
Open exe program code. How to open .dll or .EXE file in resource editor

*** ALL WRITTEN USE FOR EDUCATIONAL PURPOSES ONLY! ***

-Tools-
OLLYDBG
The application into which we will insert our code.
This will be NOTEPAD.EXE.
It is advisable to make a copy of the file.
That's all.

-Start-
Our goal is to paste our code into Notepad.EXE.
We will insert a simple MessageBox that appears when Notepad starts.
Let's run Notepad and make sure it starts up fine.

If you are sure that this is the original Notepad.exe, open it in Olly.
The following window will appear:

In order to insert our code, we need room for it in the program code.
EXE files contain many code caves. These are runs of zero bytes (DB 00).
You just need to scroll the program code a little below the beginning, and you will see a code cave:

The red rectangle highlights a stretch of code caves.
Here you can insert any code, and the program will not be damaged.
If you already know the MessageBox API function, just skip these lines.

***** BEGIN QUOTE FROM WIN32 PROGRAMMER'S MANUAL

The MessageBox function creates, displays, and operates a message box.
The message box contains an application-defined message and title,
plus any combination of predefined icons and push buttons.

int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);

***** END QUOTE FROM WIN32 PROGRAMMER'S MANUAL


That's all there is to know about MessageBox.
Let's do something with CodeCaves.
In order to use MessageBox, we need to create the text that it will display.
In the next picture, I have highlighted a couple of lines with code caves and
shown the Binary > Edit menu for you (it will be useful to us).


If you press Binary > Edit (or CTRL + E), you will see the following window.
Just fill in the top field the same way I did.
Click OK and you will see the modified code (highlighted in red):
Press CTRL + A now to re-parse the code.
OK! Now, if you want to make the title of the message different, duplicate this line
(this is like the second parameter of the procedure call).

-A bit of assembler-

It's time for some ASM.
Here's a good example!

PUSH 0           ; uType = 0: BUTTONS = <OK BUTTON ONLY>, <NO ICON>
PUSH 1008751     ; CAPTION = OUR ADDRESS "INJECTED NOTEPAD"
PUSH 1008751     ; MESSAGE = SAME.
PUSH 0           ; hWnd = 0: no owner window
CALL MessageBoxA ; Calling MessageBoxA with the specified parameters.


Entered in Olly, these lines will look like this:

Do you see the arrow ?! IT IS VERY IMPORTANT!
After all, if we just run the program, then nothing will happen. Why?
Because our little procedure is not called anywhere yet!
You need to write down the address where it begins, i.e. the address of "PUSH 0", because we need to make a jump
to our procedure and then go back.
Fine. Now go back to the beginning of the program (the C button on Olly's toolbar, or as in the picture).

Now we are on the very first line to be executed.
Do you still remember that our goal is to insert your own code?
Then we'll continue!
Select a couple of lines from the beginning and copy them to the clipboard.


Paste them into any text editor - they will be useful to us again.
Go back to the beginning of the program.
(In the picture above it is PUSH 70).
Double clicking on this line will show us the following window.
In it you need to enter "JMP <address of PUSH 0 that we wrote down earlier>".
Press the Assemble button and the program code will change again, i.e. changes are highlighted in red.

Look at the red rectangle! We need to jump to this address upon completion of our code.
But if we jump here after the injection, the program will be executed as if without it.
So there is one more thing to do!
Compare the new beginning of the program with the old one that we copied into a text editor.
You will see that two lines have been overwritten! But we need them for the program
to run normally, without errors. Find the lines that have been overwritten.
In my case, it was the following code:

PUSH 70
PUSH NOTEPAD.01001898


Click on the first line of code (our JMP) and press ENTER.
You will be taken to the inserted MessageBox call code!
After CALL MessageBoxA we will need to insert these two lines AND jump back!


THAT'S ALL!
(It is easy to check if the jump is working correctly - select it and press ENTER!)
To save our "modified" Notepad, follow the steps as in the picture:
Then click Copy all. In the window that appears, right-click,
select the menu item Save File and save under a new name. Run the file:
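
The effect of this procedure on the file can be checked afterwards by comparing the saved file with the backup copy made at the start. The following Python is an added example, not part of the original article: it lists the changed byte ranges and labels the overwritten entry point and the filled code cave. The sample images, the ENTRY offset and the function names are constructed for illustration.

```python
# Added example. ORIG and PATCHED are constructed byte images, not Notepad.exe.
ENTRY = 0x10  # assumed file offset of the first executed instruction

def changed_runs(orig, new, max_gap=4):
    """Half-open (start, end) ranges that differ. Runs separated by a few
    coincidentally equal bytes (the 00 of PUSH 0 in a zero cave) are merged."""
    if len(orig) != len(new):
        raise ValueError("size changed; this check expects an in-place patch")
    runs = []
    for i, (a, b) in enumerate(zip(orig, new)):
        if a == b:
            continue
        if runs and i - runs[-1][1] <= max_gap:
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    return [tuple(r) for r in runs]

def jmp_target(image, off):
    """File offset reached by a JMP rel32 (opcode E9) at off, else None.
    Only meaningful while the jump and its target sit in the same section."""
    if off + 5 > len(image) or image[off] != 0xE9:
        return None
    rel = int.from_bytes(image[off + 1:off + 5], "little", signed=True)
    return off + 5 + rel

def review_patch(orig, new, entry=ENTRY):
    """Label every changed range: entry overwrite, filled cave, or other."""
    target = jmp_target(new, entry)
    findings = []
    for start, end in changed_runs(orig, new):
        if start <= entry < end:
            label = "entry point overwritten"
        elif not any(orig[start:end]):
            label = "zero-filled cave now holds data"
            if target is not None and start <= target < end:
                label += "; entry JMP lands here"
        else:
            label = "existing bytes modified"
        findings.append((start, end, label))
    return findings

# Constructed sample: filler, the two entry instructions shown on the page
# (PUSH 70 / PUSH 01001898), more filler, then a 0x40-byte zero cave.
ORIG = b"\x55" * 0x10 + bytes.fromhex("6a706898180001") + b"\xc3" * 9 + bytes(0x40)
PATCHED = bytearray(ORIG)
PATCHED[0x10:0x17] = bytes.fromhex("e90b0000009090")  # JMP rel32 + 2 NOPs
PATCHED[0x20:0x2E] = bytes.fromhex("6a00685187000168518700016a00")  # the PUSHes

if __name__ == "__main__":
    for start, end, label in review_patch(ORIG, PATCHED):
        print(f"{start:#06x}-{end:#06x}  {label}")
```

An unexpected entry-point change paired with new data in a formerly zero region is the signature this tutorial leaves behind, which is why a hash or byte comparison against a known-good copy catches it.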

The added function must be called not directly, as it is written in the article, but in a slightly different way.

First, after adding the procedure to the imports, you need to know its FT (FirstThunk, "IAT"). It is displayed here:

Remember it! (I will name it TrueAdress)


Now let's move on to the place where we will write our code (code caves).
Now let's add the correct call to our function MessageBoxA. To do this, write:

JMP [TrueAdress]

If Olly automatically detects the new code as a procedure call - very, very good! It means that it will be easier further on. If not, then you miscalculated the import address. Check again!
Write down the address of this JMP (I will name it TrueCall).

Now we do everything as in the article (inserting lines, PUSH, etc.), but instead of:

Call MessageBoxA

you need to write:

Call TrueCall

The rest remains the same.



Sometimes CODE.EXE and other EXE system errors can be related to problems in the Windows registry. Several programs can share the same CODE.EXE file, but when these programs are uninstalled or changed sometimes orphaned (invalid) EXE registry entries are left behind.

Basically, this means that while the actual path to the file may have changed, its incorrect former location is still recorded in the Windows registry. When Windows tries looking up these incorrect file references (file locations on your PC), CODE.EXE errors can occur. In addition, malware infection may have corrupted the registry entries associated with Game Cracker. Thus, these invalid EXE registry entries need to be repaired to fix the root of the problem.

Manually editing the Windows registry to remove invalid CODE.EXE keys is not recommended unless you are PC service professional. Errors made while editing the registry can cause your PC to malfunction and cause irreparable damage to your operating system. In fact, even a single comma in the wrong place can prevent your computer from booting!



A warning: Unless you are an experienced PC user, we do NOT recommend manually editing the Windows Registry. Incorrect use of Registry Editor can lead to serious problems and require you to reinstall Windows. We do not guarantee that problems resulting from improper use of Registry Editor can be corrected. Your use of the Registry Editor is at your own risk.

To manually repair your Windows registry, first you need to create a backup by exporting a portion of the registry related to CODE.EXE (e.g. Game Cracker):

  1. Click on the Start button.
  2. Enter "command" in the search bar... DO NOT PRESS ENTER YET!
  3. While holding down the CTRL-Shift keys on the keyboard, press ENTER.
  4. A dialog box for access will be displayed.
  5. Click on Yes.
  6. The black box opens with a blinking cursor.
  7. Enter " regedit" and press ENTER.
  8. In the Registry Editor, select the CODE.EXE-related key (e.g. Game Cracker) you want to back up.
  9. On the File menu, choose Export.
  10. In the Save to list, select the folder where you want to save the Game Cracker backup key.
  11. In the File name field, type a name for your backup file such as "Game Cracker Backup".
  12. Make sure that Selected branch is selected in the Export range box.
  13. Click on Save.
  14. The file will be saved with the extension .reg.
  15. You now have a backup of your CODE.EXE-related registry entry.

The next steps for manually editing the registry will not be described in this article, as they can most likely damage your system. If you would like more information on manually editing the registry, please see the links below.

With the help of Resource Tuner you can open executable files like .EXE, .DLL, .OCX, screensavers (.SCR) and many more. Once you open the file, you gain access to the file's resources and can replace icons, cursors, and graphics in various formats, change strings in menus, dialog boxes, and other user interface elements.

However, it should be borne in mind that the resources in the executable file are separated from the program code, and by changing the program interface, you do not get access to the program code. Using the resource editor, you can change the control elements of the program. You cannot change the program code using the resource editor.

For more serious changes (which, however, will not lead to anything good without sufficient experience in programming applications for Windows), we recommend using PE Explorer (editor for the structure of PE files) or FlexHex (hex editor for binary files).

Opening an EXE or DLL file in Resource Tuner

Resource Tuner supports several ways to open files. To open a file for viewing and editing, click the Open File button on the toolbar or select the command File > Open from the menu. The drop-down menu next to the button on the toolbar gives you quick access to a list of recently opened files. The same list can be obtained with the command File > Recent Files from the program menu. The number of files in the list is configured in the Customize dialog.


You can also open a file with Resource Tuner directly from Windows Explorer by right-clicking on the file and choosing Open with Resource Tuner from the context menu.

Or you can simply drag and drop the file icon from Windows Explorer onto the Resource Tuner icon on the desktop or onto the Resource Tuner window.

You can also open the file from the command line.
For example: restuner.exe filename.exe

When opening a file, Resource Tuner performs several automatic operations: it unpacks the file if it detects that it was packed using UPX, then it checks the structure and resources of the file for possible errors, and finally rebuilds the damaged resources in accordance with the specification of the executable file format.

Errors when opening a file

If an error occurs when opening a file, it is most likely for three reasons: the file is protected, the file is 16-bit, or it is not an executable file at all.

1. Error: The file is damaged, compressed by a packer or protected by a protector.

The chances are high that the file is compressed to reduce its size. There are dozens of packers and protectors for executable files, and new ones appear all the time. Resource Tuner supports unpacking only one, but the most common packer - UPX. The rest of the packers are not supported, and you will have to unpack the file yourself before you can open the file for viewing or editing.

This situation is not considered as a program error. We are not going to fight the attempts of other authors of programs to protect their creations from hacking, nor to support the unpacking of several dozen different packers, among which there are both commercial products and homemade products.

2. Error: The file is identified as a 16-bit NE Executable. This format is not supported!

Our programs only work with 32- and 64-bit PE files. The NE format (short for "New Executable") is a 16-bit application format inherited from older versions of Windows 3.xx. With the advent of Windows 95, this format is considered obsolete and not used, although it can be executed on modern platforms from Microsoft. We do not support 16-bit files, and we do not intend to support them.

3. Error: The file is not an EXE or DLL file. At all!

Resource Tuner does not identify a file by its extension. If you rename the extension of the executable file, say, change .EXE to .TXT or remove the extension altogether, Resource Tuner cannot be fooled by this: when opening a file, the program analyzes the file header inside the file and does not look at the extension at all.

Therefore, if the Resource Tuner tells you that the file is not executable, then it is so. If for some reason someone supplied a text file in the game with the extension .DLL, then the file does not cease to be a text file and does not become a dynamic library. Don't be fooled by the file extension.
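
The three error cases above can all be told apart from the header bytes alone. The following Python is an added example, not Resource Tuner's own code: it classifies a file as non-executable, 16-bit NE, or 32-/64-bit PE, and flags UPX-style section names as a heuristic. The function names and the sample images are constructed for illustration.

```python
import struct

def identify_executable(data: bytes) -> str:
    """Classify a file by its header bytes, ignoring its name and extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an executable"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of new header
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "16-bit NE"
    if sig != b"PE\0\0":
        return "MZ file without a PE header"
    opt = e_lfanew + 24          # 4-byte signature + 20-byte COFF file header
    if opt + 2 > len(data):
        return "truncated PE header"
    (magic,) = struct.unpack_from("<H", data, opt)
    kind = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)"}.get(magic)
    if kind is None:
        return "PE with unknown optional header"
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = opt + opt_size       # section table follows the optional header
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0")
             for i in range(nsec)]
    # Heuristic only: UPX normally names its sections UPX0, UPX1, ...
    if any(n.startswith(b"UPX") for n in names):
        kind += ", UPX section names"
    return kind

def sample_image(sig=b"PE\0\0", magic=0x10B, names=(b".text",)):
    """Constructed header-only image for the demo (not a loadable program)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 2, 0)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return dos + sig + coff + struct.pack("<H", magic) + sections

if __name__ == "__main__":
    cases = {
        "text renamed to .DLL": b"plain text, not a library\r\n" * 4,
        "16-bit NE": sample_image(sig=b"NE\x05\x00"),
        "32-bit PE": sample_image(),
        "64-bit PE": sample_image(magic=0x20B),
        "UPX-packed PE": sample_image(names=(b"UPX0", b"UPX1")),
    }
    for label, blob in cases.items():
        print(f"{label:22} -> {identify_executable(blob)}")
```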

Which files do not make sense to open in the resource editor

Despite the fact that Resource Tuner is designed to open and edit any 32- / 64-bit executable files, there are some types of EXE files in which resources are practically absent.

1. Files created with Visual Basic.

In such files, there is nothing in the resources section, except for the icon and version information. Strings and dialogs in programs written in Visual Basic are stored in their own closed format, and the standard resource section is not used in them.

2. .EXE files of a gigabyte or more in size.

Since Resource Tuner is a 32-bit program, there are natural limitations for placing an image of an opened file in virtual memory within the first gigabyte. A file of a gigabyte or more simply won't fit there.

3. Self-extracting archives in the form of EXE files.

In such files, there is nothing in the resources except for the icon and version information, and even those may be absent. In fact, this is archived data, provided with a subroutine for unpacking.

4. Installers of other programs.

In such files, there is nothing in the resources, except for the icon and version information. They are very similar to item 3. The installer file can be thought of as a container that contains another .EXE file in compressed form and a subroutine to extract it. In addition, programs for creating installers use different algorithms to store archived data inside themselves.



Resource Tuner works on all Windows versions
from 2000 and XP to 8 and 10.

Minimum system requirements:
Intel Pentium® or AMD K5 166 MHz processor
16 MB RAM

It is impossible to open the source code if we tried to ensure security for this (especially if it is a proprietary thing).

But there are ways to fully or partially expose the code.

  • IDA Pro is the best free hacker, some macros may allow you to reverse the code. But not always. Borland products open up especially well.
  • Hiew.Exe is a very small free utility that allows you to edit your code in assembly language. You can edit text and integer constants. You can even use it to "translate" the program into another language, erase the name of the company, etc.
  • If there is a PDB file, or debug-info is attached to the file, then the code can be obtained in the development environment (if debug-info is complete) can rarely be used. You cannot get the source code, but you can get "line numbers and source names", as well as the names / values of all constants, local variables, avoid "fragmentation of functions" and also get classes with class stuffing (almost all structures except the program text) that will greatly simplify the understanding of the program. For some libraries (dll), pdb files can be downloaded separately. It is unlikely that a self-respecting company will leak the pdb of its worthwhile product.
  • Debug info, there is DebugInfo information embedded in the exe. If there is such information, and the corresponding utility (for example, Borland Delphi is compiled and available), then you can do something similar to the previous point. But a self-respecting company is unlikely to make such a "stupid" mistake (similar to pdb).
  • If the file is written in C# it can be almost completely viewed in code using disSharp (such programs "include" only mscorlib in the import table and that's it). DisSharp disassembles some parts of the program poorly, but its paid version or the paid version of similar utilities may reveal the code better.
  • If the file is written in FoxPro, clipper and other similar byte-code languages, it is expanded by special utilities (Refox for example).
  • The utilities exescope.exe, ResourceHacker.exe and similar ones allow you to view the header, connected libraries (using them you can understand what the program is written in) and edit the program resources (resource forms, including Delphi ones, icons, pictures, tables of resource strings).
  • If you know how the code was created, I think there are special utilities that can open it (they are paid and inaccessible).

Again, this is on condition that there is no code packer (then you need to first apply a depacker), an encryptor / self-modifying code. If not broken by an obfuscator so do not unravel. The larger the code, the harder it is to figure it out.

P.S. Personally, my opinion is that everything is revealed and hacked, but it takes a lot, a lot of time. Perhaps a year or more (it depends on experience and tools, there are no good tools in the public domain).