This document was prepared by me for a computer experiment report. Many different sources were examined and amassed. If you catch any blunder or wrong information, please mail me and I'll correct it (ilkayaktas@gmail.com). I'll expect your comments.
An executable file is a file that is used to perform various functions or operations on a computer. Unlike a data file, an executable file generally cannot be read because it has been compiled. On an IBM compatible computer, common executable files are .BAT, .COM, .EXE, and .BIN. Depending on the operating system and its setup, there can also be several other types of executable files.
An executable file, also called an executable or a binary, is the ready-to-run (i.e., executable) form of a program. A program is a sequence of instructions understandable by a computer's CPU (central processing unit) that indicates which operations the computer should perform on a set of data.
An executable is a file that contains a program - that is, a particular kind of file that is capable of being executed or run as a program in the computer. In a Disk Operating System or Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe. An executable file or a group of them are sometimes referred to as binaries, as in "I'll download the binaries to you", since the file format of an executable is a solid sequence of binary values that cannot be easily read by anyone (unlike that of, for example, an ASCII text file, which can be easily examined for information as it travels from one computer to another).
Executable files consist of instructions that have been translated from their original source code into machine code, also called machine language or object code, through the use of a specialized program called a compiler, so that the CPU can use them directly and without further translation. Machine code consists entirely of zeros and ones, which represent the off and on states of the CPU logic circuits and memory cells.
In operating systems in which the type of a file is indicated by appending an extension after its name, executables are indicated by extensions such as .exe, .com or .bin. Such extensions are generally not necessary in Unix-like operating systems.
A file whose name ends in ".exe" is really a program that, when "opened" - that is, selected by putting your mouse over the file name and then initiated by double-clicking your mouse, for example - causes the operating system to run the program.
Execution is the process of running a program or the carrying out of the operation called for by an instruction.
• To execute a file in MS-DOS and numerous other command line operating systems, type the name of the executable file and press enter.
• Other command line operating systems such as Linux or UNIX may require the user to type a period and a forward slash in front of the file name; for example, "./myfile" would execute the executable file named "myfile".
• To execute a file in Microsoft Windows, double-click the file.
• To execute a file in other GUI operating systems, commonly a single or double-click will execute the file.
The table above shows some extensions that are used for executable files. Some of them, however, are not executable files but interpretable files; the "Common" column shows them.
Details of Exe File with A Program
Executable files have a special binary format. If any two exe files are opened in a hex editor, it can be seen that their first bytes resemble each other. Here is the header of an executable file. Each byte in the header segment has a special meaning; the table below explains the meaning byte by byte.
0: 4D 5A 3A 00 06 00 01 00 20 00 0D 00 FF FF 88 00
10: 80 00 00 00 00 00 00 00 22 00 00 00 01 00 FB 20
20: 72 6A 01 00 00 00 00 00 00 00 00 00 00 00 00 00
Note: all multi-byte values are stored LSB (least significant byte) first. One block is 512 bytes, one paragraph is 16 bytes.
00h – 01h bytes are the "magic number", used to assert that this file is indeed an object file. It is defined in util.Version.exeMagicNumber as 0x4D, 0x5A: the first byte of the file is 0x4D and the second is 0x5A, which are the ASCII codes of the letters 'M' and 'Z'. These letters were not chosen haphazardly. Mark Zbikowski, who is one of Microsoft's founders (like Bill Gates), designed the exe file format and gave it the initial letters of his name.
02h – 03h bytes are the number of bytes in the last block of the program that are actually used. If this value is zero, that means the entire last block is used (i.e. the effective value is 512).
04h – 05h bytes are the number of blocks in the file that are part of the EXE file. If [02-03] is non-zero, only that much of the last block is used.
06h – 07h bytes are the number of relocation entries stored after the header. May be zero.
08h – 09h bytes are the most important part of the header, because after a calculation they give the start of the code segment. They are the number of paragraphs in the header. The program's data begins just after the header, and this field can be used to calculate the appropriate file offset. The header includes the relocation entries. Note that some OSs and/or programs may fail if the header is not a multiple of 512 bytes. The offset of the beginning of the EXE data is computed like this:
start = header_paragraphs * 16L;
In my program, the word at 08h – 09h is 20h. According to the formula, the start of the code segment is:
20h * 16d = 20h * 10h = 200h.
From the 200h address onward I can reach my code segment.
Ah – Bh bytes indicate the number of paragraphs of additional memory that the program will need. This is the equivalent of the BSS size in a Unix program. The program can't be loaded if there isn't at least this much memory available to it.
Ch – Dh bytes are the maximum number of paragraphs of additional memory. Normally, the OS reserves all the remaining conventional memory for your program, but you can limit it with this field.
Eh – Fh bytes are the relative value of the stack segment. This value is added to the segment the program was loaded at, and the result is used to initialize the SS register.
10h – 11h bytes are the initial value of the SP register.
12h – 13h bytes are the word checksum. If set properly, the 16-bit sum of all words in the file should be zero. Usually, this isn't filled in.
14h – 15h bytes are the initial value of the IP register.
16h – 17h bytes are the initial value of the CS register, relative to the segment the program was loaded at.
18h – 19h bytes are the offset of the first relocation item in the file.
20h – 21h bytes indicate the overlay number. Normally zero, meaning that it is the main program.
The header continues until the beginning of the code segment. The data segment is placed after the end of the code segment.
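As an added example (not part of the original report), the following Python parser decodes the header fields described above, starting from the 48 header bytes of the hex dump, and derives the load-module offset and file size the way a loader would. The field names (e_magic, e_cparhdr, ...) follow the IMAGE_DOS_HEADER naming convention and are not used in the report itself; the sanity checks on the relocation table and header size are my own additions.

```python
import struct

# The 28-byte MZ header is fourteen little-endian 16-bit words ("<14H").
# Names follow the IMAGE_DOS_HEADER members that cover the same offsets.
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc",
             "e_ovno")
MZ_MAGIC = 0x5A4D          # bytes 4D 5A ('M' 'Z') read as a little-endian word
BLOCK = 512                # unit of the 02h-05h size fields
PARAGRAPH = 16             # unit of the header-length and memory fields

# Sample input: the 48 header bytes from the hex dump in the report, re-typed.
SAMPLE_HEADER = bytes.fromhex(
    "4D 5A 3A 00 06 00 01 00 20 00 0D 00 FF FF 88 00 "
    "80 00 00 00 00 00 00 00 22 00 00 00 01 00 FB 20 "
    "72 6A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ")

def parse_mz_header(data: bytes) -> dict:
    """Decode an MZ header and derive the offsets a loader would need."""
    if len(data) < struct.calcsize("<14H"):
        raise ValueError("file too short for an MZ header")
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from("<14H", data, 0)))
    if hdr["e_magic"] != MZ_MAGIC:
        raise ValueError("bad magic: not an MZ executable")
    if hdr["e_cp"] == 0:
        raise ValueError("block count of zero: no load module in file")
    # 08h-09h: header length in paragraphs -> file offset of the code segment.
    header_size = hdr["e_cparhdr"] * PARAGRAPH
    # 02h-05h: blocks in the file and bytes used in the last one (0 means 512).
    last_block = hdr["e_cblp"] or BLOCK
    file_size = (hdr["e_cp"] - 1) * BLOCK + last_block
    # 06h-07h and 18h-19h: the relocation table must lie inside the header.
    if hdr["e_lfarlc"] + 4 * hdr["e_crlc"] > header_size:
        raise ValueError("relocation table runs past the header")
    if header_size > file_size:
        raise ValueError("header is larger than the file it describes")
    return {
        **hdr,
        "header_size": header_size,
        "file_size": file_size,
        "load_module_size": file_size - header_size,
        "min_extra_bytes": hdr["e_minalloc"] * PARAGRAPH,
        "entry": (hdr["e_cs"], hdr["e_ip"]),   # CS:IP relative to load segment
        "stack": (hdr["e_ss"], hdr["e_sp"]),   # SS:SP relative to load segment
    }
```

For the sample header this gives a 200h-byte header, a 2618-byte file and therefore a 2106-byte load module, matching the 20h * 10h = 200h calculation in the text.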
How to Access Asm Code and Binary Code: Analyzing Method
Another detail on this page is how to access the asm code and binary notation of an executable. So far, we have talked about how to examine the assembly code or binary code of any exe file, but not how to access these codes. Three different programs may be used to access asm codes and binary codes. The first one is TextPad.exe. This program reads the executable file as a text file and shows the result in the form of hexadecimal numbers. Figure 3 and Figure 4 show part of a TextPad screenshot. The leftmost column is the address, the middle columns are the data in the exe file and the rightmost column is the character equivalent of the data bytes. The second one is the HexEditor (HackMan Disassembler). This program reads any executable file and then shows the program's asm code; it converts the machine language to asm language. Key.asm shows the main program and a procedure of my program. The third one is DCC_OO. This program simplifies our job, because it shows the asm code together with C code. I chose TextPad and HackMan Disassembler during my experiment. I think they are required to understand cracking.
A New Executable File Format: Portable Executable (PE)
After examining executable files, I think it is necessary to talk about the Portable Executable file format. Microsoft introduced a new executable file format with Windows NT. This format is called the Portable Executable (PE) format because it is supposed to be portable across all 32-bit operating systems by Microsoft. The same PE format executable can be executed on any version of Windows NT, Windows 95, and Win32s. Also, the same format is used for executables for Windows NT running on processors other than Intel x86, such as MIPS, Alpha, and PowerPC. The 32-bit DLLs and Windows NT device drivers also follow the same PE format.
It is helpful to understand the PE file format because PE files are almost identical on disk and in RAM. Learning about the PE format is also helpful for understanding many operating system concepts: for example, how the operating system loader works to support dynamic linking of DLL functions, and the data structures involved in dynamic linking, such as the import table, the export table, and so on.
ilkay Aktaş
ilkayaktas@gmail.com
