29a-7.023
Asm is the most powerful language, but also the most difficult to learn. Use
your brain ;-)
If you have already coded asm under DOS you will easily understand this:
;----------------------------------------------------------------;
; Coded for TASM: tasm hello.asm / tlink /t hello.obj            ;
;----------------------------------------------------------------;
.model tiny                 ; model for a .COM file
.radix 16                   ; numbers below are hexadecimal by default
.code                       ; code section
org 100h                    ; a .COM file is loaded at offset 100h
start:
        mov ah,09           ; DOS function 09h: print a '$'-terminated string
        mov dx,offset hello ; DS:DX = address of the text to print on screen
        int 21              ; call DOS
        mov ax,4c00         ; DOS function 4Ch: terminate, return code 0
        int 21              ; END !
hello   db "HELLO $",0      ; the '$' terminates the string for function 09h
end start                   ; entry point
;----------------------------------------------------------------;
Under DOS you had to load specific registers before calling a DOS or BIOS
interrupt (int). In Win32 you push the arguments on the stack before calling a
Win32 API, and the API does the job for you. The arguments are pushed right to
left (the last parameter first) and the Win32 APIs use the stdcall convention,
so the callee removes them from the stack.
I will now show you the same program in Win32:
;----------------------------------------------------------;
; Coded for NASM                                           ;
; nasm -fobj hello.asm                                     ;
; alink -oPE hello \lib\kernel32.lib \lib\user32.lib       ;
;----------------------------------------------------------;
extern MessageBoxA              ; APIs used in this file
extern ExitProcess              ; (resolved from the import libraries)

[SECTION CODE USE32 CLASS=CODE] ; code section
..start:                        ; entry point for the linker (NASM has no END
                                ; directive)
        push byte 0             ; uType: only the 'OK' button (MB_OK)
        push dword caption      ; lpCaption: caption of the box
        push dword text         ; lpText: text in the box
        push byte 0             ; hWnd: no owner window
        call MessageBoxA        ; show the box (arguments pushed right to left)

        push byte 0             ; uExitCode
        call ExitProcess        ; EXIT, never returns

