flat assembler
Message board for the users of flat assembler.

Partial relocations


randomdude
Is it possible to prevent relocation on certain code parts?

Currently I have to use something like this:

Code:
myaddress dd 0x12345678
...
jmp [myaddress]


Instead of this:

Code:
jmp 0x12345678


Which obviously would be faster...
Post 17 Jun 2015, 21:06

revolution
"jmp address" doesn't generate any relocation because "jmp near" is relative.

"jmp [address]" will need a relocation.

To answer your question, it is easy to prevent all relocations by not including any relocation information in the exe.
Post 17 Jun 2015, 23:47

alexfru
revolution wrote:
"jmp address" doesn't generate any relocation because "jmp near" is relative.


If "address" happens to be a numeric constant and not a code label, there needs to be relocation when assembling into an object file. I just had to include support for such relocations in my linker. The relocation isn't needed, of course, when assembling into an executable that will be loaded at a known fixed location.
Post 18 Jun 2015, 06:18

revolution
alexfru wrote:
If "address" happens to be a numeric constant and not a code label, there needs to be relocation when assembling into an object file.
Okay. But I am curious to know where in Windows would one need to jump to a fixed location? jmp 0x00000000?

So anyway, if you need that then an alternative could be:
Code:
mov eax,0x12345678
jmp eax    
Post 18 Jun 2015, 06:40

alexfru
Doesn't have to be Windows. In my case someone was trying to create C-callable wrappers for MikeOS APIs and my C compiler, Smaller C, and calls to those are like "call 3". Everything was fine until they tried to link object files containing those "call 3's" with my linker. It was definitely not an expected scenario for me when I was writing my linker. :)
Post 18 Jun 2015, 06:52

revolution
alexfru wrote:
Doesn't have to be Windows.
Would you like this topic moved to Main? That way people will be less confused by the non-Windows usage scenario.
Post 18 Jun 2015, 07:05

alexfru
Sure, move, unless your question was intended for the OP.
Post 18 Jun 2015, 07:32

revolution
I got confused there. But anyhow, if the OP doesn't mean Windows specifically then the question still stands. Otherwise it might be useful for another topic to discuss non-Windows (and perhaps any non-mainstream-OS) style relocations.
Post 18 Jun 2015, 08:39

randomdude
I have a DLL that creates a code cave in the main exe. Let's say I want to create it at exe address 0x00401000 by placing a jmp there and then jmp back to 0x00401005:

Code:
mycodecave:

;do stuff

jmp 0x00401005


This won't work; it will jmp to the base of the DLL code + 5 instead of to exe address 0x00401005.
Post 18 Jun 2015, 14:01

revolution
So the exe has no relocations? But the DLL does?

Does using a register work for you?
Code:
mov eax,0x00401005
jmp eax    
Post 18 Jun 2015, 14:38

randomdude
Sure, I can use that, but it would be much better if I could jmp directly, like when a DLL has no relocations.


Attachment: projects.zip (1.14 KB)

Post 18 Jun 2015, 15:29

revolution
If you make it a macro then it will feel just like a normal instruction:
Code:
macro goto dest {
  push dest
  ret
}    
Post 18 Jun 2015, 15:43

randomdude
LOL man

I don't care how it looks in my code, I just want to be able to use jmp <address> in a relocated DLL without using any dirty trick.
Post 18 Jun 2015, 15:51

randomdude
Made this DLL in C.

It probably has a relocation table, yet the jmp is not relocated:

Code:
push ebp
mov ebp, esp
jmp near ptr 401000h

Can't fasm do the same?


Attachment: Desktop.zip (8.8 KB)

Post 18 Jun 2015, 16:22

typedef
randomdude wrote:
Sure, I can use that, but it would be much better if I could jmp directly, like when a DLL has no relocations.


Just parse the PE headers man. Also look into ASLR.
Post 19 Jun 2015, 13:47

Tomasz Grysztar
randomdude wrote:
Made this DLL in C.

It probably has a relocation table, yet the jmp is not relocated:

push ebp
mov ebp, esp
jmp near ptr 401000h

Can't fasm do the same?

The problem here is that the x86 near jump instruction is encoded with a relative offset and not the absolute address. So when "jmp 401000h" has to be created, the encoder needs to know where this instruction is going to reside in memory in order to calculate this offset correctly.

The sample DLL you provided contains this instruction encoded with the assumption that this DLL is loaded at its default image address (6FA00000h). Therefore it is not going to work correctly when it is loaded at a different address.

You can verify it by first loading some other DLL at 6FA00000h address, thus forcing the hello2.dll to be loaded elsewhere - note that then the jump instruction no longer jumps to 401000h:
Code:
; foo.asm

format PE GUI 4.0 DLL at 6FA00000h ; hijack the base address
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,TRUE
        ret
endp

proc foo
        mov     eax,$
        ret
endp

section '.edata' export data readable

  export 'foo.dll',\
         foo,'foo'

section '.reloc' fixups data readable discardable

; hello1.asm

format PE GUI 4.0 at 0x00400000 as 'exe'
entry start

;==================================================
; Includes
;==================================================

include 'win32a.inc'

;==================================================
section '.text' code readable executable
;==================================================

;0x00401000
        invoke  MessageBox,0,testmsg,0,MB_OK
        invoke  ExitProcess,0
        dllname db 'hello2.dll',0

proc start
        invoke  foo                     ; make sure that foo.dll is loaded
        invoke  LoadLibrary,dllname     ; the jump to 401000h is not going to happen this time
endp

;==================================================
section '.idata' import data readable
;==================================================

library advapi32,'ADVAPI32.DLL',\
        comctl32,'COMCTL32.DLL',\
        comdlg32,'COMDLG32.DLL',\
        gdi32,'GDI32.DLL',\
        kernel32,'KERNEL32.DLL',\
        shell32,'SHELL32.DLL',\
        user32,'USER32.DLL',\
        wsock32,'WSOCK32.DLL',\
        foo_dll,'FOO.DLL'

include 'api\advapi32.inc'
include 'api\comctl32.inc'
include 'api\comdlg32.inc'
include 'api\gdi32.inc'
include 'api\kernel32.inc'
include 'api\shell32.inc'
include 'api\user32.inc'
include 'api\wsock32.inc'

import foo_dll,\
       foo,'foo'

;==================================================
section '.data' data readable writeable
;==================================================

testmsg         db 'test',0

;==================================================
;section '.reloc' fixups data readable discardable
;==================================================

;if ~ $-$$
;        dd 0,8
;end if
    


That being said, you can easily obtain the same effect in fasm, the ORG directive is there to tell the assembler that you want to assume that your assembled code is going to be loaded at specified address. But to make sure that this is a valid assumption is then up to you:
Code:
        org     BASE + RVA $
        jmp     401000h    
Post 19 Jun 2015, 15:25

revolution
randomdude: There is no way to do what you want with current x86 encoding and Windows DLL requirements. You will have to use at least one "dirty trick".

In another thread you appear to be focussed upon making it "fast". But I seriously doubt that this is actually a problem for you. So I would suggest just start with something simple like the goto macro above. Then if the performance is really shown to be an issue move on to something more advanced and awkward to code.
Post 20 Jun 2015, 04:12

randomdude
OK guys, thanks for clearing it up :)

I'll use the auto-patching of my own DLL jmps like I posted in the other thread.
Post 20 Jun 2015, 09:49

l_inc
randomdude
Your original question is quite confusing, because what you actually need is not to prevent, but to generate a relocation. The relocation should be of a type that does not add, but rather subtracts the base offset. The problem is that this type of relocation is not supported by PEs.

In fact you could use a far jump to jump to an absolute address:
Code:
jmp $23:$00401005    

But you should avoid it in terms of performance, because that might be much slower, and it does not provide any size advantage versus revolution's suggestion anyway.

_________________
Faith is a superposition of knowledge and fallacy
Post 20 Jun 2015, 20:32
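The following is an added worked example, not code from this board or from any of the posters. It models in Python what Tomasz Grysztar's and l_inc's posts above describe: an x86 `jmp rel32` (opcode E9) stores `target - (address of the next instruction)`, so when the DLL that contains it is loaded at a base other than the one it was assembled for, the effective target drifts by the same delta; the only 32-bit fixup PE offers (IMAGE_REL_BASED_HIGHLOW) adds the delta to a field, which is the right thing for the absolute pointer behind the OP's `jmp [myaddress]` and the wrong sign for a rel32, while revolution's `mov eax,imm32 / jmp eax` needs no fixup at all. The image base 0x6FA00000 and the target 0x00401005 come from the thread; the jump's RVA inside the DLL (0x1000) and the alternate load base (0x6FB00000) are constructed values.

```python
# Added example (not from the fasm board or its posters): how a jmp rel32
# and its alternatives behave when a DLL is loaded away from its assumed base.
# Thread values: DLL image base 0x6FA00000, exe target 0x00401005.
# Constructed values: jump RVA 0x1000, alternate load base 0x6FB00000.
import struct

MASK32 = 0xFFFFFFFF


def encode_jmp_rel32(instr_addr: int, target: int) -> bytes:
    """Encode `jmp target` as E9 rel32 for an instruction placed at instr_addr.
    The displacement is relative to the end of the 5-byte instruction."""
    disp = (target - (instr_addr + 5)) & MASK32
    return b"\xe9" + struct.pack("<I", disp)


def decode_jmp_rel32(code: bytes, instr_addr: int) -> int:
    """Effective target of an E9 rel32 that actually sits at instr_addr."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    disp = struct.unpack("<i", code[1:5])[0]          # signed displacement
    return (instr_addr + 5 + disp) & MASK32


def encode_mov_eax_jmp_eax(target: int) -> bytes:
    """revolution's alternative: B8 imm32 (mov eax,imm32) then FF E0 (jmp eax).
    The imm32 is an absolute constant, so the load base never enters."""
    return b"\xb8" + struct.pack("<I", target & MASK32) + b"\xff\xe0"


def decode_mov_eax_jmp_eax(code: bytes) -> int:
    """Target of a mov eax,imm32 / jmp eax pair."""
    if len(code) != 7 or code[0] != 0xB8 or code[5:7] != b"\xff\xe0":
        raise ValueError("not a mov eax,imm32 / jmp eax pair")
    return struct.unpack("<I", code[1:5])[0]


def apply_highlow_fixup(code: bytes, offset: int, delta: int) -> bytes:
    """What the loader does for a .reloc HIGHLOW entry: add the base delta to
    the 32-bit field at `offset`. Correct for an absolute pointer (the `dd`
    behind `jmp [myaddress]`), not for a rel32 displacement."""
    value = struct.unpack_from("<I", code, offset)[0]
    patched = struct.pack("<I", (value + delta) & MASK32)
    return code[:offset] + patched + code[offset + 4:]


def rebase_demo(assembled_base: int = 0x6FA00000, loaded_base: int = 0x6FB00000,
                jmp_rva: int = 0x1000, target: int = 0x00401005) -> dict:
    """Assemble the jump for assembled_base (what `org`/the image base
    promises), load the DLL at loaded_base, and report where each variant
    really lands."""
    delta = loaded_base - assembled_base
    jmp = encode_jmp_rel32(assembled_base + jmp_rva, target)
    at_load = loaded_base + jmp_rva
    return {
        # plain rel32, untouched by the loader: drifts by +delta
        "jmp_rel32": decode_jmp_rel32(jmp, at_load),
        # HIGHLOW fixup (wrongly) applied to the displacement: drifts by +2*delta
        "jmp_rel32_highlow": decode_jmp_rel32(
            apply_highlow_fixup(jmp, 1, delta), at_load),
        # the fixup type PE lacks (subtract delta): lands on the target
        "jmp_rel32_negated": decode_jmp_rel32(
            apply_highlow_fixup(jmp, 1, -delta), at_load),
        # absolute register jump: base-independent, no fixup needed
        "mov_eax_jmp_eax": decode_mov_eax_jmp_eax(encode_mov_eax_jmp_eax(target)),
    }


if __name__ == "__main__":
    for name, addr in rebase_demo().items():
        print(f"{name:20s} -> {addr:#010x}")
```

With `loaded_base` equal to `assembled_base` every variant reaches 0x00401005, which is the no-relocations exe case from earlier in the thread; with the base moved by 0x100000 only the register jump and the (nonexistent) subtracting fixup still do. The `org BASE + RVA $` trick only changes the `assembled_base` that goes into the encoding, so it is correct exactly when that promise holds at load time, which is the caveat in the post above.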

Copyright © 1999-2020, Tomasz Grysztar.