flat assembler
Message board for the users of flat assembler.

Index > Windows > Base address $BFC00000 not working

Controller



Joined: 12 Mar 2008
Posts: 4
Controller
I need to create a DLL with base address $BFC00000, however I receive this error:

Error: value out of range.
Instruction: dd RVA kernel32dll.lookup,0,0,RVA _label?mb,RVA kernel32dll.address
Source:
userxp.fasm [14625]
import32.inc [9]

(This line is highlighted:
Code:
library kernel32dll,'KERNEL32.DLL'
)

Code:
BASE_ADDRESS = $BFC00000
format PE GUI 4.0 DLL at BASE_ADDRESS
entry DllEntryPoint

...

section '.idata' import data readable writeable
library kernel32dll,'KERNEL32.DLL'

...
Post 12 Mar 2008, 23:09
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
In Windows, any address over 0x80000000 is reserved for the 2 GB space for Windows libraries and other fun stuff.

[edit] this cutoff mark can be changed, I don't remember how.
Post 12 Mar 2008, 23:16
Controller



Joined: 12 Mar 2008
Posts: 4
Controller
I'm working on replacing a system DLL which uses this base address. That's why (I guess) I must use the same address.
Post 13 Mar 2008, 00:15
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
Maybe it uses sysenter? IDK, someone else must be able to help you.
Post 13 Mar 2008, 01:37
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
AlexP wrote:
Maybe it uses sysenter? IDK, someone else must be able to help you.
What does sysenter have to do with the problem at hand?

Sounds like the problem is FASM has a signed check when dealing with RVAs for 32-bit code...

_________________
carpe noctem
Post 13 Mar 2008, 01:43
Controller



Joined: 12 Mar 2008
Posts: 4
Controller
It indeed uses some strange code due to mixed 16/32 code etc. (some instructions I even had to include as binary). But that's not the problem here :)
Post 13 Mar 2008, 01:51
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
f0dder wrote:
AlexP wrote:
Maybe it uses sysenter? IDK, someone else must be able to help you.
What does sysenter have to do with the problem at hand?

Sounds like the problem is FASM has a signed check when dealing with RVAs for 32-bit code...

Just shows how much I know about OS libraries!
Post 13 Mar 2008, 02:28
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
AlexP wrote:
f0dder wrote:
AlexP wrote:
Maybe it uses sysenter? IDK, someone else must be able to help you.
What does sysenter have to do with the problem at hand?

Sounds like the problem is FASM has a signed check when dealing with RVAs for 32-bit code...

Just shows how much I know about OS libraries!

Well, I just don't get why you're throwing sysenter into the mix. Controller's post is about a build-time FASM problem, and nowhere in his source snippet is sysenter mentioned. Are you just trying to sound smart because kernel32.dll was mentioned? :)

I dunno if sysenter is even used directly in the "high-level" win32 subsystem DLLs anyway, or only after going through NTDLL.DLL... also, I can't recall seeing a sysenter being used directly, iirc always done through a "call [fs:0xC0]" or something like that.

_________________
carpe noctem
Post 13 Mar 2008, 02:36
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
I think the problem is the wapple, it is probably due to the interaction with the cyletruncion. If that doesn't solve your problem then check the hoodickey on the whatsit, that ought to fix it.


Do I sound smart or what!!!
Post 13 Mar 2008, 02:51
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution
But seriously, the minimal code to trigger this error:
Code:
format pe gui 4.0 dll at 0xbfc00000
start: dd RVA start  ; <---- error: value out of range.
So RVA is the problem.


Last edited by revolution on 13 Mar 2008, 02:58; edited 1 time in total
Post 13 Mar 2008, 02:55
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP
lol! I actually was trying to understand that until about halfway through...

f0dder: No, I just (guessed) that since you cannot access the upper memory normally, you needed to be in some special Windows mode (aka sysenter???) IDK, just a guess.. Ohh, and I have seen the sysenter instruction in Olly, just bored so I held down F7 through ExitProcess one time I think.
Post 13 Mar 2008, 02:57
bitRAKE



Joined: 21 Jul 2003
Posts: 2915
Location: [RSP+8*5]
bitRAKE
f0dder wrote:
Sounds like the problem is FASM has a signed check when dealing with RVAs for 32bit code...
There isn't an explicit check - I was able to get by the error with:

org $FFFFFFFFBFC00000

Not that the addresses are generated correctly - he'll have to check that, but they should be relative.

Look at file EXPRESSI.INC of the FASM source:
Code:
      rva_ok:
        mov     byte [edi+12],0
        mov     eax,[code_start]
        mov     eax,[eax+34h]       ; ImageBase field of the PE optional header (32-bit dword)
        cdq ;* change to mov edx,0 should fix it - maybe break something else?
        sub     [edi],eax           ; 64-bit subtraction: value -= edx:eax
        sbb     [edi+4],edx
        add     edi,14h             ; next value on the expression stack
        jmp     calculation_loop
The RVA calculation exceeds 32 bits and then the error happens later.

Edit: any ORG directive is sufficient to bypass the error - error is somewhere else? All the addresses get messed up, so it really doesn't fix anything.

org $BFC01000 worked on my test file, but I think it depends on section ordering.

_________________
¯\(°_o)/¯ unlicense.org
Post 13 Mar 2008, 03:18
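The arithmetic behind revolution's minimal repro and bitRAKE's EXPRESSI.INC excerpt, as an added example that is not code from the thread or from FASM: it models the `cdq` / `sub` / `sbb` sequence in C and shows why an image base at or above 0x80000000 pushes the RVA past 32 bits, while `mov edx,0` (bitRAKE's proposed fix) or the `org $FFFFFFFFBFC00000` workaround does not. The offset 0x34 from the PE signature is the optional header's ImageBase field. It assumes, as bitRAKE's org experiment suggests but the thread does not state outright, that FASM keeps the label's address zero-extended in its 64-bit value slot; the `fits_dword` check is my stand-in for FASM's later "value out of range" test.

```c
/* Model of FASM's rva_ok step (EXPRESSI.INC) for a 32-bit PE:
 * label address (64-bit value slot) minus the 32-bit ImageBase field.
 * ASSUMPTION: the label address is stored zero-extended; ImageBase is read as a
 * dword and widened to 64 bits by cdq (sign-extend) or mov edx,0 (zero-extend). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* cdq: edx:eax = sign-extension of eax. 0xBFC00000 becomes 0xFFFFFFFFBFC00000. */
static uint64_t widen_cdq(uint32_t image_base)
{
    return (uint64_t)(int64_t)(int32_t)image_base;
}

/* mov edx,0: edx:eax = zero-extension of eax. 0xBFC00000 stays 0x00000000BFC00000. */
static uint64_t widen_zero(uint32_t image_base)
{
    return (uint64_t)image_base;
}

/* sub [edi],eax / sbb [edi+4],edx: a wrapping 64-bit subtraction. */
uint64_t fasm_rva(uint64_t label_addr, uint32_t image_base, bool sign_extend)
{
    uint64_t base = sign_extend ? widen_cdq(image_base) : widen_zero(image_base);
    return label_addr - base;   /* unsigned, wraps modulo 2^64 like the CPU */
}

/* A 'dd RVA x' operand must fit in a dword; otherwise "value out of range". */
bool fits_dword(uint64_t v)
{
    return v <= 0xFFFFFFFFull;
}

int main(void)
{
    /* Constructed cases: label one page (0x1000) past the image base. */
    struct {
        const char *what;
        uint64_t label;
        uint32_t base;
        bool cdq;
    } cases[] = {
        { "base 0x00400000, cdq (stock FASM)",               0x0000000000401000ull, 0x00400000u, true  },
        { "base 0xBFC00000, cdq (stock FASM)",               0x00000000BFC01000ull, 0xBFC00000u, true  },
        { "base 0xBFC00000, mov edx,0 (proposed fix)",       0x00000000BFC01000ull, 0xBFC00000u, false },
        { "base 0xBFC00000, org $FFFFFFFFBFC00000 workaround", 0xFFFFFFFFBFC01000ull, 0xBFC00000u, true  },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t rva = fasm_rva(cases[i].label, cases[i].base, cases[i].cdq);
        printf("%-52s RVA = 0x%016llx  %s\n", cases[i].what,
               (unsigned long long)rva,
               fits_dword(rva) ? "ok" : "value out of range");
    }
    return 0;
}
```

The second case is the thread's failure: 0xBFC01000 minus the sign-extended 0xFFFFFFFFBFC00000 is 0x100001000, one bit wider than a dword, even though the intended RVA is just 0x1000. Any image base below 0x80000000 sign-extends to itself, which is why the problem only shows up for high bases.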


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.