
              ***************************************************
              *                                                 *
              *               PE Rebuilder v0.95b               *
              *                                                 *
              *      by TiTi/BLiZZARD & Virogen/PhrozenCrew     *
              *                                                 *
              *                Released 08/26/99                *
              *                                                 *
              ***************************************************



Check for updates at : http://titiasm.cjb.net


Tested on Win95/98/NT4/2000
----------------------------------------------------------------------------------

Intro :
=======

 Firstly, after the first public release of this tool, I got some nice feedbacks
so thanks to those who support this project :)
 Here is the 2nd public release : v0.95b.

 Two brand new functions have been added, in order to make your PE files the
smallest possible. Check details below.

 This tool is totally free for use and MUST be freely distribued. It has
been made for 2 different aims :

   - To reduce PE files physical size to its minimum (without compression). This
    is done by realigning the file, wiping useless padding between sections,
    reducing space used by MZ header, and wiping useless sections.

   - To rebuild a file that has been purely dumped from memory (with a softice
    dumper for example). Actualy, those files need to be slightly modified in
    order for them to run properly : This tool automatically fixes section entries
    in header (size & offset) and is also able to rebuild the import table if
    needed.

  This tool has been coded in pure win32asm language and we included full TASM
source code. This may be a nice example of : general pe files operations, pe
alignment modifs, resource tree traversal, import table traversal, basic gui
programming with win32asm, etc...

THE SOURCE CODE IS INCLUDED FOR EDUCATIONAL PURPOSE. IF YOU WANT TO USE A PART
OF THIS SOURCE IN YOUR OWN PROGRAMS, YOU HAVE TO ASK THE AUTHORS BEFORE !!!


Functions :
===========

  Using this tool is very easy. Here is a short explanation of each function :


  1. 'Realign PE File'
  --------------------

   This will set the new specified file alignment and 're-compute' the pe file for
  optimal using of this new alignment. This leads to significiant physical size
  reducing. This function is based on an improved version of virogen's PE Realign
  routine v0.41; here are its main features : makes PE exe/dlls smaller, removes
  unnecessary padding from PEs and object tables, and stores new corrrect checksum.

      Explanation:
    For whatever reason (I think perhaps for quicker load time), newer win32
  executables typically have a file alignment of 1000h (4096). What this means is
  that there is a shitload of wasted space in the executable. To explain this,
  consider an object that has a real physical size of 8050h. Since this physical
  size must be aligned on a file alignment boundary, the end physical size of the
  object is 9000h. This is 0FB0h (4016) bytes of wasted disk space for this one
  object. Now if we change the file alignment to 200h (512) then the end physical
  size of the object is only 8200h, wasting only 1B0h (423) bytes of disk space.
  This function also checks for other wasted space in the PE file and removes it.


  NB : The new file alignment you specify in the corresponding field must NOT be
      greater than the original file alignment, and must NOT be lower than 200h.


  2. 'Fix Section Sizes'
  ----------------------

    This is a sub-option of the PE realigner. It will re-compute each section RAW
  size in order remove unnecessary 00h that stand at the end of each section. It
  will make your PE smaller, especially if it has been dumped from memory.


  3. 'Rebuild Import Table'
  -------------------------

    This function is useful for dumped files. Actually, if you dump compressed
  executables from memory, sometimes the import table will be corrupt. (for example
  with Petite 1.4 or 2.0, PE-Pack v1.00, etc...). For more details about import
  table rebuilding, read TiTi's essay, which is included with this tool.


  4. 'Restructure Resource Directory'
  -----------------------------------

    This function will not lead to any size decrease of the pe file. However it
  will restructure the resource directory of the file, placing icons and version
  info in the first position. This can be helpful to get better results with PE
  compressors.


  5. 'Fix Section RAW Offsets'
  ----------------------------

    This is only useful if the pe file has just been purely dumped from memory,
  using a softice dumper or a basic/custom dumper. What it does is just to replace
  each section's RAW offset by RVA, and RAW size by Virtual Size. This is just a
  very simple operation that has to be performed on every dumped file for them to
  run properly.


