flat assembler
Message board for the users of flat assembler.
SDragon
Some guy called server2000 has published a 153-byte exe with no hardcoded addresses. Here is his article in Russian:
http://www.xakep.ru/post/21399/default.asp
Some fields in the headers are overlaid, and "MZ..PE" is used as the message. IMHO, this should be interesting for you.
Chewy509
polygon7 wrote:
This article: Google Cache of vol2 ?
Ancient One
Wow... that's really cool. Can anyone help translate the article to English, please?
Ancient One
I've done the overlapping header before, but it didn't work, so I thought it never would work... silly me!
shism2
Yeah, someone translate it to English... Babelfish does an OK translation, but it's not clear enough.
polygon7
Chewy509 wrote: This article: Google Cache of vol2 ?
best regards, p7
Ancient One
Now here's a really small exe based on the 153-byte program (but it still uses hardcoded addresses that only run on XP SP0). It's 98 bytes in size.
Code:
use32
image_base equ 0x400000

dos_header:
        dw 'MZ'
        dw 0
nt_header:                         ; e_lfanew (offset 0x3C) will point here, i.e. 4
        dd 'PE'
        dw 0x14c, 0                ; Machine (i386), NumberOfSections (none)
main:                              ; code lives in TimeDateStamp..NumberOfSymbols
        push user32+image_base
        call 0x77e805d8-image_base ; LoadLibraryA, hardcoded for XP SP0
        jmp next1
        dw sizeof_optional_header
        dw 0x10e                   ; Characteristics
optional_header:
        dw 0x10b                   ; PE32 magic
next3:
        push eax
        call 0x77d6add7-image_base ; MessageBoxA, hardcoded for XP SP0
        ret
user32 db 'user32', 0
        dd main                    ; AddressOfEntryPoint
next2:
        push user32+image_base
        jmp next3
        rb 1
        dd image_base              ; ImageBase
        dd 4, 4                    ; SectionAlignment (this dword is also e_lfanew), FileAlignment
        dw 4, 1, 0, 0, 3           ; OS / image / subsystem version words
next1:
        xor eax, eax
        push eax eax
        jmp next2
        dd sizeof_image            ; SizeOfImage
        dd sizeof_headers          ; SizeOfHeaders
        rb 4                       ; CheckSum
        dw 2                       ; Subsystem: GUI
sizeof_optional_header = $-optional_header
sizeof_headers=sizeof_optional_header
sizeof_image=$
estrang
Code:
LoadLibrary equ 0x7c801d77-image_base ; hardcoded address
MessageBox  equ 0x77d804ea-image_base ; hardcoded address
Where did you guys get this stuff (the addresses)?? Disassembling?
RedGhost
estrang wrote:
Well, you could disassemble or debug, but the easiest way would be to call GetProcAddress, then log the address:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getprocaddress.asp
redghost.ca
chris
Well, let's say it should be called the smallest 'hello world' Win32 PE.
What if the program does nothing but ret immediately after it is loaded by the Windows loader? It would definitely be smaller.
Ancient One
Not really, chris... the code itself uses part of the unused header, so less code does not make it smaller.
The addresses can be found easily using any PE dump sort of program.
chris
Okay, I think I got your idea, Ancient One, thanks.
I guess the most tricky part is that the SectionAlignment field in image_optional_header32 has offset 60 (after the 2-byte padding following 'MZ'), which is exactly the offset of e_lfanew in image_dos_header. This makes the two headers "merged" together.
For you guys who want to run it in WinXP SP2, just change 0x77e805d8 to 0x7c801d77 (LoadLibraryA) and 0x77d6add7 to 0x77d804ea (MessageBoxA); both of them have new addresses in SP2.
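As an added illustration of the field aliasing chris describes (this is my own Python, not code from the thread or from fasm), the script below builds a constructed 98-byte image with the same field placement as Ancient One's listing, with the instruction bytes replaced by NOP filler so it is a layout specimen rather than a runnable program, and then parses it the way a loader walks the headers, recording the file offset each field was read from. It shows the dword at offset 60 being read once as e_lfanew and once as SectionAlignment, and lists the header oddities a triage tool would flag on such a sample (the offset constants come from the PE/COFF format; the finding texts are my own wording).

```python
import struct

# Offsets from the PE/COFF format (not from the thread): where the fields live.
E_LFANEW_OFFSET = 0x3C        # IMAGE_DOS_HEADER.e_lfanew
FILE_HEADER_SIZE = 20         # IMAGE_FILE_HEADER follows the 4-byte "PE\0\0"
OPT_ENTRY_POINT = 16          # IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint
OPT_IMAGE_BASE = 28           # IMAGE_OPTIONAL_HEADER32.ImageBase
OPT_SECTION_ALIGNMENT = 32    # IMAGE_OPTIONAL_HEADER32.SectionAlignment
OPT_SIZE_OF_IMAGE = 56        # IMAGE_OPTIONAL_HEADER32.SizeOfImage
OPT_SIZE_OF_HEADERS = 60      # IMAGE_OPTIONAL_HEADER32.SizeOfHeaders


def build_overlapped_image():
    """Constructed 98-byte specimen with the same field placement as the
    thread's listing. Instruction bytes are NOP (0x90) filler: this shows the
    header layout only and is not an executable program."""
    img = bytearray(98)
    img[0:2] = b"MZ"                                  # e_magic; e_lfanew is never written directly
    img[4:8] = b"PE\0\0"                              # NT signature sits at offset 4
    struct.pack_into("<HH", img, 8, 0x14C, 0)         # Machine=i386, NumberOfSections=0
    img[12:24] = b"\x90" * 12                         # code slot: TimeDateStamp..NumberOfSymbols
    struct.pack_into("<HH", img, 24, 70, 0x10E)       # SizeOfOptionalHeader (98-28), Characteristics
    struct.pack_into("<H", img, 28, 0x10B)            # optional header Magic (PE32)
    img[30:44] = b"\x90" * 14                         # code slot + 'user32' string in the listing
    struct.pack_into("<I", img, 44, 12)               # AddressOfEntryPoint -> RVA 12 (main)
    img[48:56] = b"\x90" * 8                          # code slot (next2)
    struct.pack_into("<I", img, 56, 0x400000)         # ImageBase
    struct.pack_into("<II", img, 60, 4, 4)            # SectionAlignment, FileAlignment
    struct.pack_into("<5H", img, 68, 4, 1, 0, 0, 3)   # OS / image / subsystem version words
    img[78:84] = b"\x90" * 6                          # code slot (next1)
    struct.pack_into("<II", img, 84, 98, 70)          # SizeOfImage, SizeOfHeaders
    # bytes 92..95 are CheckSum (left zero)
    struct.pack_into("<H", img, 96, 2)                # Subsystem = GUI
    return bytes(img)


def parse_pe_headers(img):
    """Walk DOS -> NT -> optional header as a loader does and record where
    each field was read from, so that overlapping fields become visible."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, E_LFANEW_OFFSET)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, num_sections = struct.unpack_from("<HH", img, e_lfanew + 4)
    size_of_opt = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 4 + FILE_HEADER_SIZE
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")

    def u32(field_off):
        return struct.unpack_from("<I", img, opt + field_off)[0]

    return {
        "e_lfanew": e_lfanew,
        "optional_header_offset": opt,
        "size_of_optional_header": size_of_opt,
        "machine": machine,
        "number_of_sections": num_sections,
        "entry_point_rva": u32(OPT_ENTRY_POINT),
        "image_base": u32(OPT_IMAGE_BASE),
        "section_alignment": u32(OPT_SECTION_ALIGNMENT),
        "section_alignment_offset": opt + OPT_SECTION_ALIGNMENT,
        "size_of_image": u32(OPT_SIZE_OF_IMAGE),
        "size_of_headers": u32(OPT_SIZE_OF_HEADERS),
    }


def header_findings(info):
    """Triage notes a defender would want when a sample parses like this."""
    findings = []
    if info["e_lfanew"] < 0x40:
        findings.append("NT headers start inside the DOS header (e_lfanew=%d)" % info["e_lfanew"])
    if info["section_alignment_offset"] == E_LFANEW_OFFSET:
        findings.append("SectionAlignment dword doubles as e_lfanew (offset 0x3C)")
    if info["number_of_sections"] == 0:
        findings.append("no section table: any code must live inside the headers")
    if info["entry_point_rva"] < info["size_of_headers"]:
        findings.append("entry point RVA %d lies inside the headers" % info["entry_point_rva"])
    return findings


if __name__ == "__main__":
    parsed = parse_pe_headers(build_overlapped_image())
    for key, value in parsed.items():
        print("%-26s %s" % (key, hex(value) if isinstance(value, int) else value))
    for note in header_findings(parsed):
        print("finding:", note)
```

Running it prints e_lfanew=0x4, optional_header_offset=0x1c and section_alignment_offset=0x3c, which is exactly the coincidence chris points out: the optional header begins at file offset 28, SectionAlignment is 32 bytes into it, and 28+32 is the 0x3C slot the DOS header reserves for e_lfanew. The same checks are useful in the other direction: an e_lfanew below 0x40, a zero section count, or an entry point inside the headers are all reasons for a scanner to treat a file as hand-crafted rather than compiler-produced.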
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.