如何手动[没有任何额外的脚本/程序]查看Windows可执行文件是否为32/64位?
我一直在环顾四周,发现应该是我的答案。 根据我的理解,在60字节输入时,假设出现以下数字。
I386 0x014c
IA64 0x0200
AMD64 0x8664
跳到PE偏移后,我仍然没有看到机器类型。我做了一个Find&没有看到任何匹配[除非由于某种原因靠近底部]。 64 86 06 00不在上面的列表中,所以我不知道我做错了什么。
Notepad.exe (64bit)
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
83 C2 32 29 C7 A3 5C 7A C7 A3 5C 7A C7 A3 5C 7A
CE DB D8 7A C6 A3 5C 7A CE DB C9 7A C5 A3 5C 7A
CE DB CF 7A DA A3 5C 7A C7 A3 5D 7A 33 A3 5C 7A
CE DB DF 7A D3 A3 5C 7A CE DB D5 7A CC A3 5C 7A
CE DB C8 7A C6 A3 5C 7A CE DB CD 7A C6 A3 5C 7A
52 69 63 68 C7 A3 5C 7A 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 <--
B3 C9 5B 4A 00 00 00 00 00 00 00 00 F0 00 22 00
0B 02 09 00 00 A8 00 00 00 58 02 00 00 00 00 00
70 35 00 00 00 10 00 00 00 00 00 00 01 00 00 00
00 10 00 00 00 02 00 00 06 00 01 00 06 00 01 00
06 00 01 00 00 00 00 00 00 50 03 00 00 06 00 00
49 E7 03 00 02 00 40 81 00 00 08 00 00 00 00 00
00 10 01 00 00 00 00 00 00 00 10 00 00 00 00 00
00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00
00 00 00 00 00 00 00 00 F8 CF 00 00 2C 01 00 00
00 40 01 00 60 F1 01 00 00 30 01 00 B4 06 00 00
00 00 00 00 00 00 00 00 00 40 03 00 B8 00 00 00
10 B7 00 00 38 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 E0 02 00 00 38 01 00 00
00 C0 00 00 F0 07 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2E 74 65 78 74 00 00 00 70 A7 00 00 00 10 00 00
00 A8 00 00 00 06 00 00 00 00 00 00 00 00 00 00
答案 0 :(得分:1)
出现的60字节不是机器类型,而是PE头的偏移量。 (在这种情况下,0x00000100:256字节。)PE标头开始:'P','E',00,00。之后的是机器类型。
答案 1 :(得分:0)
OMG想出来了。列出AMD64 0x86 64的代码匹配“64 86”。我从未意识到它被翻过了。