  6. 'Make a backup copy of original pe file'
  -------------------------------------------

    Hmmm well i think you'll understand what this function does :pppp. Anyway,
  backing up your PE file is more than recommended if you dont want it to be
  definitively corrupted.


  7. 'Super-Align'  NEW !
  -----------------------

    This new function in v0.95b is specific and complete alignment routine that
  will make your PE the smallest possible. What it does is reducing the MZ header
  to minimum, wiping the end of the file, and doing a 2 pass realign. Although
  these hard aligned PE Files will ONLY RUN ON Win95/98... and NOT on WinNT/2000.
  There are 2 modes :

	Strong Mode : This mode places the PE Header at offset 0Ch which makes
                     the DOS stub (MZ Header) corrupted -> if such a modified PE
                     file is launched from 16bits DOS, it will crash. Anyway it
                     will stay fully functionnal on Win95/98.
                      This method uses the fact that, by placing PE Header at
                     offset 0Ch, we obtain MZ(3Ch) = PE(30h) which is the
                     BaseOfData entry of the PE Header. This entry is unreliable
                     and its modifying doesn't affects the running of the PE.
                     So we put PE(30h) = MZ(3Ch) = PtrToPEHeader = 0Ch

      Friendly Mode : This Mode doesn't corrupt the DOS stub (MZ Header) : the
                     PE Header begins at offset 54h, but when run on 16bits DOS,
                     your program will just quit (and not crash).

    NB : The only difference between the 2 modes specified above is the behaviour
        of your PE file when launched from 16bits DOS. The Strong mode makes the
        placement of the PE header optimal.


  8. 'Wipe the .reloc section'  NEW !
  -----------------------------------

    Another new function in PE Rebuilder v0.95b. It will simply delete the .reloc
  object from your PE file (and also from the object table). Actually, this
  reloc section is often useless for a PE file to run properly, provided it is
  a classic EXE and not a DLL.
    This function actually wipes the .reloc section and then automatically
  performs a realignment of the file, in order to fix other objects and gain more
  space. Anyway it doesn't change the filealign value or resize sections. For that
  just use the first function above :)


WARNING !!!
===========

  PE Rebuilding is a sensitive process, and may lead to crashes on some PE Files.
So, ALWAYS do a save copy of the file you want to rebuild. Authors are not
responsible of any damage made by this tool to your system. Use it at your own
risk :p


Contact :
=========

  If you have any bug report, comment, advice, question, or any feedback about this
tool or its source code, feel free to contact the authors at :

    TiTi    - titi@blizzard.st  -  http://titiasm.cjb.net
    Virogen - vgen@hotmail.com

Or come to #win32asm (EFNet)


Version History :
=================

v0.80 -> v0.95 Changes :

  - Added the 'Super-Align' function
  - Added the 'Wipe .reloc section' function
  - File Size Decrease percentage indicator in the report dialog
  - Some minor code fixes
  - Added the little logo (crucial change :P)

v0.85 -> v0.90 Changes :

  - FIRST PUBLIC RELEASE
  - Fixed minor infos in the about box
  - Written help file :ppp

v0.80 -> v0.85 Changes :

  - Cleaned code and commented some functions
  - Fixed a bug that caused error when opening files under win95/98
  - Added icon to the window
  - Fixed tab order in the window
  - Filename editbox is no more readonly
  - Fixed minor bug in section raw fix report
  - Added about box

v0.75 -> v0.80 Changes :

  - Included Resource Restructure routine
  - Added an error check in the GetRsrcRva function that seemed to crash sometimes
  - Fixed a bug in report display (report text didn't init when the 'backup'
   option wasn't checked, now fixed).
  - Improved error notification system
  - Added progress bar and status bar indicators

v0.70 -> v0.75 Dev :

  - Cleaned a bit the code (especially file mapping operations)
  - Improved and cleaned the import rebuild function by using imagehlp functions
   to convert Rva->Va instead of a personnal routine.
  - Import table rebuilding is now more 'intelligent' and don't fix IAT that dont
   need to be fixed. (Detection is better).
  - Added full detailed report feature.


Things to do/add :
==================

  - Improve the import table routine for ordinal imported functions support
  - The code becomes to be confusing and not very optimized... We'll try to clean
   that soon... :p