|
Utilities |
Resource Editors |
Borland Resource Workshop by Borland.
31.I.1999.
Borland
Resource Workshop 4.5.
Lets you edit an application's resources.
In general, a Windows application's resources are separate from the
program code, letting you make significant changes to the interface
without even opening the file that contains your program code. |
eXeScope by Toshi.
04.VII.2000.
eXeScope
6.00 (460K).
Do you want to customize an application? For example, to change a
font, to change a menu, to change the arrangement of a dialog, etc., but
do you think that it is impossible because you do not have the source files?
eXeScope can analyze, display various information, and rewrite
resources of executable files, that is, EXE, DLL, OCX, etc. without
source files. |
Resource Hacker by Angus
Johnson. 13.IX.2000.
Resource
Hacker 2.5 (421K).
News:
- Resources can now be deleted.
- Bug Fix: Modified applications occasionally
displayed the generic executable icon, not the application's icon.
FREEWARE utility to view, decompile, modify and compile resources in
Win32 executables. Dialogs, menus, and stringtable resource scripts
(and also Borland forms) can be edited using the internal editor and
immediately recompiled. |
Resource Builder by SiComponents.
10.XII.1999.
Resource
Builder 1.0 (1.4M).
This has been long awaited ever since Borland Resource WorkShop 4.5 appeared.
Now you have a complete, powerful tool for visually building RC scripts
and resource files for your applications. |
Resource Grabber by Richey
Fellner. 26.V.2000.
Resource
Grabber 2.65.
The Resource-Grabber will scan the directories and
drives on your computer and extract all Bitmaps, Glyphs (button
images), Icons, Cursors, Wave sound files and AVI Clips it
finds inside the programs and DLL files in any directory of your
choice. Forget painting all that stuff by yourself; forget hours of
searching for Windows-compatible button layouts ... simply use the
images that are already on your computer! The Resource-Grabber will
extract them from their "hidden" locations inside DLL and
EXE files and give you full access by saving them as regular bitmaps. |
|
Memory dumpers |
IczDump by Iczelion.
22.VIII.2000.
IczDump
1.0 (84K).
IczDump (Iczelion's PE Dumper) is yet another in-memory Portable
Executable File dumper. However, it's different in subtle ways from
other dumpers: it runs in the same process as the target because it's
a DLL. Once the DLL is in a process, it has the same privilege as the
target. |
QuickDump by defiler. 18.XII.1999.
QuickDump
v1.0 (32K).
QuickDump is an easy to use memory dumper. |
DumpFX by F2F.
23.VII.2000.
DumpFX
1.1 (154K).
- allocate memory through a mapping file.
- able to fill the memory with a character.
- write the memory to a file or load a file to the memory.
- search in the memory for bytes.
- display the memory.
- dump a process through a windowtitle.
- process/module killer/dumper. |
Related links:
- ProcDump.
- PEditor. |
|
File scanners/analyzers |
GetTyp by PHaX.
12.V.2000.
2.56
DOS version (166K). 2.56
Win32 version (194K).
- detect 91 archive formats
- list 74 archive formats
- detect 15 image formats
- detect 248 EXE modifiers
- detect 165 COM modifiers
- detect 29 EXE/COM compilers
- detect 99 PE EXE modifiers
- detect 18 PE EXE compilers
- hugest EXE/COM/PE database
- fastest engine
- long filename support
- updated frequently |
File Info by M.Hering.
23.VIII.2000.
File
Info 2.40 (121K).
News:
- improved keypress function
- bugfixed ram alloc. with pklite detection
- added: if date/time suspicious then used red color
- press "c" and CRC32 will be printed, in
list "/c+"
- bugfixed a runtime error in analyzer
- some small bugfixes in code and layout
- ...
- Full header information for dos and win eXecutable.
- Graphical screen to check file encoding/encrypting.
- 9 batchfiles to run externals and file unpacking via typnumbers in
this batches available.
- Internal file viewer HEX/TXT (no edit!), contains options goto,
jump, align, filter and search.
