DOS MZ Exe misidentified as NE exe

Question

DOS MZ Exe misidentified as NE exe

powerbf opened this issue 6 years ago · comments

powerbf commented 6 years ago

OS: Linux Mint 19
Output of 'boomerang-cli --version' boomerang-cli v0.4.0-alpha-114-gfc67dfb2

My DOS MZ EXE was incorrectly identified as an NE EXE because it happens to have reloc table offset = 40h in the header

Steps to reproduce:

boomerang-cli hello.exe

Expected/desired behaviour
Should be identified as DOS MZ exe

Actual behaviour
Identified as NE exe

Additional comments
Checking for reloc table offset = 0x40 is not a realiable way to identify NE Exes.
A more reliable way is to check whether the word at 0x3C contains the offset of a NE header (which starts with the signature 'NE').
Ref: https://www.fileformat.info/format/exe/corion-mz.htm

powerbf · Answer 1 · Sat Dec 08 2018 19:51:32 GMT+0800 (China Standard Time)

Here is my exe and its source code:
hello.zip

powerbf · Answer 2 · Sat Dec 08 2018 20:53:21 GMT+0800 (China Standard Time)

I've raised pull request #147 containing a fix