I have a Windows 7 computer. I heard that Windows executables use the PE format. I was trying to understand how executables are assembled, so I opened one up in a hex editor. They start with the heading “MZ” so that the computer knows it is a .exe file. Most of it isn’t English. I also noticed that in my specific file it had 3 “chunks” of 96 NULL characters. Two of them were close to the beginning, and one was at the end. This is what it looks like:
[image link broken]
This code uses the FASM assembler.
This is the code before it was compiled:
[image link broken]
So my question is, how are executables “put together”? What is up with the endless NULL characters? Also, how come when you edit the hex code of a file and ADD a byte the data is “corrupted”, but when you just CHANGE a byte, it is fine?
Thanks so much!!!
Christian
The format used by Windows is Microsoft’s Portable Executable format. To find out more you can read the specification of the file.
Portable Executables follow a certain standard. You cannot just change bytes, because you will cause the file to break the standard.
Hence, adding bytes at arbitrary places is likely to corrupt the format. For example, PE files are composed of sections. These sections have a certain size, which is defined in the section headers. The section header itself is a certain size, with specific fields at specific offsets. Suppose you just add a byte to a section or section header: you are likely corrupting the file by moving fields to offsets where they are not expected to be, or by making it so a section is not the size it was originally defined to be.
Changing a byte will change a value somewhere. Even then it is possible for you to mess things up. If you have a specific goal in mind, you should state it and we can probably point you in a better direction to pursue it.
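To make the answer's point concrete, here is an added example (my own code, not part of the original question or answer, and not FASM output). It hand-assembles a constructed, single-section PE32 image in memory, walks the DOS header, PE signature, COFF header, optional header and section table the way a loader does, and then compares what happens when one byte is overwritten versus when one byte is inserted. All function names (`build_minimal_pe`, `parse_pe`, `entry_bytes`, `change_byte`, `insert_byte`, `is_valid_pe`) and the tiny `mov eax, 1 ; ret` section body are assumptions of this example.

```python
"""Added example: a minimal PE32 header walker over a constructed image.

Not code from the original post. The image built here is hand-assembled and
only contains the fields this example reads; it is not a runnable program.
"""
import struct

DOS_HEADER_SIZE = 64          # e_lfanew lives at offset 0x3C inside this header
OPTIONAL_HEADER_SIZE = 224    # PE32 optional header incl. 16 data directories
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 512          # section raw data starts on a 512-byte boundary

# Constructed section body: x86 'mov eax, 1 ; ret' (assumption for this example).
CODE = b"\xb8\x01\x00\x00\x00\xc3"


def build_minimal_pe():
    """Assemble a constructed single-section PE32 image and return it as bytes."""
    e_lfanew = DOS_HEADER_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 1 section, no symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    # Optional header: Magic, linker version, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, BaseOfData; rest zero
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, FILE_ALIGNMENT, 0, 0,
                      0x1000, 0x1000, 0x2000)
    opt += b"\0" * (OPTIONAL_HEADER_SIZE - len(opt))
    raw_ptr = FILE_ALIGNMENT
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs/linenumbers (unused), Characteristics (code|exec|read)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(CODE), 0x1000,
                      FILE_ALIGNMENT, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    # The gap between the section table and the first section is zero-filled
    # (file-alignment padding): one of the runs of NUL bytes seen in a hex editor.
    headers += b"\0" * (raw_ptr - len(headers))
    body = CODE + b"\0" * (FILE_ALIGNMENT - len(CODE))
    return headers + body


def _read(fmt, data, offset):
    """struct.unpack_from that reports a truncated header as a format error."""
    try:
        return struct.unpack_from(fmt, data, offset)
    except struct.error:
        raise ValueError("header field at offset 0x%x runs past end of file" % offset)


def parse_pe(data):
    """Walk the PE headers; raise ValueError where the layout violates the spec."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = _read("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsec, _, _, _, opt_size, _ = _read("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = _read("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("bad optional header magic 0x%x" % magic)
    (entry_rva,) = _read("<I", data, opt_off + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = _read("<8sIIII", data, off)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section %r raw data runs past end of file" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "data": data[raw_ptr:raw_ptr + raw_size]})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def is_valid_pe(data):
    """True if the headers parse without a format error."""
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def entry_bytes(data, n=len(CODE)):
    """Return the first n bytes at the entry point, located via the section table."""
    pe = parse_pe(data)
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            off = pe["entry_rva"] - s["vaddr"]
            return s["data"][off:off + n]
    raise ValueError("entry point is not inside any section")


def change_byte(data, offset, value):
    """Overwrite one byte: every other offset stays where the headers say it is."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


def insert_byte(data, offset, value):
    """Insert one byte: everything after 'offset' shifts, but the headers do not."""
    return data[:offset] + bytes([value]) + data[offset:]


if __name__ == "__main__":
    image = build_minimal_pe()
    print("original entry bytes:      ", entry_bytes(image).hex())
    # Changing a byte inside .text: structure intact, only that value differs.
    print("changed byte, entry bytes: ", entry_bytes(change_byte(image, FILE_ALIGNMENT + 1, 2)).hex())
    # Inserting a byte in the DOS header shifts e_lfanew: the PE signature is no
    # longer where the header claims, so the file is rejected outright.
    print("insert in DOS header valid:", is_valid_pe(insert_byte(image, 2, 0)))
    # Inserting a byte in the padding still parses, but PointerToRawData now points
    # one byte early, so the bytes at the entry point are no longer the real code.
    print("insert in padding, entry:  ", entry_bytes(insert_byte(image, 400, 0)).hex())
    # Appending bytes after the last section changes nothing the headers describe.
    print("appended bytes valid:      ", is_valid_pe(image + b"overlay"))
```

Run it and the four cases line up with the answer: overwriting a byte leaves every header-described offset in place; inserting a byte before `e_lfanew` moves the PE signature out from under the pointer and parsing fails; inserting a byte in the alignment padding parses but silently shifts the section contents so the entry point no longer holds the original instruction; appending at the very end is harmless because nothing in the headers points past the last section.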