- CmdLine parameter for listmode or showmode. |
File Scanner by SMT.
01.VII.2000.
File
Scanner 2000.6.24 (130K).
News:
- pe-header editor
- speed-up 32-bit disasm a lot...
- pe data directory editor, with quick jumping to
import, export, etc...
- bugfixes in assembler
File Scanner is a freeware program for identifying different file
formats. Now it can do something more, such as unpacking or
decrypting DOS executable files, calculating sizes of directories,
handle headers of executables, playing sounds, edit binary files in
hex, ascii or asm mode and displaying ANSI pictures. The list of
features is still growing... |
File Analyzer by Vadim
Tarasov. 04.VII.2000.
File
Analyzer v.1.6.01.09.2000 (138K). Source
code.
News:
- Too many news to be listed :)
File Analyzer is written for file recognition. FA recognizes many file
packers, compilers, encryptors, etc. FA can also recognize many
non-executable files, for example: archives, graphic files, music
modules and much more. FA can also list the contents of archives. |
TYP by Veit
Kannegieser. 17.IV.2000.
2000.4.15
Dos32 version. 2000.4.15
Dos version. 2000.4.15
OS/2 version.
- Determine archiver, crypter, viruses, compiler, music, images data
files, BIOS-chipsets, ...
- user-friendly background search
- configuration program
- DOS, OS/2 |
EXESCAN by ST!LLS0N.
12.I.1999.
EXESCAN
3.21 (70K).
EXESCAN is an executable file analyzer which detects the most famous
EXE/COM protectors, packers, converters and compilers. |
PEWizard by ST!LLS0N.
05.VIII.1999.
PEWizard
1.1.
PEWizard is a Win32 executable manipulation tool. Includes join,
split option (like PEUtils), a disassembler,
dumper, header viewer, and PE loader recognizer. Recognizes 21
PE-packers, 4 compilers. |
dF File Info by AiRWOLF.
29.VII.2000.
dF
File Info 0.3 (76K).
News:
- MPEG AUDIO Filetype added.
- Fileinfo detects now over 30 different Compiler/Packager/Crypter.
- Targa Filetype added.
- PE-Import Table added.
- RVA to Physical Address Converter.
This is only an alpha version... hope you like it. It analyzes only a few
file formats so far... Gonna be updated every week. |
File Information by Amon
Soft. 07.IX.2000.
File
Information 4.2 (115K).
- Detect more than 60 different packers, encryptors...
- Detect more than 45 different compilers, libraries...
- Detect 5 'New Headers' and device header
- Detect some polymorph cryptors
- Auto unpacking by any packers
- Exactly detect Pklite version
- Detect Borland TLink & Microsoft Link
- Find Description in NE,LE,PE files
- Auto detect Dos Navigator
- Report mode
- Masks |
PE Labs by Latigo. 29.III.2000.
PE
Labs 1.0 (45K).
Displays the most important information about a PE file. Includes
full Win32Asm source code. |
ShowDLL by VoidDweller.
06.VII.1999.
ShowDLL
0.093 (11K).
Show DLL dependencies of NE, PE, LE and LX files. |
MuLTi RiPPeR by THE WONDERFUL TEAM.
01.VIII.2000.
MuLTi
RiPPeR 2.80 (785K).
- Multi-purpose File Ripper. In few seconds cleans & clips @ the
Right size! Rips from any Demo/Game
- Rips over 110 file formats!
- Rips 33 libraries!
- Local Scan Mode, Full Scan Mode, Fast Scan Mode, Recursive SCAN.
All options are: INI configurables, Generic unpacking system,
generic, HackStop remover, Win16/Win32 Resource Decompiler!
- Generic resource decompiler. RIP: EXE, DLL, VBX, SCR, CPL, DRV,
VXD, OCX.
- HEX Viewer, XOR PATTERN Search. Some decryption tools with full src.
- Delphi, C++ builder executable decompiler. |
MultiEx by Mr.
Mouse. 17.VI.2000.
MultiEx.
- DOS/WIN98-based multi format file extractor/importer.
- Easy-to-use MultiEx Commander acts as file explorer.
