flat assembler
Message board for the users of flat assembler.

Compiler Internals: New FASM compiles dialogs different from old version - Bug?

newbie1
Joined: 14 Feb 2015
Posts: 2
Hi,

Pardon me if this is already known. I noticed that the executable dialog.exe has different internals from a fresh compile of dialog.asm in the examples folder. If I run the original executable dialog, I don't get a virus warning and everything's fine. If I run the newly compiled file from dialog.asm, my antivirus software (Symantec) kicks in and quarantines the exe file. The risk shown is SONAR.Heuristic.121.

I did an FC (filecompare) command between the newly generated file and the EXE provided and this is what I get.

Comparing files DIALOG.EXE and DIALOGBACKUP.EXE (the exe that comes with the install zip file is renamed to dialogbackup.exe). Seems that a few critical bytes are different:

00000088: 00 39
00000089: 3B EC
0000008A: DF 27
000000D8: F5 FC
000000D9: F1 B3
00000804: 00 39
00000805: 3B EC
00000806: DF 27
0000081C: 00 39
0000081D: 3B EC
0000081E: DF 27
00000834: 00 39
00000835: 3B EC
00000836: DF 27

Am I supposed to compile the dialog example with some flags? If not, why does fasm.exe give an EXE file with different internals?

Thanks in advance for your guidance. Fasm.exe is a great program.


[Attachment test1.jpg: screenshot of the virus warning on the compiled version of dialog.asm]


Post 14 Feb 2015, 12:21
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
All of those differences are timestamp and checksum fields set to the time the .exe was compiled. So ignoring those there are no differences.

And to answer your question: Yes it is a bug ... with your AV. Time you delete your AV.
Post 14 Feb 2015, 13:27
sleepsleep
Joined: 05 Oct 2006
Posts: 8906
Hi, is it possible to turn off any kind of "private" information inside the assembled exe?
E.g. the time, and maybe other identifiable information.
Post 14 Feb 2015, 17:32
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
sleepsleep wrote:
Hi, is it possible to turn off any kind of "private" information inside the assembled exe?
E.g. the time?
Sure it is. There are two ways. 1) find all instances of %t in your sources and replace them with something else. 2) edit the fasm source for make_timestamp (in system.inc) to create a fixed value.
Post 15 Feb 2015, 00:25
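The two posts above make a checkable claim: the bytes FC reported at 0x88, 0xD8 and in the 0x800 region are the COFF TimeDateStamp, the optional-header CheckSum and the TimeDateStamp of each resource directory level, and nothing else differs. The script below is an added example, not code from this thread or from fasm. It locates those fields from the PE32 headers (positions per the PE/COFF specification), masks them, and reports whatever difference remains; `mask_volatile` also answers the question about stripping the stamp after the fact. The sample image it builds is constructed test data laid out like the post's FC output (e_lfanew 0x80, .rsrc at file offset 0x800) and is not the real dialog.exe; the timestamp and checksum values fed to it are invented.

```python
"""Byte-compare two PE32 executables while masking the build-time fields:
COFF TimeDateStamp, optional-header CheckSum and every resource-directory
TimeDateStamp.  Added example; the sample image is constructed test data."""
import struct
import sys

RSRC_DIR_INDEX = 2        # IMAGE_DIRECTORY_ENTRY_RESOURCE
SUBDIR_FLAG = 0x80000000  # high bit of a resource entry: child is a directory


def pe_volatile_offsets(data):
    """Return [(name, file_offset, size)] for the fields that change per build."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    fields = [("COFF.TimeDateStamp", coff + 4, 4),
              ("OptionalHeader.CheckSum", opt + 64, 4)]
    # Section table: VirtualAddress, SizeOfRawData, PointerToRawData per section.
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
                for i in range(nsect)]

    def rva_to_offset(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x not in any section" % rva)

    rsrc_rva = struct.unpack_from("<I", data, opt + 96 + RSRC_DIR_INDEX * 8)[0]
    if rsrc_rva:
        base = rva_to_offset(rsrc_rva)

        def walk(dir_off):  # IMAGE_RESOURCE_DIRECTORY, then its entries
            fields.append(("ResourceDirectory.TimeDateStamp", dir_off + 4, 4))
            named, ids = struct.unpack_from("<HH", data, dir_off + 12)
            for i in range(named + ids):
                child = struct.unpack_from("<I", data, dir_off + 20 + i * 8)[0]
                if child & SUBDIR_FLAG:
                    walk(base + (child & 0x7FFFFFFF))

        walk(base)
    return fields


def mask_volatile(data):
    """Zero the volatile fields so two builds of one source compare equal."""
    buf = bytearray(data)
    for _, off, size in pe_volatile_offsets(data):
        buf[off:off + size] = bytes(size)
    return bytes(buf)


def diff_bytes(a, b):
    """FC /B style diff: [(offset, byte_a, byte_b)]; None marks a missing side."""
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        n = min(len(a), len(b))
        diffs.append((n, a[n] if len(a) > n else None, b[n] if len(b) > n else None))
    return diffs


def compare_builds(a, b):
    """Differences that survive masking the build-time fields of both images."""
    return diff_bytes(mask_volatile(a), mask_volatile(b))


def build_sample_pe(timestamp, checksum, code=b"\x31\xC0\xC3"):
    """Constructed minimal PE32 mirroring the post's layout (test data only)."""
    img = bytearray(0xA00)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, stamp, no symbols, PE32 opt size, flags
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, timestamp, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<I", img, opt + 64, checksum)          # CheckSum
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + RSRC_DIR_INDEX * 8, 0x2000, 0x200)
    sh = opt + 0xE0                                          # section table
    img[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sh + 8, 0x600, 0x1000, 0x600, 0x200)
    img[sh + 40:sh + 48] = b".rsrc\0\0\0"
    struct.pack_into("<IIII", img, sh + 48, 0x200, 0x2000, 0x200, 0x800)
    img[0x200:0x200 + len(code)] = code
    # Resource tree type -> name -> language, one entry each, then a data entry.
    for dir_off, entry_id, child in ((0x800, 5, SUBDIR_FLAG | 0x18),
                                     (0x818, 1, SUBDIR_FLAG | 0x30),
                                     (0x830, 0x409, 0x48)):
        struct.pack_into("<IIHHHH", img, dir_off, 0, timestamp, 0, 0, 0, 1)
        struct.pack_into("<II", img, dir_off + 16, entry_id, child)
    struct.pack_into("<IIII", img, 0x848, 0x2058, 8, 0, 0)   # IMAGE_RESOURCE_DATA_ENTRY
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            a, b = f.read(), g.read()
    else:  # no files given: two constructed builds with invented stamps
        a, b = build_sample_pe(0x54DF3B00, 0xF1F5), build_sample_pe(0x5427EC39, 0xB3FC)
    for name, off, _ in pe_volatile_offsets(a):
        print("%08X  %s" % (off, name))
    rest = compare_builds(a, b)
    print("differences outside those fields: %d" % len(rest))
    for off, x, y in rest:
        print("%08X: %s %s" % (off, x, y))
```

Run it as `python pecmp.py DIALOG.EXE DIALOGBACKUP.EXE` to get the masked diff; an empty result confirms the two builds differ only in the stamped fields. Two caveats: the script only walks PE32 and the resource directory, so a binary with a debug directory or other timestamped tables would need those added, and writing the masked copy out as a "stripped" executable leaves a zero CheckSum, which the Windows loader ignores for ordinary user-mode executables but rejects for drivers. For a build that is reproducible from the start, fixing the timestamp at assembly time, as described in the post above, is the cleaner route.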
newbie1
Joined: 14 Feb 2015
Posts: 2
Thanks revolution for the quick advice... hmm.. looks like I should inform the AV company about this silly problem so that they can fix it. Imagine AV tools triggering off false positives for executables built using fasm...

Thanks again.
Post 21 Feb 2015, 16:34
baldr
Joined: 19 Mar 2008
Posts: 1651
newbie1,

Heuristics all the way. They are responsible for most false positives nowadays.
Post 22 Feb 2015, 09:04
Copyright © 1999-2020, Tomasz Grysztar.