
Index > Windows > Problem with resource RT_VERSION

Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 23 Apr 2026, 17:46
Hello everyone!
Why does this work in Windows 7,
but in Windows 10 there's no information in the file properties?

Code:
; Minimal 64-bit GUI program with an RT_VERSION resource. This is the build
; the first post describes: details shown on Windows 7, missing on Windows 10.
format pe64 gui 6.0
include 'win64ax.inc'

section '.text' code readable executable

    ; NOTE(review): no entry directive or label appears in this listing -
    ; confirm where execution is expected to begin.
    push    rbp                                   ; moves RSP by 8 before the calls; the author later equates this with "sub rsp,8"
    invoke  MessageBox,0,<'Hello World!',0>,0,0   ; caption argument is 0 (NULL), so MessageBox shows its default title, "Error"
    invoke  ExitProcess,0
;-------------
; Imports: kernel32 for ExitProcess, user32 for MessageBox.
; NOTE(review): the section is declared writeable, so its pages stay writable
; while the process runs - check whether "readable" alone suffices here.
section '.idata' import data readable writeable
library  kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
include  'api\kernel32.inc'
include  'api\user32.inc'
;-------------
; Resource tree: one RT_VERSION directory holding entry id 1 (LANG_NEUTRAL),
; whose data is the vInfo block built below.
section '.rsrc' resource data readable
directory  RT_VERSION, version
resource   version,1,LANG_NEUTRAL,vInfo

; Version block: language LANG_ENGLISH + SUBLANG_DEFAULT, code page 1252.
; Later in the thread the author reports that Windows 10 displayed the details
; only after the '040904E4' key inside the versioninfo macro became '040904B0'.
; The name/value pairs are free-form text supplied by the author; nothing in
; this listing ties them to a signature, so they describe the file without
; proving its origin.
versioninfo  vInfo,\
             VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN,\
             LANG_ENGLISH + SUBLANG_DEFAULT, 1252,\  
            'LegalCopyright'  , 'Copyright (c) 2020-2026. Core i7',\
            'ProductName'     , 'Example',\
            'ProductVersion'  , '6.1.7601',\
            'FileDescription' , 'Version resource example',\
            'FileVersion'     , '1.0.0',\
            'OriginalFilename', 'Version64.exe'
    
frankobach26



Joined: 10 Apr 2026
Posts: 11
Location: Kassel
frankobach26 24 Apr 2026, 18:42
With your code I get "Error" in the title bar of the message box.

Test this Code perhaps

Code:
; Variant of the first post's program: explicit entry label, message text and
; caption kept in a data section, same RT_VERSION resource (code page 1252).
format PE64 GUI 6.0
entry start

include 'win64a.inc'

; ---------------------------------------------------------
section '.text' code readable executable
; ---------------------------------------------------------

start:
    sub     rsp, 8                     ; stack alignment

    ; msgTitle is passed as the caption, so the box is titled "FASM64 Example"
    ; instead of the default "Error" that a 0 caption produces.
    invoke  MessageBox, 0, msgText, msgTitle, MB_OK
    invoke  ExitProcess, 0


; ---------------------------------------------------------
section '.data' data readable writeable
; ---------------------------------------------------------

; Zero-terminated strings for the message box. Nothing in this listing writes
; to them.
msgText  db 'Hello World!',0
msgTitle db 'FASM64 Example',0


; ---------------------------------------------------------
section '.idata' import data readable writeable
; ---------------------------------------------------------

; Imports: kernel32 for ExitProcess, user32 for MessageBox.
library kernel32, 'KERNEL32.DLL',\
        user32,   'USER32.DLL'

include 'api\kernel32.inc'
include 'api\user32.inc'


; ---------------------------------------------------------
section '.rsrc' resource data readable
; ---------------------------------------------------------

; One RT_VERSION directory holding entry id 1 (LANG_NEUTRAL) -> vInfo.
directory RT_VERSION, version
resource  version, 1, LANG_NEUTRAL, vInfo

; Same values as the first post: LANG_ENGLISH + SUBLANG_DEFAULT with code page
; 1252, so the Windows 10 display problem reported there presumably applies
; to this build too - verify.
versioninfo vInfo,\
    VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN,\
    LANG_ENGLISH + SUBLANG_DEFAULT, 1252,\
    'LegalCopyright','Copyright (c) 2020-2026. Core i7',\
    'ProductName','Example',\
    'ProductVersion','6.1.7601',\
    'FileDescription','Version resource example',\
    'FileVersion','1.0.0',\
    'OriginalFilename','Version64.exe'
    
Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 24 Apr 2026, 19:04
frankobach26, --> sub rsp,8 == push rbp
include 'win64ax.inc'
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20963
Location: In your JS exploiting you and your system
revolution 25 Apr 2026, 08:17
Core i7 wrote:
frankobach26, --> sub rsp,8 == push rbp
include 'win64ax.inc'
Both codes above don't comply with the FASTCALL spec.
Code:
; Entry prologue proposed in this reply: save RBP, set up a frame pointer,
; then reserve 4 * 8 = 32 bytes before the API call.
; NOTE(review): the following reply says the invoke macro in use reserves the
; stack space itself, and the poster then drops the explicit "sub rsp".
start:
    push    rbp                        ; stack alignment, using "sub rsp,8" makes debuggers work harder
    mov     rbp,rsp                    ; make the debugger's job easier
    sub     rsp,4 * 8                  ; reserve shadow stack space for API calls, unless crashes are a desirable "feature"
    invoke  MessageBox, 0, msgText, msgTitle, MB_OK
;.       
Those extra instructions can be omitted and it will still work, but putting them in is worthwhile IMO. Things like AVs will treat the code as more "safe", and debuggers will make better decisions, thus making the programmer's job easier.
WatQuasar



Joined: 17 Apr 2026
Posts: 12
WatQuasar 25 Apr 2026, 08:22
Core i7 wrote:

Code:

; Quoted from the first post: the RT_VERSION directory entry and the
; versioninfo call whose fifth and sixth arguments are the language
; (LANG_ENGLISH + SUBLANG_DEFAULT) and the code page (1252).
directory  RT_VERSION, version
resource   version,1,LANG_NEUTRAL,vInfo

versioninfo  vInfo,\
             VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN,\
             LANG_ENGLISH + SUBLANG_DEFAULT, 1252,\  
            'LegalCopyright'  , 'Copyright (c) 2020-2026. Core i7',\
            'ProductName'     , 'Example',\
            'ProductVersion'  , '6.1.7601',\
            'FileDescription' , 'Version resource example',\
            'FileVersion'     , '1.0.0',\
            'OriginalFilename', 'Version64.exe'
    


If you change the 1252 to 0, what will happen?
Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 25 Apr 2026, 08:28
revolution wrote:
Those extra instructions can be omitted and it will still work, but putting them in is worthwhile IMO.

It's strange to hear this from you. The compiler itself reserves stack space in x64 mode.


Description:
Filesize: 6.93 KB
Viewed: 703 Time(s)

001.png


Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 25 Apr 2026, 08:34
WatQuasar, it also works on Win7 with zero, but I can't test it on Win10 yet.
I don't think that's the problem, though; more likely it is some change in the new OS. In particular, the AI says that the verification policy on Windows 10 has become stricter, and all the nuances must be observed.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20963
Location: In your JS exploiting you and your system
revolution 25 Apr 2026, 08:39
Core i7 wrote:
revolution wrote:
Those extra instructions can be omitted and it will still work, but putting them in is worthwhile IMO.

It's strange to hear this from you. The compiler itself reserves stack space in x64 mode.
Okay, The invoke used must be different from mine.

So now it should look like this
Code:
; Revised entry prologue: the explicit "sub rsp,4 * 8" from the earlier reply
; is dropped because, per the thread, the invoke macro reserves that space.
start:
    push    rbp                        ; stack alignment, using "sub rsp,8" makes debuggers work harder
    mov     rbp,rsp                    ; make the debugger's job easier
    invoke  MessageBox, 0, msgText, msgTitle, MB_OK    
Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 26 Apr 2026, 05:54
I still don't understand the point of "mov rbp,rsp" and how it can help the debugger.
If you could explain it in more detail, it might help me figure out the truth. By default, RBP=0 at the entry point, so what happens if we write the value of the RSP register to it? But that's just thinking out loud...

On the topic, I found the reason why Win10 doesn't display the version in file properties, while everything works fine in Win7. The AI told me that Win10 tightened the checks, requiring the language to be 1200, i.e., UTF-16(LE). With other values, the version isn't displayed in Win10. Then I opened the Windows 10 system libraries in CFF-Explorer and sure enough, all the DLLs had the value 040904B0 (0x04B0=1200), but the versioninfo macro in fasm\include\macro\resource.inc contained the Unicode string [du 040904E4], meaning encoding 1252 = ANSI Latin. I changed this value to 040904B0, and now the version is displayed in both Windows 7 and Windows 10 systems.

