Menu

#227 PE Analyzer - Resources from different languages show the same content

Fixed
nobody
PEAnalyzer (10)
Medium
Defect
2024-03-12
2024-03-08
Rohitab Batra
No

When a PE contains resources in multiple languages, all the resources are listed in the Resource directory, along with their LANGID and Size. However, when viewing the resources, all of them show the same content, which appears to be the one from the first available language. The same PE when viewed with ArcLite, shows the correct content.

The PE file FortiClient VPN Installer contains resources in multiple languages. If you open this file in PE Analyzer and navigate to the Resource\DIALOG directory, you will see 14 entries for the dialog 0x000000cb (203). If you select the entry with LANGID of 0x0409 and press F3 to view the resource, the first line will display LANGUAGE LANG_CHINESE SUBLANG_DEFAULT, which is incorrect, since 0x409 or 1033 is English, not Chinese. All 14 entries for the dialog show the same resource with LANG_CHINESE.

This issue is not present in PE Analyzer version 3.8.0. Versions from 3.9.2 to the current version 3.10.8 all have this issue.

Discussion

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-08
    • status: New --> Fixed
     

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-08

    3.10.9

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-08

    Thanks, but you forgot to release the binaries, so I can't try it out yet.

     

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-09

    Oops... Done.

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-10

    I just tried out 3.10.9. This issue is now resolved.

    Also, thanks for adding the language name to the filename. I was going to report an issue with search, which was caused by duplicate filenames. But now that the filenames are unique, that issue got resolved too.

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-10

    I just noticed that resources like MANIFEST and ICON, which are language independent, show the language in the filename. For example, in the PE file FortiClient VPN Installer, the name of the manifest is displayed as 1_en-US. Shouldn't the name be 1 or even 1_system instead?

    These resources are the ones defined with LANGID = 0x0800, which is LOCALE_SYSTEM_DEFAULT. Since my system is configured with language English (United States), these resources show up with en_US in the name.

     

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-10

    LANG_SYSTEM_DEFAULT = MAKELANGID(LANG_NEUTRAL, SUBLANG_SYS_DEFAULT)
    base lang_id is LANG_NEUTRAL I think "1" is more suitable.

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-10

    Agreed.

     

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-10

    3.10.10

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-10

    Looks great. Thanks!

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-12

    PE's that contains resources with LANGID of 0x0000 and 0x0400, which are LANG_NEUTRAL and LANG_USER_DEFAULT, still display resources with the language suffix, which is en-US in my case.

    I think you'll have to make the change for these two languages as well. Actually, for any language that is LANG_NEUTRAL. Something like the following should cover all three cases.

    -   if (ri.lang_id != LANG_SYSTEM_DEFAULT) {
+   if (PRIMARYLANGID(ri.lang_id) != LANG_NEUTRAL) {

    Note that if a PE contains resources with any of these combinations, the filenames will be duplicate, causing the issue that I reported in this ticket. However, I think its an unlikely case.

     

  • Vladimir Surguchev

    Vladimir Surguchev - 2024-03-12

    Agreed. 3.10.11

     

  • Rohitab Batra

    Rohitab Batra - 2024-03-12

    I tested it, and it's working fine. Thank you.

     

Anonymous
Anonymous

Add attachments
Cancel