{"id":3152,"date":"2015-08-15T12:30:29","date_gmt":"2015-08-15T12:30:29","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3152"},"modified":"2015-08-15T12:33:19","modified_gmt":"2015-08-15T12:33:19","slug":"two-pe-tools-you-might-have-never-heard-of-now-you-do","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/08\/15\/two-pe-tools-you-might-have-never-heard-of-now-you-do\/","title":{"rendered":"Two PE tools you might have never heard of. Now you do."},"content":{"rendered":"

There are tones of PE tools out there and lots of them are rehashing the very same ideas over and over again. It is easy to find numerous PE viewers, PE editors, PE dumpers, PE identification tools and so on and so forth. It is sad to see that many of them rarely reach quality and usability levels as the good-ol’ LordPE, PE Tools, or PEiD.<\/p>\n

Still, there are gems out there that are not very popular, yet it is really worth having them at hand during reverse engineering sessions.<\/p>\n

Here are two of them:<\/p>\n

Extensive File Dumper<\/h4>\n

Pretty much everyone heard of IDA Pro and Hex-Rays Decompiler.<\/p>\n

But how many heard of Extensive File Dumper<\/a>?<\/p>\n

The tool is freely available online on the Hex-Rays web page.<\/p>\n

Go and grab it.<\/p>\n

It is one of not so many dumping tools that supports crazy number of file formats – as per the Hex-Rays page:<\/p>\n

EXE, NE, LE, LX, PE, NLM, XCOFF, COFF, OMF, DBG, PRC, PEF, OS9, N64, PSX, EPOC, AR, AMIGA, ELF, ECOFF, HP SOM, GEOS, OLE2, AIF, AOF, AOUT, PE+, OMF166, MachO, XE\/XBE, JPG, CIFF, TMOBJ, MRW, TIFF, MPG, CWLIB XCP.DAT, WMF, DSO, PDB<\/p>\n

Notably, this is one of not so many tools available on Windows platform that parses Mac executable files – anyone wanting to view the internal info of Mac executables typically uses ‘otool’ on Mac. Being able to view similar info on Windows is really handy.<\/p>\n

To spice things up, it is a multiplatform tool and Hex-Rays distributes it in 3 versions (refer to folders win<\/em>, mac<\/em>, linux<\/em> inside efd.zip)<\/p>\n

Example:<\/p>\n

efd.exe showing info on the efd (MAC version)<\/p>\n

\"efd_1\"<\/a><\/p>\n

\"efd_2\"<\/a><\/p>\n

\"efd_3\"<\/a><\/p>\n

Detect It Easy a.k.a. DIE<\/h4>\n

This is an awesome compiler\/packer detector available on http:\/\/ntinfo.biz\/<\/a>.<\/p>\n

The reason why it stands out?<\/p>\n

Here are a couple:<\/p>\n