Using IfEqual

Log Out | Topics | Search Moderators | Edit Profile

Author Message   Victor Havin Username: vhavin Registered: N/A Posted on Saturday, Aug 25, 2007 - 0:13:    In the template below the statement IfEqual "Magic number" 267 always returns false. I tried different variations, like IfEqual "Magic number" 10B IfEqual "Magic number" "10B" IfEqual "Magic number" "0B 10" etc. However, no matter what I try, I am getting syntax error or FALSE. Basically it always opts to the PE32+ section. What am I doing wrong? Your help is greatly appreciated. --Victor template "PE File Headers" description "PE File" applies_to file fixed_start 0 requires 0x00 "4D 5A" // MZ begin goto 0x3C hexadecimal uint16 "Offset to header" goto "Offset to header" char[2] "PE" hex 2 "00" hexadecimal uint16 "Machine" uint16 "Number of sections" UNIXDateTime "TimeStamp" hexadecimal uint32 "Symbol table" uint32 "Number of symbols" uint16 "Optional" hexadecimal uint16 "Characteristics" IfEqual Optional 0 section "No optional header" endsection Else section "Optional header" hexadecimal uint16 "Magic number" byte "Major Linker Version" byte "Minor Linker Version" uint32 "Size of code" uint32 "Size of initialized data" uint32 "Sizeof uninitialized data" hexadecimal uint32 "Entry point" hexadecimal uint32 "Base of code" IfEqual "Magic number" 267 section "PE32" hexadecimal uint32 "Base of data" // ... etc ... endsection Else section "PE32+" // ... etc ... endsection EndIf endsection EndIf end   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Saturday, Aug 25, 2007 - 0:31:    If conditions cannot be nested, unfortunately, as mentioned in the program help and in the user manual.   Victor Havin Username: vhavin Registered: N/A Posted on Saturday, Aug 25, 2007 - 2:46:    Thank you Stefan, I promise to read the help next time Somehow it didn't occur to me such a severe limitation can exist. Any plans to fix it in the future? Thanks again, --Victor   Victor Havin Username: vhavin Registered: N/A Posted on Saturday, Aug 25, 2007 - 3:07:    I removed the outer if condition. Still no luck. The condition is false again even though the data field contains 267. Did I do something wrong again? The complete template source is attached below. --Victor template "PE File Headers" description "PE32+ File" applies_to file fixed_start 0 requires 0x00 "4D 5A" // MZ begin goto 0x3C hexadecimal uint16 "Offset to header" goto "Offset to header" char[2] "PE" hex 2 "00" hexadecimal uint16 "Machine" uint16 "Number of sections" UNIXDateTime "TimeStamp" hexadecimal uint32 "Symbol table" uint32 "Number of symbols" uint16 "Optional" hexadecimal uint16 "Characteristics" section "Optional Header" uint16 "Magic number" byte "Major Linker Version" byte "Minor Linker Version" uint32 "Size of code" uint32 "Size of initialized data" uint32 "Sizeof uninitialized data" hexadecimal uint32 "Entry point" hexadecimal uint32 "Base of code" IfEqual "Magic number" 267 section "PE32" hexadecimal uint32 "Base of data" hexadecimal uint32 "Image base" uint32 "Section alignment" uint32 "File alignment" uint16 "Major OS version" uint16 "Minor OS version" uint16 "Major image version" uint16 "Minor image version" uint16 "Major subsystem version" uint16 "Minor subsystem version" uint32 "Win32 Version" uint32 "Size of image" uint32 "Size of headers" hexadecimal uint32 "Checksum" hexadecimal uint16 "Subsystem" hexadecimal uint16 "Dll characteristics" uint32 "Stack reserve" uint32 "Stack commit" uint32 "Heap reserve" uint32 "Heap commit" hexadecimal uint32 "LoaderFlags" uint32 "Number of Directories" endsection Else section "PE32+" hexadecimal int64 "Image base" uint32 "Section alignment" uint32 "File alignment" uint16 "Major OS version" uint16 "Minor OS version" uint16 "Major image version" uint16 "Minor image version" uint16 "Major subsystem version" uint16 "Minor subsystem version" uint32 "Win32 Version" uint32 "Size of image" uint32 "Size of headers" hexadecimal uint32 "Checksum" hexadecimal uint16 "Subsystem" hexadecimal uint16 "Dll characteristics" int64 "Stack reserve" int64 "Stack commit" int64 "Heap reserve" int64 "Heap commit" hexadecimal uint32 "LoaderFlags" uint32 "Number of Directories" endsection EndIf section "Export Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Import Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Resource Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Exception Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Certificate Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Relocation Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Debug" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Architecture" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Global Ptr" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "TLS Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Load Config Table" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Bound Import" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "IAT" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Delay Import Descriptor" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "CLR Runtime" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection section "Reserved" hexadecimal int32 "RVA" hexadecimal int32 "Size" endsection endsection section "Sections" { char[8] "Name" hexadecimal uint32 "VirtualSize" hexadecimal uint32 "VirtualAddress" hexadecimal uint32 "SizeOfRawData" hexadecimal uint32 "PointerToRawData" hexadecimal uint32 "PointerToRelocations" hexadecimal uint32 "PointerToLineNumbers" hexadecimal uint16 "NumberOfRelocations" hexadecimal uint16 "NumberOfLineNumbers" hexadecimal uint32 "Characteristics" }[Number of sections] endsection end   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Saturday, Aug 25, 2007 - 16:40:    Support for nested If conditions is not planned at the moment. I tried your exact template here on a PE .exe file, where the magic number was 267, and it successfully branched into the PE32 section.   Victor Havin Username: vhavin Registered: N/A Posted on Sunday, Aug 26, 2007 - 7:49:    Interesting. I am using version 11.9 SR2. Is it possible the problem is version specific? --Victor   Stefan Fleischmann Username: admin Registered: 1-2001 Posted on Sunday, Aug 26, 2007 - 11:04:    Could be, yes, that's why I already sent you a link to v12.7, which was your last free update.