Here's a dump with this Unicode string at offset 0x86, and also at the very end of the resource at offset 0x0290 in HEX format:

Code:
 Offset   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   Ascii
--------  -----------------------------------------------  ----------------
00000000  94 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00  ”4...V.S._.V.E.
00000010  52 00 53 00 49 00 4F 00 4E 00 5F 00 49 00 4E 00  R.S.I.O.N._.I.N.
00000020  46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00  F.O.....½ïþ...
00000030  00 00 01 00 00 00 00 00 01 00 06 00 00 00 B1 1D  ...........±
00000040  00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00  ..............
00000050  00 00 00 00 00 00 00 00 00 00 00 00 F4 01 00 00  ............ô..
00000060  01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00  .S.t.r.i.n.g.F.
00000070  69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00  i.l.e.I.n.f.o...
00000080  D0 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00  Ð...0.4.0.9.0.
00000090  34 00 42 00 30 00 00 00 66 00 21 00 01 00 4C 00  4.B.0...f.!..L.
000000A0  65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00  e.g.a.l.C.o.p.y.
000000B0  72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00  r.i.g.h.t...C.o.
000000C0  70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00  p.y.r.i.g.h.t...
000000D0  28 00 63 00 29 00 20 00 32 00 30 00 32 00 30 00  (.c.)...2.0.2.0.
000000E0  2D 00 32 00 30 00 32 00 36 00 2E 00 20 00 43 00  -.2.0.2.6.....C.
000000F0  6F 00 72 00 65 00 20 00 69 00 37 00 00 00 90 90  o.r.e...i.7...
00000100  42 00 11 00 01 00 50 00 72 00 6F 00 64 00 75 00  B...P.r.o.d.u.
00000110  63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 90 90  c.t.N.a.m.e...
00000120  4D 00 61 00 6E 00 69 00 66 00 65 00 73 00 74 00  M.a.n.i.f.e.s.t.
00000130  20 00 75 00 74 00 69 00 6C 00 69 00 74 00 79 00  ..u.t.i.l.i.t.y.
00000140  00 00 90 90 36 00 09 00 01 00 50 00 72 00 6F 00  ..6....P.r.o.
00000150  64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00  d.u.c.t.V.e.r.s.
00000160  69 00 6F 00 6E 00 00 00 36 00 2E 00 31 00 2E 00  i.o.n...6...1...
00000170  37 00 36 00 30 00 31 00 00 00 90 90 5C 00 1A 00  7.6.0.1...\..
00000180  01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00  .F.i.l.e.D.e.s.
00000190  63 00 72 00 69 00 70 00 74 00 69 00 6F 00 6E 00  c.r.i.p.t.i.o.n.
000001A0  00 00 90 90 50 00 45 00 33 00 32 00 2F 00 36 00  ..P.E.3.2./.6.
000001B0  34 00 20 00 6D 00 61 00 6E 00 69 00 66 00 65 00  4...m.a.n.i.f.e.
000001C0  73 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00  s.t...c.r.e.a.t.
000001D0  69 00 6E 00 67 00 00 00 2C 00 06 00 01 00 46 00  i.n.g...,...F.
000001E0  69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00  i.l.e.V.e.r.s.i.
000001F0  6F 00 6E 00 00 00 90 90 31 00 2E 00 30 00 2E 00  o.n...1...0...
00000200  30 00 00 00 4A 00 11 00 01 00 4F 00 72 00 69 00  0...J...O.r.i.
00000210  67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00  g.i.n.a.l.F.i.l.
00000220  65 00 6E 00 61 00 6D 00 65 00 00 00 4D 00 61 00  e.n.a.m.e...M.a.
00000230  6E 00 69 00 66 00 65 00 73 00 74 00 55 00 74 00  n.i.f.e.s.t.U.t.
00000240  69 00 6C 00 2E 00 65 00 78 00 65 00 00 00 90 90  i.l...e.x.e...
00000250  44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00  D....V.a.r.F.i.
00000260  6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00  l.e.I.n.f.o.....
00000270  24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00  $....T.r.a.n.s.
00000280  6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00  l.a.t.i.o.n.....
00000290  09 04 B0 04                                      .°    
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20963
Location: In your JS exploiting you and your system
revolution 26 Apr 2026, 06:03
Core i7 wrote:
I still don't understand the point of "mov rbp,rsp" and how it can help the debugger.
It helps with debuggers, and AVs.

For debuggers, it permits stack unwinding to work correctly. When inside a sub-function, without the correct RBP value, a debugger can't find the correct place to unwind the stack. The debugger sees the loader's RBP value and displays a bad stack.

