2

I hope someone has an idea on what's happening.

Let's say I have a .NET application (with any other application, apparently, there is no such problem). I open the app in a hex editor, search for the code section header and change the Characteristics value (the last one in a section header) by adding an IMAGE_SCN_MEM_WRITE value to it (and by adding I mean the OR operation).

For example, it was 0x60 0x00 0x00 0x02, i change it to 0xE0 0x00 0x00 0x02. (IMAGE_SCN_MEM_WRITE = 0x80 0x00 0x00 0x00)

Then I try to start the application that worked fine before me changing anything and I get this error message error "This application could not be started"

That's where it redirects me when i press OK https://support.microsoft.com/en-us/help/2715633/shim-errors-for-the--net-framework-version-and-platform-support

That's what it says there:

The app is not configured in a way that makes it possible to determine the appropriate version of the .NET Framework runtime. The corresponding shim code is SHIM_NOVERSION_FOUND. You can't fix the configuration problem yourself. Contact the app vendor to resolve the issue.

So what could possibly be the problem here? Oh, by the way, no other bytes in the file were changed and when I change the Characteristics value back everything works fine.

w1th3r
  • 21
  • 1
  • 1
    why are you editing your file in a hex editor? What's the purpose of this? It's not clear what you're trying to achieve. – ADyson Jan 10 '18 at 11:35
  • Trying to understand the PE format. Stumped right away. – w1th3r Jan 10 '18 at 12:44
  • Does this help? https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-pe-headers/ – ADyson Jan 10 '18 at 12:51
  • FWIW I think this is a perfectly valid question as the best learning comes with tinkering IMO. My guess is that since you've edited the file, but haven't updated the PE checksum, it therefore no longer matches causing a security check to fail. Use a tool to calculate and replace the checksum after your edit, or you can try MSVC++'s editbin (using argument: /section:.text,cerw) which updates the checksum along with your change if nothing else to see if the problem goes away. – byteptr Jan 11 '18 at 20:23
  • I thought about it. The checksum is set to zero. What I think is happening is that there is some code that modifies itself for some reason while in memory So the original file wouldn't allow to edit anything and start fine. I don't know why would you even add this code. – w1th3r Jan 12 '18 at 09:22
  • Does the module have a digital signature? – byteptr Jan 12 '18 at 19:04
  • Sounds like a loader error but still could be app-defined. Can you find the error string/dialog using a resource dumping tool like Reshacker? Also try stepping through in a debugger, even an assembly level debugger (e.g. OllyDbg, Windbg). The question is whether the Windows loader is throwing this error or code within the executable. If not the Windows loader, is it .NET boostrapping past the PE entrypoint (but prior to the .NET entry) or .NET code itself. Use ILSpy/ILSpector to test the latter without a debugger. – byteptr Jan 15 '18 at 17:36

0 Answers0