         Read Write

SECTION HEADER #4
.h477w81 name
      8C virtual size
    7000 virtual address (00407000 to 0040708B)
     200 size of raw data
    3A00 file pointer to raw data (00003A00 to 00003BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

  Summary

        1000 .data
        4000 .h3mf85n
        1000 .h477w81
        1000 .rdata

Listing 11.5 (continued)
The /HEADERS option provides many more details on the program. For example, it is easy to see that section #1, .h3mf85n, is the code section. It is specified as Code, and the program's entry point resides in it (the entry point is at 404232 and .h3mf85n starts at 401000 and ends at 4042FF, so the entry point is clearly inside this section). The other oddly named section, .h477w81, appears to be a small data section, probably containing some variables. It's also worth mentioning that the subsystem flag equals 3. This identifies a Windows CUI (console user interface) program, and Windows will automatically create a console window for this program as soon as it is started.
All of those oddly named sections indicate that the program is possibly packed in some way. Packers have a way of creating special sections that contain the packed code or the unpacking code. It is a good idea to run the program through PEiD to see if it is packed with a known packer. PEiD is a program that can identify popular executable signatures and show whether an executable has been packed by one of the popular executable packers or copy protection products. PEiD can be downloaded from http://peid.has.it/. Figure 11.14 shows PEiD's output when it is fed Defender.EXE.
Unfortunately, PEiD reports “Nothing found,” so you can safely assume
that Defender is either not packed or that it is packed with an unknown
packer. Let’s proceed to start disassembling the program and figuring out
where that “Sorry... Bad key, try again.” message is coming from.
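The two checks made above by hand (which section's virtual range contains the entry point, and what a section's flags word and oddly chosen name say about packing) can be scripted. The following is an added example, not code from the book or from DUMPBIN; its section table is constructed from the values in Listing 11.5 and the text (image base 0x400000, entry point 0x404232, .h3mf85n at 401000 to 4042FF, .h477w81 at 7000 with flags C0000040), while section #1's flags word and the .data/.rdata ranges are assumed placeholders.

```python
from dataclasses import dataclass

IMAGE_BASE = 0x400000       # constructed from Listing 11.5 and the surrounding text
ENTRY_POINT_VA = 0x404232
SECTION_ALIGNMENT = 0x1000

# IMAGE_SCN_* characteristics bits (PE/COFF specification), in the order DUMPBIN prints them
FLAG_BITS = {0x20: "Code", 0x40: "Initialized Data",
             0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".rsrc", ".reloc", ".bss"}

@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int  # RVA, relative to IMAGE_BASE
    characteristics: int

SECTIONS = [  # section #1 flags and the .data/.rdata ranges are assumed placeholders
    Section(".h3mf85n", 0x3300, 0x1000, 0x60000020),
    Section(".data",    0x0100, 0x5000, 0xC0000040),
    Section(".rdata",   0x0100, 0x6000, 0x40000040),
    Section(".h477w81", 0x008C, 0x7000, 0xC0000040),  # SECTION HEADER #4 above
]

def decode_flags(characteristics):
    """Expand a characteristics word into the labels DUMPBIN prints under 'flags'."""
    return [label for bit, label in FLAG_BITS.items() if characteristics & bit]

def section_for_va(sections, va):
    """Return the section whose range [start, start + virtual size) holds va, else None."""
    rva = va - IMAGE_BASE
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None

def aligned_size(section):
    """Round the virtual size up to the section alignment (the numbers in the Summary block)."""
    return (section.virtual_size + SECTION_ALIGNMENT - 1) & ~(SECTION_ALIGNMENT - 1)

def packer_hints(sections):
    """Traits that suggest a packer: unusual names, or a section that is both writable and executable."""
    hints = []
    for s in sections:
        if s.name not in STANDARD_NAMES:
            hints.append((s.name, "non-standard name"))
        if s.characteristics & 0x80000000 and s.characteristics & 0x20000000:
            hints.append((s.name, "writable and executable"))
    return hints
```

Against a real file the same logic applies once the section table is read from the PE header; here the table is typed in so the script runs offline.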
376 Chapter 11