For AVs, the function entry code looks "normal" to them. There is a subset of AVs that like to panic when anything looks different from the normal boring HLL entry code. For code run entirely on one's own machine it doesn't matter, but once the code gets run by others, on their systems, their AVs complain.
WatQuasar



Joined: 17 Apr 2026
Posts: 12
WatQuasar 26 Apr 2026, 11:36
I don't know about 64-bit code, but in HLL compiled 32-bit code, there is always corresponding...

Code:
; 32-bit frame-pointer epilogue: reset ESP to the frame base held in EBP,
; then pop the saved EBP.
mov esp, ebp
pop ebp    


... on exit. In @Core i7 code, do we need the above?
WatQuasar



Joined: 17 Apr 2026
Posts: 12
WatQuasar 26 Apr 2026, 11:41
Core i7 wrote:

On the topic, I found the reason why Win10 doesn't display the version in file properties, while everything works fine in Win7.


Glad that you solved it. I think you meant CharSetID in VersionInfo.
I can't test it right now with value 1200, but 0 worked for me, as in my PEmenu.asm program.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20963
Location: In your JS exploiting you and your system
revolution 26 Apr 2026, 12:27
WatQuasar wrote:
I don't know about 64-bit code, but in HLL compiled 32-bit code, there is always corresponding...

Code:
; Quoted 32-bit frame-pointer epilogue: reset ESP to the frame base held in
; EBP, then pop the saved EBP.
mov esp, ebp
pop ebp    


... on exit. In @Core i7 code, do we need the above?
ExitProcess doesn't require this. It is safe to call ExitProcess from anywhere in the program with the stack in any state.

I've never encountered an AV trigger on that missing. But I have encountered AVs trigger on the entry setup not being "correct".
WatQuasar



Joined: 17 Apr 2026
Posts: 12
WatQuasar 26 Apr 2026, 13:04
revolution wrote:

I've never encountered an AV trigger on that missing. But I have encountered AVs trigger on the entry setup not being "correct".


Too late to know this, you should tell us earlier. Maybe next time I should add "push ebp & mov ebp,esp" preventive measure to my:

https://board.flatassembler.net/topic.php?t=22773 wrote:

Top 4 Reasons Why Your EXE Are Falsely Detected As Malware
May 06, 2024


Thank you @revolution for your knowledge sharing.
frankobach26



Joined: 10 Apr 2026
Posts: 11
Location: Kassel
frankobach26 26 Apr 2026, 14:52
Hello. What is the correct version of the code example from Core i7's first post?

In my fasmgw editor I always get "Fehler" (English: "Error") in the title bar of the little message box. Why?

Code:
; what is the correct version for Core'i7 first post example?
; I have got always the "Fehler" (english: Error) message in little 
; messagebox window header line , why?
;
; NOTE(review): the MessageBox call below passes 0 as its third argument, the
; caption; with a NULL caption MessageBox shows its default title, "Error"
; (localized as "Fehler" on a German system).

format pe64 gui 6.0
;include 'win64a.inc'
include 'win64ax.inc'

section '.text' code readable executable

    ; NOTE(review): a start label is defined but this listing has no
    ; "entry start" line, unlike the poster's earlier version - confirm where
    ; execution is expected to begin.
    start:
    push    rbp                        ; stack alignment, using "sub rsp,8" makes debuggers work harder
    mov     rbp,rsp                    ; make the debugger's job easier
    invoke  MessageBox,0,<'Hello World!',0>,0,MB_OK

    invoke  ExitProcess,0
;-------------
; Imports: kernel32 for ExitProcess, user32 for MessageBox.
section '.idata' import data readable writeable
library  kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
include  'api\kernel32.inc'
include  'api\user32.inc'
;-------------
section '.rsrc' resource data readable
directory  RT_VERSION, version
resource   version,1,LANG_NEUTRAL,vInfo

; Code page argument changed from 1252 to 1200 here.
; NOTE(review): per the thread, the stock versioninfo macro hard-codes the
; StringTable key as '040904E4' and the fix was made inside the macro. Passing
; 1200 here presumably changes only the Translation value, leaving it out of
; step with that key - confirm both carry the same language/code page.
versioninfo  vInfo,\
             VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN,\
             LANG_ENGLISH + SUBLANG_DEFAULT, 1200,\
            'LegalCopyright'  , 'Copyright (c) 2020-2026. Core i7',\
            'ProductName'     , 'Example',\
            'ProductVersion'  , '6.1.7601',\
            'FileDescription' , 'Version resource example',\
            'FileVersion'     , '1.0.0',\
            'OriginalFilename', 'Version64.exe'
    
Core i7



Joined: 14 Nov 2024
Posts: 160
Location: Socket on motherboard
Core i7 26 Apr 2026, 15:40
frankobach26 wrote:
I have got Always an error

If it doesn't work, put the string in the data section.

