Hello all, the following URL http://www.securityfocus.com/tools/1706 contains a very small tool called tini.exe (a backdoor). When I tried to write my own, compiled with MASM 6.15, it came out ten times the size of his. The question I want to ask is how to write a smaller program with MASM. If you can disassemble it and rewrite it, will you post me one? I use the .data, .code model Iczelion offers; the exe is too large to tolerate!!!!!!!!!! I only attached kernel32.lib and kernel32.inc in my source; wsock32.lib is loaded dynamically. Following is a snippet. But I wonder why, if I cut out the loading of user32.dll, I cannot use SoftICE to debug the program, and it does not run at all!!!

    .const
    ; (string and variable definitions are not in the post: user32, messagebox, kernel32,
    ;  createpipe, sat, readpipe, writepipe, libhandle, Loadlib, GetProcAddr)
    .code
    Start:
    ; push ebp
    ; mov ebp, esp

    ; load user32.dll: push the address of "user32.dll" and call LoadLibrary
    push offset user32
    call LoadLibrary

    ; acquire the MessageBox function (GetProcAddr holds the address of GetProcAddress)
    push offset messagebox          ; "MessageBoxA"
    push eax                        ; module handle of user32.dll
    mov eax, GetProcAddr
    call eax

    ; call MessageBox to show whether the call succeeded or not
    push 0
    push offset messagebox
    push offset messagebox
    push 0
    call eax

    ; create pipe
    ; 1) load kernel32.dll (Loadlib holds the address of LoadLibrary)
    push offset kernel32
    mov eax, Loadlib
    call eax
    ; save the kernel32 handle
    mov libhandle, eax

    ; 2) locate the CreatePipe API function
    push offset createpipe          ; "CreatePipe"
    push libhandle
    mov eax, GetProcAddr
    call eax
    ; now eax is returned with the address of CreatePipe
    ; save the CreatePipe address
    push eax
    push edx
    xor edx, edx
    push edx                        ; nSize = 0
    push offset sat                 ; lpPipeAttributes
    push offset writepipe           ; lpWritePipe
    push offset readpipe            ; lpReadPipe
    ; CreatePipe
    call eax

Thanks! Baumann
Could you please repost that URL? I'd like to look at the orgional please.
http://www.securityfocus.com/tools/1706 -- you can find tini.exe there, it's so small!!! And can you read my question?
You can use UPX to get a smaller program, but I don't think you can get a program smaller than 4 KB with MASM32. Is this a DOS program?
You can get sub-4k with MASM (a simple "hello world" is about 3k), but FAT32 clusters are a minimum of 4k. Any file smaller than 4k just leaves slack hard disk space! I've fooled myself before looking at the properties of a file in Windows, and looked at the wrong part of the info :)
TASM 5.0 ..

    C:\LAB\dir hello.exe
    19/11/2000  01:53    4.096 hello.exe

... then compress with UPX v1.02

    C:\LAB\upx -9 hello.exe
    C:\LAB\dir hello.exe
    19/11/2000  01:56    3.072 hello.exe

and now .. realign ;)

    C:\LAB\vgalign hello.exe
    Realigned file: hello.exe
    Original File Alignment: 200h
    New File Alignment: 200h
    Original Size: 3072
    New Size: 2560
    Difference: 512
    VGAlign complete! The 1 files decreased a total of 512 bytes.

    C:\LAB\dir hello.exe
    19/11/2000  01:56    2.560 hello.exe

.....
The smallest I can get a hello world in MASM is 1024 bytes, the minimum size of 2 PE sections. The trick is in the linking:

    \masm32\bin\Link /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text minimum.obj > nul

Merge the 2 sections and you save 512 bytes. This leaves you with a valid PE file that will run on NT and other versions of Windows; tricks like running non-standard stubs prevent the file from running on some Windows versions. Regards, firstname.lastname@example.org
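The numbers in the posts above (vgalign reporting a file alignment of 200h, /MERGE:.rdata=.text saving one 512-byte unit, 1024 bytes as the floor for a two-section file) all come from the PE section table, and you can read them off any binary yourself. The following Python script is an added example, not code from the thread or from the masm32 package: it builds a constructed two-section PE32 image inline (so it runs offline; it is not tini.exe or anyone's real program), reads FileAlignment and the section headers, reports how much of each section's on-disk raw data is real content versus alignment padding, and estimates the footprint if the sections were merged into one. The merged figure is a lower bound, since a linker may add its own padding between the merged contributions.

```python
import struct

FILE_ALIGN = 0x200       # the 200h FileAlignment vgalign printed above
SECTION_ALIGN = 0x1000   # typical in-memory SectionAlignment


def _section_header(name, vsize, vaddr, rawsize, rawptr, flags):
    """Pack one 40-byte IMAGE_SECTION_HEADER."""
    return struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe():
    """Constructed two-section PE32 image for the demo (not a real program):
    .text holds 156 real bytes and .rdata 72, each padded to a full 0x200 unit."""
    sections = [
        (".text", 0x9C, 0x1000, 0x200, 0x200, 0x60000020),   # code, executable
        (".rdata", 0x48, 0x2000, 0x200, 0x400, 0x40000040),  # read-only data
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew -> PE header at 0x40
    opt_size = 0xE0                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + b"".join(_section_header(*s) for s in sections)
    image = bytearray(hdr.ljust(FILE_ALIGN, b"\0"))          # headers fill one file-alignment unit
    for _name, vsize, _vaddr, rawsize, _rawptr, _flags in sections:
        image += b"\xCC" * vsize + b"\0" * (rawsize - vsize)  # content, then alignment padding
    return bytes(image)


def parse_sections(data):
    """Read FileAlignment, SectionAlignment and the section table of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) handled here")
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    pos = opt + opt_size
    sections = []
    for _ in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr})
        pos += 40
    return {"file_alignment": file_align, "section_alignment": sec_align,
            "header_size": pos, "sections": sections}


def _round_up(n, align):
    return (n + align - 1) // align * align


def disk_footprint(info):
    """Bytes the file needs as laid out: headers padded to FileAlignment plus each section's raw data."""
    return _round_up(info["header_size"], info["file_alignment"]) + \
        sum(s["raw_size"] for s in info["sections"])


def merged_footprint(info):
    """Lower-bound estimate after merging all sections into one (what /MERGE:.rdata=.text does
    for two): the real bytes then share a single run of file-alignment units."""
    real = sum(min(s["virtual_size"], s["raw_size"]) for s in info["sections"])
    return _round_up(info["header_size"], info["file_alignment"]) + \
        _round_up(real, info["file_alignment"])


def report(data):
    info = parse_sections(data)
    lines = [f"FileAlignment={info['file_alignment']:#x}  SectionAlignment={info['section_alignment']:#x}"]
    for s in info["sections"]:
        padding = max(0, s["raw_size"] - s["virtual_size"])
        lines.append(f"{s['name']:<8} raw={s['raw_size']:#06x} real={s['virtual_size']:#06x} padding={padding}")
    lines.append(f"on disk: {disk_footprint(info)} bytes, merged estimate: {merged_footprint(info)} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(blob))
```

Run it with a path to your own .exe to see where a "30k" file is really going: a section whose raw size is a whole multiple of 0x200 (or worse, of 0x1000 if the linker was told to use the section alignment on disk too) but whose virtual size is a few dozen bytes is pure padding, which is exactly what section merging and the realignment tool above recover.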
Thanks, but, Hutch, I used your method and relinked it, and it does not matter at all; the size of my program is still about 30k. I also used the method you mentioned in Debugging in MASM32, but if I remove the code creating the MessageBox, the program won't enter SoftICE (I use 4.05 under NT 4.0). I have another question: which is better for a small program, to push data from .data or to push data as follows:

    push ebp
    mov ebp, esp
    sub esp, 1024
    mov ,64h
    mov ,65h
    .....

As in my program I want to load all needed DLLs & functions with LoadLibrary & GetProcAddress, it really adds more code for GetProcAddress each time. Does it matter?
Sure, a 1K program may take 4K on a hard drive, but how many bytes does that mean get sent in a download?
In a download only the filled bytes, the "proper" file size, are sent. For example, in one of my programs which does an internet update, if the file is 1kb (just for theory's sake) and I'm using FAT32 with 4kb clusters, it will only send 1kb; it's when you actually save that file you've received onto the disk that it takes up 4kb off the disk. Same thing as transferring files from a disk to a hard disk. Let's say your program had to move 50 1kb files from a disk to the hard drive: it only reads that 1kb from the disk and only writes the 1kb to the hard disk, but due to the format of the allocation table, the file will take up 4kb. So the smaller size does make that install much faster. (Not that copying a 1kb file is much of a deal vs. a 4kb file!) See ya, Ben
psssssst... Ben... that was a rhetorical question.
Try passing "/opt:NoWin98" to the linker. This helps (a lot) on some versions. Basically, this changes alignment. As for the "it doesn't matter if you get it under 4k" blah, this depends quite a bit on what you're doing. If you're going to inject your code into an executable, you're not necessarily bothered by the 4k stuff.
Has no one spotted the example program that comes with masm32, "minimum"? It's only 1.5kb.
what about code optimization, and packers ? =)
You can declare some functions in "yourfilename.inc" instead of using the ready-made includes, because they have many useless functions (useless only for your program, because it doesn't use them all, right?). For example, if you use only MessageBoxA and ExitProcess (maybe you should try to optimize your code 8):D ), then in your include file you write:

    ;-----------------code start----------------------
    includelib kernel32.lib
    includelib user32.lib
    ExitProcess PROTO :DWORD
    MessageBoxA PROTO :DWORD, :DWORD, :DWORD, :DWORD
    ;-----------------code end------------------------

That's all, only don't forget to include this file in your *.asm. Once I wrote a program using this, umm... tactic :) and it was only 3kb, and it wasn't a "hello world" program, it was an ad-banner-removing patch for ACDSee. And think of code optimization 8)
Damn! The forum converted my words into smilies! Why don't you have something like "DISABLE THIS STUPIDITY!!!"? I hope people got my idea about the code right.
The inc files are just "headers" aren't they? I thought that they merely provide structures, equates, and other non-code thingamy-bobs! So they don't add size, in the same way that declaring it in the .asm file wouldn't (it will increase compilation tho). If you did put some code in your inc it would make it bigger, but thats why we call some files .inc and others .asm to distinguish right? As for
being converted to :D I guess you should use
Hmm... I think any code consumes space. The thing is that when I just included those files, which come with all the ready-made declarations, the program WAS bigger than when I declared only what I needed to use. And one more thing I forgot to tell you in my previous message, about code optimization: a usual mistake made by... hehe, inexperienced programmers: never use
It becomes critical when you use it often in your program, for API functions and so on. Windows APIs do not change the ebx register, so one "xor ebx,ebx" will be enough for the whole program. That's for the... how do they say? "fast start". There's much to do 8) Have a nice day, and sorry for my non-native language 8)))
    push 0          ; <- it's a 2-byte instruction; if you want to optimize, use:
    xor ebx, ebx    ; <- ebx is set to zero
    push ebx        ; <- this is a 1-byte instruction
that's three bytes for your approach versus two bytes for the simple approach. Unless of course you're suggesting that we should always keep EBX set to zero for zero-pushing. Which, imho, would be very stupid, as algos would then have a register less available.
    push 0          ; 6A 00
    xor ebx, ebx    ; 31 DB
    push ebx        ; 53
DAMNNNNN! I said: if you use it often it consumes too much space! Even if you use my approach only three times, it already takes less space.
Of course, you can use registers as you want 8) I'm just showing you a way to make things faster 8) And, btw, the program in the first message doesn't use the ebx register.
For example, you need to show a simple message box:

    xor ebx, ebx
    push MB_OK
    push offset wndName     ; caption
    push offset buff        ; text
    push ebx                ; hWnd = 0
    call MessageBox

    ; here it's no use, but how about some functions where you push,
    ; push, push 0? For example searching for a window by window class
    ; only:
    xor ebx, ebx
    push ebx                ; lpszWindow = NULL
    push offset regCls      ; lpszClass
    push ebx                ; hwndChildAfter = NULL
    push ebx                ; hwndParent = NULL
    call FindWindowEx
    ; if you use push 0 here, then it'll be one byte bigger than it
    ; is now. And so on: the more arguments and calls, the more use
    ; for this method
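The byte counts argued over above (push 0 = 6A 00, xor ebx,ebx = 31 DB, push ebx = 53) and the claim that the ebx form wins from three zero arguments onward can be checked by assembling the sequences. The Python script below is an added example, not code from the thread: it hand-encodes the handful of 32-bit x86 forms the argument needs (push imm8, push imm32, push r32, xor r32,r32), treats `push offset X` as a 5-byte push imm32 with a zero placeholder because the address is the linker's job, and compares the sizes of the two FindWindowEx argument sequences from the post. Two caveats the thread also raises hold here: the trick assumes ebx survives the API calls (it does, ebx is a callee-saved register under the Win32 stdcall convention), and it costs your own code one register.

```python
import struct

REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def encode(instr):
    """Encode one instruction from the small subset used in the thread's argument.
    Returns the machine-code bytes; raises on anything outside the subset."""
    mnem, _, rest = instr.strip().partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    if mnem == "push" and len(ops) == 1:
        op = ops[0]
        if op in REG32:
            return bytes([0x50 + REG32[op]])                       # push r32: 50+rd (1 byte)
        if op.startswith("offset "):
            return b"\x68" + b"\0\0\0\0"                           # push imm32: 68 id (5 bytes);
                                                                   # zero placeholder for the address
        imm = int(op, 0)
        if -128 <= imm <= 127:
            return bytes([0x6A, imm & 0xFF])                       # push imm8: 6A ib (2 bytes)
        return b"\x68" + struct.pack("<I", imm & 0xFFFFFFFF)       # push imm32: 68 id (5 bytes)
    if mnem == "xor" and len(ops) == 2 and ops[0] in REG32 and ops[1] in REG32:
        modrm = 0xC0 | (REG32[ops[1]] << 3) | REG32[ops[0]]        # mod=11, reg=src, rm=dst
        return bytes([0x31, modrm])                                # xor r/m32, r32: 31 /r (2 bytes)
    raise ValueError(f"unsupported instruction: {instr!r}")


def size_of(seq):
    return sum(len(encode(i)) for i in seq)


def zero_pushes(n, use_ebx):
    """n zero arguments, either `push 0` each time or one `xor ebx,ebx` then `push ebx` n times."""
    return ["xor ebx, ebx"] + ["push ebx"] * n if use_ebx else ["push 0"] * n


def breakeven():
    """Smallest number of zero pushes for which the ebx form is strictly shorter."""
    return next(n for n in range(1, 64)
                if size_of(zero_pushes(n, True)) < size_of(zero_pushes(n, False)))


# The FindWindowEx argument sequence from the post, both ways (constructed from the post's code).
FINDWINDOW_PUSH0 = ["push 0", "push offset regCls", "push 0", "push 0"]
FINDWINDOW_EBX = ["xor ebx, ebx", "push ebx", "push offset regCls", "push ebx", "push ebx"]


def compare_findwindow():
    """(bytes with push 0, bytes with the ebx trick) for the FindWindowEx call."""
    return size_of(FINDWINDOW_PUSH0), size_of(FINDWINDOW_EBX)


if __name__ == "__main__":
    for i in ("push 0", "xor ebx, ebx", "push ebx"):
        print(f"{i:<14} {encode(i).hex(' ').upper()}")
    for n in range(1, 5):
        print(f"{n} zero pushes: push 0 -> {size_of(zero_pushes(n, False))} bytes, "
              f"ebx form -> {size_of(zero_pushes(n, True))} bytes")
    print("FindWindowEx args (push 0, ebx form):", compare_findwindow())
    print("ebx form wins from", breakeven(), "zero pushes")
```

With one `xor ebx,ebx` amortised over the whole program, as the poster suggests, every later `push ebx` saves a byte over `push 0`; counted per call site, two zero arguments tie at 4 bytes and three is the first case where the ebx form is shorter, which is the "three times" both sides of the argument land on.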