- Simple scripts enable you to add your own formats.
- Already supports approx. 63 games.
- No more searching the net for that one extractor for that one game. |
Ultra Search by vReal.
29.VIII.2000.
Ultra
Search 1.0 (35K).
Ultra Search locates strings and hex numbers in files. The search is
performed using one of 8 different methods or combinations of methods. |
Related links:
- UN-PACK. |
|
Exe checksum/stub/aligners |
PESum by eGIS!/CORE.
12.I.1999.
PESum
v0.02 (51K).
PESum will check if a PE file has a correct checksum in its header.
If it does not have, PESum will compute the checksum and update the
PE file. |
Virogen's PE Realigner by Virogen.
06.VI.1999.
Virogen's
PE Realigner v0.41 (10K).
News:
- Fixes minor bug in cases where section physical size
is left unaligned by compilers such as LCC.
- makes PE exe/dlls smaller.
- removes unnecessary padding from PEs.
- removes unnecessary padding from object table.
- stores new correct checksum.
- does not alter date/time or file attributes. |
Wipe.Reloc by crayzee.
02.XII.1999.
Wipe.Reloc
1.33 (11K).
News:
- fixed a bug which prevented the files from running
under WinNT.
This utility makes PE files smaller by aligning them (like virogen's
vgalign) and (if processing a non-DLL PE) by removing the .reloc
section. That section is added by TLINK32 to the EXE PE files but is
not needed there, because all EXEs are loaded to their original image
base. It also removes empty waste above and below PE headers and at
the end of the file, sets the correct PE checksum and finally
recovers the previous times of the file. |
TinyStub by crayzee.
22.VIII.1999.
TinyStub
1.1 (5K).
This tiny utility is for replacing the PE file's dos stub. It doesn't
really make the file smaller, but after aligning it with my wipe.reloc
its size can be slightly decreased. |
CheckSum Corrector by Mr
Crimson. 10.I.2000.
CheckSum
Corrector v1.0 (6K).
This program calculates the checksum of PE files and optionally
updates its value in the header. |
SetCSUM by Collake
Software. 11.VIII.2000.
SetCSUM
1.01 (22K).
This simple, console mode utility will verify, and optionally set,
the correct checksum of Portable Executables (win32
EXE,DLL,OCX,SCR,etc..). This checksum is required to be accurate for
NT device drivers and some system DLLs. C++ source included. |
STUBEXE by VoidDweller.
04.VII.1999.
STUBEXE
1.055 (18K).
- support MZ, PE, LE (beta NE)
- optimizes stubs (minimum as could be)
- optimizes zero pages, object table
- detects & destroys header of packers
- DO NOT PACK files. |
Related links:
- PEditor. |
|
Exe rebuilders |
MakePE by G-RoM. 23.VI.1999.
MakePE
1.30 (27K).
News:
- New PE optimizer code.
- Added Section Size Optimizer.
- Changed Banner Stamp method.
MakePE is a PE structure rebuilder. From a dump, made with
ProcDump(TM) or with GTR95(TM) or one you did under SoftICE(TM), it
will try to rebuild the PE header, import section (when possible) and
can reoptimize your dump to reduce it. It can also load a standard PE
file and will try to reduce it if you used the '-s' switch. |
PE Rebuilder by TiTi &
Virogen. 19.X.1999.
PE
Rebuilder v0.96b.
News:
- Added the 'Super-Align' function
- Added the 'Wipe .reloc section' function
- File Size Decrease percentage indicator in the
report dialog
- Some minor code fixes
- Added the little logo (crucial change :P)
This tool is totally free for use and MUST be freely distributed. It
has been made for 2 different aims:
- To reduce PE files physical size to its minimum (without
compression). This is done by realigning the file and wiping useless
padding between sections...
- To rebuild a file that has been purely dumped from memory (with a
softice dumper for example). Actually, those files need to be slightly
modified in order for them to run properly. This tool automatically
fixes section entries in header (size & offset) and is also able
to rebuild the import table if needed. |
PE Fixer by Bonker.
