Heaventools

   English English  Deutsch Deutsch

Frequently Asked Questions

For your convenience, a list of frequently asked questions is provided below. Please be sure to review this list, as it is very possible that your question has already been answered here. If the solution you seek is not here, feel free to contact our easy going Technical Support.

Also note that another important source of information is the extensive Help system that has been provided with PE Explorer. The Help system is well-organized and very easy to use. Moreover, by taking a few moments to review the help, you will better familiarize yourself with the program and learn more about all the features available. See also our Getting Started articles.

Questions

Common Questions

File Open

File Save

Resource Editor

Export Viewer

Disassembler

Plug-ins

Common Questions

What is the difference between the trial version and the full version?

Your evaluation copy of PE Explorer is a fully functional time-limited demo with a few restrictions. This means that the same capabilities available in the registered software are present in the non-registered software. This allows you to try out all the basic features in PE Explorer to confirm that they work to your satisfaction.

Some minor functions are disabled until PE Explorer is registered: the "Save all resources at once", "Remove relocations", "Remove debug information", and "Save disassembly" menu commands do not work in trial mode. It is also limited to the number of days you can use the software. Please buy a license to remove these limitations.

Why is PE Explorer so expensive over a free alternative like Resource Hacker?

Let's make it clear: PE Explorer is not a resource editor. It's different. It's better. Even though it contains the resource editor, PE Explorer is meant for "heavy lifting" and has nothing to do with Resource Hacker, just like Notepad is not exactly a free viable alternative to MS Word. PE Explorer is intended to be used in various scenarios such as software development, forensics practice, reverse engineering, extensive binary security analysis and binary auditing processes, and the resource editor is only a tiny fraction of the PE Explorer features. When you utilize all the different tools PE Explorer integrates, you will agree that $129 is definitely an awesome price.
Check out The Feature List

If you want to edit resources only but don't need the extended functionality of PE Explorer, Resource Tuner is the right product for you.

PE Explorer fails if I use it to examine itself. Is this intentional?

Yes. It was our intent.

It claims to be an editor, yet doesn't let me edit the program code. Why?

PE Explorer is not a binary code editor. PE Explorer edits the internal structure of PE files, including resources. If you want to edit the program code, you need a hex editor, such as Flex HEX Editor.

How can I change something in an EXE or DLL file?

Most people asking how to open/edit .EXE or .DLL files are actually not really aware of what they are trying to deal with. EXE and DLL files are not plain, traditional text ASCII files that you can easily read and edit. You cannot simply open up an .EXE like a text file and start editing or reading the contents. Opening an EXE file is equivalent to opening the television box to look at the circuitry inside, instead of using your remote to change the channels. Sometimes the only meaningful information inside executable files is Vendor information (copyrights, trademarks, origins) and Product Version information. These binary files have a complex nested structure defined by the Portable Executable format, and they are not intended to be editable by users, neither are DLLs meant to be opened separately from the programs they belong to.

However, if you do want to change something in an EXE or DLL file for whatever reason, you may be able to do this by changing their resources with Resource Tuner. But still you will not be able to modify the actual code in any way: resources are separated from the program code. This way, you can make significant changes to the interface of the program while leaving the code untouched. You may also be able to translate the program interface into another language.

I couldn't even open a single dll file. All that popped up when I opened it was a whole bunch of numbers.

That's what DLL's are all about. If you expect to see a comics inside, forget it. PE Explorer provides the most useful representation of the data. What you do need is a good understanding of programming functions, and at a minimum the ability to read and understand those numbers.

What is a PE file... I heard of them but thought my OS couldn't run them? Am I likely to have one on my PC? And if so would I want to explore it?

"PE" in this context stands for "Portable Executable", the file format used by EXEs, DLLs, ActiveX controls, and other executable files on 32-bit Windows. The term "Portable Executable" was chosen because the intent was to have a common file format for all flavors of Windows, on all supported processors.

A PE file is a 32-bit executable developed by Microsoft for NT (and W9x) platform. The other notable executable types that run on MS platforms are "MZ" (DOS), "NE" and "LE" — but those 16-bit formats are obsolete (but they will still run). Open an exe file in a Hex Editor and the first two values in the file will be 'MZ' — yes the DOS header is still there. Scan down 128 bytes and you should find the values 'PE' — this is where the PE format takes over.

For greater detail download PE Explorer and consult the extensive Help system that has been provided with PE Explorer. The Help system is well-organized and very easy to use. Moreover, by taking a few moments to review the help, you will better familiarize yourself with the program and learn more about all the features available.

