0 / 0
00000140 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[11] bound import           0 / 0
# DataDirectory[12] import address table   0 / 0
00000150 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[13] delay import           0 / 0
# DataDirectory[14] CLR runtime header     0 / 0
00000160 0000 0000 0000 0000 0000 0000 0000 0000 ................
# DataDirectory[15] reserved, must be zero; the optional header ends at 0x177.
# Section table: one IMAGE_SECTION_HEADER (40 bytes) starting at 0x178.
# Name             = ".text" padded with NUL bytes to 8 characters
00000170 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...
# VirtualSize      = 0x00000200  bytes in memory (zero-filled beyond SizeOfRawData)
# VirtualAddress   = 0x00001000  RVA, a SectionAlignment multiple
# SizeOfRawData    = 0x00000200  bytes on disk, a FileAlignment multiple
# PointerToRawData = 0x00000200  file offset of the section data (= SizeOfHeaders)
00000180 0002 0000 0010 0000 0002 0000 0002 0000 8...............
# PointerToRelocations = 0, PointerToLinenumbers = 0 (two dwords)
# NumberOfRelocations  = 0, NumberOfLinenumbers  = 0 (two words)
# Characteristics      = 0x60000020:
#   0x00000020 IMAGE_SCN_CNT_CODE
#   0x20000000 IMAGE_SCN_MEM_EXECUTE
#   0x40000000 IMAGE_SCN_MEM_READ
#   (objdump reports CONTENTS, ALLOC, LOAD, READONLY, CODE; not writable, as code should be)
00000190 0000 0000 0000 0000 0000 0000 2000 0060 ............ ..`
# zero padding from the end of the section table (0x1a0) to SizeOfHeaders (0x200)
000001a0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001b0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001c0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001d0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001e0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0 0000 0000 0000 0000 0000 0000 0000 0000 ................
# .text section data: file offset 0x200 = RVA 0x1000 = VA 0x00401000 = entry point.
#   401000  31 c0   xor  eax,eax
#   401002  ff c0   inc  eax
#   401004  ff c0   inc  eax
#   401006  90      nop            (replace with cc = int3 to break into a debugger here)
#   401007  c3      ret            ; returns with eax = 2
# With no import table there is nothing else this code could call; the return value
# is presumably used as the process exit code -- verify on the target OS.
00000200 31c0 ffc0 ffc0 90c3
# Zero padding for the rest of the 0x200-byte section. The offsets printed below are
# stale (copied from the rows above); only the byte values matter.
00000200 0000 0000 0000 0000 ................
00000210 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000220 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000230 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000240 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000250 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000260 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000270 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000280 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000290 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002a0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002b0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002c0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002d0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002e0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002f0 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000300 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000310 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000320 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000330 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000340 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000350 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000360 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000370 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000380 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000390 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003a0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003b0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003c0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003d0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003e0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003f0 0000 0000 0000 0000 0000 0000 0000 0000 ................