News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

small hello world again

Started by StarsInTheSky, May 08, 2015, 12:34:45 PM

Previous topic - Next topic

StarsInTheSky

Hi guys,

reading this:
http://www.masmforum.com/board/index.php?PHPSESSID=8d46cd4ecb1688be429ab49694ec53e6&topic=1202.0

I have a couple of questions:

I am trying the same, to minimize my file. I am on windows 7. My first question is I read somewhere with good parameters, link.exe can be as good as polink.exe.

here is my try:

"C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\link.exe" /SUBSYSTEM:WINDOWS /defaultlib:C:\masm32\lib\kernel32.lib /defaultlib:C:\masm32\lib\user32.lib messageboxa2.obj /MERGE:.rdata=.text /MERGE:.data=.text /OPT:REF /OPT:ICF /INCREMENTAL:NO /OUT:messageboxa2c.exe

this is giving me a 2048 bytes file. If I try anything with /ALIGN or /FILEALIGN the messagebox won't run no more.

With polink.exe I get 1536 bytes. So I am not quite there. 1.any ideas?

It seems I can call the libraries two ways. either using

include     \masm32\include\windows.inc
include     \masm32\include\kernel32.inc
include     \masm32\include\user32.inc

includelib  \masm32\lib\kernel32.lib
includelib  \masm32\lib\user32.lib

and then "invoke"

or use

extrn MessageBoxA@16 : PROC
extrn ExitProcess@4 : PROC

and then "call". but then I need to use /defaultlib in the linker.

2.is there a middle way? Can I use "call" without need of using /defaultlib for every single library?

ok my third question is about what can be read in the given url. Someone got a lot more advanced and used a packer, and then added an unpacker inside the file. Unfortunately the given link for that is not working anymore. 3.How would I go about doing the same and learn all that?

next when I disassembled my file, I found that my disassembler got all disoriented when I merged the data and text sections. I can no longer easily extract the strings. 4.How do I help my poor disassembler to regain sanity and display the strings? (well you can suggest the disassembler of your choice)

Mikl__

#1
Hi, StarsInTheSky !
see Tiny PE in win64 msgbox_64 in 345 bytes
for WinXP msgbox can be in 97 bytes

StarsInTheSky

Mikl, oh my so nice!! there is no makeit.bat file, how do you assemble and link this? and is there a 32 bit version?

Mikl__

version for ONLY 32-bit WinXP
the text of the program, which received from the boot loader address WinAPI-functions LoadLibraryA and MessageBox, creates a file tiny97.exe, consisting only of minimum PE-header file. Within this heading, in those of his fields, which can be ignored, it is the program code that displays the MessageBox, with a headline and the text "user32".
We proceed to the construction of our PE-file. We take the minimum possible size of the alignment of sections - 4 bytes - and file - 4 bytes.
The image of our program will consist of only one section, which will be published and the data and code
.686P
.model flat
include windows.inc
includelib user32.lib
includelib kernel32.lib
extern _imp__MessageBoxA@16:dword
extern _imp__WriteFile@20:dword
extern _imp__CreateFileA@28:dword
extern _imp__CloseHandle@4:dword
extern _imp__wsprintfA:dword
extern _imp__LoadLibraryA@4:dword
image_base=400000h
.code
start: xor ebx,ebx
mov eax,_imp__MessageBoxA@16
        push eax
sub eax,_MessageBox-buffer+image_base+4
mov _MessageBox,eax
mov eax,_imp__LoadLibraryA@4
        push eax
        sub eax,_LoadLibrary-buffer+image_base+4
mov _LoadLibrary,eax
push offset szInfoText
        push offset cBuff
call _imp__wsprintfA
add esp,4*4
        push MB_ICONINFORMATION OR MB_SYSTEMMODAL;1040h
        push offset szInfoCap 
        push offset cBuff
        push ebx
call _imp__MessageBoxA@16
push ebx ;NULL
push FILE_ATTRIBUTE_ARCHIVE
push CREATE_ALWAYS
push ebx
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
push offset namefile
call _imp__CreateFileA@28
mov edi,eax     ;hFile
push ebx        ;lpOverlapped
      push offset SizeReadWrite ;lpNumberOfBytesToWrite
push buffer_end-buffer;97 ;nNumberOfBytesToWrite
push offset buffer ;lpBuffer
push edi ;hFile
call _imp__WriteFile@20
push edi ;hFile
call _imp__CloseHandle@4
retn
.data
buffer dd 'ZM','EP';Signantures
dw 14Ch     ;Machine
dw 1     ;count of section
start1: xchg eax,ebx
mov edi,offset user-buffer+image_base
push edi
jmp a1
db 0,0,0
dw buffer_end-optional_header;size of optional header
dw 103h     ;characteristics
optional_header:
dw 10Bh     ;magic optional header
a1:     
db 0E8h     ;call LoadLibraryA
_LoadLibrary dd 0
push ebx
push edi
push edi
push ebx
jmp a2
db 0,0,0
dd start1-buffer ;Entry point
a2:
        db 0E8h     ;call MessageBoxA
_MessageBox dd 0
        ret
dw 0
dd image_base
dd 4     ;section alignment
dd 4     ;file alignment
user db 'user32',0,0
dw 4     ;Image version major
dw 0     ;Image version minor
dd 0     ;reserved
dd 68h     ;size of image
dd 64h     ;size of header
dd 0     ;checksum
db 2     ;subsystem (gui)
; ---------------------------------------------------------------------------
buffer_end:
szInfoCap db "Creator tiny MessageBox",0
szInfoText db "API Addresses:",13,10
   db "LoadLibraryA:  0x%08lX",13,10
   db "MessageBoxA:  0x%08lX",0
cBuff db 70 DUP (0)
namefile db 'tiny97.exe',0
SizeReadWrite dd 0
end start
  • Getting immediate addresses of imported functions LoadLibraryA and MessageBox from the "mother" of the program eliminates the need for an import table in our program and replace the 6-byte indirect function calls with the code 0FF.15.XX.XX.XX.XXh to 5-byte code 0EB. XX.XX.XX.XXh (direct CALL)
  • 97 bytes are the theoretical minimum for the length of PE-file. At offset + 5Ch the signature «PE» is a field Subsystem. Accommodation in this field is zero or absence of this field is seen in the file system loader, the value IMAGE_SUBSYSTEM_UNKNOWN (= 0) and the system will not download the file. Therefore, a shift of + 5Ch «PE» must be within non-zero value. Since we put in this field to IMAGE_SUBSYSTEM_WINDOWS_GUI = 2, then the field is enough Subsystem take 1 byte.
    Total: 4 bytes (MZ-header) + 5Ch (the size of PE-header field to «Subsystem») + 1 byte (the field under actual «Subsystem») = 61h = 97 bytes

