flat assembler
Message board for the users of flat assembler.

need help with exe size 65536
hdj1958



Joined: 09 Jul 2009
Posts: 9
Location: tenerife/spain
hdj1958
I am sure that I have made a mistake, but I haven't found an answer in the fasm help file:

I have a Windows exe program of nearly 60.000 bytes (format PE GUI 4.0),
then I added some (4) functions in proc ... endp and now the size is exactly 65.536 bytes,
when I start the program, the Windows system says that there is an error and it cannot execute the program,

my debug program (gobug) asked me at the beginning "is that a 32-bit executable program?" - smile
FASM has not said anything while assembling that there is something wrong with the source,

now I have made a copy of my program and cut all the functions without the last 4 (to test it),
now my smaller program starts well - so I don't think that the error is in the program lines/code/...

do you have any idea where my error is?
I think I have forgotten some parameters in the "format line" but I don't know which one,

regards
Post 09 Jul 2009, 10:01
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17716
Location: In your JS exploiting you and your system
revolution
Without seeing the source code it is difficult to say what is wrong.
Post 09 Jul 2009, 10:47
hdj1958
hi revolution,
it's not in the source code, because I have made some more programs with the same functions under 65.536 bytes and they ALL start and run well,
but each program which has 65.536 bytes or more won't start,
I am sure that I have to advise FASM to write a missing option, BUT WHICH ONE?

these are my first lines:
format PE GUI 4.0
entry Start

which are yours?
Post 09 Jul 2009, 12:09
revolution
What are your section options? Are you using the standard 'win32{a|w}.inc' type of includes?
Post 09 Jul 2009, 12:26
hdj1958
the third line is: include 'c:/fasm/include/Win32axp.inc'

and all code sections have: section '.code' code readable executable
or data section '.data' code readable (writeable)
Post 09 Jul 2009, 16:58
revolution
Since you are using the standard include 'win32axp' then you don't need the 'format ...' or 'entry ...' lines. But make sure you have the '.end Start' line.
Post 10 Jul 2009, 00:26
hdj1958
if I add ".end Start" at the end, FASM says:
"setting already specified" because Win32axp, line 174 and below (it's a macro), will again produce:
176: entry label
178: section '.idata' import data readable writeable
179: ...

if I delete the third line "entry Start" then FASM says:
"section '.idata' import data readable writeable"
data already defined

my ".idata" section (one of the last program lines/code) is:
section '.idata' import data readable writeable
;*************************************************************************
library wininet,'wininet.dll',\
urlmon,'urlmon.dll'

import wininet,\
HttpOpenRequest,'HttpOpenRequestA',\
HttpQueryInfo,'HttpQueryInfoA',\
HttpSendRequest,'HttpSendRequestA',\
InternetOpen,'InternetOpenA',\
InternetOpenUrl,'InternetOpenUrlA',\
InternetReadFile,'InternetReadFile',\
InternetCloseHandle,'InternetCloseHandle',\
InternetCanonicalizeUrl,'InternetCanonicalizeUrlA',\
InternetQueryDataAvailable,'InternetQueryDataAvailable',\
InternetConnect,'InternetConnectA'

import urlmon,\
URLDownloadToFile,'URLDownloadToFileA'

NOTHING MORE

the macro ".end label" does not include/import the 2 libraries (above), so I mean that the error ("data already defined") refers to the section name ".idata",
and if it's true that I cannot use a section ".idata" twice, then I cannot use the macro ".end Start" because I need some additional libraries (see above)

so finally I have deleted ".end Start", written "entry Start" again at the beginning, added in section ".idata" the 8 libraries from lines 180-187 (Win32axp.inc), and then suddenly FASM does not know what (for example) GetMessage is, that's very strange, because in lines 159-166 there is the EXPLICIT order to include the 8 api files, these 8 files are OUTSIDE ANY macro definition, so FASM has include them every time (without ANY conditions), but FASM won't do it, with the consequence that I have added the 8 api includes in the section ".idata" and now FASM knows what "GetMessage" means,
is it correct/logical that somebody has to include the same 8 api files TWICE???

MAYBE I have some logical error in my mind - smile, but in no way do I see where it is,
or maybe FASM has a bug?
Post 10 Jul 2009, 11:09
revolution
Post your code please. We are just going around in circles. I think you have made a mistake with mixing the 'win32axp' macros and your own custom sections. But I can't say for sure because I have no code to see.
Post 10 Jul 2009, 12:28
hdj1958
which part of my program do you want to see?
the whole program has more than 50 includes, because each include is a sub-routine like proc ... endp
I don't think that it is a good idea to put more than 50 source files here - smile,

but this is the main part:


Code:
format PE GUI 4.0
entry start

include 'c:/fasm/include/Win32axp.inc'

;*************************************************************************
section '.code' code readable executable
;*************************************************************************
start:  call    X000StartWindows
        cmp     eax,-1
        jne     ReturnToWindow


; Window + menus + various other things before the GETMESSAGE loop
;-------------------------------------------------------------------------
.ab100: call    newsreaderinit
        or      eax,eax
        jz      ReturnToWindow

        stdcall X011InternetOpen


getmessageloop:
        invoke  GetMessage ,sys_windowmessage ,NULL ,0 ,0
        or      eax,eax             ;If the function retrieves the WM_QUIT message, the return value is zero.
        jz      ReturnToWindow
        cmp     eax,-1              ;If there is an error, the return value is -1
        je      ReturnToWindow

        invoke  TranslateMessage,sys_windowmessage
        invoke  DispatchMessage,sys_windowmessage
        jmp     getmessageloop


ReturnToWindow:
;-------------------------------------------------------------------------
        call    newsreadercloseall

        mov     eax,[sys_internetopen_handle]
        or      eax,eax
        jz      .back
        invoke  InternetCloseHandle ,eax
        xor     eax,eax
        mov     [sys_internetopen_handle],eax

.back:  invoke  ExitProcess ,0

;*************************************************************************
section '.data' data readable writeable
;*************************************************************************
sys_windowmessage       MSG
sys_windowlistbox       dd      0000

testmemo        db      'src='
                db      '"http://www.espanyainfo.net/system/pic_default.jpg"',0
                rb      MAX_PATH

testurl         db      'http://www.espanyainfo.net/system/pic_default.jpg',0
                rb      MAX_PATH

testdir         db      'f:/readercache/feeds/zzztest/',0


;*************************************************************************
section '.code' code readable executable
;*************************************************************************
proc    MainWindowProc, msg_hwnd, msg_wmsg, msg_wparam, msg_lparam
;-------------------------------------------------------------------------
        mov     eax,[msg_wmsg]

        cmp     eax,WM_CLOSE
        je      .wmclose
        cmp     eax,WM_DESTROY
        je      .wmdestroy


; the WM_... commands are executed here by the respective program
; this MAIN module does not know which COMMANDS the sub-program needs
; will be modified later, include xxxx.asm is better
        mov     eax,[msg_hwnd]
        mov     [sysmsg_hwnd],eax
        mov     eax,[msg_wmsg]
        mov     [sysmsg_wmsg],eax
        mov     eax,[msg_wparam]
        mov     [sysmsg_wparam],eax
        mov     eax,[msg_lparam]
        mov     [sysmsg_lparam],eax
        call    newsreaderwmcommands
        or      eax,eax
        jnz     .back                   ;WM_COMMAND was processed


.defwindowproc:
        invoke  DefWindowProc,[msg_hwnd],[msg_wmsg],[msg_wparam],[msg_lparam]
.back:  ret

; An application can prompt the user for confirmation, prior to destroying a window, by processing the WM_CLOSE message
; and calling the DestroyWindow function only if the user confirms the choice.
; since I do not react to it at the moment, I jump directly to .destroy
.wmclose:
        nop
.wmdestroy:
;-------------------------------------------------------------------------
        invoke  PostQuitMessage,0
        xor     eax,eax
        ret

endp

;*************************************************************************
section '.data' data readable writeable
;*************************************************************************
sysmsg_hwnd                             dd      0000
sysmsg_wmsg                             dd      0000
sysmsg_wparam                           dd      0000
sysmsg_lparam                           dd      0000

sys_internetopen_handle                 dd      0000
sys_internet_header_status              dd      0000,00         ;e.g. 200 or 302 or 400 or ...
sys_internet_header_contenttype         dd      0000,00         ;e.g. img_ / txt_ / ....
sys_internet_header_contentsubtype      dd      0000,00         ;e.g. jpg_ / gif_ / bmp_ / ....
sys_internet_header_contentlength       dd      0000            ; size in bytes of file xxx


include 'includes/X000StartWindows.asm'
include 'xnewsreader/newsreader_call.asm'
Post 10 Jul 2009, 13:02
revolution
Hmm, how about this:
  • Try to minimise the problem to the smallest set of code that still fails, and post that.
  • Consider merging all the .code and .data sections into two sections rather than multiple sections of the same name.
  • Use a PE viewer program to see what is the contents of the PE file you are creating (maybe you have two import sections or something like that).
  • Try to pad some working code with lots of nops (use rept or times) to push it past the 64k size you suspect is causing a problem.
That is about all I can suggest since you are reluctant to attach the code.

Also: This forum supports "code" tags, like this [code]My fasm code[/code]; it would be nice to see your code above surrounded by these tags ;)
Post 10 Jul 2009, 13:25
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7802
Location: Kraków, Poland
Tomasz Grysztar
There is one substantial error in this code: multiple code and data sections should be avoided, because fasm itself does not do any "linking" tasks, and therefore the final executable will contain a separate section for each "section" definition in code (if you'd like to have section merging, consider switching to MS COFF format and some linker).
As for the error, it's quite possible that there is some empty section created because of this (for example if you have a "section" declaration with "proc" declarations within, which are not used in the program, and therefore not included, because the "proc" macro does such a check) - and the PE loader in Windows doesn't like empty sections.
Post 10 Jul 2009, 13:28
hdj1958
it's a little bit strange that all exe sizes less than 65.536 are running well, independently of which sub-routine I have included or not,
then I have mixed / tested each include function and ALL exe files have started !!!
ONLY if the exe file has reached 65.536 bytes or more, then I could not start the program with a double click,

all my includes are in only one folder and with the search function of my Total Commander I have searched for "import", TC has shown me ONLY ONE file and ONLY ONE part which contains the word "import", so that I have the import section twice is EXCLUDED,

now I have started the program "Anywhere PE Viewer" from ucware, it tells me that I have 99 headers :)

E:\fasm\newsreader.exe
File Headers
DOS EXE:true
NT EXE:true
Dos STUB size:64 bytes
DOS Header
e_magic:5a4dh (23.117)
e_cblp:80h (128)
e_cp:1h (1)
e_crlc:0h (0)
e_cparhdr:4h (4)
e_minalloc:10h (16)
e_maxalloc:ffffh (65.535)
e_ss:0h (0)
e_sp:140h (320)
e_csum:0h (0)
e_ip:0h (0)
e_cs:0h (0)
e_lfarlc:40h (64)
e_ovno:0h (0)
e_res:0h (0)
e_oemid:0h (0)
e_oeminfo:0h (0)
e_res2:0h (0)
e_lfanew:80h (128)

COFF File Header (Object & Image)
Machine:Intel 386 or later, and compatible processors
NumberOfSections:63h (99)
TimeDateStamp:Fri Jul 10 13:55:38 BST 2009
PointerToSymbolTable:0h (0)
NumberOfSymbols:0h (0)
SizeOfOptionalHeader:e0h (224)
Characteristics:IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE

Optional Header (Usually Image Only)
PE Format:PE32
Standard fields
MajorLinkerVersion:1h (1)
MinorLinkerVersion:44h (68)
SizeOfCode:7200h (29.184)
SizeOfInitializedData:7c00h (31.744)
SizeOfUninitializedData:0h (0)
AddressOfEntryPoint:2000h (8.192)
BaseOfCode:2000h (8.192)
BaseOfData:3000h (12.288)
NT additional fields
ImageBase:400000h (4.194.304)
SectionAlignment:1000h (4.096)
FileAlignment:200h (512)
MajorOperatingSystemVersion:1h (1)
MinorOperatingSystemVersion:0h (0)
MajorImageVersion:0h (0)
MinorImageVersion:0h (0)
MajorSubsystemVersion:4h (4)
MinorSubsystemVersion:0h (0)
SizeOfImage:66000h (417.792)
SizeOfHeaders:1200h (4.608)
CheckSum:1bcfbh (113.915)
Subsystem:Image runs in the Windows™ graphical user interface (GUI) subsystem
DllCharacteristics:
SizeOfStackReserve:1000h (4.096)
SizeOfStackCommit:1000h (4.096)
SizeOfHeapReserve:10000h (65.536)
SizeOfHeapCommit:0h (0)
LoaderFlags:0h (0)
NumberOfRvaAndSizes:10h (16)

Optional Header Data Directories (Image Only)

Export Table
VirtualAddress:0h (0)
Size:0h (0)

Import Table
VirtualAddress:56000h (352.256)
Size:478h (1.144)

Resource Table
VirtualAddress:0h (0)
Size:0h (0)

Exception Table
VirtualAddress:0h (0)
Size:0h (0)

Certificate Table
VirtualAddress:0h (0)
Size:0h (0)

Base Relocation Table
VirtualAddress:0h (0)
Size:0h (0)

Debug
VirtualAddress:0h (0)
Size:0h (0)

Architecture
VirtualAddress:0h (0)
Size:0h (0)

Global Ptr
VirtualAddress:0h (0)
Size:0h (0)

TLS Table
VirtualAddress:0h (0)
Size:0h (0)

Load Config Table
VirtualAddress:0h (0)
Size:0h (0)

Bound Import
VirtualAddress:0h (0)
Size:0h (0)

IAT
VirtualAddress:0h (0)
Size:0h (0)

Delay Import Descriptor
VirtualAddress:0h (0)
Size:0h (0)

COM+ Runtime Header
VirtualAddress:0h (0)
Size:0h (0)

Reserved
VirtualAddress:0h (0)
Size:0h (0)

Section Table (Section Headers)[99]

each ".code" or ".data" has in the variable name "VirtualSize" a value greater than 3 bytes
and the variable name "Characteristics" contains
Section contains executable code and/or
Section can be executed as code and/or
Section can be read and/or
Section contains initialized data and/or
Section can be written to

WITHOUT ANY EXCEPTION

THERE IS NO EMPTY SECTION


to avoid (evitar in Spanish) an empty section I have written in each include file which contains a sub-routine, at the TOP (first line)
xor eax,eax
ret
proc ... endp
so each include makes at least a section of less 3 or 4 bytes,
I KNOW that's not the fine art, but I am STILL TESTING the functions/program and I am sure in the near future I will modernize a lot of things !!!
Post 10 Jul 2009, 15:02
Tomasz Grysztar
Can you post the final executable file that is not working? Maybe we can trace it back this way.
Post 10 Jul 2009, 15:05
hdj1958
hola tomasz,
here comes the exe file in .zip

Attachment: newsreader.zip (10.65 KB)
Post 10 Jul 2009, 15:20
Tomasz Grysztar
You definitely have too many sections there. According to Microsoft's PE/COFF specification, Windows loader limits the number of sections to 96.
Post 10 Jul 2009, 15:30
hdj1958
OK and thanks for your help,

but maybe you could add next time a section counter into FASM that will return an error if somebody has more than 96 sections :)

regards from spain
Post 10 Jul 2009, 15:38
Tomasz Grysztar
hdj1958 wrote:
but maybe you could add next time a section counter into FASM that will return an error if somebody has more than 96 sections :)

This is only the limitation of Windows loader, not the PE format. And PE format may be used not only in Windows.
Post 10 Jul 2009, 15:40
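
The header check this thread arrives at, as an added example that is not part of the original posts or of fasm: a Python parser that reads NumberOfSections and the section table from a PE image and flags a count above the 96-section Windows loader limit quoted above, together with empty sections and repeated section names. `audit_sections` and `build_sample` are hypothetical names, and the sample image is constructed (headers only), laid out like the dump posted in the thread.

```python
import struct
from collections import Counter

WINDOWS_LOADER_MAX_SECTIONS = 96  # limit quoted in the thread from the PE/COFF spec

def audit_sections(data: bytes) -> dict:
    """Parse the PE section table and report what the thread checked by hand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # first 40-byte section header
    if table + 40 * count > len(data):
        raise ValueError("section table runs past end of file")
    names, empty = Counter(), []
    for i in range(count):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData
        raw_name, vsize, _, raw_size = struct.unpack_from("<8sIII", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        names[name] += 1
        if vsize == 0 and raw_size == 0:
            empty.append((i, name))
    return {
        "sections": count,
        "over_loader_limit": count > WINDOWS_LOADER_MAX_SECTIONS,
        "headers_end": table + 40 * count,
        "empty": empty,
        "repeated_names": {n: c for n, c in names.items() if c > 1},
    }

def build_sample(count: int, empty_at: int = -1) -> bytes:
    """Constructed header-only PE32 image laid out like the posted dump:
    e_lfanew = 80h, SizeOfOptionalHeader = E0h, alternating .code/.data."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x014C, count, 0, 0, 0, 0xE0, 0x010E)
    optional = struct.pack("<H", 0x010B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    kinds = ((b".code", 0x60000020), (b".data", 0xC0000040))
    table = b""
    for i in range(count):
        name, flags = kinds[i % 2]
        size = 0 if i == empty_at else 0x200
        table += struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 2),
                             size, 0, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff + optional + table

if __name__ == "__main__":
    for n in (96, 99):
        print(n, audit_sections(build_sample(n)))
```

With 99 sections the section table ends at offset 10F0h, which rounds up to the next 200h FileAlignment boundary as the 1200h SizeOfHeaders shown in the posted dump.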