Today, let’s do something interesting. We all know that .reloc section is used for relocation in the PE file and it is essential for most DLL file because usually these files can’t be loaded into the desired image base. But for the PE file, it might not be so important. So, what we will do is to delete this section and change some bytes in the PE file to make it runnable. By doing this, hope we can have a better understanding of the PE format. Let’s start.

I used this C++ code to build the file.

++
1
2
3
4
5
6
#include<iostream>

int main(){
std::cout<< “Delete the .reloc section!” << std::endl;
system(“pause”);
}

First, we need to delete the .reloc section header. Use the PEview we can see this.

This section header starts at offset 300 and the size is 28. So overwrite this part with 0 using HxD.

We can also see from PEview that the .reloc section starts at offset EC00 so let’s delete all the data starts from that place.

Don’t celebrate now, there are other things we need to do.
In the IMAGE_FILE_HEADER structure, there is a data for Number of Sections. In our case, we can see it’s 8.

Since we deleted one section, we should decrease it to 7.

And we need to change the Size of Image in the IMAGE_OPTIONAL_HEADER.

We know the virtual size of the .reloc section is 771 and due to the section alignment we should make it as 1000. In this case, the new Size of the image will be 24000-1000=23000.

Ok, let’s run the file.

It’s done!

Any question, please contact me at xudong_shao@hotmail.com.