26.I.2000.
PE
Fixer 1.0 (9K).
This utility is for when you are unpacking an app and you need to fix
the section data so that the PSize = VSize and Offset = RVA. Instead
of having to go through each and every section in Procdump, just fire
up this util, click on the button, select the file, and you're done. |
Related links:
- PEditor. |
|
Exe modifiers |
Topo by Mr
Crimson. 20.III.2000.
Topo
1.2 (8K).
News:
- Earlier versions only scanned executable PE sections
looking for zero padded areas. This version allows scanning all sections.
This is a little application which breaks classical limitation in
file patching and avoids the use of loaders/uncompressors.
- It can add new sections to EXE/DLLs.
- It can set up space in existing sections.
- It can redirect the entrypoint to the newly available area.
- It can return to the old entrypoint once the added code is executed.
- It cannot be detected by antivirus software since the PE structure is
changed according to compiler/linker specifications.
- Samples of ASPack and UPX patching without loaders/unpackers are included. |
Code Snippet Creator by Iczelion.
30.III.2000.
Code
Snippet Creator 1.05.2 (107K).
- Can generate code snippets and save them as binary files.
- Support both TASM and MASM.
- Integrated PE editor
- Can insert the snippet into the target PE files as a new section or
into any existing section or even in PE header.
- You can call any functions that are imported by the target PE file. |
Function Replacer by DEATH
of Execution. 16.VII.2000.
Function
Replacer 1.0 (83K).
This programme will replace any export from a DLL with another DLL's
export, it performs an automatic loading of the DLL + getting the
function's address, then calling it. Could be useful sometimes. |
Imhotep by ArthaXerxes.
03.V.2000.
Imhotep
1.2.0.15 (184K).
The purpose of this program is to remove "interleaved"
jumps that make disassembling and reversing harder. This utility is
definitely not for inexperienced reversers. |
PE Header Editor by bart. 15.IV.2000.
PE
Header Editor 0.1 (22K).
The name says it all :), this is a PE header editor. Includes full
TASM source code. |
PEditor by M.o.D.
& yoda. 29.VIII.2000.
PEditor
1.6 (381K).
- all important infos of the PE Header are shown and can be changed.
- file location calculator (VA-RVA-Offset).
- looks up the Section Table and the Directory Table and changes them too.
- splits a file into its sections & PE Header.
- optimizes the PE Header in some things.
- shows the checksum of a file and is able to correct it.
- looks up the most important directories.
- adds, copies and deletes section in the PE Header.
- there's sth like break&enter.
- dumpfixer (RS:=VS and RO:=VO).
- task viewer/killer/dumper.
- importTable rebuilder and PE Realigner included. |
Sadd by NeuRaL_NoiSE.
05.I.2000.
Sadd
1.0 (17K).
A little tool that creates, appends and zero pads a new section in
the specified PE file (dll or exe). Written for educational purposes
only! (Including ASM source.) |
Imagebase changer by Predator NLS.
03.I.2000.
Imagebase
changer (103K).
This tool is able to change the Imagebase of Win32 files. |
PE Validator by LaZaRuS. 02.V.2000.
PE
Validator 1.0 (7K).
PE Validator is a small tool that adjusts PE headers of EXE files
that don't run under Win2K (this file is not a valid Win32
Executable) so that they run under Win2K. |
PEUtils by Andrew
de Quincey. 12.I.1999.
PEUtils
v1.0.
This is a suite of utilities for manipulating PE-format executables.
Full source included. |
BP7PAT by PHaX.
05.XII.1999.
BP7PAT
1.2 (6K).
Patches any EXE file compiled by Borland Pascal 7 which has a
runtime error 200. |
|
Virtual offset to file offset converters |
VA2FO by Iczelion.
Updated 18.III.1999.
VA2FO
1.01 (6K).
This is a utility from PC Coding Division. Written entirely in
win32asm. It's a handy little utility that you can use to convert
virtual addresses seen under SoftICE into file offsets that you can
use in hex editors. You can specify two modes: Virtual Address or RVA. |
OFFset CALculator by Mr
Crimson. 10.I.2000.
