Got it to output the NT signature ('PE')

larsch · banister · Dec 7, 2017 · Dec 7, 2017 · Dec 7, 2017 · Dec 8, 2017
commit dacf97ad95213fa8fd9badf6dc8a31f591f499ac
diff --git a/Rakefile b/Rakefile
@@ -12,6 +12,17 @@ end
 
 spec.urls.each { |url| url.chomp! }
 
+desc "task for fast iteration"
+task :do_it do
+  sh "rake install_gem" rescue nil
+  sh "gem uninstall ocra"
+  puts "installing the bitch"
+  sh "gem install pkg/ocra-1.4.666.gem"
+  sh "rm hello.exe"  rescue nil
+  sh "ocra hello.rb"
+  sh "./hello.exe"
+end
+
 task :build_stub do
   sh "mingw32-make -C src"
   cp 'src/stub.exe', 'share/ocra/stub.exe'

diff --git a/src/Makefile b/src/Makefile
@@ -3,8 +3,8 @@ OBJS = $(SRCS:.c=.o) stubicon.o
 CC = gcc
 BINDIR = $(CURDIR)/../share/ocra
 
-CFLAGS = -Wall -O0 -ggdb 
-STUB_CFLAGS = -D_CONSOLE $(CFLAGS) -s
+CFLAGS = -Wall -O2 -DWITH_LZMA -Ilzma -s
+STUB_CFLAGS = -D_CONSOLE $(CFLAGS)
 STUBW_CFLAGS = -mwindows $(CFLAGS)
 # -D_MBCS
 
@@ -14,7 +14,7 @@ stubicon.o: stub.rc
 	windres -i $< -o $@
 
 stub.exe: $(OBJS) stub.o
-	$(CC) $(STUB_CFLAGS) stub.o -o stub
+	$(CC) $(STUB_CFLAGS) $(OBJS) stub.o -o stub
 
 stubw.exe: $(OBJS) stubw.o
 	$(CC) $(STUBW_CFLAGS) $(OBJS) stubw.o -o stubw

diff --git a/src/stub.c b/src/stub.c
@@ -366,13 +366,22 @@ int CALLBACK _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCm
    return 0;
 }
 
+void ExamineSignature(LPVOID ptr) {
+  PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)ptr;
+  PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD)dosHeader + (DWORD)dosHeader->e_lfanew);
+  printf("e_lfanew: %lu\n", dosHeader->e_lfanew);
+  printf("NT signature: %s\n", (char*)&ntHeader->Signature);
+}
+
 /**
    Process the image by checking the signature and locating the first
    opcode.
 */
 BOOL ProcessImage(LPVOID ptr, DWORD size)
 {
    LPVOID pSig = ptr + size - 4;
+   ExamineSignature(ptr);
+
    if (memcmp(pSig, Signature, 4) == 0)
    {
       DEBUG("Good signature found.");