Index
> Windows > Smallest Win32 PE..Goto page Previous 1, 2 |
| Author |
|
|
SDragon 24 Oct 2005, 10:07
Some guy called server2000 had published 153 bytes exe with no hardcoded addresses. Here is his article in Russian:
http://www.xakep.ru/post/21399/default.asp Some fields in headers are overlayed, "MZ..PE" used as message. IMHO, this should be interesting for you.
|
|||||||||||
24 Oct 2005, 10:07 |
|
|
Chewy509 25 Oct 2005, 01:33
polygon7 wrote:
This article:Google Cache of vol2 ? |
|||
|
25 Oct 2005, 01:33 |
|
|
Ancient One 25 Oct 2005, 03:43
wow.. thats really cool..can anyone help translate the article to english please???
|
|||
|
25 Oct 2005, 03:43 |
|
|
Ancient One 25 Oct 2005, 03:50
i done the overlapping header before but it didn't work so i thought it never will work.. silly me!
|
|||
|
25 Oct 2005, 03:50 |
|
|
shism2 25 Oct 2005, 04:28
ya someone transalate it to english... babelfish does an OK trans but not clear enough
|
|||
|
25 Oct 2005, 04:28 |
|
|
polygon7 25 Oct 2005, 07:13
Chewy509 wrote: This article:Google Cache of vol2 ?  _________________ best regards p7 |
|||
|
25 Oct 2005, 07:13 |
|
|
Ancient One 26 Oct 2005, 05:55
now here a really small exe based on the 153 bytes program.. (but it still use hardcoded address that run in xp sp-0). it's 98 bytes in size
Code: use32 image_base equ 0x400000 dos_header: dw 'MZ' dw 0 nt_header: dd 'PE' dw 0x14c, 0 main: push user32+image_base call 0x77e805d8-image_base jmp next1 dw sizeof_optional_header dw 0x10e optional_header: dw 0x10b next3: push eax call 0x77d6add7-image_base ret user32 db 'user32', 0 dd main next2: push user32+image_base jmp next3 rb 1 dd image_base dd 4, 4 dw 4, 1, 0, 0, 3 next1: xor eax, eax push eax eax jmp next2 dd sizeof_image dd sizeof_headers rb 4 dw 2 sizeof_optional_header = $-optional_header sizeof_headers=sizeof_optional_header sizeof_image=$ |
|||
|
26 Oct 2005, 05:55 |
|
|
estrang 16 Nov 2005, 13:28
Code: LoadLibrary equ 0x7c801d77-image_base ;hardcoded address MessageBox equ 0x77d804ea-image_base ;hardcoded address Where did you guys get these stuffs(addresses)?? Disassemblimg? |
|||
|
16 Nov 2005, 13:28 |
|
|
RedGhost 16 Nov 2005, 16:28
estrang wrote:
well you could disassemble or debug, but the easiest way would be to call GetProcAddress then log the address http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getprocaddress.asp _________________ redghost.ca |
|||
|
16 Nov 2005, 16:28 |
|
|
chris 05 Jan 2006, 05:19
well, let's say it should be called the smallest 'hello world' win32 PE,
what if the program does nothing but ret immediately after it is loaded by windows loader? it would be definitely smaller |
|||
|
05 Jan 2006, 05:19 |
|
|
Ancient One 12 Jan 2006, 05:29
not really chris... the code itself use part of unused header so less code does not make it smaller.
the address can be found easily using any PE dump sort of programs. |
|||
|
12 Jan 2006, 05:29 |
|
|
chris 12 Jan 2006, 08:54
okey, I think I got your idea, Ancient One, thanks.
I guest the most tricky part is that the section alignment field in image_optional_header32 has an offset 60 (after padding 2bytes following 'MZ') which is exactly the offset of e_lfanew in image_dos_header. This makes the two headers "merged" together
For you guys want to run it in WinXP SP2, just change 0x77e805d8 to 0x7c801d77(LoadLibraryA) and 0x77d6add7 to 0x77d804ea(MessageBoxA) both of them have new addresses in SP2. |
|||
|
12 Jan 2006, 08:54 |
|
| Goto page Previous 1, 2 < Last Thread | Next Thread > |
Forum Rules:
|