OFFset
CALculator v1.0 (6K).
Another virtual address to file offset converter. |
Offset Converter by Apus.
20.XII.1999.
Offset
Converter 1.0 (22K).
Offset Converter is a little tool. The task of it is to convert the
virtual offset to the matching file offset. |
RVA Converter by LaZaRuS. 29.IV.2000.
RVA
Converter 1.1 (8K).
RVA converter is a nice tool which converts memory addresses to file
offsets and the other way. It allows you to find bytes you saw in a
debugger in few seconds. |
|
Binary file editors |
Hiew by Eugene
Suslikov. 27.VI.2000.
Hiew
6.55 (720K).
News:
- fix: crash on long function name for PE import
- fix: keyword 'insert' not recognize into ini-file
- fix: first char clearing all line for line insert mode
- fix: find with pattern from 16bit don't switch into 32bit
- fix: findInput: 0 truncate text line
- fix: don't show latest chars for text/hex findInput
- fix(6.29): lost hi-byte for address in assembler (16bit)
- PE import show at F7 into PE header view
- F7 moved at F10 into PE header view
- NE/LX flags ala Michael Hering
- PEDUMP 1.01
Basically HIEW (Hacker's view) is a hex viewer for those who need to
change some bytes in the code (usually 7xh to 0EBh). Hiew is able to
view unlimited length files in text/hex modes and in Pentium(R) Pro
disassembler mode.
Features:
- Text/hex mode editor
- Built-in Pentium(R) Pro assembler
- HIEW is able to create new files
- Search and replace mode (can be restricted to block size)
- Context-sensitive help (but who needs any goddamned help anyways?
HIEW can operate without help file HIEW.HLP)
- Search of assembler commands using pattern (for real hackers!) |
Biew by Nick
Kurshev. 09.VII.2000.
Biew
5.1.2 (dos, dos32, os/2, win32, linux versions).
News:
- Initial Watcom C and DOS/4GW port.
- Suppressed most compilation extra warnings.
- Fixed bug of uninitializing lx_cache in LE format.
(le_cache is no longer used)
BIEW is a binary file viewer with built-in editors for binary,
hexadecimal & disassembler modes.
- Highlight PentiumIII/K7 Athlon!/Cyrix-M2 disassembler.
- Text viewer with russian codepage support.
- Full preview of formats MZ, NE, PE, LE, LX, DOS.SYS, NLM, arch,
ELF, a.out, coff32 PharLap, rdoff.
- Work with dumps.
- Powerful search system.
- Mouse support.
- Code guider. |
QView by AGC.
15.XII.1999.
QView
2.80.05 (193K).
News:
- Added a new function to the 'Header' dialogue for
PE-files: CreateIFL - [F9], which creates a text file
with the same name as the viewed file but with an '.IFL' extension. This file
contains the names of all the imported libraries and their functions
(imported by names only).
- Fixed a bug with incorrect function names
representation for PE-files
- Editing of files, logical and physical disks, and also 1 Mb of
memory in Text/Hex/Asm modes.
- Built-in Alt/Win/KOI, and up to 4 user-defined encoding tables.
- Support of various LineFeeds.
- Support of analysis of headers of 'MZ','PE','NE','LE','LX' files.
- Viewing of boot record and MBR disks.
- Built-in i486/87 disassembler & i486 assembler.
- Tracing of transitions such as jmp/..., etc.
- Commenting of a file in assembler viewing mode.
- All operations with blocks.
- Support of .CRK files.
- Built-in calculator (H/D/O/B/Ch).
- Multitasking environment friendly.
- And much more... |
HexIt by Mikael
Klasson. 12.XII.1999.
HexIt
v1.55 (139K).
- Built-in assembler (AzmIt) & disassembler.
- Calculator.
- Record & play macros.
- Configurable keys, customizable mouse support.
- Manipulate the EXE-header.
- Compare (w/ lots of options).
- Text viewer, dump viewer w/ mask-option.
- Online help.
- Search & Replace, clipboard (cut,copy,paste), insert &
delete bytes.
- Goto (absolute or relative).
- Use all available mem, up to 100 files in memory.
- Native MS-DOS text mode, native Win32 console mode, splitscreen. |
eco by ultraschall.
29.XII.1999.
eco
2.0 (192K).
A very handy tool for manipulating binary files. You can copy a part
from a file to another, fill in/insert extra bytes, write data,
etc... Supports saving/running commands from a macro file. |
Related links:
- File Scanner. |
|
Spy tools |
File Monitor by http://www.sysinternals.com.
16.VIII.2000.
File
Monitor 4.29 (76K). Filemon
LOG Killer (20K) by Marton & R0ach.
A very cool low level file access monitor. |
Registry Monitor by http://www.sysinternals.com.
28.V.2000.
Registry
Monitor 4.25 (64K).
A very cool low level registry access monitor. |
ATM by Enrico
Del Fante. 03.XII.1999.
ATM
2.2 (57K).
News:
- Better memory stats.
- Improved interface (now resizeable).
- HEIGHT and WEIGHT command line option added.
ATM is a Windows9x-only application designed for power-users who
actually like to handle their systems. It allows you to completely
manage the system priority of all running processes (and some of their own
threads). It provides a real-time capability to monitor all
processes and threads, to manage them (maybe kill'em all...), and
even to spy and control their owned windows. |
Spy & Capture by Kobi
Krichmar. 06.VIII.1999.
Spy
& Capture 2.7 (247K).
News:
- System Active Processes List added, with Modules dependencies.
- Now it is possible to Send Messages to selected
window (in "Misc" tab).
- Minor bug fixes.
Spying tool for Windows 9x/NT. It uses direct mouse positioning to
get window properties and all its objects, styles, classes and
process information. If the window is a control you get its control
styles. Also included:
- System Active Windows.
- System Active Processes (with Modules dependencies).
- Window Capture (Included region capture).
- Color-Spy (supports HTML color format).
- Grab Password Fields ("***" fields).
- Web Update support. |
API Spy by Vitaly
Evseenko. 17.VI.1999.
API
Spy 2.4. Keygen
(2K) by Deniska.
It allows you to examine any known API function call that is resolved
during the program load time and is given by APIS32. APIS32 will only
work with Windows95/98/NT and Win32s applications which will be
executed under Windows 95 or Windows 98 platform. It won't spy upon
API functions called by 16 bit programs. |
ApiHooks by EliCZ.
06.IX.2000.
ApiHooks
3.0 (105K).
News:
- New (remote) threads are silent. DLLs and TLS
callbacks in Target get no DLL_THREAD_* notifications.
- Working with running Win9x console applications is possible.
- New APIs: h* allow user to specify Target by handle.
- New API: GetLastStatus
- Old APIs were simplified and changed to more uniform form.
- Return (error) codes were slightly changed.
- ...
ApiHooks allows developers to watch intermodule communications.
Suitable for file monitors, registry monitors, dumpers, antiviruses
and unpackers. |
Process Memory Manipulator by TrainSpotter.
19.I.2000.
Process
Memory Manipulator 0.2 (176K).
Process memory manipulator is a win32 application which allows you to map
the memory of a specified currently running process. |
Locpinfo for NT by EliCZ. 09.VII.2000.
Locpinfo
for NT (8K).
Locpinfo is for NT only and displays info about current processes on
local machine. |
SMU Inspector by ???. 13.IX.1999.
SMU
Inspector (4K).
A simple windows spy. VB-coded. |
|
Misc. |
PE Characteristic Converter by EdCamper.
25.II.2000.
PE
Characteristic Converter (4K).
At the moment it is just a beta tool to allow you to calculate a
section's characteristics visually. |
LibDump by George
Poulose. 23.V.2000.
LibDump
1.0.
LibDump is a Win32 utility tool similar to Microsoft's DumpBin
utility except that it can be used to display the contents of library
files instead of portable executables and COFF (Common Object File
Format) .OBJ files. Source code is available. |
|