Cool, nice to see another "pervert" :grin:

I've been playing a bit with the minimal pe executable thing, here are my results so far..
The smallest one is 300 bytes and fully functional under xp and probably 2k as well.
Then there's one that actually calls ExitProcess, that one's 550 bytes using only VC++ and my beloved tool :)

They don't work under win9x tho, just tested..
Nice work getting it to work under all windows versions, I'm gonna take a good look at your header if you don't mind ;)
That'd be nice to make it produce working executables for all windows versions.. Not that I care much about whether or not something is 9x compatible, but it's nice to have the option anyway!
Posted on 2004-03-11 22:57:35 by snq
vecna, :P

edited :)
Posted on 2004-03-12 15:23:29 by Drocon
drocon,

fixed ;)

ancev
Posted on 2004-03-12 20:24:19 by ancev
Hi vecna!

Some time ago I used manual relocations to get the correct virtual
address, but this makes adding uninitialized data tiresome.

http://mipagina.cantv.net/numator/PEMAC.zip

Now I use virtual sections with NASM, which let NASM do all
the dirty work:

http://mipagina.cantv.net/numator/NPEMAC.zip

I've used these techniques in great projects without problems.
Posted on 2004-03-14 11:55:07 by n u M I T_o r
Well, I'm only a newbie when it comes to the Win32Asm arena. Still, I've tried to put together what I consider my best results ever achieved in
PE size optimization. Included in the zip file is the NASM source and a batch file to produce the executable using VC++ linker. Also included are
two different EXEs produced from the sources, and a tiny stub.exe. The files were produced and tested on WinXP.

The smallest I could achieve on my own was 544 bytes, without tinkering with the PE section, except the stub changing. This is probably
because of my lack of the experience required for such a work. Although, I felt proud when the resulting file was so small.

Another included EXE is of size 480 bytes, compiled (term used for assembling + linking, :grin: ) using the same source and batch files. So, what
caused the difference in size? A little cheating on my side. I used the linker hack posted in this very thread to remove some of the PE
header, thus causing the reduction.

What makes me wonder is the work of truly brilliant hackers constantly trying to come up with a better solution. The 276 bytes EXE (by vecna?)
is truly a prime target for the most enlightened among us.

Let me know what you people think of this work of mine. I know there is much to learn before I become one of you. However, I do expect
some help in form of insights, comments and yes, a few links to improve my knowledge. Keep up the good work! :)

Regards,
AgentX
Posted on 2004-03-15 15:28:52 by AgentX
Where has the very interesting info about the encrypted data after the DOS stub gone?! It was somewhere in this thread before, I can swear. There are even several follow-up posts left in the thread, referencing that info, which aren't deleted!? Did MS send out their hitmen to clean it up, or what? That was some very interesting info! :(
Posted on 2004-03-16 07:54:05 by dELTA
Hi AgentX!


What makes me wonder is the work of truly brilliant hackers
constantly trying to come up with a better solution. The 276
bytes EXE (by vecna?) is truly a prime target for the most
enlightened among us.


The 276 bytes EXE was written by blaz, from Spain. It was
written with a hexadecimal editor.

http://pe.blazlabs.com/276.html

I know that it does not run in win9x :(

Sure you found it here:
http://mipagina.cantv.net/numetorl869/flatpe.html

I have a 133 byte EXE that only runs in w9x, but whoever
wrote this exe does not want me to share it.


I do expect some help in form of insights, comments and yes, a
few links to improve my knowledge. Keep up the good work!


You need to know well the pe header structure:
http://spiff.tripnet.se/~iczelion/files/pe1.zip
http://www.msdn.microsoft.com/msdnmag/issues/02/03/PE2/default.aspx
http://www.msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx

and some info about the windows loader:
http://msdn.microsoft.com/msdnmag/issues/02/03/Loader/default.aspx

It seems to me that the best approach is to write your EXE without
using a linker, using only binary mode with NASM, possibly with FASM,
or using a hex editor.

Look at the NASM macros that I've posted in the links above.
There are a lot of interesting things about the PE file structure.
Posted on 2004-03-16 10:20:07 by n u M I T_o r
Hi nuMIT_or!

Thanks for the info about the ownership of that tiny file. I was
never sure who coded it, anyway. I visited both the pages you
posted above about the 276 bytes file.

Wow! 133 bytes is really small. Too bad it runs only on 9x, which
is officially a dead line of products, now.

Thanks again for the M$ links. Of the three you mentioned, only the
loader one was new to me, and this is what I was lacking most.
I've already visited your site and also that of NAGOA. I truly thank
you for the work you've done to bring up such macros.

Now, after all these personalized hacks and tricks, all the known
and unknown works of brave assembly hackers, there is only one
thing lacking ...and that is some proper documentation in the form of
a tutorial. I agree that PE documents are good, but they don't
elaborate much on optimization aspects. This is where one of you
people can outperform them. So, who's up for a tutorial there? ;)

Regards,
AgentX
Posted on 2004-03-16 12:08:33 by AgentX
Hello everyone,
Some time ago I disassembled Blaz's 276.exe, here it is again (assemble: nasmw -fbin d276.asm -od276.exe):
Posted on 2004-03-20 13:36:15 by Poimander
Well, it turns out the BaseRelocation field and the first dword of the Debug field are freely editable in 276, this gives 12 bytes just large enough to store the asciiz string 'Hello World'. Hence the following modified version of 276 is now available:
Posted on 2004-03-20 23:23:28 by Poimander
There's an error in the m276.asm source file I just discovered. The four bytes at offset 0b0h should be commented out:


;BaseRelocation db 48h, 65h, 6Ch, 6Ch ;Offset: 0ach
; db 6Fh, 20h, 57h, 6Fh ;Offset: 0b0h <---
;Debug db 72h, 6Ch, 64h, 00h ;Offset: 0b4h

I've uploaded the corrected source file here:
Posted on 2004-03-21 11:26:25 by Poimander
Presenting 233.exe:
Posted on 2004-03-26 20:38:04 by Poimander
Poimander,
Nice work, but I get an error when I run your 233.exe (on XP pro)

Only part of a ReadProcessMemory or WriteProcessMemory request was completed
Posted on 2004-03-26 20:48:18 by snq
Greetings snq, As far as I know the program
only runs on Win2KSp4. Thanks for testing it on XP. Perhaps
some variant of the program may be found that is compatible
with XP. Changing the image base may work however. I also
tested the program on Win98, and unfortunately it doesn't run
on that platform either.
Posted on 2004-03-26 21:08:42 by Poimander
Ok, I had to register just because of this thread. About 2 years ago I focused on writing the smallest possible PE files.

n u M I T_o r, I'm afraid to say that I don't believe you have a 133 byte PE, that runs in W9X, unless you mess with the loader. W9X is very picky when it comes to alignment. The minimum align is 512.

I have been able to make a stable PE that works in every 32-bit Windows environment, and it should also work in DOS. It has a size of 552 bytes.

Windows NT systems don't have this alignment limitation, hence the EXE files can be made a lot smaller. Windows XP works best so far... I have an XP only EXE that is 97 bytes!!

Beware, a lot of virus scanners go off on these files. (It's not a virus, but use at own risk)

Edit: Just a reminder: I tested this PE on a second system and I got a nasty bluescreen (IRQL_LESS_OR_EQUAL, 0x0000000A). It works fine on my own PC. Must have to do with
If anybody knows what is causing this, I'd be interested. Tnx


Edit2: AFAIK Windows XP with SP1 will crash. It seems to have a different loader than the unupdated XP version.

Newer attachments will be uploaded as I make progress.
Later


pmpch
Posted on 2004-04-14 09:56:18 by pmpch
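Two posts above argue from the PE header layout: Poimander's note that the BaseRelocation directory entry and the first dword of the Debug entry (file offsets 0ACh and 0B4h in 276.exe) are spare bytes, and pmpch's point that Win9x insists on 512-byte alignment while the NT loader will take much smaller values. The script below is an added example for this thread, not code by any of the posters. It builds a plain single-section PE32 of a few hundred bytes (deliberately non-overlapping, nothing like the 276/133/97-byte files), then parses it back to locate every data directory entry and run the alignment checks a tiny-PE author cares about. The NT "low alignment" rule (SectionAlignment below the page size must equal FileAlignment) is the commonly documented loader behaviour and the Win9x 512-byte limit is pmpch's claim from this thread; both are assumptions here, as is the observation that the directory formula reproduces Poimander's offsets when e_lfanew is 0Ch, which I have not checked against 276.exe itself.

```python
"""Build a minimal single-section PE32 and walk its headers (added example)."""
import struct

OPT32_SIZE = 224          # IMAGE_OPTIONAL_HEADER32 with all 16 data directories
SECTION_HDR_SIZE = 40
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security",
             "BaseReloc", "Debug", "Architecture", "GlobalPtr", "TLS",
             "LoadConfig", "BoundImport", "IAT", "DelayImport",
             "COMDescriptor", "Reserved"]
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"       # fixed 96-byte part of the optional header
OPT_FIELDS = ["Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
              "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
              "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
              "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
              "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
              "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage", "SizeOfHeaders",
              "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
              "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
              "NumberOfRvaAndSizes"]

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def dir_file_offset(e_lfanew, index):
    """File offset of data directory entry `index`: 'PE\\0\\0' (4) + FILE_HEADER (20)
    + 96 fixed optional-header bytes + 8 bytes per preceding entry."""
    return e_lfanew + 4 + 20 + 96 + 8 * index

def build_min_pe(code, file_align=0x200, section_align=0x1000, image_base=0x400000):
    """PE32 with e_lfanew=0x40 (headers back to back, no overlap) and one RX section
    whose first byte is the entry point. `code` is raw i386 machine code."""
    e_lfanew = 0x40
    raw_headers = e_lfanew + 4 + 20 + OPT32_SIZE + SECTION_HDR_SIZE
    size_of_headers = align_up(raw_headers, file_align)
    code_rva = align_up(size_of_headers, section_align)   # equals the file offset when aligns match
    raw_size = align_up(len(code), file_align)
    size_of_image = align_up(code_rva + len(code), section_align)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, Characteristics=RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT32_SIZE, 0x0103)
    opt = struct.pack(OPT_FMT, 0x10B, 0, 0, raw_size, 0, 0, code_rva, code_rva, 0,
                      image_base, section_align, file_align, 4, 0, 0, 0, 4, 0, 0,
                      size_of_image, size_of_headers, 0, 2, 0,      # Subsystem 2 = GUI
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (8 * 16)                                     # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), code_rva, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)  # CNT_CODE|MEM_EXECUTE|MEM_READ
    image = dos + b"PE\0\0" + file_hdr + opt + sect
    image += b"\0" * (size_of_headers - len(image))
    return image + code + b"\0" * (raw_size - len(code))

def parse_pe(data):
    """Header fields the thread cares about plus the file offset of every directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    fields = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, e_lfanew + 24)))
    fields.update(e_lfanew=e_lfanew, Machine=machine, NumberOfSections=nsect,
                  SizeOfOptionalHeader=opt_size, Characteristics=chars)
    dirs = {}
    for i, name in enumerate(DIR_NAMES[:fields["NumberOfRvaAndSizes"]]):
        off = dir_file_offset(e_lfanew, i)
        rva, size = struct.unpack_from("<II", data, off)
        dirs[name] = {"file_offset": off, "rva": rva, "size": size}
    fields["DataDirectory"] = dirs
    return fields

def check_alignment(fields, file_size):
    """Findings a loader (or a careful reader) would raise on these headers. Assumptions:
    the NT low-alignment rule and pmpch's 512-byte Win9x limit from the thread."""
    fa, sa = fields["FileAlignment"], fields["SectionAlignment"]
    findings = []
    for name, v in (("FileAlignment", fa), ("SectionAlignment", sa)):
        if v == 0 or v & (v - 1):
            findings.append(f"{name} {v:#x} is not a power of two")
    if sa < fa:
        findings.append("SectionAlignment is smaller than FileAlignment")
    if sa < 0x1000 and sa != fa:
        findings.append("low-alignment image needs SectionAlignment == FileAlignment")
    if fa < 0x200:
        findings.append("FileAlignment below 512: NT-family only, Win9x refuses it (pmpch)")
    if fields["SizeOfHeaders"] > file_size:
        findings.append("SizeOfHeaders exceeds the file size")
    if fields["AddressOfEntryPoint"] >= fields["SizeOfImage"]:
        findings.append("AddressOfEntryPoint lies outside SizeOfImage")
    return findings

if __name__ == "__main__":
    code = b"\x31\xc0\xc3"          # xor eax,eax ; ret  (entry point just returns; placeholder payload)
    for fa, sa in ((0x200, 0x1000), (4, 4), (4, 0x10)):
        img = build_min_pe(code, fa, sa)
        f = parse_pe(img)
        print(f"{len(img):5d} bytes  FileAlign={fa:#x} SectAlign={sa:#x}  "
              f"BaseReloc@{f['DataDirectory']['BaseReloc']['file_offset']:#x} "
              f"Debug@{f['DataDirectory']['Debug']['file_offset']:#x}")
        for line in check_alignment(f, len(img)):
            print("   !", line)
```

Running it shows why the thread's numbers fall where they do: with the conventional 512/4096 alignments the file is 1024 bytes even though only 355 bytes carry anything, with FileAlignment == SectionAlignment == 4 the same headers and code fit in 356 bytes and RVAs equal file offsets, and a mismatched pair (4 / 16) trips the low-alignment finding. Everything below that is header overlap and field reuse, which is where 276.exe's spare BaseReloc and Debug bytes come from.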
woah, neat stuff pmpch :alright:
Posted on 2004-04-16 14:45:54 by Drocon
Sweet :grin: :alright:
Posted on 2004-04-16 15:35:04 by Delight

n u M I T_o r, I'm afraid to say that I don't believe you have a 133
byte PE, that runs in W9X, unless you mess with the loader. W9X
is very picky when it comes to alignment. The minimum align is
512.


Oh, yes, I was sure that I had a PE file that ran in win9x and
had a size of 133 bytes, but it really runs in w2k and wxp.

But I have a PE file that runs in win9x and has a size of 250 bytes.
Posted on 2004-04-17 11:02:18 by n u M I T_o r
Here is the 133 bytes PE file.

I did not write this and I don't know who wrote it. So that is anonymous.

I don't remember who wrote the win9x 250 bytes PE. I believe that was
xezaw, from Spain.

These files were written in hexadecimal.

I think that it is possible to write a fully portable small PE.
Posted on 2004-04-17 11:15:29 by n u M I T_o r
Very nice!

- It works on XP_SP1
- It doesn't work on Win98 (as I assumed)

The 250 byte PE that works in W9X would really interest me.


Edit: Btw, I know what's crashing the 97 byte prog.... gonna fix it soon :grin:
Posted on 2004-04-17 11:34:35 by pmpch