I've been messing around with the PE file format and I seem to have created a file with 2 entry points. Both are listed as an entry point in win32dasm, but when running the app the original one is used. So disassembling doesn't show where the process really begins. How can it be possible for a file to have 2 entry points and how can I get rid of one?
Posted on 2003-11-05 13:30:43 by ENF
How did you set 2 entry points? What did you use to do it? Hex editor or what?
Posted on 2003-11-05 22:20:17 by roticv
Yes I hex edited it.
The program is definitely starting at the original address but disassembly begins at the new entry point.
Posted on 2003-11-05 22:49:51 by ENF
So what did you edit? Which field of what structure of the PE format?
Posted on 2003-11-05 23:09:50 by roticv
I edited OptionalHeader.AddressOfEntryPoint after adding a new section, but I think I may have found the problem: 2 sections with the same virtual address. I think Windows loaded one section and then it was overwritten by the next, so the disassembler could see a section that couldn't be seen in memory.
Posted on 2003-11-06 00:08:27 by ENF
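
The condition described in the last post, two section headers claiming the same virtual address, can be checked directly from the section table. The Python code below is an added example, not part of the thread; the function names and the header-only sample bytes are constructed for illustration, and it reports every section whose range contains OptionalHeader.AddressOfEntryPoint.

```python
import struct

def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, size), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    (entry,) = struct.unpack_from("<I", data, opt + 16)     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                                   # 40-byte section headers
        name, vsize, rva, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        # Assumption: fall back to SizeOfRawData when VirtualSize is zero.
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize or raw))
    return entry, sections

def overlapping(sections):
    """Pairs of section names whose [rva, rva + size) ranges intersect."""
    return [(a[0], b[0]) for i, a in enumerate(sections) for b in sections[i + 1:]
            if a[1] < b[1] + b[2] and b[1] < a[1] + a[2]]

def entry_owners(entry, sections):
    """Names of every section whose range contains the entry point RVA."""
    return [n for n, rva, size in sections if rva <= entry < rva + size]

def build_sample():
    """Constructed header-only image (not loadable): .text and .new share RVA 0x1000."""
    def sec(name, vsize, rva, raw_ptr):
        return struct.pack("<8sIIII", name, vsize, rva, 0x200, raw_ptr) + b"\0" * 16
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1000, 0x1000, 0x400) + sec(b".new", 0x1000, 0x1000, 0x600))

if __name__ == "__main__":
    entry, sections = parse_sections(build_sample())
    print("entry point RVA: %#x" % entry)
    print("overlapping sections:", overlapping(sections))
    print("sections containing entry point:", entry_owners(entry, sections))
```

When more than one section name comes back from `entry_owners`, a static tool and the loader can disagree about which bytes sit at the entry point, which matches the mismatch reported in this thread.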