Heaventools


Frequently Asked Questions

For your convenience, a list of frequently asked questions is provided below. Please be sure to review this list, as it is very possible that your question has already been answered here. If the solution you seek is not here, please feel free to contact us.

General Questions

What is the difference between the trial version and the full version?

Your evaluation copy of PE Explorer is a full-featured release. This means that the same capabilities available in the registered software are present in the non-registered software. This allows you to try out all the features in PE Explorer to confirm that they work to your satisfaction.

Why is PE Explorer so expensive compared to a free alternative like Resource Hacker?

Let's make it clear: PE Explorer is not a resource editor. Even though it contains a resource editor, PE Explorer is meant for "heavy lifting" and has nothing to do with Resource Hacker. PE Explorer is intended for scenarios such as software development, forensics practice, reverse engineering, extensive binary security analysis and binary auditing. When you use all the different tools PE Explorer integrates, you will agree that $129 is definitely an awesome price. Check out the Feature List.

If you want to edit resources only but don't need the extended functionality of PE Explorer, Resource Tuner is the right product for you.

PE Explorer fails if I use it to examine itself. Is this intentional?

Yes. It was our intent.

Will there be a version for 64-bit exe files in the future?

Yes. We will add 64-bit support in version 2.

Any plans to localize your software product in German and/or other languages?

Yes. Version 2 will have a multilingual interface.

File Open

I got an immediate error of something like "This file is likely damaged, packed or compressed". What can I do?

Nothing. This is not viewed as a bug. We are not going to defeat the security attempts of other software authors. PE Explorer unpacks only files compressed with UPX using the Plug-In subsystem.

When I try to put my DLL back I get the following error: Can't create new image file, the original file has been probably packed. Any hints?

Please be advised that your DLL may really be packed. Our software unpacks only files compressed with UPX. So if your DLL was packed by any other third-party packer, you have to unpack it before modifying it. Otherwise, chances are you can't create a new image file.

What are packers?

Packers are utilities that compress Windows portable executables (EXE, DLL, etc.) significantly while leaving them 100% functional. Most of them encrypt data and resources and protect exe files from reverse engineering.

I got an immediate error of something like "Incompatible" and "of type NE". What is an "NE" type file?

PE Explorer works with PE files only. An NE (or "New Executable") file is a 16-bit application intended to run on Windows® 3.xx.

What is a PE file... I heard of them but thought my OS couldn't run them?

"PE" stands for "Portable Executable". The term "Portable Executable" was chosen because the intent was to have a common file format for all flavors of Windows, on all supported CPUs. A PE file is a 32-bit executable developed by Microsoft for NT (and Win95). The other notable executable types that run on MS platforms are "MZ" (DOS), "NE" and "LE". Those formats are obsolete, although they will still run. Open an exe file in a hex editor or binary viewer and the first two bytes in the file will be 'MZ' — yes, the DOS header is still there. Scan down 128 bytes and in most cases you should find the values 'PE' — this is where the PE format takes over.

Not all PE files have the 'exe' extension. Other notable PE files have the extensions "dll", "scr", "sys", "cpl" and "ocx", and even "msstyles" featured in Windows XP. Also note that not all PE files will run on their own — dll's for example. PE files that run on their own include exe, scr and cpl.
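The header check described above, written out as an added example (it is not Heaventools code). It reads the offset of the new header from the DOS header field at 0x3C instead of assuming a fixed position, separates PE from NE, LE and plain MZ files, and lists the section names of a PE image, where UPX0 and UPX1 are the names UPX normally leaves behind. The function names are assumptions, and build_sample produces constructed test images only.

```python
import struct

def classify_executable(data):
    """Return 'PE', 'NE', 'LE', 'MZ' (DOS only) or 'unknown' for a file image."""
    if data[:2] != b"MZ":
        return "unknown"
    if len(data) < 0x40:
        return "MZ"  # too short to hold the e_lfanew field at offset 0x3C
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]  # slicing past the end just yields b""
    if sig == b"PE\0\0":
        return "PE"
    if sig[:2] in (b"NE", b"LE"):
        return sig[:2].decode("ascii")
    return "MZ"

def section_names(data):
    """List the section names of a PE image; [] if not PE or headers are cut off."""
    if classify_executable(data) != "PE":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # 20-byte COFF file header
    if coff + 20 > len(data):
        return []
    (count,) = struct.unpack_from("<H", data, coff + 2)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(count):
        entry = table + 40 * i               # each section header is 40 bytes
        if entry + 40 > len(data):
            break                            # truncated or damaged table
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("latin-1"))
    return names

def build_sample(sig, sections=()):
    """Constructed image: 128-byte DOS part, then signature, COFF header, sections."""
    dos = bytearray(128)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 128)   # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + bytes(32) for name in sections)
    return bytes(dos) + sig + coff + table

if __name__ == "__main__":
    packed = build_sample(b"PE\0\0", [b"UPX0", b"UPX1", b".rsrc"])
    print(classify_executable(packed), section_names(packed))
```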

Will the PE Explorer work with NE and other 16-bit files?

No. The NE format is obsolete.

If PE Explorer doesn't work on NE type files, do you have a product that does?

No. At any rate, knowledge of the 16-bit format makes less sense, especially now that 64-bit processors have hit the market.

Your tool says it has some internal error and hence opening in SAFE MODE. Why?

If opening a file produces an error, PE Explorer opens that file in Safe mode. While in Safe mode, the data that caused the error cannot be operated on. This does not guarantee that the excluded file data is error free, but in many cases allows you to work with damaged files (e.g. compressed files). For example, if the Import section follows the Resource section, you normally cannot open such a file in a binary analyzer. PE Explorer provides a solution by enabling you to work with damaged, packed or encrypted files and examine the inner workings of applications and DLLs.

File Save

If I open an executable with PE Explorer and then go to SaveAs and save the executable under a different name WITHOUT making ANY changes to it, and then I compare the two files with a hex editor, there are MANY changes to the file. Why are there changes even though I didn't make any?

PE Explorer provides two functions that are automatically performed when opening a file: unpacking files compressed with UPX using the Plug-In subsystem, and error checking.

If your target file was packed with UPX, it was unpacked automatically and saved unpacked. PE Explorer does not re-pack the previously packed files. That is why the original file size is increased. Check out the logfile for details.

The next thing PE Explorer does is re-compiling the file resources according to the MS PE file specification. That may also be the reason why the original file size is changed after a simple "Save as..." operation.

If you don't want any changes to be made, just do not save.

Disassembler

Is true decompilation possible?

No, of course not. Fully automated decompilation is not possible — no decompiler could exactly reproduce the original source code.

Well, we hate to burst your illusions, but PE Explorer does not decompile code. It disassembles code, which is the task of converting machine code into assembler, but it does not generate C or C++ code from the disassembled output, which is a task of great difficulty.

It spits the results out in assembly format, which I don't understand at all. Do you have other products/plug-ins that can spit it out in English?

Obviously, source language syntax no longer exists in the executable. It would be very difficult for a decompiler to interpret the series of machine language instructions (ASM) that exist in an executable file and decide what the original source instruction was.

I have just run the disassembler on an exe file and want to change some code in it. But how do I put it back into an application format like it was?

Results generated by the PE Explorer disassembler are for comparison purposes only. The generated output cannot be recompiled as is and has not been optimized for memory and processor usage.

Why couldn't the disassembler be slightly more usable (a list of API functions, etc.)?

It will be — in future versions. The "what-to-do" list is a mile long and seems to be endless.

What are the benefits of the disassembler if all it gives you is just an unreadable assembly format?

The disassembly listing uses Intel mnemonics. A familiarity with Intel mnemonics helps with reading the listings. A solid grasp of the PE file format also helps. A description of the format can be found in the PE Explorer help.

The PE Explorer Disassembler provides additional processing for the section header data of a PE file. The disassembler translates the binary machine language digits that form the PE file into assembly language instructions and displays the results as a best approximation of how the original instructions might have appeared to the person who wrote them. The interpretation introduces imprecision, just as a letter written in English, then translated into Chinese, and then translated back into English might contain errors.

The PE Explorer Disassembler handles common variants by default and can be set to handle uncommon variants as well. The benefit of having the disassembly listing is proportional to one's grasp of assembly language.

A description of Intel mnemonics, CPU architectures and assembly language in general can be found at intel.com.

 
