Topic: Export name with 'disallowed' character

revolta

Export name with 'disallowed' character
« on: September 09, 2013, 04:57:11 PM »
hi all,

i'm coding one dll, it contains one exported function. the name of the exported function is a base64
encoded string - base64 encoded strings have sometimes at the end one or two '=' characters (sometimes
without the '=' character(s)). this is the problem, masm doesn't want to compile the dll with the '='
in the name of exported function. so, my question is.. is it possible to compile a dll with '=' character
in the name of exported function?

my code (simplified) looks like this:


Library.def
Code:
LIBRARY Library
EXPORTS c3Vja2VkIG15IGNvY2s=


Library.asm
Code:
.486p
.model flat, stdcall
option casemap:none

include    \masm32\include\windows.inc

.code

dllentry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE
ret
dllentry Endp


c3Vja2VkIG15IGNvY2s= proc
nop
ret
c3Vja2VkIG15IGNvY2s= endp

End dllentry


for compilation i use a batch file that looks like this:
Code:
@echo off

SET PROJECTNAME=Library
SET MASMBINPATH=\MASM32\BIN

%MASMBINPATH%\Cvtres.exe /nologo /machine:ix86 rsrc.res
%MASMBINPATH%\Ml.exe /nologo /Zp1 /c /coff %PROJECTNAME%.asm
%MASMBINPATH%\Link.exe /DLL /DEF:Library.def /SUBSYSTEM:WINDOWS /LIBPATH:\masm32\lib Library.obj

DEL *.obj

ECHO.
PAUSE
CLS

qWord

« Reply #1 on: September 09, 2013, 06:11:06 PM »
You can rename the function in the module definition file:
Code:
LIBRARY Library
EXPORTS "c3Vja2VkIG15IGNvY2s="=_foo@0

with

Code:
foo proc ; stdcall
nop
ret
foo endp

MREAL macros - when you need floating point arithmetic while assembling!

dedndave

« Reply #2 on: September 09, 2013, 10:29:01 PM »
that seems pretty "sneaky"   :(

Tedd

« Reply #3 on: September 09, 2013, 11:03:00 PM »
c3Vja2VkIG15IGNvY2s=

Firstly, congratulations.
Secondly, are you seriously naming your functions this way - and why?
Potato2

Antariy

« Reply #4 on: September 10, 2013, 01:21:36 PM »
LOL

If one will decode the string "c3Vja2VkIG15IGNvY2s=" from base64 to a binary, one will get the string "sucked my cock" :greensml:

Probably the topic is about the things that are disallowed by the rulezzz of the forum :lol:

revolta

« Reply #5 on: September 10, 2013, 04:52:09 PM »
qWord: thx, will try it like that..

Tedd: definitely, i am serious. :) i have to code dll files whose names contain base64 strings. those base64 (encoded) strings can have at the end one, two or no zero (depends on the string that has to be coded to base64 form). these dll files are used for my reverse engineering project (can't say more about that). :)

Antariy: hey, that string is a bogus one. it's the first that came to my mind.. when i was writing this question to this board. :D (it was required, that it should contain one or more '=')

Antariy

« Reply #6 on: September 10, 2013, 05:10:17 PM »
Antariy: hey, that string is a bogus one. it's the first that came to my mind.. when i was writing this question to this board. :D (it was required, that it should contain one or more '=')

It was funny to find what the string actually is :biggrin:

revolta

« Reply #7 on: September 14, 2013, 05:50:45 PM »
You can rename the function in the module definition file:
Code:
LIBRARY Library
EXPORTS "c3Vja2VkIG15IGNvY2s="=_foo@0

with

Code:
foo proc ; stdcall
nop
ret
foo endp

i've done these modifications.. but there's a problem, when i'm trying to compile i get an error:

Code:
Assembling: Library.asm
Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

   Creating library Library.lib and object Library.exp
Library.exp : error LNK2001: unresolved external symbol "=_foo@0
Library.dll : fatal error LNK1120: 1 unresolved externals

how to fix this, pleeease?

Vortex

« Reply #8 on: September 14, 2013, 07:57:38 PM »
Hi revolta,

Replacing Link.exe with Pelle's Polink.exe will solve the unresolved external symbol problem. The symbol = is a problem here :

Code:
c3Vja2VkIG15IGNvY2s= PROTO

My solution is to replace = with another symbol.

Download Gsar for Windows, it's a general search and replace utility :

http://gnuwin32.sourceforge.net/packages/gsar.htm

Code:
.386
.model flat, stdcall
option casemap :none

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc

includelib  \masm32\lib\kernel32.lib
includelib  Base64Name.lib

c3Vja2VkIG15IGNvY2sx PROTO SYSCALL ; no symbol decoration

.code

start:

    call    c3Vja2VkIG15IGNvY2sx

    invoke  ExitProcess,0

END start

The problematic = symbol is replaced with x

Code:
\masm32\bin\ml /c /coff Base64Name.asm
\masm32\bin\polink /SUBSYSTEM:WINDOWS /DLL /DEF:Base64Name.def Base64Name.obj

\masm32\bin\ml /c /coff Test.asm

gsar.exe -o -sc3Vja2VkIG15IGNvY2sx -rc3Vja2VkIG15IGNvY2s= Test.obj

\masm32\bin\polink /SUBSYSTEM:WINDOWS Test.obj

gsar will modify the object file to replace sc3Vja2VkIG15IGNvY2sx with sc3Vja2VkIG15IGNvY2s=




Gunther

« Reply #9 on: September 14, 2013, 08:29:36 PM »
Hi Erol,

good catch.  :t

Gunther
Get your facts first, and then you can distort them.

Vortex

« Reply #10 on: September 15, 2013, 03:03:58 AM »
Another method is to use Agner Fog's objconv tool to replace symbol names :

Code:
-nr:N1:N2  Replace symbol Name N1 with N2

Code:
\masm32\bin\ml /c /coff Base64Name.asm
\masm32\bin\polink /SUBSYSTEM:WINDOWS /DLL /DEF:Base64Name.def Base64Name.obj

\masm32\bin\ml /c /coff Test.asm

objconv -fcoff -nr:c3Vja2VkIG15IGNvY2sx:c3Vja2VkIG15IGNvY2s= Test.obj Test2.obj

\masm32\bin\polink /SUBSYSTEM:WINDOWS /OUT:Test.exe Test2.obj
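
The gsar and objconv steps in Replies #8 and #10 both rename a symbol inside Test.obj after assembly. The following Python sketch is an added example (not code from the thread, gsar or objconv) that performs the same rename on the COFF symbol table itself, so only string-table entries referenced by symbol records are touched; the function names and the two-symbol object built by sample_object() are constructed for illustration.

```python
import struct

SYM = 18  # bytes per COFF symbol record

def coff_symbols(obj):
    """Yield (name, file offset of long name or None) per primary symbol."""
    _, _, _, symtab, nsyms, _, _ = struct.unpack_from("<HHIIIHH", obj, 0)
    strtab = symtab + nsyms * SYM      # string table follows the symbols
    i = 0
    while i < nsyms:
        raw, _, _, _, _, naux = struct.unpack_from("<8sIhHBB", obj,
                                                   symtab + i * SYM)
        if raw[:4] == b"\0\0\0\0":     # name > 8 bytes: string-table offset
            pos = strtab + struct.unpack("<I", raw[4:])[0]
            end = obj.index(b"\0", pos)
            yield bytes(obj[pos:end]).decode("latin-1"), pos
        else:                          # short name stored inline
            yield raw.rstrip(b"\0").decode("latin-1"), None
        i += 1 + naux                  # skip auxiliary records

def rename_symbol(obj, old, new):
    """Patch long symbol names in place; return how many were renamed."""
    if len(old) != len(new) or len(old) <= 8:
        raise ValueError("only equal-length names longer than 8 bytes")
    hits = [pos for name, pos in coff_symbols(obj)
            if name == old and pos is not None]
    for pos in set(hits):              # shared string entries patched once
        obj[pos:pos + len(new)] = new.encode("latin-1")
    return len(hits)

def sample_object():
    """Constructed minimal i386 COFF object: no sections, two externals."""
    long_name = b"c3Vja2VkIG15IGNvY2sx\0"
    strtab = struct.pack("<I", 4 + len(long_name)) + long_name
    # Long name: 4 zero bytes + offset 4; undefined external function.
    syms = struct.pack("<4sIIhHBB", b"\0" * 4, 4, 0, 0, 0x20, 2, 0)
    # Short name stored inline in the 8-byte name field.
    syms += struct.pack("<8sIhHBB", b"_start", 0, 0, 0, 2, 0)
    hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 20, 2, 0, 0)
    return bytearray(hdr + syms + strtab)

if __name__ == "__main__":
    obj = sample_object()
    n = rename_symbol(obj, "c3Vja2VkIG15IGNvY2sx", "c3Vja2VkIG15IGNvY2s=")
    print(n, [name for name, _ in coff_symbols(obj)])
```
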

jj2007

« Reply #11 on: September 26, 2013, 06:01:02 AM »
Here is a valid export from slbiop.dll:
??4?$list@VFilePathComponent@iop@@V?$allocator@VFilePathComponent@iop@@@std@@@std@@QAEAAV01@ABV01@@Z

And that is not the worst case - try yourself ::)

Gunther

« Reply #12 on: September 26, 2013, 09:56:22 AM »
Jochen,

Here is a valid export from slbiop.dll:
??4?$list@VFilePathComponent@iop@@V?$allocator@VFilePathComponent@iop@@@std@@@std@@QAEAAV01@ABV01@@Z

And that is not the worst case - try yourself ::)

that's the famous and infamous name mangling and name decoration and it's a mess.

Gunther
Get your facts first, and then you can distort them.

Vortex

« Reply #13 on: September 27, 2013, 03:54:35 AM »
MS VC++ has a specific name decoration convention :

http://en.wikipedia.org/wiki/Visual_C%2B%2B_name_mangling

Gunther

« Reply #14 on: September 27, 2013, 07:21:24 AM »
Hi Erol,

MS VC++ has a specific name decoration convention :

http://en.wikipedia.org/wiki/Visual_C%2B%2B_name_mangling

sure, but that doesn't make it better.

Gunther
Get your facts first, and then you can distort them.