Hi!
21-Aug-2006 14:34 [EMAIL PROTECTED] (Eric Auer) wrote to
[EMAIL PROTECTED]:
EA> i do know how exe files work. what i am trying to explain is
EA> that the upx decompressor does NOT set values for ss:sp. it
EA> ONLY sets a value for ss.
So what? Maybe this is a way to preserve the original SP value without
modifying the stub? Eric, don't cycle around this value, it is irrelevant (unless
we view the stub sources and prove that this value is buggy).
EA> and because com2exe programs have a sp of -2,
...as it should be for .COM programs.
EA> the ss:sp is cs_of_decompressor:-2 during
EA> decompression. which is bad.
First, why do you think about "cs_of_decompressor" (even if in some cases
SS may be equal to the CS field)? Second, why is this bad, whereas there is only
one requirement: the stack pointer should point not over code/data, but only
over non-used space in the image or to dynamic memory?
EA> AFTER decompression, upx sets
EA> ss:sp to cs_of_display:-2, which is okay.
*IF* UPX sets SS to CS_OF_DISPLAY, then this is a bug. It should set SS
to PSP_SEGMENT+SS_FIELD_OF_HEADER. SS=CS only for plain .COM and .EXE
converted from .COM.
EA> the problem is that
EA> cs_of_decompressor is 62 kilobytes AFTER cs_of_display.
No. The problem is that the UPXed header requires 128k of memory for loading
(image + dynamic memory), whereas the original program requires only 62k. So,
either this is a bug in UPX (which writes too big a value into the MIN= field of the
header) or this is a too greedy unpacking algorithm. All of this is absolutely irrelevant
to the handling of the CS:IP and SS:SP values.
EA> if upx would set BOTH ss AND sp, there would not be a problem.
Irrelevant.
EA> stack could be at cs_of_decompressor:1000 during decompression
EA> and at cs_of_display:-2 after decompression.
Irrelevant. The unpacker should set SS:SP to the original values from the header
(i.e., PSP_SEG+SS_FIELD:SP_FIELD). Which values it uses for itself in the packed
executable's header is absolutely unimportant. And if the compressor (noticeably)
increases the MIN= field value only to preserve some specific value for SS:SP in
the header, then this is a bug.
Well, let's make another test. Below are two sources (the first for a .COM file
converted to .EXE, and the second for an .EXE file):
______________O\_/_________________________________\_/O______________
; tasm/m testc.asm
; tlink/t testc.obj                      ; /t: link as a .COM file
; com2exe -s128 testc.com testc.exe      ; wrap the .COM in an .EXE header, 128-byte stack
.model tiny
.code
.startup                                 ; tiny model: code starts at offset 100h, as in a .COM
.exit 0                                  ; terminate via DOS (int 21h, AH=4Ch), return code 0
db 16*1024 dup (0)                       ; 16 KB of zero padding to make the image non-trivial in size
end
_____________________________________________________________________
O/~\ /~\O
______________O\_/_________________________________\_/O______________
; tasm/m teste.asm
; tlink teste.obj                        ; link as a normal .EXE file
.model small
.code
.startup                                 ; small model: set up DS, SS:SP from the header fields
.exit 0                                  ; terminate via DOS (int 21h, AH=4Ch), return code 0
db 16*1024 dup (0)                       ; 16 KB of zero padding to make the image non-trivial in size
.stack 128                               ; 128-byte stack segment, recorded as SS:SP in the header
end
_____________________________________________________________________
O/~\ /~\O
As you see, the programs are (almost) identical, except for the initial values of CS:IP and
SS:SP. Now, the differences between the first unpacked/packed .exe-s and the second
unpacked/packed .exe-s:
______________O\_/_________________________________\_/O______________
-Pages to load/last page size: 0021/0025h (33 pages/37 bytes)
+Pages to load/last page size: 0001/0118h (1 pages/280 bytes)
-Relocation table offset/size: 001C/0000h (28 bytes/0 dwords)
+Relocation table offset/size: 001C/0001h (28 bytes/1 dwords)
Header size: 0002h (2 para)
- Min/max memory to allocate: 0008/0008h (8/8 para)
+ Min/max memory to allocate: 080B/080Bh (2059/2059 para)
- CS:IP: FFF0:0100h
+ CS:IP: 0000:0000h
- SS:SP: FFF0:418Eh
+ SS:SP: 0402:418Eh
Checksum: 0000h
Overlay #: 0000h (0)
- File size: 00004025h (16421 bytes)
+ File size: 00000118h (280 bytes)
Header size: 00000020h (32 bytes)
- Program image size: 00004005h (16389 bytes)
+ Program image size: 000000F8h (248 bytes)
>- Required memory to load: 00004190h (16784 bytes)
>+ Required memory to load: 000082B0h (33456 bytes)
_____________________________________________________________________
O/~\ /~\O
______________O\_/_________________________________\_/O______________
-Pages to load/last page size: 0022/001Ch (34 pages/28 bytes)
+Pages to load/last page size: 0001/015Fh (1 pages/351 bytes)
-Relocation table offset/size: 003E/0001h (62 bytes/1 dwords)
+Relocation table offset/size: 001C/0001h (28 bytes/1 dwords)
- Header size: 0020h (32 para)
+ Header size: 0002h (2 para)
- Min/max memory to allocate: 0009/FFFFh (9/65535 para)
+ Min/max memory to allocate: 0430/FFFFh (1072/65535 para)
CS:IP: 0000:0000h
- SS:SP: 0402:0080h
+ SS:SP: 0424:0200h
Checksum: 0000h
Overlay #: 0000h (0)
- File size: 0000421Ch (16924 bytes)
+ File size: 0000015Fh (351 bytes)
- Header size: 00000200h (512 bytes)
+ Header size: 00000020h (32 bytes)
- Program image size: 0000401Ch (16412 bytes)
+ Program image size: 0000013Fh (319 bytes)
>- Required memory to load: 000041B0h (16816 bytes)
>+ Required memory to load: 00004540h (17728 bytes)
_____________________________________________________________________
O/~\ /~\O
This unambiguously indicates bugs in UPX, which wrongly requires too much
memory (twice as much as originally) for programs converted from .COM.
Moreover, even for a plain .EXE, UPX requires more memory than originally
(17728 bytes instead of 16816 bytes)!
_______________________________________________
Freedos-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/freedos-devel
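Added example, not code from this thread nor from UPX, com2exe or the header-dump tool used above: a small MZ header parser that reproduces the derived fields of the dumps (file size, program image size, required memory) from the raw header words, plus the registers DOS sets at entry. The four sample headers are constructed from the values quoted in the mail. The "Required memory to load" formula (image rounded up to a paragraph, plus the 256-byte PSP, plus MINALLOC paragraphs) is my reading of the numbers in the dumps, and the PSP segment used for the register calculation (1000h) is a hypothetical value.

```python
# Added example: parse a DOS MZ header and recompute the derived fields shown in
# the header dumps. Sample headers below are constructed from the mail's values.
import struct

MZ_FMT = "<2s13H"   # "MZ" magic followed by 13 little-endian words (28 bytes)
MZ_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def build_header(pages, last_page, relocs, hdr_paras, minalloc, maxalloc,
                 ss, sp, ip, cs, lfarlc=0x1C):
    """Construct a 28-byte MZ header (checksum and overlay number left at 0)."""
    return struct.pack(MZ_FMT, b"MZ", last_page, pages, relocs, hdr_paras,
                       minalloc, maxalloc, ss, sp, 0, ip, cs, lfarlc, 0)


def parse_header(data):
    """Return the header words as a dict; reject anything that is not MZ/ZM."""
    if len(data) < struct.calcsize(MZ_FMT):
        raise ValueError("file too short for an MZ header")
    magic, *words = struct.unpack_from(MZ_FMT, data, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    return dict(zip(MZ_FIELDS, words))


def derived(h):
    """Compute the sizes the dump prints from the raw header words."""
    # e_cblp == 0 means the last 512-byte page is completely used.
    if h["e_cblp"]:
        file_size = (h["e_cp"] - 1) * 512 + h["e_cblp"]
    else:
        file_size = h["e_cp"] * 512
    header_bytes = h["e_cparhdr"] * 16
    image_size = file_size - header_bytes
    image_paras = (image_size + 15) // 16        # DOS loads whole paragraphs
    # Assumed formula (matches all four dumps): image + 256-byte PSP + MINALLOC.
    required = image_paras * 16 + 256 + h["e_minalloc"] * 16
    return {"file_size": file_size, "header_bytes": header_bytes,
            "image_size": image_size, "required": required}


def initial_regs(h, psp_seg):
    """Registers at entry: header CS and SS are relative to the load segment,
    which is PSP + 10h because the PSP itself occupies 16 paragraphs."""
    load_seg = psp_seg + 0x10
    return {"cs": (load_seg + h["e_cs"]) & 0xFFFF, "ip": h["e_ip"],
            "ss": (load_seg + h["e_ss"]) & 0xFFFF, "sp": h["e_sp"]}


def report(data):
    """Render the same lines the mail's dump tool prints for one header."""
    h = parse_header(data)
    d = derived(h)
    return "\n".join([
        f"Pages to load/last page size: {h['e_cp']:04X}/{h['e_cblp']:04X}h",
        f"Min/max memory to allocate: {h['e_minalloc']:04X}/{h['e_maxalloc']:04X}h",
        f"CS:IP: {h['e_cs']:04X}:{h['e_ip']:04X}h",
        f"SS:SP: {h['e_ss']:04X}:{h['e_sp']:04X}h",
        f"File size: {d['file_size']:08X}h ({d['file_size']} bytes)",
        f"Program image size: {d['image_size']:08X}h ({d['image_size']} bytes)",
        f"Required memory to load: {d['required']:08X}h ({d['required']} bytes)",
    ])


# Constructed sample headers, filled from the four dumps quoted in the mail.
TESTC_ORIG = build_header(0x21, 0x025, 0, 0x02, 0x0008, 0x0008, 0xFFF0, 0x418E, 0x0100, 0xFFF0)
TESTC_UPX = build_header(0x01, 0x118, 1, 0x02, 0x080B, 0x080B, 0x0402, 0x418E, 0x0000, 0x0000)
TESTE_ORIG = build_header(0x22, 0x01C, 1, 0x20, 0x0009, 0xFFFF, 0x0402, 0x0080, 0x0000, 0x0000, lfarlc=0x3E)
TESTE_UPX = build_header(0x01, 0x15F, 1, 0x02, 0x0430, 0xFFFF, 0x0424, 0x0200, 0x0000, 0x0000)

if __name__ == "__main__":
    for name, hdr in (("testc.exe", TESTC_ORIG), ("testc.exe (upx)", TESTC_UPX),
                      ("teste.exe", TESTE_ORIG), ("teste.exe (upx)", TESTE_UPX)):
        print(f"== {name}")
        print(report(hdr))
        # Hypothetical PSP at segment 1000h, to show where CS and SS end up.
        regs = initial_regs(parse_header(hdr), 0x1000)
        print("entry registers:", {k: f"{v:04X}" for k, v in regs.items()})
```

Running it reproduces the "Required memory to load" values of all four dumps (4190h, 82B0h, 41B0h, 4540h), so the extra memory of the packed files comes entirely from the MINALLOC field, not from the image. The register calculation also shows why the com2exe header carries CS=SS=FFF0h: with the load segment at PSP+10h, both wrap around to the PSP segment itself, so the program runs at PSP:0100h exactly like the original .COM.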