DT_FixRes English Help
Posted: 2005-3-21 22:11

Completed.

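Original text

Introduction:
    After many packed PE files are unpacked, their resource part often cannot be viewed or
modified with some resource viewers. The main reason is that many packers move part of the
resources (such as Icon and Version Information) out of the resource section into a section
added by the packer, so many resource viewers cannot correctly recognize resources spread
across two sections (incidentally, PE Explorer can recognize most resources in this
situation). DT_FixRes is a PE file resource repair and rebuilding engine. It can move the
resources spread across several sections back into a single resource section, and it fully
optimizes them: the repaired resources contain no junk data, just like the output of a
resource compiler, and are comparable to the original resources before packing. Once the
resources of an unpacked PE file have been repaired and rebuilt with this engine, every
resource viewer can view and modify the resource part. Users must use the engine
programmatically from their own programs. The engine is especially suitable for people who
localize software into Chinese.

Statement:
   1. You may use this engine free of charge. If you release a program that uses the engine,
please include the engine's copyright information in the accompanying documentation, in
support of the author's hard work;
   2. This software is safe, but the author does not accept responsibility for any loss or
harm caused by using it.

Usage:
   The engine is implemented as a dynamic link library (dll). The dll exports five functions,
which fall into two categories by function.

Category 1: PE file resource repair. After repair, the engine unconditionally adds a resource
        section to the PE file, which makes the file larger. This feature is suited to simple
        repair of the resource part of an unpacked PE.

<1> Exported function FixResFromFile

C prototype: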
BOOL __stdcall FixResFromFile(const char* PEFile, char* ErrBuff);

Delphi prototype:
function FixResFromFile(const AFileName: PChar; ErrMsg: PChar): Boolean; stdcall;

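Parameters:
PEFile --- pointer to the path of the PE file whose resources you want to fix;
ErrBuff --- pointer to a buffer of at least 80 bytes, which receives the error message when
            the function returns an error.

This function can be called from any programming language on the Win32 platform.

<2> Exported function FixResFromStream

Delphi prototype: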
function FixResFromStream(AStream: TMemoryStream; ErrMsg: PChar): Boolean;

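Parameters:
AStream is the memory stream of the PE image; the rest is as described in <1>.

This function is especially useful for people who write keygens: before saving a dumped PE
memory image to disk, you can repair the resources first, and working on the memory stream
reduces the amount of code. Note: this function can only be used from Delphi.

Category 2: exporting the rebuilt resource section. Different packers change the structure of
        the original PE file in very different ways, so the schemes for optimizing the PE
        structure of an unpacked file differ just as much, and it is hard for a single program
        to optimize the PE structure for every kind of unpacked file. The engine leaves that
        opportunity to the user. As the user, you may know how to unpack a certain kind of
        packer and how to optimize the PE structure afterwards, in which case you may also
        need to load the repaired resource section at an RVA you consider more appropriate.
        This interface meets that customization need. Because the feature is relatively
        complex, the user must be very familiar with the PE structure, so it is intended for
        advanced users only.

<1> Exported function DumpResFromFile

C prototype: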
BOOL __stdcall DumpResFromFile(const char* PEFile, char* ResFile,
  DWORD NewRVA, DWORD FileAlign, char* ErrBuff);

Delphi prototype:
function DumpResFromFile(const PEFile: PChar; const ResFile: PChar;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean; stdcall;

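Parameters:
PEFile --- pointer to the path of the PE file whose resources you want to fix;
ResFile --- pointer to the path of the file in which the exported resource section is saved;
NewRVA --- the RVA at which you want the repaired PE file's resources to be loaded, i.e. the
           virtual address of the resource data directory. The address should be greater than
           0x1000 and DWORD aligned; a multiple of 0x1000 is recommended.
FileAlign --- file alignment of the resource section; the value can only be 0x200 or 0x1000.
ErrBuff --- pointer to a buffer of at least 80 bytes, which receives the error message when
            the function returns an error.

This function can be called from any programming language on the Win32 platform.

<2> Exported function DumpResFromStream

Delphi prototype: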
function DumpResFromStream(PEStream: TMemoryStream; const ResFile: string;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean;

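Parameters:
PEStream is the memory stream of the PE image; the rest is as described in <1>.

Working on the memory stream reduces the amount of code. Note: this function can only be used
from Delphi.

<3> Exported function DumpResFromStreamEx

Delphi prototype: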
function DumpResFromStreamEx(PEStream: TMemoryStream; ResStream: TMemoryStream;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean;

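This function is especially useful for people who write keygens: before saving a dumped PE
memory image to disk, you may need to optimize the PE structure, and before that optimization
you will probably need to export the rebuilt resource section. Working on the memory stream
reduces the amount of code. Note: this function can only be used from Delphi.

Important: the engine repairs and rebuilds PE resources only on the basis of a correct PE
format, so before using any of the five functions above make sure that the file or memory
stream being operated on has a correct PE format; otherwise unpredictable errors may occur.

Calling example (Delphi):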
procedure FixResDemo;
type
  TFixPERes = function(const AFileName: PChar; ErrBuff: PChar): Boolean; stdcall;
var
  ErrBuff: array[1..80] of Char;
  Handle: THandle;
  FixPERes: TFixPERes;
begin
  Handle := LoadLibrary('DT_FixRes.dll');
  if Handle <> 0 then
  begin
    @FixPERes := GetProcAddress(Handle, 'FixResFromFile');
    if @FixPERes <> nil then
      if not FixPERes(PChar('ur PE file'), @ErrBuff) then
        ShowMessage(ErrBuff);
    FreeLibrary(Handle);
  end;
end;

Other:
I wrote a demo for testing the engine; please put it in the same directory as the engine dll
to test. If you find a bug, please e-mail me.

dREAMtHEATER
2005-03-20
  
E-mail:NoteXPad@163.com
http://dREAMtHEATER.yeah.net



Translator:
cyclotron/TT

Introduction:

It is a common problem in packed PE files that after unpacking, their resources cannot be viewed or modified by some resource explorers. The main reason for this is that many packers/protectors move the incompressible resources (e.g. Icon, Version information) into the appended section, while most of the resource explorers cannot correctly recognize the resources distributed in two separate sections (except PE Explorer, by the way). DT_FixRes is a professional resource rebuilding engine for PE files, capable of recollecting the resources in different sections into a single one, optimizing structures and removing junk, if any. Comparable to resource compilers, DT_FixRes restores the resource structures on an almost perfect basis. PE files, when fixed by DT_FixRes, expose the resources to all the resource explorers for free view or modification.

The functions of DT_FixRes are accessible to programmers and especially to software localizers through specific interfaces.

Disclaimers:

1. DT_FixRes is free for use, subject to the inclusion of copyrights for support to the author.

2. DT_FixRes is presumably safe to use, but the author holds no responsibility for any damages possibly caused by the engine.

Instructions:

The engine of DT_FixRes is implemented as a dll, exporting five functions in all, sorted into two types.

1st Type: Restoration of PE resources. When done, the engine will unconditionally append a resource section to the PE file, resulting in an increase in size. These functions apply to simple restoration of unpacked PE files.

<1> Export Function Name: FixResFromFile

-Prototype for C
BOOL __stdcall FixResFromFile(const char* PEFile, char* ErrBuff);

-Prototype for Delphi
function FixResFromFile(const AFileName: PChar; ErrMsg: PChar): Boolean; stdcall;

Arguments Specifications:
PEFile --- Pointer to the path of the PE file whose resource is to be fixed;
ErrBuff --- Pointer to a buffer with a size of at least 80 bytes, for the reception of error messages.

This function is compatible with all Win32 platforms.

<2> Export Function Name: FixResFromStream

-Prototype for Delphi
function FixResFromStream(AStream: TMemoryStream; ErrMsg: PChar): Boolean;

Arguments Specifications:
AStream represents the memory stream of the PE image. Refer to (1) for the others.

This function is especially applicable to keygen makers. You may fix the resources by operating on the memory stream, for a reduction in customized code, before dumping the PE image onto your hard disk. Note that it is exclusively compatible with Delphi.

2nd Type: Export of restored resource section. There are various schemes of optimization for dumped PE files due to diversified modifications made to the original PE files by different packers/protectors. The engine provides an opportunity to the programmers so that they can make customized optimizations to the dumped PE files. As the caller, you may be quite acquainted with the best optimization scheme for the specific packer/protector as well as the best starting RVA to load the resource section into. So this function is prepared for that customized requirement. Note that the user should be familiar with PE structures on account of the relative complexity of this function. Advanced users only.

<1> Export Function Name: DumpResFromFile

-Prototype for C
BOOL __stdcall DumpResFromFile(const char* PEFile, char* ResFile,
  DWORD NewRVA, DWORD FileAlign, char* ErrBuff);

-Prototype for Delphi
function DumpResFromFile(const PEFile: PChar; const ResFile: PChar;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean; stdcall;

Arguments Specifications:
PEFile --- Pointer to the path of the PE file whose resource is to be fixed;
ResFile --- Pointer to the path of the exported resource section;
NewRVA --- RVA for the PE file to load resource section into, or the virtual address of resource data directory;
FileAlign --- File alignment of the resource section, 0x200 or 0x1000 exclusively;
ErrBuff --- Pointer to a buffer with a size of at least 80 bytes, for the reception of error messages.

This function is compatible with all Win32 platforms.

<2> Export Function Name: DumpResFromStream

-Prototype for Delphi
function DumpResFromStream(PEStream: TMemoryStream; const ResFile: string;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean;

Arguments Specifications:
AStream represents the memory stream of the PE image. Refer to (1) for the others.

<3> Export Function Name: DumpResFromStreamEx

-Prototype for Delphi
function DumpResFromStreamEx(PEStream: TMemoryStream; ResStream: TMemoryStream;
  NewRVA: DWord; FileAlign: DWord; ErrMsg: PChar): Boolean;

This function is especially applicable to keygen makers. You may fix the resources by operating on the memory stream, for a reduction in customized code, before dumping the PE image onto your hard disk. Note that it is exclusively compatible with Delphi.

Special tips:
The engine restores only the resources of a correctly structured PE file, so please make sure of the validity of the target PE file before calling any of the above five functions. Otherwise, it may result in unexpected errors.

Demo for Delphi:

procedure FixResDemo;
type
  TFixPERes = function(const AFileName: PChar; ErrBuff: PChar): Boolean; stdcall;
var
  ErrBuff: array[1..80] of Char;
  Handle: THandle;
  FixPERes: TFixPERes;
begin
  Handle := LoadLibrary('DT_FixRes.dll');
  if Handle <> 0 then
  begin
    @FixPERes := GetProcAddress(Handle, 'FixResFromFile');
    if @FixPERes <> nil then
      if not FixPERes(PChar('ur PE file'), @ErrBuff) then
        ShowMessage(ErrBuff);
    FreeLibrary(Handle);
  end;
end;

Others:
I wrote a demo to test the engine, which is located in the same directory as the dll. Please feel free to inform me of the bugs, if any.

dREAMtHEATER
2005-03-20

E-mail:NoteXPad@163.com
http://dREAMtHEATER.yeah.net



To dREAMtHEATER:
You show too much favour to Delphi.

Mistakes are inevitable; I would appreciate any corrections.
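
The condition the introduction describes, resource data that a packer moved out of the resource section, can be checked before deciding whether an unpacked file needs repair. The following is an added example, not code from the post or from DT_FixRes; it assumes the on-disk (raw) file layout rather than a memory dump, and `stray_resources` and its helpers are hypothetical names.

```python
import struct

def _headers(pe):
    """Return (resource directory RVA, section rows); ValueError if not a PE."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]         # PE32 / PE32+ data directories
    res_rva = struct.unpack_from("<I", pe, dirs + 16)[0]  # directory entry 2 = resources
    # row = (name, virtual size, RVA, raw size, raw file offset)
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    return res_rva, secs

def _find(secs, rva):
    """Return the section row containing rva, or None."""
    for sec in secs:
        if sec[2] <= rva < sec[2] + max(sec[1], sec[3]):
            return sec

def stray_resources(pe):
    """Return sorted (type id, data RVA) for resource leaves whose data lies
    outside the section holding the resource directory (raw layout assumed)."""
    try:
        res_rva, secs = _headers(pe)
        home = _find(secs, res_rva)
        if home is None:                       # no resource directory at all
            return []
        base = home[4] + res_rva - home[2]     # file offset of the root directory
        stray, todo, seen = [], [(0, None)], set()
        while todo:
            off, rtype = todo.pop()
            if off in seen:                    # malformed trees may loop
                continue
            seen.add(off)
            named, ids = struct.unpack_from("<12xHH", pe, base + off)
            for i in range(named + ids):
                name, target = struct.unpack_from("<II", pe, base + off + 16 + 8 * i)
                kind = name if rtype is None else rtype   # keep the top-level type id
                if target & 0x80000000:        # high bit set: subdirectory offset
                    todo.append((target & 0x7FFFFFFF, kind))
                    continue
                rva = struct.unpack_from("<I", pe, base + target)[0]
                if _find(secs, rva) is not home:
                    stray.append((kind, rva))
        return sorted(stray)
    except (struct.error, KeyError):
        raise ValueError("truncated or malformed PE") from None
```

A non-empty result (for example type id 3, RT_ICON, or 16, RT_VERSION) means the file has the split-resource layout that the engine is meant to repair.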

Latest replies (3)
Thanks for your hard work~
2005-3-22 01:07
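Heh, I just saw this post. I'll deal with it once work quiets down; brother cyclotron may still need to make some changes, since I'm someone who likes things to be perfect.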
2005-4-3 13:59
Good. Do more of this, so that we juniors can learn too.
2005-4-3 14:18