LRRCE executable analysis
Robert Jordan edited this page Oct 27, 2021
·
3 revisions
The following differences have been noted between the LegoRR.exe and LegoRRCE.exe executables.
! IMAGE_FILE_HEADER
# +1 section added for .IIDKing
- 00400086 05 00 dw 5h NumberOfSections
+ 00400086 06 00 dw 6h NumberOfSections
! IMAGE_OPTIONAL_HEADER32
# +0x1e00 (increased size of .rsrc)
- 004000a0 00 1A 2d 00 ddw 2D1A00h SizeOfInitializedData
+ 004000a0 00 38 2d 00 ddw 2D3800h SizeOfInitializedData
# +0x3000 (accounts for 0x1000 section alignment)
- 004000d0 00 20 37 00 ddw 372000h SizeOfImage
+ 004000d0 00 50 37 00 ddw 375000h SizeOfImage
# Checksum actually calculated for LRR:CE, while LRR did not have one.
- 004000d8 00 00 00 00 ddw 0h CheckSum
+ 004000d8 b3 3c 0c 00 ddw C3CB3h CheckSum
! IMAGE_DATA_DIRECTORY [1] Import Directory
- 00400100 00 f0 36 00 ibo32 36F000h VirtualAddress -> start of .idata
- 00400104 f0 00 00 00 ddw F0h Size
+ 00400100 00 40 37 00 ibo32 374000h VirtualAddress -> start of .IIDKing
+ 00400104 04 01 00 00 ddw 104h Size -> +0x14 for lrrce.dll IMAGE_IMPORT_DESCRIPTOR
! IMAGE_DATA_DIRECTORY [2] Resource Directory
= 00400108 00 10 37 00 ibo32 371000h VirtualAddress
- 0040010c 78 0b 00 00 ddw B78h Size
+ 0040010c 70 28 00 00 ddw 2870h Size
! IMAGE_SECTION_HEADER [4] ".rsrc"
= 00400218 2e 72 73 72 63 char[8] ".rsrc" Name
00 00 00
! Misc Misc
# +0x1cf8
- 00400220 78 0b 00 00 ddw B78h PhysicalAddress / VirtualSize
+ 00400220 70 28 00 00 ddw 2870h PhysicalAddress / VirtualSize
= 00400224 00 10 37 00 ibo32 371000h VirtualAddress
# +0x1e00
- 00400228 00 0c 00 00 ddw C00h SizeOfRawData
+ 00400228 00 2a 00 00 ddw 2A00h SizeOfRawData
= 0040022c 00 32 0b 00 ddw B3200h PointerToRawData
! IMAGE_SECTION_HEADER [5] ".IIDKing"
- 00400240 00 00 00 00 00
- 00 00 00
! Misc Misc
- 00400248 00 00 00 00
- 0040024c 00 00 00 00
- 00400250 00 00 00 00
- 00400254 00 00 00 00
- 00400258 00 00 00 00
- 0040025c 00 00 00 00
- 00400260 00 00
- 00400262 00 00
- 00400264 00 00 00 00
+ 00400240 2e 49 49 44 4b char[8] ".IIDKing" Name .IIDKing
+ 69 6e 67
! Misc Misc
+ 00400248 00 02 00 00 ddw 200h PhysicalAddress / VirtualSize
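# raw bytes 00 40 37 00 decode to 374000h (start of .IIDKing, matching the Import Directory VirtualAddress above); the 36F148h annotation on this line appears to be a listing artifact
+ 0040024c 00 40 37 00 ibo32 36F148h VirtualAddress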
+ 00400250 00 02 00 00 ddw 200h SizeOfRawData
+ 00400254 00 5c 0b 00 ddw B5C00h PointerToRawData
+ 00400258 00 00 00 00 ddw 0h PointerToRelocations
+ 0040025c 00 00 00 00 ddw 0h PointerToLinenumbers
+ 00400260 00 00 dw 0h NumberOfRelocations
+ 00400262 00 00 dw 0h NumberOfLinenumbers
+ 00400264 20 00 00 e0 SectionF E0000020h Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
! IMAGE_RESOURCE_DIRECTORY [1]
= 00771028 00 00 00 00 ddw 0h Characteristics
- 0077102c e0 49 ef 37 ddw 37EF49E0h TimeDateStamp
+ 0077102c 00 00 00 00 ddw 0h TimeDateStamp
= 00771030 00 00 dw 0h MajorVersion
= 00771032 00 00 dw 0h MinorVersion
= 00771034 00 00 dw 0h NumberOfNamedEntries
= 00771036 01 00 dw 1h NumberOfIdEntries
! IMAGE_RESOURCE_DIRECTORY [4]
= 00771070 00 00 00 00 ddw 0h Characteristics
- 00771074 e0 49 ef 37 ddw 37EF49E0h TimeDateStamp
+ 00771074 00 00 00 00 ddw 0h TimeDateStamp
= 00771078 00 00 dw 0h MajorVersion
= 0077107a 00 00 dw 0h MinorVersion
= 0077107c 00 00 dw 0h NumberOfNamedEntries
= 0077107e 01 00 dw 1h NumberOfIdEntries
! IMAGE_RESOURCE_DATA_ENTRY [0]
- 007710b8 bc 12 37 00 ddw 3712BCh OffsetToData
- 007710bc a8 08 00 00 ddw 8A8h Size
+ 007710b8 e8 10 37 00 ddw 3710E8h OffsetToData
+ 007710bc a8 25 00 00 ddw 25A8h Size
= 007710c0 00 00 00 00 ddw 0h CodePage
= 007710c4 00 00 00 00 ddw 0h Reserved
! IMAGE_RESOURCE_DATA_ENTRY [1]
- 007710c8 f0 10 37 00 ddw 3710F0h OffsetToData
+ 007710c8 90 36 37 00 ddw 373690h OffsetToData
= 007710cc ca 01 00 00 ddw 1CAh Size
= 007710d0 00 00 00 00 ddw 0h CodePage
= 007710d4 00 00 00 00 ddw 0h Reserved
! IMAGE_RESOURCE_DATA_ENTRY [2]
- 007710d8 64 1b 37 00 ddw 371B64h OffsetToData
+ 007710d8 5c 38 37 00 ddw 37385Ch OffsetToData
= 007710dc 14 00 00 00 ddw 14h Size
= 007710e0 00 00 00 00 ddw 0h CodePage
= 007710e4 00 00 00 00 ddw 0h Reserved
- 007710e8 00
- 007710e9 00
- 007710ea 00
- 007710eb 00
- 007710ec 00
- 007710ed 00
- 007710ee 00
- 007710ef 00
# moved, but identical
! Rsrc_Dialog_65_409
- 007710f0 ...........
- 007712ba 00
- 007712bb 00
# old icon
! Rsrc_Icon_1_809
- 007712bc ...........
# old group icon info
! Rsrc_GroupIcon_71_809
- 00771b64 ...........
- 00771b78 00
- 00771b79 00
- ...
- 00771bff 00
# end of section
# new icon
! Rsrc_Icon_1_809
+ 007710e8 ...........
# moved, but identical
! Rsrc_Dialog_65_409
+ 00773690 ...........
+ 0077385a 00
+ 0077385b 00
# updated group icon info
! Rsrc_GroupIcon_71_809
+ 0077385c ...........
+ 00773870 00
+ 00773871 00
+ ...
+ 007739ff 00
# end of section
# 00771b64 -> 0077385c
! Rsrc_GroupIcon_71_809
! GRPICONDIR GroupIcon Header
= 0077385c 00 00 dw 0h idReserved
= 0077385e 01 00 dw 1h idType
= 00773860 01 00 dw 1h idCount
! GRPICOND GroupIcon Entry
- 00771b6a 20 db 20h bWidth
- 00771b6b 20 db 20h bHeight
+ 00773862 30 db 30h bWidth
+ 00773863 30 db 30h bHeight
= 00773864 00 db 0h bColorCount
= 00773865 00 db 0h bReserved
= 00773866 01 00 dw 1h wPlanes
- 00771b70 08 00 dw 8h wBitCount
- 00771b72 a8 08 00 00 ddw 8A8h dwBytesInResource
+ 00773868 20 00 dw 20h wBitCount
+ 0077386a a8 25 00 00 ddw 25A8h dwBytesInResource
= 0077386e 01 00 dw 1h nId
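The .IIDKing section half-replaces .idata as the new directory that contains the import descriptors. This is done to maintain the original .idata section structure for import data, while extending the import descriptors to include lrrce.dll. Its section header (listed above) sets Characteristics to E0000020h, so the section is mapped as code that is readable, writable and executable, even though the listing below shows it holding only import descriptors, thunks and name strings; PE analysis tools commonly flag a writable and executable section like this. The only symbol imported from lrrce.dll is Dummy, which presumably exists just so that the Windows loader maps the DLL at process start.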
# everything before here is identical to .idata import descriptors
! IMAGE_IMPORT_DESCRIPTOR [11] LRRCE.DLL
+ 007740dc 04 41 37 00 ddw 374104h OriginalFirstThunk
+ 007740e0 00 00 00 00 ddw 0h TimeDateStamp
+ 007740e4 00 00 00 00 ddw 0h ForwarderChain
+ 007740e8 14 41 37 00 ddw 374114h Name
+ 007740ec 0c 41 37 00 ddw 37410Ch FirstThunk
# end of IMAGE_IMPORT_DESCRIPTOR's
= 007740f0 00 00 00 00 ddw 0h
= 007740f4 00 00 00 00 ddw 0h
= 007740f8 00 00 00 00 ddw 0h
= 007740fc 00 00 00 00 ddw 0h
= 00774100 00 00 00 00 ddw 0h
# LRRCE.DLL IMPORTS
! IMAGE_IMPORT_DESCRIPTOR - ORIGINAL FIRST THUNK
+ 00774104 1f 41 37 00 ddw 37411Fh IMAGE_THUNK_DATA32
+ 00774108 00 ?? 00h
+ 00774109 00 ?? 00h
+ 0077410a 00 ?? 00h
+ 0077410b 00 ?? 00h
! IMAGE_IMPORT_DESCRIPTOR - FIRST THUNK
# void __cdecl Dummy(void)
# void <VOID> <RETURN>
# 0 Dummy <<not bound>>
+ 0077410c 1f 41 37 00 addr LRRCE.DLL::Dummy
+ 00774110 00 ?? 00h
+ 00774111 00 ?? 00h
+ 00774112 00 ?? 00h
+ 00774113 00 ?? 00h
! IMAGE_IMPORT_DESCRIPTOR - DLL NAME
+ 00774114 6c 72 72 ds "lrrce.dll"
+ 63 65 2e
+ 64 6c 6c 00
+ 0077411e 00 ?? 00h
! IMAGE_IMPORT_BY_NAME
+ 0077411f 00 00 dw 0h Hint
+ 00774121 44 75 6d ds "Dummy" Name
+ 6d 79 00
+ 00774127 00 ?? 00h
+ ...
+ 007741ff 00
# end of section