flat assembler
Message board for the users of flat assembler.
revolution 23 Sep 2023, 15:36
The hex bytes in the ENTRYPOINT tag look like code.
Code:
    push 0      ; 6a00
    call ...    ; ff15
FlierMate7 23 Sep 2023, 15:58
revolution wrote: The hex bytes in the ENTRYPOINT tag look like code.
You're right, I guess it is a signature used to detect the version of FASM used to assemble the program? But CFF Explorer is wrong. My COLORDUMP.asm code coincidentally meets the code pattern 0x6A XX FF 15:
Code:
    start:
        push -11
        call [GetStdHandle]
Code:
    L_00402000: push -0xb
    L_00402002: call [0x403060]
And it was reported as FASM 1.3.
Now if I assemble a dummy program:
Code:
    entry $
    mov ax, 1
    ret
File Info will say "No match found" even though it was assembled by FASM. What an inaccurate way to read a signature.
But I understand that CFF Explorer has not been updated for a long time.... maybe I should try PE-bear.
FlierMate7 23 Sep 2023, 16:10
Another signature example used in CFF Explorer to detect Dev-C++ v5:
Code:
    <ENTRY>
      <NAME>Dev-C++ v5</NAME>
      <COMMENTS> </COMMENTS>
      <ENTRYPOINT> </ENTRYPOINT>
      <ENTIREPE>5589E583EC146A??FF15??????00????????????????????????????00000000</ENTIREPE>
    </ENTRY>
...which is...
Code:
    0: 55          push ebp
    1: 89 e5       mov ebp,esp
    3: 83 ec 14    sub esp,0x14
    6: 6a          .byte 0x6a
Is this how the rich header in a PE file should behave?
revolution 23 Sep 2023, 16:50
The Rich Header is an MS link.exe undocumented format. So it can be literally anything and we wouldn't know if that is how "should behave" unless you can convince MS to say something about it.
The only "signature" fasm leaves in an MZ header is the DOS stub code. It isn't a real signature. It is just that fasm uses the same stub for all PE outputs. You can change the stub to anything of your liking. Tools that try to guess the compiler with heuristics can't be 100% accurate. Anyone can create a unique file with no recognised patterns.
FlierMate7 23 Sep 2023, 17:13
Thanks for your useful info, revolution.
MatQuasar 10 Jan 2024, 13:55
Today I found the real Rich header (in a Rust-compiled binary), between the "This program cannot be run in DOS mode" data string and the PE signature.
macomics 10 Jan 2024, 16:44
The PE header should be searched for by the offset indicated at the end of the MZ header (bytes 0x3C-0x3F).
And it most likely specifies 0x00000100. In any case, this yellow block of data will be skipped by the loader, and there should be a reference to it from code. To find it, it is enough to feed the program to a disassembler or debugger.
MatQuasar 10 Jan 2024, 17:16
Maybe you misunderstand it.
A description of the Rich header:
Quote: The Rich header is an undocumented header contained within PE files compiled and linked using the Microsoft toolchain. It contains information about the build environment that the PE file was created in.
But what you said about locating the PE header from offset 0x3C is correct.
Mat Quasar 30 Dec 2024, 09:52
Example of rich header in PE file:
Core i7 30 Dec 2024, 12:22
Mat Quasar, information on the topic:
https://codeby.net/threads/asm-tjomnaja-storona-re-fajla.79133/
Mat Quasar 30 Dec 2024, 13:03
Core i7 wrote: Mat Quasar, information on the topic:
We must have the same interest if Marylin was you! A good read; now I understand the block between DanS and Rich is the rich header, and the XOR key is the checksum after 'Rich'. I learned a thing or two from your PE_RICH example: I didn't know previously that we can set the console title for a console app, and also that a console app can support an Open File Dialog (which is part of the GUI). (I also saw these in Picnic's HB example, but wasn't confirming until I saw yours.) And the world is so small, Mikl___ is also your fellow member; I know they created a tiny PE... I ran your PE_RICH.EXE on the same EXE that I analyzed using PE-bear. Yours is less meaningful (no "Visual Studio 15" for example), but it worked.
Mat Quasar 30 Dec 2024, 15:49
A little advertising for my File Visual Analyzer ( https://board.flatassembler.net/topic.php?t=22924 ): this is the hexdump of the MZ header and rich header in colors!
Core i7 30 Dec 2024, 16:16
Mat Quasar wrote: I ran your PE_RICH.EXE on the same EXE that I analyzed using PE-bear. Yours is less meaningful (no "Visual Studio 15" for example), but it worked.
Yes, the base is small there. The full list, "CompilerId.txt", can be found here: https://github.com/dishather/richprint/blob/master/comp_id.txt
Core i7 31 Dec 2024, 02:21
Probably the best PE file viewer today is Pe-Anatomist. Shows all undocumented structures of Windows executable files, including "RichHeader". Moreover, it is the only tool that can collect information about *.PDB debug files. I recommend it!
akatatsu27 13 Jan 2025, 22:32
The best analysis of the Rich Header I've found is here: https://www.ntcore.com/files/richsign.htm
I've made a macro to generate the Rich header, and a helper macro to insert it before the PE header using the standard fasm2 includes:
Code:
    macro toolUsage mask, qwordpadding, tools&
      Rich:
        db 'DanS'
        dd 0x0
        dd 0x0
        dd 0x0
        iterate <buildid,productid,timesUsed>, tools
          dw buildid
          dw productid
          dd timesUsed
        end iterate
      RichInfoEnd:
        db 'Rich'
        dd mask
      RichEnd:
        dq qwordpadding dup 0
      ; XOR every dword from 'DanS' up to (not including) 'Rich' with the mask
      repeat (RichInfoEnd - Rich)/4
        load a : dword from Rich + (%-1)*4
        store a xor mask : dword at Rich + (%-1) * 4
      end repeat
    end macro

    namespace PE
      macro Header &tail&
        toolUsage 0xa6191cf1, 2,\
          30729, 131, 100,\
          30729, 147, 11,\
          0, 1, 108,\
          30729, 149, 62,\
          30729, 142, 866,\
          30729, 132, 26,\
          30729, 146, 1,\
          30729, 148, 1,\
          30729, 145, 1
        Header tail
      end macro
    end namespace

    format PE64 GUI
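As an added example (not code from this thread, from fasm, or from any of the tools named above), here is the Rich block from the two posts above in Python: build_rich_header encodes it the same way the macro does ('DanS', three zero dwords, the entries, everything XORed with the mask, then 'Rich' and the mask in the clear), and parse_rich_header walks back from 'Rich' with that mask to recover the (build, product, count) entries, searching only the bytes before the PE header offset read at 0x3C. The MZ prefix is constructed rather than a real file, and the mask is taken from the file, not re-derived from the checksum.

```python
import struct

DANS = struct.unpack("<I", b"DanS")[0]  # 'DanS' marker as a little-endian dword

def build_rich_header(mask, tools):
    """Encode a Rich block like the fasm2 macro in the post above: 'DanS', three
    zero dwords, (build, product, count) entries, all XORed with mask, then 'Rich' + mask."""
    body = b"DanS" + b"\0" * 12
    for build, product, count in tools:
        body += struct.pack("<HHI", build, product, count)
    encoded = b"".join(
        struct.pack("<I", struct.unpack_from("<I", body, i)[0] ^ mask)
        for i in range(0, len(body), 4)
    )
    return encoded + b"Rich" + struct.pack("<I", mask)

def make_sample_pe_prefix(rich):
    """Constructed sample, not a real file: MZ header, DOS stub, Rich block, 'PE\\0\\0'."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    pad = (-len(stub)) % 4  # keep the Rich block dword aligned
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub) + pad + len(rich))  # e_lfanew
    return bytes(dos) + stub + b"\0" * pad + rich + b"PE\0\0"

def parse_rich_header(data):
    """Return (mask, [(build, product, count), ...]) or None. Searches only the bytes
    before e_lfanew (read at 0x3C); the mask is read from the file, not re-derived."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    region = data[:e_lfanew]
    rich_at = region.rfind(b"Rich")
    if rich_at < 0 or rich_at + 8 > len(region):
        return None
    mask = struct.unpack_from("<I", region, rich_at + 4)[0]
    decoded, pos = [], rich_at - 4
    while pos >= 0:  # walk back, XOR-decoding each dword until 'DanS' appears
        value = struct.unpack_from("<I", region, pos)[0] ^ mask
        if value == DANS:
            break
        decoded.append(value)
        pos -= 4
    else:
        return None  # ran off the start of the file without finding 'DanS'
    decoded.reverse()  # file order: three zero dwords, then (comp id, count) pairs
    if len(decoded) < 3 or any(decoded[:3]) or (len(decoded) - 3) % 2:
        return None  # malformed padding or an odd number of dwords
    return mask, [(comp & 0xFFFF, comp >> 16, count)
                  for comp, count in zip(decoded[3::2], decoded[4::2])]
```

The sample entries below use three of the (buildid, productid, timesUsed) triples from the macro; a real linker-produced file is parsed the same way once its bytes are read in.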
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.