Thus said Dan Egli on Fri, 02 Jan 2015 22:50:12 -0800:

> Doable, I suppose. IF you know exactly what to do. I have no idea
> where in an EXE the icon is stored so that makes dd rather tricky. And
> as far as od goes, I've never HEARD of it, nor of netpbm for that
> matter. :|
od is venerable, hexdump is modern. Might want to use hexdump instead.

At any rate, it will definitely be a challenge:

https://www.intosec.org/index.php?topic=532.0

You have to know the block location of the ICO that you want to extract (which, given the nature of the .rsrc section in the PE, may require a lot of calculation of positions in the file) and the size. Then you just use dd to extract. For example, to extract the fossil.ico from fossil.exe:

$ dd if=fossil.exe of=fossil.ico count=18 skip=3068248 bs=1
18+0 records in
18+0 records out
18 bytes transferred in 0.000 secs (180000 bytes/sec)
$ printf "\026\000\000\000" >> fossil.ico
$ dd if=fossil.exe of=fossil.ico seek=22 skip=3055408 bs=1 count=12840
12840+0 records in
12840+0 records out
12840 bytes transferred in 0.019 secs (657922 bytes/sec)
$ file fossil.ico
fossil.ico: MS Windows icon resource - 1 icon
$ display fossil.ico
...

And I get a pretty ICO displayed on my desktop. Not sure why they place the ICO header after the ICO, but they did.

In this particular case, I know what the 18-byte header looks like, so I just look through hexdump output until I find it (specifically, a 64x64 ICO, which in hex would look something like 00 00 01 00 01 00 40 40). Then note the position and find out the size of the image, which in hex is identified by: 28 32 00 00, or:

$ echo 16i3228d16+f | dc
12862
12840

So the image size (without header) is 12840 and the image with the header is 12862. We know the position of the header (which trails the image content):

$ hexdump -C fossil.exe | grep '00 00 01 00 01 00 40 40'
002ed150 00 00 00 00 00 00 00 00 00 00 01 00 01 00 40 40 |..............@@|

So we calculate the offsets for the dd commands above:

$ echo 16i2ED158d 3228-f | dc
3055408
3068248

At any rate, probably not the easiest way to get them, but it works, and as long as you can easily find the header of the ICO(s) it should work. I probably got lucky that the header wasn't split across multiple lines.
You could optionally look at icoutils: http://www.nongnu.org/icoutils/

Andy

--
TAI64 timestamp: 4000000054a86b25

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
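The byte surgery the post does with dd and printf (copy the first 18 bytes of the icon group header, append the offset 22, then append the image) is what turns a PE's RT_GROUP_ICON entry into an .ico directory entry, since the two differ only in the last field (a 2-byte RT_ICON resource id in the PE, a 4-byte file offset in the .ico). The script below is an added example, not Andy's code: it generalises that conversion to multi-entry groups, makes the size check explicit, runs on a constructed sample rather than fossil.exe, and its carve_ico helper assumes the image sits immediately before its header, which is what the post observed in that one file.

```python
import struct

# GRPICONDIRENTRY (RT_GROUP_ICON): width, height, colors, reserved, planes, bpp, bytes_in_res, RT_ICON id
GRP_ENTRY = struct.Struct("<BBBBHHIH")
# ICONDIRENTRY (.ico file): same fields, but the last one is the 4-byte offset of the image in the file
ICO_ENTRY = struct.Struct("<BBBBHHII")

def parse_group_icon(grp: bytes) -> list:
    """Validate a GRPICONDIR header and return its entries as tuples."""
    reserved, rtype, count = struct.unpack_from("<HHH", grp, 0)
    if reserved != 0 or rtype != 1 or count == 0:
        raise ValueError("not an icon group header")
    if len(grp) < 6 + count * GRP_ENTRY.size:
        raise ValueError("truncated icon group header")
    return [GRP_ENTRY.unpack_from(grp, 6 + i * GRP_ENTRY.size) for i in range(count)]

def build_ico(grp: bytes, images: dict) -> bytes:
    """Assemble a standalone .ico from a group header and {RT_ICON id: image bytes}."""
    entries = parse_group_icon(grp)
    directory = struct.pack("<HHH", 0, 1, len(entries))
    offset = 6 + len(entries) * ICO_ENTRY.size     # image data follows the directory
    payload = b""
    for w, h, colors, res, planes, bpp, size, rid in entries:
        img = images[rid]
        if len(img) != size:                       # size is the post's "28 32 00 00" field
            raise ValueError(f"RT_ICON {rid}: header says {size} bytes, got {len(img)}")
        directory += ICO_ENTRY.pack(w, h, colors, res, planes, bpp, size, offset)
        payload += img
        offset += size
    return directory + payload

def carve_ico(blob: bytes, header_pos: int) -> bytes:
    """Carve a one-image icon whose RT_ICON data ends right where its group header
    starts, the layout the post observed in fossil.exe (an assumption, not a PE rule).
    header_pos is the offset hexdump | grep reported for the 00 00 01 00 01 00 pattern."""
    grp = blob[header_pos:header_pos + 6 + GRP_ENTRY.size]
    (entry,) = parse_group_icon(grp)
    size, rid = entry[6], entry[7]
    return build_ico(grp, {rid: blob[header_pos - size:header_pos]})

# Constructed sample, not a real binary: 40 stand-in bytes for a 64x64 RT_ICON image,
# followed by the one-entry group header that names it as resource id 1.
SAMPLE_IMAGE = bytes(range(40))
SAMPLE_GROUP = struct.pack("<HHH", 0, 1, 1) + GRP_ENTRY.pack(64, 64, 0, 0, 1, 32, len(SAMPLE_IMAGE), 1)
SAMPLE_EXE = b"\x00" * 16 + SAMPLE_IMAGE + SAMPLE_GROUP + b"\x00" * 16

if __name__ == "__main__":
    ico = carve_ico(SAMPLE_EXE, SAMPLE_EXE.index(SAMPLE_GROUP))
    print(len(ico), ico[18:22].hex())              # 62 16000000
```

Running `file` on the written bytes should report an MS Windows icon resource, as it did for the post's dd-built fossil.ico.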
