Hi!
I did some tests on the .exes output by both FASM and Pelles C:
C code:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
void mymain() {
    __asm {
        jmp @skip
        db 0xC3            /* a ret opcode embedded in the code: the byte we scan for */
    @skip:
    }
    int c;                 /* int, not BYTE: fgetc() returns EOF (-1) as well as 0..255 */
    int i = 0;             /* bytes read so far; at the hit this is the 1-based offset of the 0xC3 */
    FILE *fp = fopen("test.exe", "rb");
    if (fp == NULL) ExitProcess(1);
    while ((c = fgetc(fp)) != EOF) {   /* stop at EOF instead of looping forever if no 0xC3 exists */
        i++;
        if (c == 0xC3) break;
    }
    printf("%x %x", i, c);
    fclose(fp);
    system("pause>nul");
    ExitProcess(0);
}
FASM code:
format PE console
entry start
include '%fasminc%\win32ax.inc'

start:
        jmp     skip
retop:  db      0c3h                    ; the ret opcode we scan for, placed right here in the code
skip:
        cinvoke fopen,fname,crb         ; crt functions are cdecl: cinvoke cleans the stack after each call
        mov     [hfile],eax
        xor     ebx,ebx                 ; counter in ebx, which cdecl callees preserve (ecx is not preserved)
lop:
        cinvoke fgetc,[hfile]
        inc     ebx
        cmp     eax,-1                  ; EOF: stop instead of looping forever if no 0c3h is found
        je      found
        cmp     eax,0c3h
        jne     lop
found:
        cinvoke printf,pcd,ebx,eax
        cinvoke fclose,[hfile]
        cinvoke system,ppause
        invoke  ExitProcess,0

pcd     db '%x %x',0
hfile   dd 0
fname   db 'test.exe',0
crb     db 'rb',0
ppause  db 'pause>nul',0

data import
  library crt,'msvcrt.dll',\
          kernel32,'kernel32.dll'
  import crt,printf,'printf',\
             fopen,'fopen',\
             fclose,'fclose',\
             fgetc,'fgetc',\
             system,'system'
  import kernel32,ExitProcess,'ExitProcess'
end data
to build:
@echo off
call povars32
cc /Ze /c /Os test.c
polink test.obj msvcrt.lib kernel32.lib /entry:mymain /nodefaultlib /merge:.data=.flat /merge:.text=.flat /merge:.rdata=.flat /section:.flat,erw
fasm test2.asm
Also the output binaries are a little different.
One question: Is it possible to make my variable be compiled at the place I want, like I do in FASM with db? Is it only FASM that can do it? Because I think other assemblers that use linkers will be like C compiled code. So FASM is more powerful, because it does what I tell it...
2nd question: Is it possible to write self-modifying code in C (maybe with inline asm)?
Both work fine as expected. They output the size from the first byte of the EXE until they find 0C3h (ret) and output it correctly. But why is the first value different? Is the size of the PE header / entry point different? How do I get the size of the PE header?
I'm testing this to learn more about PE files.
Thanks!
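An added example, not from the original post or from either compiler: it reads e_lfanew, SizeOfHeaders, AddressOfEntryPoint and the section table of a PE32 file without <windows.h>, maps the entry point RVA to its file offset, and runs the post's 0xC3 scan over a constructed minimal PE so the two numbers can be compared. The names pe_info, pe_header_info, first_ret_index and build_sample_pe are the example's own; to use it on test.exe, read the file into a buffer and pass that to pe_header_info.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian field readers/writer, so this builds without <windows.h>. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
/* e_lfanew, IMAGE_OPTIONAL_HEADER.SizeOfHeaders, AddressOfEntryPoint (an RVA) and that RVA as a file offset. */
struct pe_info { uint32_t e_lfanew, size_of_headers, entry_rva, entry_file_off; };
/* Parse a PE32 image held in memory. Returns 0 on success, -1 if it is not a sane PE32 file. */
int pe_header_info(const uint8_t *buf, size_t len, struct pe_info *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3C);                                        /* e_lfanew: offset of "PE\0\0" */
    if (pe + 24 > len || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(buf + pe + 6), optsz = rd16(buf + pe + 20);     /* NumberOfSections, SizeOfOptionalHeader */
    size_t opt = pe + 24, sec = opt + optsz;                             /* optional header, then the section table */
    if (optsz < 64 || sec + 40u * nsec > len || rd16(buf + opt) != 0x10B) return -1; /* PE32 magic only */
    out->e_lfanew = (uint32_t)pe;
    out->entry_rva = rd32(buf + opt + 16);
    out->size_of_headers = rd32(buf + opt + 60);                         /* headers end here; section data follows */
    out->entry_file_off = 0;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {                     /* each IMAGE_SECTION_HEADER is 40 bytes */
        uint32_t va = rd32(buf + sec + 12), rawsz = rd32(buf + sec + 16), raw = rd32(buf + sec + 20);
        if (out->entry_rva >= va && out->entry_rva < va + rawsz)         /* RVA -> file offset through its section */
            out->entry_file_off = raw + (out->entry_rva - va);
    }
    return 0;
}

/* The post's scan: number of bytes read when the first 0xC3 (ret) turns up (1-based offset), or 0 if none. */
size_t first_ret_index(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i] == 0xC3) return i + 1;
    return 0;
}
/* Constructed sample, not real compiler output: a minimal PE32 with one section ".flat" at file offset 0x200
   whose first bytes are "jmp short +1; ret", the same trick as the post's jmp/db pair. */
uint8_t sample_pe[0x210];
const uint8_t *build_sample_pe(void) {
    memset(sample_pe, 0, sizeof sample_pe); memcpy(sample_pe, "MZ", 2);
    wr32(sample_pe + 0x3C, 0x40); memcpy(sample_pe + 0x40, "PE\0\0", 4);  /* e_lfanew -> "PE\0\0" at 0x40 */
    sample_pe[0x46] = 1; sample_pe[0x54] = 0xE0;                         /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *opt = sample_pe + 0x58, *sec = opt + 0xE0;
    opt[0] = 0x0B; opt[1] = 0x01;                                        /* Magic = PE32 */
    wr32(opt + 16, 0x1000); wr32(opt + 60, 0x200);                       /* AddressOfEntryPoint, SizeOfHeaders */
    memcpy(sec, ".flat", 5);
    wr32(sec + 12, 0x1000); wr32(sec + 16, 0x10); wr32(sec + 20, 0x200); /* VirtualAddress, SizeOfRawData, PointerToRawData */
    sample_pe[0x200] = 0xEB; sample_pe[0x201] = 0x01; sample_pe[0x202] = 0xC3; /* jmp short skip ; ret */
    return sample_pe;
}
```

On the sample the scan reports 0x203 while SizeOfHeaders is 0x200 and the entry point sits at file offset 0x200, which is the kind of comparison the two real .exes call for: the count depends on where the first section starts in the file and on what the compiler puts in front of the embedded ret.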