flat assembler
Message board for the users of flat assembler.

Index > Windows > Why every program starts on 00 40 10 00?

hieronim-bosch
Joined: 04 Jul 2023
Posts: 1
Location: Poznań, Poland
hieronim-bosch 04 Jul 2023, 16:20
Hi, I'm coming from Tomasz's tutorial on YouTube about flat assembler syntax, and there's one thing that's been bothering me. I mean, why does every fasm program start at memory location 00 40 10 00? Is there any specific reason for those particular numbers?
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 04 Jul 2023, 17:02
The default Windows exe base address is 0x400000.
The header needs one 4kB page, so add +0x1000.
And if you have your entry at the beginning, then the resulting address is 0x401000.

You can change both of these values.
Code:
format pe console at 0x1000000          ; image base 0x1000000 instead of the default 0x400000

;section '.idata' import data readable writeable
data import                             ; import directory; it comes first, so the entry point lands after it

        dd      0,0,0,rva kernel_name,rva kernel_table   ; IMAGE_IMPORT_DESCRIPTOR for KERNEL32.DLL
        dd      0,0,0,0,0                                ; terminating null descriptor

kernel_table:                           ; IAT: the loader overwrites these with the resolved addresses
        ExitProcess     dd rva _ExitProcess
        GetStdHandle    dd rva _GetStdHandle
        WriteFile       dd rva _WriteFile
                        dd 0

kernel_name     db 'KERNEL32.DLL',0

_ExitProcess    db 0,0,'ExitProcess',0  ; 2-byte hint followed by the function name
_GetStdHandle   db 0,0,'GetStdHandle',0
_WriteFile      db 0,0,'WriteFile',0

end data
;section '.text' code readable executable

STD_OUTPUT_HANDLE       = -11
entry $                                 ; entry = base + 0x1000 (header page) + 0x6e (size of the data above)
        push    STD_OUTPUT_HANDLE
        call    [GetStdHandle]          ; eax = stdout handle
        push    0
        mov     ecx,esp                 ; ecx -> DWORD on the stack for lpNumberOfBytesWritten
        push    0                       ; lpOverlapped
        push    ecx                     ; lpNumberOfBytesWritten
        push    message_length          ; nNumberOfBytesToWrite
        push    message                 ; lpBuffer
        push    eax                     ; hFile
        call    [WriteFile]
        push    0                       ; uExitCode
        call    [ExitProcess]

message         db 'Hello World!',13,10,0
message_length  = $ - message
Code:
~ objdump -f pe.exe

pe.exe:     file format pei-i386
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0100106e
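The arithmetic in revolution's post (image base, plus one page for the headers, plus the offset of the entry point inside the first section) is exactly what the loader and objdump read out of the PE headers. The script below is an added example, not code from the original post or from fasm: it parses a PE image's DOS, COFF and optional headers, computes the entry point's virtual address and the first RVA at which a section can start, and also reports whether the image can be relocated by ASLR (the DYNAMIC_BASE and HIGH_ENTROPY_VA DllCharacteristics bits that come up later in the thread). Since it has to run offline, it builds a few header-only PE images in memory as constructed sample input; the builder function, its defaults and the section name `.flat` are assumptions for the example, not fasm output.

```python
import struct

# Optional-header magic values and flag bits from the PE/COFF specification
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def round_up(value: int, alignment: int) -> int:
    """Round value up to a multiple of alignment (alignment must be a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def parse_pe(image: bytes) -> dict:
    """Read the DOS, COFF and optional headers and work out where the entry point lands in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    # PE32 keeps a DWORD ImageBase after BaseOfData; PE32+ drops BaseOfData and stores a QWORD there
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", image, opt + 28)
    else:
        (image_base,) = struct.unpack_from("<Q", image, opt + 24)
    section_align, _file_align = struct.unpack_from("<II", image, opt + 32)
    (size_of_headers,) = struct.unpack_from("<I", image, opt + 60)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    sections = []
    for i in range(nsections):
        name, vsize, rva, _rawsize, _rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "va": image_base + rva, "vsize": vsize})
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "machine": machine,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,
        # The headers take SizeOfHeaders bytes, but the first section cannot begin before the next
        # SectionAlignment boundary: with 0x1000 alignment that is the "one page for the header".
        "first_section_rva": round_up(size_of_headers, section_align),
        "sections": sections,
        # The loader can only relocate an image that asks for it AND still carries its relocations
        "aslr": dynamic_base and not (file_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "high_entropy_va": magic == PE32PLUS_MAGIC and dynamic_base
                           and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_minimal_pe(image_base: int, entry_rva: int, pe32plus: bool = False,
                     dll_chars: int = 0, relocs_stripped: bool = True) -> bytes:
    """Constructed sample input: a header-only PE image with one section (not a runnable binary)."""
    opt_size = 0xF0 if pe32plus else 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    file_chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<II", opt, 16, entry_rva, 0x1000)              # AddressOfEntryPoint, BaseOfCode
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 3, dll_chars)                   # Subsystem (console), DllCharacteristics
    # Section header: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".flat", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000060)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x400, b"\0")


if __name__ == "__main__":
    # Default fasm layout, revolution's rebased build, and a PE32+ image based above 4 GiB
    for base, entry, plus in ((0x400000, 0x1000, False), (0x1000000, 0x106E, False), (0x1_0000_0000, 0x1000, True)):
        info = parse_pe(build_minimal_pe(base, entry, pe32plus=plus))
        print(f"{info['format']}: base 0x{info['image_base']:x} + entry RVA 0x{info['entry_rva']:x}"
              f" = start address 0x{info['entry_va']:08x}, first section at RVA 0x{info['first_section_rva']:x}")
```

Run it against a real file by replacing the constructed images with `open("pe.exe", "rb").read()`: for the fasm output in this thread it should report `start address 0x0100106e`, the same figure objdump prints. Note that ImageBase is only where the loader tries first; the `aslr` field tells you whether the image can be moved at all, which a fixed base of any value does not change.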
sts-q
Joined: 29 Nov 2018
Posts: 57
sts-q 04 Jul 2023, 17:02
Hi,

for Linux,
Wikipedia: Executable and Linkable Format (ELF)
and
man 5 elf
know (a lot) more.

Greetings
bitRAKE
Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 04 Jul 2023, 19:51
Microsoft has complicated the base address defaults for various binaries. Specifically, the legacy 0x400000 value is related to the 4MB paging of x86 processors. The constraints which made it a good choice in the beginning no longer apply (unless working in embedded space). Win11 is perfectly fine using a base address of 0x1_0000.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
int0x50
Joined: 19 Jul 2019
Posts: 54
int0x50 05 Jul 2023, 07:46
see if this is useful ...

Why is 0x00400000 the default base address for an executable? - https://devblogs.microsoft.com/oldnewthing/20141003-00/?p=43923
Flier-Mate
Joined: 26 May 2023
Posts: 88
Flier-Mate 19 Jul 2023, 18:35
I just became aware that although PE32+ uses a QWORD runtime address in memory, in reality it will never use up all of the high-order DWORD, because even a 40-bit address is enough for 1TB of RAM, am I right?

For example, the image base in PE32+ may start with 0x0000 0001 xxxx xxxx.
Flier-Mate
Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jul 2023, 16:00
bitRAKE wrote:
...Win11 is perfectly fine using a base address of 0x1_0000.


Hi bitRAKE, congratulations for your 20 years membership anniversary.

What is the value of 0x1_0000? I don't understand the meaning of the underscore; a web search doesn't reveal anything.
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 23 Jul 2023, 16:05
It's just a spacer. Same for the single quote:
Code:
mov ax, 2''''______'______''''''''1     ; = 21
Flier-Mate
Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jul 2023, 16:06
revolution wrote:
It's just a spacer. Same for the single quote:
Code:
mov ax, 2''''______'______''''''''1     ; = 21


Oh, I see now. So simple, thanks.
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 23 Jul 2023, 17:00
Flier-Mate wrote:
... web search result doesn't reveal anything.
I'm not sure that a "web search" would be helpful. The fasm manual would be the first place I'd look for information on fasm syntax.
bitRAKE
Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 23 Jul 2023, 20:43
Flier-Mate wrote:
Hi bitRAKE, congratulations for your 20 years membership anniversary.

What is the value of 0x1_0000? I don't understand the meaning of the underscore; a web search doesn't reveal anything.
TY. Many programming languages support number separators. I think assembly benefits greatly from it - working with bit sets and masks. Here it makes the number easier to read/change - for me at least. The lower 16 bits must be zero. So, splitting the number also serves that purpose.

Sometimes I want to test the code using the 64-bit address range. The Windows loader will put the Heap and Stack above 32-bit address range if high-entropy ASLR is turned on. Just setting a base address of 0x12345678_0000 isn't going to do that, in my experience. The loader can also move around the system DLL mapping.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.