Windows CE version number confusion

I wonder if there is a compiler "tell"? CE 1 exe's had to come from Visual C++ 5, while CE 2 - 3 come from VS6. Otherwise MIPS CE 4 code could wind up as a false-detection (or are you checking for MIPSII flags?).

Nope, but every PE also has the compilation date included, so I also put a cutoff date in there after which it assumes that 4.0 means CE4.0, not 1.0
There are surely more sophisticated ways of figuring this out, I'm open for ideas!

Oh yes, that's very true. Good thinking!

I think that if it has any import references to Peg* it is also a tell for CE1. The API were normalised back to Win32 nomenclature with CE 2.

I was looking at the eVC compiler file, .vcp.

Here's some snippets that may help you out.

 
# TARGTYPE "Win32 (WCE MIPSIV_FP) Application" 0x9201 

# TARGTYPE "Win32 (WCE x86) Application" 0x8301 

# TARGTYPE "Win32 (WCE ARMV4) Application" 0xa301 

# TARGTYPE "Win32 (WCE MIPS16) Application" 0x8901 

# TARGTYPE "Win32 (WCE SH3) Application" 0x8101 

# TARGTYPE "Win32 (WCE ARMV4I) Application" 0xa501 

# TARGTYPE "Win32 (WCE SH4) Application" 0x8601 

# TARGTYPE "Win32 (WCE MIPSII_FP) Application" 0xa201 

# TARGTYPE "Win32 (WCE emulator) Application" 0xa601 

# TARGTYPE "Win32 (WCE MIPSIV) Application" 0x9601 

# TARGTYPE "Win32 (WCE ARMV4T) Application" 0xa401 

# TARGTYPE "Win32 (WCE MIPSII) Application" 0xa101 

Partly snipped:

 

# PROP BASE Use_MFC 0 

# PROP BASE Use_Debug_Libraries 0 

# PROP BASE Output_Dir "MIPSII_FPRel" 

# PROP BASE Intermediate_Dir "MIPSII_FPRel" 

# PROP BASE CPU_ID "{D8AC856C-B213-4895-9E83-9EC51A55201E}" 

# PROP BASE Platform_ID "{8A9A2F80-6887-11D3-842E-005004848CBA}" 

# PROP BASE Target_Dir "" 

# PROP Use_MFC 0 

# PROP Use_Debug_Libraries 0 

# PROP Output_Dir "MIPSII_FPRel" 

# PROP Intermediate_Dir "MIPSII_FPRel" 

# PROP CPU_ID "{D8AC856C-B213-4895-9E83-9EC51A55201E}" 

# PROP Platform_ID "{8A9A2F80-6887-11D3-842E-005004848CBA}" 

# PROP Target_Dir "" 

 

.... 

 

# PROP BASE Use_MFC 0 

# PROP BASE Use_Debug_Libraries 1 

# PROP BASE Output_Dir "SH3Dbg" 

# PROP BASE Intermediate_Dir "SH3Dbg" 

# PROP BASE CPU_ID "{D6519020-710F-11D3-99F2-00105A0DF099}" 

# PROP BASE Platform_ID "{8A9A2F80-6887-11D3-842E-005004848CBA}" 

# PROP BASE Target_Dir "" 

# PROP Use_MFC 0 

# PROP Use_Debug_Libraries 1 

# PROP Output_Dir "SH3Dbg" 

# PROP Intermediate_Dir "SH3Dbg" 

# PROP CPU_ID "{D6519020-710F-11D3-99F2-00105A0DF099}" 

# PROP Platform_ID "{8A9A2F80-6887-11D3-842E-005004848CBA}" 

# PROP Target_Dir "" 

Maybe you can decompile the exe and grab some of the strings like CPU_ID, Platform_ID etc.

The real .vcp here in my GitHub repository:
https://github.com/stingraze/tinybrowser/blob/master/tinybrowser.vcp

-stingraze

Edited by stingraze 2022-02-19 11:06 AM

I found a resource that may aid us in the future of reverse engineering and figuring out the version of .exe .cab etc.

Security Warrior by Cyrus Peikari, Anton Chuvakin
Chapter 4. Windows CE Reverse Engineering
https://www.oreilly.com/library/view/security-warrior/0596005458/ch0...

From site linked from the site above:

Ma First Steps in Reversing on a PPC/WinCE-Platform
https://web.archive.org/web/20020825170501fw_/http://www.peak.at/reg...
eVT Debug
https://web.archive.org/web/20020825170826fw_/http://www.peak.at/reg...

DEF CON 11 - Seth Fogie - Embedded Reverse Engineering
https://www.youtube.com/watch?v=oEZVO6fZvzE


Edited by stingraze 2022-02-21 10:00 AM