WatQuasar wrote:
Maybe next time I should add "push ebp & mov ebp,esp" preventive measure to my

This is essentially logical, since this is exactly what a function prologue looks like, and if the code contains push rbp, then mov rbp, rsp is expected. However, when I submit both versions to VirusTotal, six antiviruses complain about one and six still complain about the other.

WatQuasar wrote:
Glad that you solved it. I think you meant CharSetID in VersionInfo.

That's right, only the field is called "szKey" in the "StringTable" structure, and "Value" in the "Var" structure. Here's a chain of related structures in the "Version" resource. Only by digging into the details do you realize how much work Tomasz has done — hats off to you!

Code:
; https://learn.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo

; Root node of the version resource. In the hex dump posted earlier in the
; thread the first three words read 0x0294, 0x0034 and 0, followed by the
; UTF-16 key 'VS_VERSION_INFO'.
; NOTE(review): VS_FIXEDFILEINFO is declared after this use; if the listing is
; meant to be assembled rather than read, the order may need to change - verify.
struct VS_VERSIONINFO
  wLength        dw  0
  wValueLength   dw  0
  wType          dw  0      ; 0 = Bin, 1 = String
  szKey          du  'VS_VERSION_INFO'
  Padding1       dw  0
  Value          VS_FIXEDFILEINFO
  Padding2       dw  0
  Children       dw  0      ; array "StringFileInfo" or "VarFileInfo"
ends

; Fixed-size binary part of the version resource. The signature default
; 0xFEEF04BD appears in the posted dump as the bytes BD 04 EF FE.
; The dq fields presumably stand for the high/low dword pairs of the
; documented structure - confirm against the linked Microsoft page.
struct VS_FIXEDFILEINFO
  dwSignature       dd  0xFEEF04BD
  dwStrucVersion    dd  0
  dwFileVersion     dq  0
  dwProductVersion  dq  0
  dwFileFlagsMask   dd  0
  dwFileFlags       dd  0
  dwFileOS          dd  0
  dwFileType        dd  0
  dwFileSubtype     dd  0
  dwFileDate        dq  0
ends

; Container node keyed 'StringFileInfo'; its children are StringTable nodes.
struct StringFileInfo
  wLength       dw  0
  wValueLength  dw  0
  wType         dw  0
  szKey         du  'StringFileInfo'
  Padding       dw  0
  Children      dw  0   ; StringTable array
ends

; One table of name/value strings. The key is eight hex digits: language
; (0409) followed by code page (04B0). This is the value the thread author
; changed from '040904E4'; it sits at offset 0x86 of the posted dump.
; NOTE(review): String is declared after this use - see whether the order
; matters if the listing is assembled.
struct StringTable
  wLength       dw  0
  wValueLength  dw  0
  wType         dw  0
  szKey         du  '040904B0'  ; English + UTF16(LE): 0x04B0=1200
  Padding       dw  0
  Children      String   ; array
ends

; One name/value pair inside a StringTable; both key and value are UTF-16
; text chosen by whoever builds the file.
struct String
  wLength       dw  0
  wValueLength  dw  0
  wType         dw  0
  szKey         du  '?'  ; key: for example "LegalCopyright"
  Padding       dw  0
  Value         du  '?'  ; value: for example "(c)WatQuasar"
ends

; Container node keyed 'VarFileInfo'; its child is the Var node carrying the
; Translation value.
; NOTE(review): Padding is dd here but dw in the sibling structures, and Var
; is declared after this use - confirm both are intended.
struct VarFileInfo
  wLength       dw  0
  wValueLength  dw  0
  wType         dw  0
  szKey         du  'VarFileInfo'
  Padding       dd  0
  Children      Var   
ends

; 'Translation' entry: a dword whose low word is the language id (0x0409) and
; whose high word is the code page (0x04B0 = 1200). Stored little-endian it is
; the byte run 09 04 B0 04 seen at offset 0x290 of the posted dump.
struct Var
  wLength       dw  0
  wValueLength  dw  0
  wType         dw  0
  szKey         du  'Translation'
  Padding       dd  0
  Value         dd  0x04B00409
ends
    