  #35  
Old 02-13-2004, 21:36
Wurstgote
 
Quote:
What you can do is change both your Relocation RVA and Size to 0, then in your PE Characteristics, set the Relocation Stripped flag
Hey, I had never thought of this! But, since it's empty anyway, why not kill it completely?
Quote:
Needless to say, I have a different solution than yours; not to say that mine is a better solution, but it is different.
Perhaps simply setting the TlsTable entry in the Directory Table to 230000?
Considering the Tls Table, I think there is nothing else to fix.
Quote:
Reread my description of what the .data section is. There are more things relocated in that section than the Relocation table and TLS table.
I've done that (good advice, by the way!) and I must admit that my eyes got it, but my brain must have been on holiday.
As you've stated, ASPR also transferred some resources to the .data section...
So the first thing I've done was to study the structure of the resource tree. After I understood what it's all about, I used ResourceHacker to take a closer look at all the resources. This way it became obvious that perhaps Icon Group, VersionInfo and the last resource "24" need a relocation.
So I walked the resource tree and found out that data for all three groups really is in the .data section. I've managed to relocate them back to the .rsrc section, but sweet Jesus, if I thought putting the IAT table back in place was tedious, I for sure don't know an adequate word to describe this piece of work.

Now my question is: Do you know of any tool that I can use to browse the resource tree of an app and that shows at each node the address where this node is stored? I've tried ResHacker (doesn't work) and PE Explorer (can read all resources but doesn't show addresses; also I can't use it to "repack" the resources).

Any hint would be appreciated, since I believe that that should be the last thing to do before .data can be deleted.

Regards
Wurstgote
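Added example, not part of the original post or of any tool named in it: a minimal Python walker for the PE resource directory that reports, for each leaf, the RVA of its data entry, the RVA of the data itself, and the section that holds it. The function names (`walk`, `section_of`, `make_dir`), the section layout and all RVAs are constructed for illustration.

```python
import struct

SUB = 0x80000000  # high bit of OffsetToData: entry points at a subdirectory

def section_of(rva, sections):
    """Name of the section whose virtual range contains rva, else None."""
    for name, start, vsize in sections:
        if start <= rva < start + vsize:
            return name
    return None

def walk(rsrc, rsrc_rva, sections, off=0, path=(), seen=None):
    """Yield (path, node_rva, data_rva, size, section) for each data entry."""
    seen = set() if seen is None else seen
    if off in seen or off + 16 > len(rsrc):
        return  # cyclic or truncated directory: stop instead of looping
    seen.add(off)
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(named + ids):
        pos = off + 16 + 8 * i
        if pos + 8 > len(rsrc):
            return
        name, target = struct.unpack_from("<II", rsrc, pos)
        ident = name & 0x7FFFFFFF  # numeric ID, or name-string offset if high bit set
        if target & SUB:  # offsets are relative to the start of the resource directory
            yield from walk(rsrc, rsrc_rva, sections, target & 0x7FFFFFFF, path + (ident,), seen)
        elif target + 16 <= len(rsrc):
            data_rva, size = struct.unpack_from("<II", rsrc, target)  # data pointer is an RVA
            yield (path + (ident,), rsrc_rva + target, data_rva, size,
                   section_of(data_rva, sections))

def make_dir(*entries):
    """Build an IMAGE_RESOURCE_DIRECTORY holding only ID entries (sample helper)."""
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return head + b"".join(struct.pack("<II", i, t) for i, t in entries)

# Constructed sample: type 3 (RT_ICON) data in .rsrc, type 14 (RT_GROUP_ICON) data in .data
SECTIONS = [(".rsrc", 0x500000, 0x1000), (".data", 0x600000, 0x2000)]
RSRC = (make_dir((3, SUB | 0x20), (14, SUB | 0x38))
        + make_dir((1, SUB | 0x50)) + make_dir((1, SUB | 0x68))
        + make_dir((0x409, 0x80)) + make_dir((0x409, 0x90))
        + struct.pack("<IIII", 0x5000A0, 0x128, 0, 0)
        + struct.pack("<IIII", 0x601000, 0x14, 0, 0))

if __name__ == "__main__":
    for path, node, data, size, sec in walk(RSRC, 0x500000, SECTIONS):
        print(path, hex(node), hex(data), hex(size), sec)
```

On a real file, `rsrc` would be the bytes starting at the Resource directory RVA and `sections` would come from the section table; leaves whose section is not `.rsrc` are the ones whose data pointer still needs to be moved back.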