When you check the PE header (https://en.wikipedia.org/wiki/Portable_ ... _fixed.svg) of trek.exe, you find that there are 6 sections listed in the section table. Each of those section entries is 40 bytes large, so the section table can be enlarged by another 10 sections without having to move and patch any code. All that needs to be done is to enlarge the exe file, update the PE header for the new sections, and write proper values for the new section locations, the virtual address mapping, and the characteristics that say whether each section can be read, written or executed.
But step by step:
- With your hex editor, enlarge your exe file size by whatever space the new sections should be.
- Next, starting at 0x268 hex file offset, append your sections to the section table according to the PE header documentation above, by entering:
- up to 8 bytes for the new section name,
- skip 4 bytes: this is the virtual memory size used, but it doesn't seem to be relevant or is auto-calculated from the raw file size of the section,
- enter the virtual memory address, i.e. where the code is loaded when the app is started and what the assembler addresses refer to,
- enter 4 bytes for the raw file size of the section,
- enter 4 more bytes for the raw file offset of the new section,
- skip 16 bytes for unused relocations,
- enter 4 bytes for the characteristic flags of the section
For the characteristic flags, either copy over the characteristics from another section you know or refer to https://docs.microsoft.com/en-us/window ... tion-flags
The most important flags likely are:

| Flag | Value | Description |
| --- | --- | --- |
| IMAGE_SCN_CNT_CODE | 0x00000020 | The section contains executable code. |
| IMAGE_SCN_CNT_INITIALIZED_DATA | 0x00000040 | The section contains initialized data. |
| IMAGE_SCN_CNT_UNINITIALIZED_DATA | 0x00000080 | The section contains uninitialized data. |
| IMAGE_SCN_MEM_EXECUTE | 0x20000000 | The section can be executed as code. |
| IMAGE_SCN_MEM_READ | 0x40000000 | The section can be read. |
| IMAGE_SCN_MEM_WRITE | 0x80000000 | The section can be written to. |

As you might spot, the trek.exe .reloc relocation table section is flagged with "IMAGE_SCN_MEM_DISCARDABLE 0x02000000 The section can be discarded as needed.".
- Then update the File header to increase the NumberOfSections
- Further update the 'Optional Header' SizeOfImage value to your last section's virtual address + raw size, rounded up to match the section alignment of 0x1000. For example, the trek.exe .rsrc resource section is set to start at virtual address 0x29D000 with a size of 0xA00, so it ends at 0x29DA00, but because of the section alignment of 0x1000 the image size actually ends at 0x29E000.
- In addition, in the 'Optional Header' there are some further size attributes named 'SizeOfCode', 'SizeOfInitializedData' and 'SizeOfUninitializedData'.
I dunno if these are important, but they cumulate the size of the different section types. So when you have two sections of executable code you cumulate the raw sizes of both of them.
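The manual steps above, scripted as an added example (not part of the original post). It locates the section table from the header fields instead of a fixed offset and refuses to write when no free slot is left. The function names and the header-only sample image are constructed for illustration. Setting the virtual size equal to the raw size and rounding the raw size up to FileAlignment are assumptions of this sketch, and 'SizeOfCode' and its siblings are left untouched.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # one 40-byte section table entry
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def append_section(image, name, vaddr, raw_size, flags):
    """Append one section to a PE image (bytearray); return the new entry's file offset."""
    pe, = struct.unpack_from("<I", image, 0x3C)              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0" or len(name) > 8:
        raise ValueError("not a PE file, or section name longer than 8 bytes")
    count, = struct.unpack_from("<H", image, pe + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)     # SizeOfOptionalHeader
    opt = pe + 24                                            # start of the Optional Header
    sect_align, file_align = struct.unpack_from("<II", image, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    entry = opt + opt_size + count * 40                      # first slot after the table
    if entry + 40 > size_of_headers or any(image[entry:entry + 40]):
        raise ValueError("no free slot left in the section table")
    if vaddr % sect_align or vaddr < size_of_image:
        raise ValueError("virtual address is unaligned or overlaps the existing image")
    raw_ptr = align_up(len(image), file_align)               # new data goes at the file end
    raw_size = align_up(raw_size, file_align)
    image.extend(bytes(raw_ptr + raw_size - len(image)))     # enlarge the file with zeros
    # Name, VirtualSize (assumed = raw size), VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocation/line-number fields (4+4+2+2 bytes, zero), flags.
    struct.pack_into(SECTION_FMT, image, entry, name.encode(), raw_size, vaddr,
                     raw_size, raw_ptr, 0, 0, 0, 0, flags)
    struct.pack_into("<H", image, pe + 6, count + 1)
    struct.pack_into("<I", image, opt + 56, align_up(vaddr + raw_size, sect_align))
    return entry

def constructed_sample():
    """Constructed header-only image (not trek.exe): one section, alignments 0x1000/0x200."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 1)                     # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<II", img, 0x98 + 32, 0x1000, 0x200)   # Section/FileAlignment
    struct.pack_into("<II", img, 0x98 + 56, 0x2000, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into(SECTION_FMT, img, 0x178, b".text", 0x200, 0x1000, 0x200, 0x400,
                     0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return img
```

Run it on a copy of the file and compare the patched header in a PE viewer before testing the executable.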