Points: 80 Solves: 140 Category: Reverse Engineering, warm-up Description:



Home:~$ file cannotberun
cannotberun: MS-DOS executable

It looks like it’s a windows executable. Let’s see what PEiD and exeinfo has to say about it.



CFF Explorer is not displaying anything.


Now let’s try running the executable.


It looks like it’s printing out the DOS stub with a custom message. Well we know enough already to start working on the issue.

The reason why CFF Explorer is not showing any info about the executable is because CFF can not read the PE header. Let’s see why… I would strongly recommend the PE Header Primer read from ARTeam. It’s really the best explanation of the structure of windows executables I’ve ever seen (just read it and save it for re-re-re-read ;)).

Looking at the DOS header using a hex editor we see why CFF Explorer is not displaying any information. The offset of the PE header is totally missing :).


At offset 0x3C, we see a null byte 0x00 which has to actually contain the offset of the start of the PE header :). You can see the PE header starts at hex 0xE8, so let’s patch it. This is also the reason why when the binary is executed it only runs the DOS stub.


CFF Explorer can now read the PE header just fine :).
The binary executes just fine now and it’s functionality is to print the flag :).