Not all PE files have the 'exe' extension. Other notable PE files have the extensions "dll", "scr", "sys", "cpl" and "ocx", and even "msstyles" featured in Windows XP. Also note that not all PE files will run on their own — dll's for example. PE files that run on their own include exe, scr and cpl.

More detailed information can be found in the Microsoft Developer Journal article, February 2002: An In-Depth Look into the Win32 Portable Executable File Format by Matt Pietrek.

Is PE Explorer a developer tool, or is this something a general computer user would use?

Everyone can benefit from this software. Being an affordable developer tool, PE Explorer makes every person who is interested in looking inside of Windows programs a potential buyer. The program is an easy-to-use tool for all users, but some functions require advanced programming knowledge to comprehend. Using PE Explorer assumes some basic knowledge of the internal structures of PE files.

See also: User Testimonials

Will there be a version for 64-bit exe files in the future?

Yes. We will come up with 64 bits in the version 2.

Any plans to localize PE Explorer in German and/or other languages?

Yes. The version 2 will have the multilingual interface.

File Open

I got an immediate error of something like "This file is likely damaged, packed or compressed". What can I do?

Nothing. This is not viewed as a bug. We are not going to defeat the security attempts of other software authors. PE Explorer automatically unpacks only files compressed with UPX, Upack and NsPack.    More on File Open Errors...

When I try to put my DLL back I get the following error: Can't create new image file, the original file has been probably packed. Any hints?

Please be advised that your dll might be really packed! Our software unpacks only files compressed with UPX, Upack and NsPack. So if your dll was packed by any other third party packer, you have to unpack it before modifying. Otherwise the chances are you can't create a new image file.

What are packers?

Packers are utilities that compress Windows portable executables (EXE, DLL, etc) significantly while leaving them 100% functional. They alter executables to include a decryptor routine that is first executed. The result is a smaller executable overall with one extra section inside, and that section is executed on startup to decompress, and the executable runs as normal. Most of packers encrypt data and resources and protect exe files from reverse engineering.

I got an immediate error of something like "Incompatible" and "of type NE". What is a "NE" type file?

PE Explorer works with PE files only. An NE (or "New Executable") file is a 16-bit application intended to run on old Windows versions 3.xx.

Will the PE Explorer work with NE and other 16-bit files?

No. The NE format is obsolete.

If PE Explorer doesn't work on NE type files, do you have a product that does?

No. At any rate, knowledge of 16-bit format makes less sense especially since the 64 bit processors have hit the market.

PE Explorer doesn't work with .Net files, why?

PE Explorer (at least, the current version) does not support for .Net assemblies. It was designed to work with pure win32 unmanaged PE files.

Your tool says it has some internal error and hence opening in SAFE MODE. Why?

If opening a file produces an error, PE Explorer opens that file in Safe mode. While in Safe mode, the data that caused the error can not be operated on. This does not guarantee that the excluded file data is error free, but in many cases allows you to work with damaged files (e.g. compressed files). For example, if the Import section follows the Resource section, you normally cannot open such a file in a binary analyzer. PE Explorer provides a solution by enabling you to to work with damaged/packed/crypted files and examine the inner workings of applications and dll's.

File Save

If I open an executable with PE Explorer and then go to SaveAs and save the executable under a different name WITHOUT making ANY changes to it, and then I compare the two files with a hex editor, there are MANY changes to the file. Why are there changes even though I didn't make any?

PE Explorer provides two functions that are automatically performed when opening a file: unpacking files compressed with UPX, Upack and NsPack, and error checking.

If your target file was packed with UPX, it was unpacked automatically and saved unpacked. PE Explorer does not re-pack the previously packed files. That is why the original file size is increased. Check out the logfile for details.

The next thing PE Explorer does is re-compiling the file resources according to the MS PE file specification. That may also be the reason why the original file size is changed after a simple "Save as..." operation.

If you don't want any changes to be made, just do not save.

Resource Editor

How can I get started editing PE file resources?

This page: Resource Tuner Tutorials covers some of the most popular features of the Resource Editor. Find out how Resource Tuner can help you have a personal touch on your favorite applications.

How do I export all resources, edit them and import them back?

The current version of the Resource Editor has no import feature. We recognize the potential value of this feature, but this will be available only in version 2.

It seems to only handle regular Win32 resources. Do you have a version that handles .NET resources in managed assemblies?

No. Or not yet.

Why does PE Explorer tell me that the icons I have selected to replace do not have the same size and the same bits and color depth? Can you fix it?

This is not a program error. When replacing icons, you must make certain that the replacement sources are the same size and have the same number of colors as the item to be replaced (e.g. a 16x16 4-bit icon can not be replaced with a 32x32 8-bit icon).

