
Exeinfo PE - ver.0.0.5.4
EXE Ripper – exe file encoded with Base64 encoding

Example of usage

1. Download program : DePass Micro - http://kvsoft.at.ua

( the file is packed with Aspack , used only as an example )

2. Unpack with FFI v1.4 or another Aspack unpacker

3. Open the unpacked file with Exeinfo PE and run EXE PE Ripper

4. EXE Ripper result :

5. Open the file DePass_Micro_unpacked01~Rip.exe.b64 with Exeinfo PE for info on how to decode it into a Windows executable

6. Now download bde64.exe from http://aluigi.altervista.org/mytoolz.htm
( direct link : http://aluigi.altervista.org/mytoolz/bde64.zip )

or simply click on the internet icon :

7. Decode with the bde64.exe tool

8. The unpacked.exe file is a real Windows PE executable file
( in this case it is a Windows DLL library file )

Result : a statically unpacked Windows DLL library file.

If the file is malware you are safe ( the file was never executed ).
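As an added illustration ( not part of this document and not Exeinfo PE's own code ), the Python script below does what steps 5 to 8 describe: it decodes a Base64 ripped file and classifies the result into the four types Exeinfo PE distinguishes ( EXE / DLL , 32 / 64 bit ) from the COFF header, which is how the walkthrough ends up with a DLL. The header-only sample image is constructed inline; no real file is needed.

```python
import base64
import struct

IMAGE_FILE_DLL = 0x2000       # Characteristics flag: image is a DLL
MACHINE_I386 = 0x014C         # 32-bit x86
MACHINE_AMD64 = 0x8664        # 64-bit x64


def decode_b64_rip(b64_text: bytes) -> bytes:
    """Decode the Base64 text written by the ripper; line breaks are stripped first."""
    return base64.b64decode(b"".join(b64_text.split()), validate=True)


def classify_pe(data: bytes) -> str:
    """Return 'EXE 32bit', 'EXE 64bit', 'DLL 32bit' or 'DLL 64bit' for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a decoded PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, *_rest, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
    if machine == MACHINE_I386:
        return kind + " 32bit"
    if machine == MACHINE_AMD64:
        return kind + " 64bit"
    raise ValueError(f"unsupported Machine value 0x{machine:04X}")


def build_sample_b64(machine: int, characteristics: int) -> bytes:
    """Constructed header-only PE image (no code, not runnable), Base64-wrapped like a .b64 rip."""
    img = bytearray(0x40 + 4 + 20)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, machine, 1, 0, 0, 0, 0, characteristics)
    return base64.encodebytes(bytes(img))                  # wrapped at 76 chars per line


if __name__ == "__main__":
    # Stand-in for "DePass_Micro_unpacked01~Rip.exe.b64": decode, then classify.
    blob = decode_b64_rip(build_sample_b64(MACHINE_I386, IMAGE_FILE_DLL | 0x0102))
    print(classify_pe(blob))   # a 32-bit DLL, as in step 8 of the walkthrough
```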

This document was created for beginners.

A.S.L ( c ) 2019

www.exeinfo.xn.pl

Exeinfo PE
OPTION - set EP to 1000h

How this works

Exeinfo PE does not use Deep scan here , only Normal scan.

1. If Exeinfo detects an exe sticker

2. try the OPTION : set EP to 1000h

3. It may then detect another protector , like this :

that's all
Exeinfo PE – unprotect an exe file from the overlay ( XOR method )
Protected with - "SkD Undetectabler 2.exe"

( instruction for lamers only )

1. Protect the exe

2. Recover the original exe via Overlay uncrypter XOR

3. The file is saved as undetected2-uprot.exe

Works only with files encrypted with a single XOR byte.
You don't need to enter the XOR byte value.
SkD Undetectabler 2 is used only as an example.
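To show what the Overlay uncrypter XOR step does internally , here is an added Python example ( not the tool's code ): it finds the overlay from the section table , then tries all 256 single-byte XOR keys until the decoded bytes carry a valid MZ / PE header , which is why no key has to be entered. The host file and the XOR'd payload are constructed inline; the layout "payload appended as overlay , one XOR byte" is the only assumption made about the crypter.

```python
import struct


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: end of the last section's raw data."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    end = table + nsec * 40
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with MZ and e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def uncrypt_overlay(data: bytes):
    """Return (key, decoded_overlay) for the XOR byte that yields a PE, else None."""
    overlay = data[overlay_offset(data):]
    for key in range(256):
        plain = bytes(b ^ key for b in overlay)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed host: one section ending at 0x400, then a header-only PE XOR'd with key."""
    host = bytearray(0x400)
    host[:2] = b"MZ"
    struct.pack_into("<I", host, 0x3C, 0x80)
    host[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", host, 0x84, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    sec = 0x84 + 20 + 0xE0                                   # first section header
    struct.pack_into("<II", host, sec + 16, 0x200, 0x200)    # SizeOfRawData, PointerToRawData
    payload = bytearray(0x60)
    payload[:2] = b"MZ"
    struct.pack_into("<I", payload, 0x3C, 0x40)
    payload[0x40:0x44] = b"PE\0\0"
    return bytes(host) + bytes(b ^ key for b in payload)
```

The same overlay_offset check is what the [ Overlay ] button and the overlay hint rely on: anything past the last section's raw data is overlay.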

A.S.L
EXEinfo PE v.0.0.1.9 C - added Resource analysis
- example file packed with Fearz packer 0.3 ( BIG resource size ) : hidden data to extract

- standard installer like InstallShield or Inno Setup ( small resources ) : data in overlay
Exeinfo PE - ver.0.0.5.0
Program GUI main window info , mouse-click Buttons

Only some Buttons / items are described.

1. If you move the mouse over this item you get information from the exe header
( file alignment and section alignment )

2. EP Section – you can enter an Offset and view the Entry Point offset + your offset
( Disassemble or Hexadecimal view , example 20h offset )

Result - disassemble view :

If you press the Space Bar key you get the Hex view :

3. [ Image is 32 bit executable ] – if you click here you see the File Characteristics

4. [ First bytes ] – disassembly of the Entry Point area bytes.

5. View file offset at : 0000

6. [ N ] Button – for .NET executable files
( works only on .NET compiled executable files !!! )

Left mouse button click : ( .NET header view )

Right mouse button click : ( External tools runner for .NET files )

7. [ Overlay ] – if overlay data exists at the end of the file , you can peek at it in
Hexadecimal view

8. [ Date ] – if you move the mouse over the item , you see the decoded date

But if you double-click with the left mouse button , you see Date and Time :

9. [ Scan / t ] – You can scan with external signatures ; the userdb.txt file is required.
As a result you see two signatures - [ Borland Delphi …] on exe files.
Further signatures are ignored ; maximum two result signatures.
( If you open a non-exe file , Exeinfo PE runs the trid.exe binary detector. )

10. [ www ] – internet website grabbed from the Diagnose and Lamer Info items

Example screen :

11. [ Digital signature ] – if the file has a digital signature you see a red medal .
If not , the icon is gray :

Click on the icon ; the result is ( compares the size from the exe header with the size from the digital signature ) :

Click OK

You see the file properties and can check the digital signature info.

12. [ I ] – Version Info / Manifest view

Left mouse button click : ( view Version info from Resources *if it exists )

Right mouse button click : ( view Manifest *if it exists )

13. [Open File Dialog]

Left mouse button click : ( open the system File dialog )

Right mouse button click : ( run Multi File scan + change directory to the
opened file ! – important if you dropped the file via Drag & Drop )

This information describes only the basic functions of the Main window ( ~ 50% )

You can press the F1 key for Help

This document was created for beginner users.

A.S.L ( c ) 2018

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.4.2

.PDB file name read from the exe file

Many installers keep the PDB file name in the Exe Header ( Load Config ) area.

It is useful if you try to detect the INSTALLER TYPE.

If the .pdb file name is not found in this area you can use the new search :
“ Tools Menu / Registry Call scanner … RSDS “.

See screenshot :

- Search Result – shows you all “.pdb ” file names.

- You can use this search if no string result is found in the Header GUI window.
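The RSDS search above looks for CodeView debug records. As an added example ( not Exeinfo PE's own code ) , the Python function below pulls every PDB path , GUID and age out of such records in a raw file image , which is the same information used here to recognise the installer type. The sample bytes and the path SetupStub.pdb are constructed , not taken from a real installer.

```python
import struct
import uuid

RSDS_HEADER = 24   # 'RSDS' (4) + GUID (16) + Age (4), then the NUL-terminated PDB path


def find_pdb_paths(data: bytes, max_path: int = 512):
    """Return [(pdb_path, guid, age)] for every well-formed CodeView RSDS record in data."""
    found = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + RSDS_HEADER
        end = data.find(b"\0", start, start + max_path)
        if end != -1:
            raw = data[start:end]
            # accept only printable ASCII paths ending in .pdb; anything else is a false hit
            if raw.lower().endswith(b".pdb") and all(0x20 <= c < 0x7F for c in raw):
                guid = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
                age = struct.unpack_from("<I", data, pos + 20)[0]
                found.append((raw.decode("ascii"), guid, age))
        pos = data.find(b"RSDS", pos + 4)
    return found


def build_sample() -> bytes:
    """Constructed file body: junk, a decoy 'RSDS' string, then one real-looking record."""
    record = (b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
              + b"C:\\build\\installer\\Release\\SetupStub.pdb\0")
    return b"\x90" * 64 + b"RSDS not a record\0" + b"\x00" * 32 + record + b"\xCC" * 16


if __name__ == "__main__":
    for path, guid, age in find_pdb_paths(build_sample()):
        print(f"{path}  guid={guid}  age={age}")
```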

Info : added in ver.0.0.4.2 final

A.S.L ( c ) 2016

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.4.9
How to retrieve a jpg picture from a saved file - pseudo jpg – real html file
( www: http://photobucked.com )

If you save a jpg picture to disk and can't see the picture ,
please check the file with Exeinfo PE.

I. Example : you clicked on a picture and saved the file !997yj7.jpg .

- But the file is not a jpeg picture , it is an html file !

If you need to retrieve the real jpg picture you must use the Ripper ( http / ftp address inside )

- Now click CTRL + Right Mouse Button to open the selected line - link

II. Your internet browser opens the link : http://i54.photobucked.com/album......jpg

Now you can view the picture in your browser.
If you need to save the picture don't use : save picture as ( the file is protected – the saved file
is html , not a jpg picture ).
You must click : Show info about picture , then click save selected picture.

Info : Tested with Firefox Browser

A.S.L ( c ) 2018

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.3.6
Usage example :

How to open a ripped www site from an exe or data file .

This example shows you how to open any “www “ address ripped from an
executable or data file – via one mouse click.

1. Open any exe/dll or binary data file with Exeinfo PE.

2. Mouse click on the RIP Menu – search www …

3. Now press the CTRL key and click the Right Mouse Button on any line with a
www , http , https or ftp address.

4. Now Exeinfo opens your default browser with this address

*Ripper supports – http ( Ascii & Unicode ) , ftp , https ( Ascii characters )

A.S.L ( c ) 2014

www.exeinfo.xn.pl

Exeinfo PE - 10 hints

1. Executable file detection , 4 types - ( EXE 32bit , EXE 64 bit , DLL32 , DLL 64bit )

PEID , RDG , Die.exe don't detect 64-bit exe files .

2. Memory Status : ( HINT on Form )

- Physical RAM memory
- Physical free memory
- 123 MB – max BUFFER size ( version 0.0.1.6 C ) ; bigger files do not work
- xxx MB – physical exe size on disk

3. If the file has overlay data ( on mouse move the HINT is active )

Mouse click on “ Overlay : ” - view the overlay data ( start bytes only )

4.

Exeinfo PE - ver.0.0.3.2
Ext_detector.dll v.0.5.0
Example :
How to use the Universal Ripper

For example we RIP a packed DLL file ( aPLib algorithm ) from Test.exe protected with
- Enigma Virtual Box v.5.80 .

1. Open the Test.exe file , click RIP menu – UNIVERSAL Ripper

2. Enter the “M8Z” string and click OK.

3. The Ripper searches for the data and creates the file Test_001~rip.M8Z .

4. You can open the Test_001~rip.M8Z file with Exeinfo PE.

5. If you need the unpacked DLL , please use appack.exe d <packed_file>
from www.smspower.org .

Ps. The Universal Ripper supports Hex binary search mode.
For Hex use the “ # “ character first .

Example :
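An added Python example ( not the Universal Ripper's own code ) of the search described above: an ASCII pattern such as “M8Z” , or a hex pattern written with “ # “ first , is located in a file image and each hit is carved out and named in the ripper's Test_001~rip.M8Z style. The sample data is constructed; the rule that a chunk ends at the next hit or at end of file , and the .bin extension for hex patterns , are assumptions.

```python
import binascii


def parse_pattern(text: str) -> bytes:
    """Universal Ripper style pattern: '#' first means hex bytes, otherwise ASCII."""
    if text.startswith("#"):
        return binascii.unhexlify(text[1:].replace(" ", ""))
    return text.encode("ascii")


def find_all(data: bytes, pat: bytes) -> list:
    """Every offset at which pat occurs in data (overlapping hits included)."""
    hits, pos = [], data.find(pat)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pat, pos + 1)
    return hits


def rip(data: bytes, pattern: str) -> list:
    """Return [(offset, chunk)] where each chunk runs from a hit to the next hit or EOF.
    The end-of-chunk rule is an assumption; the real ripper may cut differently."""
    pat = parse_pattern(pattern)
    hits = find_all(data, pat)
    return [(off, data[off:(hits[i + 1] if i + 1 < len(hits) else len(data))])
            for i, off in enumerate(hits)]


def rip_name(stem: str, index: int, pattern: str) -> str:
    """Output name in the ripper's style, e.g. Test_001~rip.M8Z (hex patterns get .bin, assumed)."""
    ext = "bin" if pattern.startswith("#") else pattern
    return f"{stem}_{index:03d}~rip.{ext}"


# Constructed stand-in for Test.exe: two blobs starting with the 'M8Z' marker inside other data.
SAMPLE = b"\x00" * 16 + b"M8Z" + b"\x01\x02\x03\x04" + b"ZZZZ" + b"M8Z" + b"\x05\x06"

if __name__ == "__main__":
    for i, (off, chunk) in enumerate(rip(SAMPLE, "M8Z"), start=1):
        print(f"{rip_name('Test', i, 'M8Z')} offset=0x{off:X} size={len(chunk)}")
```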

A.S.L ( c ) 2012

www.exeinfo.xwp.pl

Exeinfo PE - hints

Example of use - .xml script file RIPPER_

1. You can rip the xml file from Zylom Game Wrapper

2. You can rip the Manifest file from an exe ( example : notepad.exe )

Required version 0.0.2.8 – 2010.12.07

Exeinfo PE - ver.0.0.3.4
Example :

How to use the internal Zlib Unpacker !

This example shows you how to unpack a .zlib file ripped via Exeinfo PE .

On disk we have “File_name_0001-Rip$.zlib “ or “File_name_0002-Rip$.zlib “ …

1. Open this file with Exeinfo PE.

2. Click on the Tools Button Menu

3. And you have the unpacked zlib file*** with .UNP extension !
You must analyse this file and rename it to the correct extension , .bin or .exe .

*** - if the file is not a zlib archive , you see : Depacking Error

HINT : If you have a zlib file don't use the zlib ripper for unpacking !!!

Free packer / unpacker ( Win32 ver.) for zlib files – www.asl-soft.xn.pl

A.S.L ( c ) 2014

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.3.5
Example :

How to check Big exe files ( two methods )

This example shows you how to analyse exe files longer than the
Exeinfo PE buffer ( limit 96 MB) .

I. F11 key method ( dangerous , Exeinfo PE can crash )

1. Open the file with Exeinfo PE.

2. Press the F11 key on your keyboard

3. If the detector does not crash , you get a better Diagnose

II. Method Two - Copy part of the file

( works only if the file has a Big overlay – does not work if the section sizes are Big )

1. In the File Menu use Copy – part of a Big file …

2. Enter the value 50 ( 50 hex = 80 MB real file size )

3. Now you can reanalyze the file
( *on this exe file it does not work – Big section size ; added only as a method example )

Bye.

A.S.L ( c ) 2014

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.3.6
Usage example :

How to check whether files are identical or not

We can quickly check whether two or more files are identical.

I. Method one :

- open the file and Right mouse click on the “S” Button.
- please remember the end of the shown checksums !

Open the next file and click again RMB on the “S” Button

- If the ends of the checksums are not identical the files are different.

II. Method two :

If you need to compare more than two files , you can use Multiple file
scanner mode ( F2 key on the main Form ).

- Copy all files to one directory
- open the first file
- press the F2 key – Multiple file mode
- press the F12 key – this opens a small pulldown Menu
- Select – crypto – MD5 to compare files
- Press the START SCAN Button

Identical files have identical checksums.

* Max file size = 96MB
* In Multiple mode I don't calculate the exe stub checksum , only the whole file.

A.S.L ( c ) 2014

www.exeinfo.xn.pl

Exeinfo PE - ver.0.0.3.9
Example :
Install Shield v.15 – v.19
How to detect the precise version.

We can detect the correct version using the internal Exe PE Ripper.

I. open any exe file created with Install Shield v.1x

- Exeinfo detects : Install Shield 2009 v15 Pro / v16 / v17 …

We can check the file with other detectors ( Die & PiD ) :

- Detect it Easy v. 0.97 – VERSION NOT DETECTED

- Protection iD v.0.6.6.7 – detects the wrong version : 4.0

II. We detect the version using the internal EXE Ripper

1. open the exe file again

2. click on the Ripper menu – EXE PE inside EXE

3. As the ripper result you have - in this example : the nsmlinstall-x8601~Rip.dll file
in the directory and one exe file , not important for us.

4. Now open this ripped DLL file with Exeinfo PE

5. Click on the VERSION INFO Button

6. And you can see the correct version of Install Shield used.

Info : Only for inquisitive people

A.S.L ( c ) 2015

www.exeinfo.xn.pl