caption db "Your first WIN32 program",0
text    db "HELLO",0
;----------------------------------------------------------;
You can assemble and link this program; I will use it to explain some tricks.
=============================================================
+ ________ +
+ /\ |---\ | | | / +
+ / \ | | | --+----+-- / +
+ / \ |___/ | | | / | +
+ /------\ | \ | --+----+-- /---|-- +
+ / \ | \ | | | | +
+ +
=============================================================
PE FILE FORMAT
- When DOS was still alive, the two principal executable file formats were
*.COM and *.EXE. The image of a .COM file (once loaded in memory) is identical
to its physical layout on disk: it is simply loaded right after the PSP
(Program Segment Prefix). A .COM program therefore begins at offset 100h of
its segment and, PSP included, must fit in one 64 KB segment (the file itself
can be at most FF00h bytes). This is not the case for .EXE files: a .EXE file
begins with a header holding the values needed to load it (DOS .EXE files have
only this one header).
- Windows 3.x introduced a new kind of executable: the NE .EXE (New
Executable).
- Windows NT introduced the PE .EXE format (Portable Executable), which
Windows 9x and later use as well. The name "Portable Executable" refers to
the fact that the format is not architecture-specific.
I will now show you the PE file format (PE32 only):
A .EXE PE file looks like this:
+--------------------------+
| OLD DOS EXE HEADER |
+--------------------------+
| PE HEADER |
+--------------------------+
| PE OPTIONAL HEADER |
+--------------------------+
| OBJECT TABLE |
+--------------------------+
| SECTION # 1 |
+--------------------------+
| SECTION # 2 |
+--------------------------+
| SECTION # 3 |
+--------------------------+
.
| . |
.
| . |
+--------------------------+
| SECTION # n |
+--------------------------+
The most common sections you will find in a PE file are:
-code section : the Win32 code (program).
-data sections : initialized/uninitialized data.
-import section : the APIs used by the file are listed here, and the
loader writes the addresses of those APIs here so the
program can call them.
-export section : for .DLL files: the entry points of the exported APIs
are listed here.
-resource section : contains the resources of the file (icon, ...).
-debug section : contains debugging info.
-relocation section : base relocations, applied by the loader when the
image cannot be mapped at its preferred base address.
**********************
* OLD DOS EXE HEADER *
**********************
I will not describe this header in detail because most of its fields are
unused nowadays. Read old vx articles if you want more.
Offset Size     Description
00h    2 BYTEs  .EXE signature, "MZ" (4D5Ah)
02h    WORD     number of bytes in the last page
04h    WORD     number of 512-byte pages (including the last page)
06h    WORD     number of relocation entries
08h    WORD     header size in paragraphs (a paragraph = 16 bytes); the DOS
                load module starts right after the header
0Ah    WORD     minimum paragraphs of memory needed
0Ch    WORD     maximum paragraphs of memory needed
0Eh    WORD     initial SS (relative to the load segment)
10h    WORD     initial SP
12h    WORD     checksum
14h    WORD     initial IP
16h    WORD     initial CS (relative to the load segment)
18h    WORD     file offset of the relocation table; 40h or more for
                new-format files (NE, LE, LX, PE, ...)
1Ah    WORD     overlay number (normally 0)
1Ch    8 BYTEs  reserved
24h    WORD     OEM identifier
26h    WORD     OEM information
28h    20 BYTEs reserved
3Ch    DWORD    file offset of the new executable (NE, LE, PE, ...) header
Take a look at our HELLO.EXE file (edit it in hex):
Physical
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 4D 5A 6C 00 01 00 00 00 04 00 11 00 FF FF 03 00 MZ..............
00000010 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 00 ................
00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 00 4C CD 21 54 68 ..............Th
00000050 69 73 20 70 72 6F 67 72 61 6D 20 72 65 71 75 69 is program requi
00000060 72 65 73 20 57 69 6E 33 32 0D 0A 24 00 00 00 00 res WIN32.......
-At offset 0h you can see the MZ signature (4D5Ah), all EXE files begin
with this signature.
-At offset 08h the header size is 4 paragraphs (40h bytes), so the DOS load
module starts at file offset 40h; the initial CS:IP at offsets 16h/14h is
0000:0000, relative to that load segment. So if you run this file under DOS,
execution starts at file offset 40h. (The word 0040h at offset 18h is the
relocation table offset; a value of 40h or more marks the file as
new-format.) The code at offset 40h is:
HEX values op codes
0E - push cs
1F - pop ds ; DS = CS = load segment
BA0E00 - mov dx,000Eh ; DS:DX -> text (offset 0Eh in the load module)
B409 - mov ah,09 ;
CD21 - int 21 ; print text on screen
B8004C - mov ax,4C00 ;
CD21 - int 21 ; END
- text db "This program requires WIN32",0Dh,0Ah,"$"
So the .EXE file prints "This program requires WIN32" if you run it outside
a Win32 environment (Windows NT, Windows 9x and later).
-At offset 3Ch is the DWORD e_lfanew, the file offset of the new header.
Here this value is 70h, so the new header (the PE header) begins at file
offset 70h.
*************
* PE HEADER *
*************
The PE HEADER looks like:
<---------DWORD---------> <---WORD--->
+-------------------------+------------+------------+
| SIGNATURE | CPU TYPE | # OBJECTS |
+-------------------------+------------+------------+
| TIME/DATE | RESERVED |
+-------------------------+-------------------------+
| RESERVED | OPTIONAL | FLAGS |
| | HDR SIZE | |
+-------------------------+------------+------------+
SIGNATURE :The bytes "PE",0,0 (50h 45h 00h 00h), i.e. the DWORD 00004550h
           when read little-endian. All PE files begin with this value.
CPU TYPE  :(Machine) Type of CPU this image is built for. Known values:
           0000h unknown
           014Ch Intel 386 or later, and compatible processors
           014Dh Intel 486
           014Eh Intel Pentium
           0162h MIPS Mark I (R2000, R3000)
           0163h MIPS Mark II (R6000)
           0166h MIPS Mark III (R4000)
           0168h MIPS little-endian (R10000)
           0169h MIPS little-endian WCE v2
           0184h Alpha AXP
           01A2h Hitachi SH3 little-endian
           01A4h Hitachi SH3E little-endian
           01A6h Hitachi SH4 little-endian
           01C0h ARM little-endian
           01F0h PowerPC little-endian
           0200h Intel IA-64 (Itanium)
           0266h MIPS16
           0268h Motorola 68000 series
           0284h Alpha AXP 64-bit
           0366h MIPS with FPU
           0466h MIPS16 with FPU
           (8664h is AMD64/x64; such images use the PE32+ optional header,
           which is outside the PE32-only scope of this text.)
# OBJECTS :(NumberOfSections) Number of entries in the Object (section)
           Table.
TIME/DATE :Time and date the file was created or modified by the