Why? Because there are more than just one icon inside an EXE, even though they all may look the same especially the 8-bit and 32-bit ones. For example, this is how the Icon Group from our beloved Notepad looks like:

Notepad IconGroup

Each Icon Group can contain multiple icon images, each with a different size and/or color depth. Common sizes include 16, 32, and 48 pixels square, color depths include 32-bit (24-bit with 8-bit alpha channel), 8-bit (256 colors) and 4-bit (16 colors).

When Windows prepares to display an icon, a desktop shortcut for example, it chooses an icon from the Icon Group based on specific criteria. Carelessly swapping out the icon sizes may result in The Big Icon Mess: when you mess with icons they cease to be right icons.

How can I edit resources from the command line?

Resource Tuner Console, a command line batch processing version of the resource editor is available for download.    More on RT Console...

I need a command-line tool to change the Icon in an exe file. Do you have that?

Yes, we have Resource Tuner Console. Since there may be more than one icon in an exe file, the tool supports Icon resource files (files with a .ICO extension) that contain one or more images which may be at different pixel sizes and/or color depths. If an .ico file contains more than one image, the whole icon set will be added or changed (depending on the EditMode and ChangeMode settings) at once. RTC accepts input from a script file. Sample scripts can be found within the Resource Tuner Console package.

Export Viewer

How do I get parameters on function exports? I have the function name, but that is near useless unless I can figure out the parameters.

If you don't have the source code and API documentation, the machine code is all there is. PE Explorer provides a Disassembler. There is only one way to figure out the parameters: run the disassembler and read the disassembly output. Unfortunately, this task of reverse engineering the interface cannot be automated.

PE Explorer comes bundled with descriptions for 39 various libraries, including the core Windows operating system libraries (eg. KERNEL32, GDI32, USER32, SHELL32, WSOCK32), key graphics libraries (DDRAW, OPENGL32) and more. But PE Explorer is unable to provide description sets for all libraries or functions ever written by humankind.

Disassembler

What is a disassembler?

A disassembler is a computer program which translates machine language into assembly language, performing the inverse operation to that of an assembler. A dissasembler differs from a decompiler, which targets a high level language rather than assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principly a reverse-engineering tool. Though this may not do you any good unless you know assembler already.

Is true decompilation possible?

No, of course not. Fully automated decompilation is not possible — no decompiler could exactly reproduce the original source code.

Well, we hate to burst your illusions but PE Explorer does not decompile code. It disassembles code, which is the task of converting machine code into assembler, but it does not generate C or C++ code from the disassembled output. Which is a task of great difficulty.

It spits the results out in assembly format, which I don't understand at all. Do you have other products/plug-ins that can spit it out in English?

Obviously, source language syntax no longer exists in the executable. It would be very difficult for a decompiler to interpret the series of machine language instructions (ASM) that exist in an executable file and decide what the original source instruction was.

I have just run the disasembler on an exe file and want to change some code in it. But how do I put it back into an application format like it was?

Results generated by the PE Explorer disassembler are for comparison purposes only. The generated output can not be recompiled as is and has not been optimized for memory and processor usage.

Why couldn't be the disassembler slightly more usable (a list of API functions etc)?

It will be — in future versions. The "what-to-do" list is mile long and seems to be endless.

What are the benefits of the disassembler if all it gives you just an unreadable assembly format?

The disassembly listing uses Intel mnemonics. A familiarity with Intel mnemonics helps with reading the listings. A solid grasp of the PE file format also helps. A description of the format can be found in the PE Explorer help.

The PE Explorer Disassembler provides addititional processing for the section header data of a PE file. The disassembler translates the binary machine language digits that form the PE file into assembly language instructions and displays the results as a best approximation of how the original instructions might have appeared to the person who wrote them. The interpretation introduces imprecision just as a letter written in English then translated into Chinese and then translated back into English might contain errors.

The PE Explorer Disassembler handles common variants by default and can be set to handle uncommon variants as well. The benefit of having the disassembly listing is proportional to one's grasp of assembly language.

A description of Intel mnemonics, cpu architectures and assembly language in general can be found elsewhere at intel.com.

Plug-ins

How can I write my own custom plug-in for PE Explorer?

See the PE Explorer help for the plug-in API.   More on the plug-ins



Have More Questions?

Feel free to contact our easy going Technical Support and submit your request.

 

Start Exploring Your Applications Now!

Give PE Explorer a trial run!Give PE Explorer a trial run for 30 days free! Once you try it, we think you will find it hard to go back to other PE file hacking utilities. For maximum editing and inspecting power, purchase a Personal license now for $129.00. The Business license is available for $229.95.