Find out which architecture an exe was compiled for

I'm writing some scripts to sort through loads of old software, lots of them are just loose exe and dll files.

Before I spend too much time reading on file headers, I'll ask here first!

Which bytes in the header of an exe/dll tell me which architecture the file was compiled for (and ideally also which windows ce version)

This might help:

https://www.cabextract.org.uk/wince_cab_format/

snippet from the site:

The .000 file begins at file offset 0 with a fixed size header of exactly 100 bytes. The format of this header is as follows: 
Offset	Size in bytes	Description 
... 
20	4	Target architecture for this cabinet: see Appendix A 
... 

Appendix A:

Appendix A: a list of processor architectures 
Value	Description 
0	No specific architecture 
103	SHx SH3 
104	SHx SH4 
386	Intel 386 
486	Intel 486 
586	Intel Pentium 
601	PowerPC 601 
603	PowerPC 603 
604	PowerPC 604 
620	PowerPC 620 
821	Motorola 821 
1824	ARM 720 
2080	ARM 820 
2336	ARM 920 
2577	StrongARM 
4000	MIPS R4000 
10003	Hitachi SH3 
10004	Hitachi SH3E 
10005	Hitachi SH4 
21064	Alpha 21064 
70001	ARM 7TDMI 

But this is for cabinet file though. Maybe there's info on .exe and dll. I will report back if I find it.

A bit tangent, but may come in handy:

Embedded Reverse Engineering: Cracking Mobile Binaries
https://media.defcon.org/DEF%20CON%2011/DEF%20CON%2011%20presentatio...

-stingraze

Edited by stingraze 2020-11-14 12:53 AM

This comes very handy. Thanks for the pointer!

Sounds very familiar, stingraze:

https://www.hpcfactor.com/support/cesd/d/0004.asp



If you're looking at the file in a hexeditor, search for the first instance of the sequence 50 45 00 00. Right after that is the CPU identifier:

4C 01 = x86 (also applies to .NET Compact Framework-based apps)
66 01 = MIPS
A2 01 = SH3
A6 01 = SH4
C0 01 = ARM
C2 01 = thumb

The CE version is 72 bytes past the 50 byte above:

02 00 00 = Windows CE 2.0
02 00 01 = CE 2.01 (Palm-size PC)
02 00 0A = CE 2.10
02 00 0B = CE 2.11
02 00 0C = CE 2.12
03 00 00 = CE 3.0
04 00 00 = CE.net 4.0
04 00 0A = CE.net 4.1
04 00 14 = CE.net 4.2
04 00 15 = CE.net 4.21 (Windows Mobile 2003 SE)

hpcboy: You're welcome!

Thanks CE Geek.
Always more things to learn.

Edited by stingraze 2020-11-14 4:39 AM

That's very helpful, thanks CE Geek!

Also thanks stingraze, I already knew this site! I think I'll also make a tool to automatically process the headers of the 000 file inside a cab file, so I can automatically sort cabs and executables by architecture and minimum CE version!
I literally have hundreds of loose exe and cab files with not-too-helpful names, so anything that helps with sorting is good

I just spent 2 hours going through a whole cache of CE1.0 applications, testing if they actually work on me HP320lx and taking screenshots of every app!

PS > gcc -o wce.exe .\wcepeinfo.c; .\wce.exe .\nqce.exe  
Processing file .\nqce.exe 
Machine: 0x01A2 
Machine name: SH3 
Timestamp: 946208555 
Timestamp: 1999-12-26 

Making progress!
As it turns out, the PE header also contains a timestamp from then the program was compiled! That'll help dating obscure CE apps!

Unlike my previous app for converting 2bp files, which turned out to be a 40mb binary using node-pkg, I'm doing that I should've done long ago and learn proper C
I did a lot of embedded dev in C/C++, but on PC all my experience is higher level languages, so while I do speak C, I have a little catching up to do to write proper cli tools!

Also, in a pinch, the Linux 'file' utility is pretty good for this -- I use it all the time on Windows 10 with WSL.
For example, running it on whatever random loose .exe files in my Windows CE stuff folder:

$ file *.exe 
PocketDOS_OEM_1123.exe: PE32 executable (GUI) Intel 80386, for MS Windows, ZIP self-extracting archive (WinZip) 
TicTacToe.exe:          PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows 
captce SH3.exe:         PE32 executable (Windows CE) Hitachi SH3, for MS Windows 
hpcv2pt.exe:            PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MS CAB-Installer self-extracting archive

It's not as good as a specialized tool, doesn't check the CE version, and doesn't peek into CAB files -- some example output on one of those is "netcf.core.wce211.sh3.sp3.050308.cab: Microsoft Cabinet archive data, 2492762 bytes, 28 files", but it's been dead useful for figuring out what random binaries I have go with what system even beyond CE.

That's good to know!

I actually ended up writing a cli tool to extract all kinds of info, including DLL imports, from Windows CE PEs! https://github.com/HPC-Factor/windows-ce-cab-info

Oops. wrong url, this is the correct one: https://github.com/HPC-Factor/windows-ce-pe-info

I've been meaning to start a general device library. It would be interesting to start getting a list of 'common' links for given devices and see if there is a fingerprint in there or one or two 'smoking gun' links or the like for iding binaries.

One of the fun ideas I had when I was working on my assembler was also a disassembler and, given the fact that most apps are written in a higher level lang like C/C++ if there was actually a way to use the binary for one device to 'cross compile' for another device.

When Mac OS went from 68k to PowerPC and also when Palm jumped from 68k to ARM they leveraged the fact that most apps spend most of their time in the system code. One would think given that there would be less 'novel' code to cross walk on a number of apps given they are linked by the common CE backend.