StarsInTheSky

aaah, you have given up on link and polink, you are writing your own .exe !!! smart !!
when you say win xp only, what makes it not working in win7 ?

Mikl__

Quotewhat makes it not working in win7 ?
StarsInTheSky,
to get accurate answers to need to send precise questions, for Win seven x64 see Tiny PE in win64 sorry for my bad English

StarsInTheSky

I know it's a bit wide. but I can run 32-bit files on my win7 as well, and I can compile x86 code. so I was wondering for instance, could be requirements on the PE file format that has changed for 64 os's ?

the header directives looks so great in the tiny PE. but you must be using a more potent assembler :)
I tried to add it to my file and my ML.exe got stumped on the first one .Machine  :icon_mrgreen: 

Mikl__

I used masm (ml and link) for msgbox in 97 byte, for Tiny PE x64 I used FASM, but I was afraid to tell about it on the MASM32-forum so as not to start a holy war FASM vs MASM
The file format for Win64 is called PE32+. From nearly every viewpoint, the format is structurally identical to the Win32 PE file. A very few fields such as the ImageBase in the header have been widened, one field was deleted, and one field was changed to reflect a different CPU type. Table shows the fields that have changed.

Header FieldChange
MagicSet to 0x20b instead of 0x10b
BaseOfDataDeleted
ImageBaseWidened to 64 bits
SizeOfStackReserveWidened
SizeOfStackCommitWidened
SizeOfHeapReserveWidened
SizeOfHeapCommitWidened
Beyond the PE header, there aren't many changes. A few structures such as IMAGE_LOAD_CONFIG and IMAGE_THUNK_DATA simply had some of their fields widened to 64 bits. The addition of the PDATA section is more interesting, as it highlights one of the major differences between the Win32 and Win64 implementation: exception handling.

StarsInTheSky

yes, thanks, so one answer to my q #1 is to use other tools :D
But then I might not be able to use some of the nice libraries available here.
everything has its pros and cons.

What is the best you've got it down to with masm ? I've got it down to 1024 bytes with polink now.

EDIT: ah, just saw your table, thank you for taking the time elaborating.
So with those changes, would it run on an x64 win XP ? and win 7 ?

hutch--

> so as not to start a holy war FASM vs MASM

Don't hold your breath waiting for the holy war, there never has been one.

One favour, forget "[still open]", we are a forum of members, not a paid help desk.

StarsInTheSky

did not mean offending, removed the tag 8)

Mikl__

Good evening, hutch--!
I just did not want to break the rules...

sinsi

> so as not to start a holy war FASM vs MASM
Some of us use both, different tools for different jobs...

jj2007

Quote from: Mikl__ on May 08, 2015, 06:35:58 PMa holy war FASM vs MASM

Just curious: can you do macros such as mov ecx, len(esi) in FASM?

Mikl__

Ciao, jj2007!
Non ho potuto scrivere questo macro in FASM o in MASM