flat assembler
Message board for the users of flat assembler.
Borsuc 16 Jun 2009, 02:00
I got bored one day some weeks ago, and looked through some Fasm examples when I encountered DOS386's manual PE (also known as "format binary as .EXE") (it's not official, it's found here).
Then I liked the idea a lot, to have much more low-level control, but it seemed pretty hardcoded: offsets and sections were hardcoded to given numbers (in sections' case, just 1 section). While this may be ok for some apps, I'm always a planning type of dude so I thought, why not use Fasm's powerful macro capabilities to make it easy to change things? (like offsets and/or add sections).
This is a good example for those who would like to learn Fasm's powerful macro capabilities, though it isn't very clear I warn you -- you'll have to be somewhat proficient in Fasm's macros to understand it. But don't worry -- you don't have to understand it if you want to simply add a section or change some offsets because that's incredibly easy right now with them!
I think I'm gonna write all my small asm apps with this method cause I know all the junk produced. Thanks goes to DOS386 for providing the base because PE is a beast to handle by default (not to mention, bloated).
(see attachment for it, there are 3 files)
Two are asm examples, one with a section for everything, the second with a section for code&data and one for imports; the difference between them is very small! The last one is a .txt file I saved from various sources over the net regarding the attributes/characteristics of a section, you'll need it if you'd like to modify them.
By the way this is only for console but it's easy to do it for GUI, just change the relevant value somewhere and use GUI APIs.
If there are any bugs, which I hope there aren't, please report them. (I tested it and it worked, it also has an 'error checking' mechanism in the macros themselves).
EDIT: Maybe it would've been better if I posted this in Main so all users can look at the macros?
_________________
Previously known as The_Grey_Beast
Last edited by Borsuc on 21 Jun 2009, 16:17; edited 2 times in total
DOS386 16 Jun 2009, 11:13
I had deliberately posted it in Main since it works in DOS also
Borsuc 21 Jun 2009, 16:18
Updated, very few tweaks. Now it outputs 'exe' instead of 'bin' extension. Also "filealign" is 100% correct with any setting right now.
wht36 01 Jul 2009, 04:51
Thank you for your hard work! This is very good quality work indeed. I've only tried to code a PE manually once a few years back and failed miserably. Your code is very well commented and I will definitely keep it as a reference. The added import section makes this way of coding a program workable. Thanks again!
Borsuc 01 Jul 2009, 13:56
Cheers. If you want you can even change the DOS stub message (e.g: make it specific for your app). You can make it very long also, larger than a DOS page, that is calculated.
(any bugs, please report, but I hope there aren't any).
Borsuc 29 Aug 2009, 20:13
UPDATE
Here's a new version. Now it works with uninitialized sections properly (it uses 'virtual' for those sections automatically so, if you put any data in such section, it won't matter at all! You don't have to use 'rb' and such).
I had to remove the "manually input section flags" because with that method I have no control in macros over the 'uninitialized' attribute, unfortunately. So you'll have to use the descriptive macros like "has uninitialized data" and such (there's an example).
The console_2section.asm has two sections, the second one is with uninitialized data (it has no purpose whatsoever but to make you get the idea).
_________________
Previously known as The_Grey_Beast
Last edited by Borsuc on 30 Aug 2009, 14:20; edited 1 time in total
Borsuc 30 Aug 2009, 14:18
Sorry, yet again another small update
This isn't a bugfix or anything, it's just that if you used "org" inside 'virtual' you would have got a wrong fileoffset. This fixes that. Hope it's the last version.
(download the previous attachment again, if you have previously downloaded -- it's a small addition at the beginning of the macros overriding the "virtual" directive)
kohlrak 03 Sep 2009, 19:32
I'm curious. How do the outputted binaries hold up against false positives?
Borsuc 03 Sep 2009, 23:06
Not sure, and don't care. To be honest I don't think it would signal anything, it depends how you use (I guess if you have self-modifying code and data in one section, it would trigger). But no one said you have to make only one section.
_________________
Previously known as The_Grey_Beast
kohlrak 04 Sep 2009, 00:01
Well, the main reason I ask is because I'm looking to manual PE because "format PE" is known for FPs (not sure exactly why). Anyway, I'll have to try it sometime. Keep up the good work.
windwakr 04 Sep 2009, 00:04
Off-topic from the macros, but shows why FASM's "format PE" has so many false positives:
kohlrak wrote: Blah Blah Blah......(not sure exactly why).....Blah Blah Bleh
I believe FASM stores its version number in the header, and that may mess with some virus scanners. OR, it could be because of the missing stuff in the header.
EDIT: Found it. This thread.
Tomasz Grysztar wrote:
EDIT: Must be the missing stuff from the header. I made the necessary changes to FASM (as mentioned in that thread) and recompiled the "Star Trek" game (the one with 11 reports on VirusTotal). Now look at its VirusTotal scan report. HUGE REDUCTION in false positives! From 11/41 scanners reporting it as a virus to 2/41! So, if you don't want FP's, just make those changes that are mentioned in the thread I linked.
Last edited by windwakr on 04 Sep 2009, 03:00; edited 1 time in total
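
Added example, not part of any post in this thread: a small Python check of the header properties the posters speculate about, namely the linker-version bytes (where a build tool can record its version), header fields left at zero, and sections that are both writable and executable. The names `inspect_pe` and `build_sample` and the sample header are constructed for illustration; the thread does not say which of these properties any particular scanner reacts to.

```python
import struct

EXEC, WRITE, UNINIT = 0x20000000, 0x80000000, 0x00000080  # section flag bits

def inspect_pe(data: bytes) -> dict:
    """Summarise the header fields discussed above for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    (file_align,) = struct.unpack_from("<I", data, opt + 36)
    (checksum,) = struct.unpack_from("<I", data, opt + 64)
    sections = []
    for i in range(nsect):                   # 40-byte section table entries
        name, *_, flags = struct.unpack_from("<8s6I2HI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "writable_executable": bool(flags & WRITE and flags & EXEC),
            "uninitialized": bool(flags & UNINIT),
        })
    zero = [n for n, v in (("TimeDateStamp", stamp), ("CheckSum", checksum)) if v == 0]
    return {"linker_version": (major, minor), "file_alignment": file_align,
            "zero_fields": zero, "sections": sections}

def build_sample() -> bytes:
    """Constructed header-only image: one read/write/execute section."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 1, 68)        # constructed linker version
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    sect = struct.pack("<8s6I2HI", b".flat", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0xE0000060)            # code+data, R/W/X
    return dos + b"PE\0\0" + coff + bytes(opt) + sect

if __name__ == "__main__":
    print(inspect_pe(build_sample()))
```
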
Azu 04 Sep 2009, 01:37
Borsuc wrote: Not sure, and don't care. To be honest I don't think it would signal anything, it depends how you use (I guess if you have self-modifying code and data in one section, it would trigger). But no one said you have to make only one section.
I think they come from something else. Probably the way format PE makes the header by default.
Borsuc 04 Sep 2009, 15:17
hmm, virus scanners are stupid? why would they check the innocent header?
revolution 04 Sep 2009, 15:22
Borsuc wrote: hmm, virus scanners are stupid? why would they check the innocent header?
Azu 04 Sep 2009, 15:25
revolution wrote: