
KESYS may go UEFI


wolfgang kern

Jan 5, 2024, 1:40:05 AM
some work to do before I can even start:
need to convert this C-styled documentation into machine-code
engineers' format [aka RBIL-styled].

***
I'm not sure about the PE-file contents (the last part below)
if you can enter what's missing or correct anything please do :)
TIA
***
__
wolfgang

FIRST steps:
create an MBR on either a USB-RAM-stick or an empty SSD.
manually set partition entries as GPT:

MBR:
0000 ... all zero
01BE xx xx xx EE yy yy yy 01 00 00 00 ss ss ss ss
x = start CHS usually 1
y = end CHS usually FFFFFF
0000_0001 start-LBA of GPT image (could be elsewhere also)
s = size of this GPT image (in sectors)
01CE ... all zero
01FE 55 AA
-----------------
GPT header format
0x00 Signature 45 46 49 20 50 41 52 54 ;"EFI PART"
0x08 Revision (for GPT version 1.0 (through at least UEFI version
2.3.1), the value is 00h 00h 01h 00h)
0x0C Header size (in bytes, usually 5Ch 00h 00h 00h)
0x10 CRC32 of header (offset +0 up to header size),
with this field zeroed during calculation
0x14 Reserved; must be zero
0x18 Current LBA (location of this header copy)
0x20 Backup LBA (location of the other header copy)
0x28 First usable LBA for partitions (primary table last LBA + 1)
0x30 Last usable LBA (secondary partition table first LBA - 1)
0x38 Disk GUID (also referred to as UUID on UNIXes)
0x48 Starting LBA of array of partition entries (always 2 in primary)
0x50 Number of partition entries in array
0x54 Size of a single partition entry (usually 128)
0x58 CRC32 of partition array
0x5C Reserved; must be zeroes for the rest of the block
(420 bytes for a sector size of 512 bytes; but can be more with
larger sector sizes)
---------------------------
GUID partition entry format
0x00 Partition type GUID
0x10 Unique partition GUID
0x20 First LBA (little endian)
0x28 Last LBA (inclusive, usually odd)
0x30 Attribute flags (e.g. bit 60 denotes read-only)
0x38 72 bytes Partition name (36 UTF-16LE code units)
[128 bytes total]

The 64-bit partition table attributes are shared between 48-bit common
attributes for all partition types, and 16-bit type-specific attributes.

Partition attributes
Bit Content
0 System partition (disk partitioning utilities must preserve the
partition as is)

1 EFI firmware should ignore the content of the partition and not try to
read from it

2 Legacy BIOS bootable (equivalent to active flag (typically bit 7 set)
at offset +0h in partition entries of the MBR partition table)

3–47 Reserved for future use
48–63 Defined and used by the individual partition type

Microsoft defines the type-specific attributes for Basic data partition
according to a TechNet article as:
Basic data partition attributes
Bit Content
60 Read-only
62 Hidden
63 Do not automount (i.e., do not assign drive letter)

just for Info:
Partition type GUIDs
OS type Globally unique identifier (GUID)
(None) Unused 00 00 00 00-00 00 00 00 00 00 00 00-00 00 00 00
MBR 41 EE 4D 02-E7 33 D3 11 9D 69 00 08 C7 81 F3 9F
EFI 28 73 C1 2A-1F F8 D2 11 BA 4B 00 A0 C9 3E C9 3B
ROM-BIOS 48 61 68 21-49 64 6F 6E 74 4E 65 65 64 45 46 49 "Hah!IdontNeedEFI"

M$ Reserved 16 E3 C9 E3 5C 0B B8 4D 81 7D F9 2D F0 02 15 AE
data A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7
Logical Disk Manager meta-data AA C8 08 58 8F 7E E0 42 85 D2 E1 E9 04 34 CF B3
Logical Disk Manager data A0 60 9B AF 31 14 62 4F BC 68 33 11 71 4A 69 AD
Windows Recovery Environment A4 BB 94 DE D1 06 40 4D A1 6A BF D5 01 79 D6 AC
IBM File System (GPFS) partition 90 FC AF 37 7D EF 96 4E 91 C3 2D 7A E0 55 B1 74
Storage Spaces partition 8F AF 5C E7 80 F6 EE 4C AF A3 B0 01 E5 6E FC 2D
Intel Fast Flash DE E2 BF D3-AF 3D DF 11 BA 40 E3 A5 56 D8 95 93
Sony boot 32 97 01 F4-6E 06 12 4E 82 73 34 6C 56 41 49 4F

[there are much more... see WIKI if you need any]
----------------
FAT32 formatting (try shortest possible)
------------
the PE-file:
-------------------------------------------------------
0000 w 5a4d "MZ" DOS 2.0 Compatible EXE Header
...
003c q Offset to PE Header (relative to file-start)
0040 ... DOS 2.0 Stub Program & Relocation Information
------------
PE HEADER
pointed to by file-offset 003c q
+[003c]q
label0: ; = imagebase 00400000
0000 q 00004550 "PE"0,0 SIGNATURE
0004 w 0000 Unknown CPU TYPE
014C 80386
014D 80486
014E PentiumTM
???? RYZEN 5/6..
0162 MIPS Mark I (R2000, R3000)
0163 MIPS Mark II (R6000)
0166 MIPS Mark III (R4000)
0006 w number of entries in Object-table
0008 q TIME/DATE STAMP (created/modified)
000c q reserved/ PointerToSymbolTable
0010 q reserved/ NumberOfSymbols
0014 w SizeOfOptionalHeader
0016 w FLAGS /Characteristics
b0 Relocation info stripped from file.
b1 File is executable (i.e. no unresolved external references).
b2 Line numbers stripped from file.
b3 Local symbols stripped from file.
b4 Aggressively trim working set
b5,6 ??
b7 Bytes of machine word are reversed.
b8 32 bit word machine.
b9 Debugging info stripped from file in .DBG file
b10 If Image is on removable media, copy and run from the swap file.
b11 If Image is on Net, copy and run from the swap file.
b12 System File.
b13 File is a DLL.
b14 File should only be run on a UP machine
b15 Bytes of machine word are reversed.

0018 w 010b MAGIC # ??
001a b Lmajor linker version
001b b Lminor
001c q SizeOfCode
0020 q SizeOfInitializedData
0024 q SizeOfUninitializedData
0028 q RVA-entry-point /winmain-ImageBase;AddressOfEntryPoint
002c q BaseOfCode
0030 q BaseOfData
0034 q IMAGE BASE
0038 q 1000 SectionAlignment
003c q 0200 FileAlignment
0040 w MajorOperatingSystemVersion
0042 w MinorOperatingSystemVersion
0044 w MajorImageVersion
0046 w MinorImageVersion
0048 w MajorSubsystemVersion
004a w MinorSubsystemVersion
004c q Win32VersionValue
0050 q SizeOfImage
0054 q SizeOfHeaders
0058 q 0 CheckSum
005c w 2 or 3 SUBSYSTEM
0: Unknown subsystem.
1: Image doesn't require a subsystem.
2: Image runs in the Windows GUI subsystem.
3: Image runs in the Windows character subsystem.
5: image runs in the OS/2 character subsystem.
7: image run in the Posix character subsystem.
8: image run in the 8 subsystem.
005e w DLL FLAGS /DllCharacteristics
Indicates special loader requirements.
b0 Per-Process Library Initialization
b1 Per-Process Library Termination
b2 Per-Thread Library Initialization
b3 Per-Thread Library Termination
b15..4 reserved for future use and should be set to zero.
0060 q STACK RESERVE SIZE SizeOfStackReserve
0064 q STACK COMMIT SIZE SizeOfStackCommit
0068 q HEAP RESERVE SIZE SizeOfHeapReserve
006c q HEAP COMMIT SIZE SizeOfHeapCommit
0070 q reserved /NumberOfRvaAndSize (entries in the data dir)

<Image Data Directory>:
0074 q EXPORT TABLE RVA /Export Directory
0078 q TOTAL EXPORT DATA SIZE
007c q IMPORT TABLE RVA /Import Directory
0080 q TOTAL IMPORT DATA SIZE
0084 q RESOURCE TABLE RVA /Resource Directory
0088 q TOTAL RESOURCE DATA SIZE
008c q EXCEPTION TABLE RVA /Exception Directory
0090 q TOTAL EXCEPTION DATA SIZE
0094 q SECURITY TABLE RVA /Security Directory
0098 q TOTAL SECURITY DATA SIZE
009c q FIXUP TABLE RVA /Base Relocation Table
00a0 q TOTAL FIXUP DATA SIZE
00a4 q DEBUG TABLE RVA /Debug Directory
00a8 q TOTAL DEBUG DIRECTORIES
00ac q IMAGE DESCRIPTION RVA /Description String
00b0 q TOTAL DESCRIPTION SIZE
00b4 q MACHINE SPECIFIC RVA /Machine Value (MIPS GP)
00b8 q MACHINE SPECIFIC SIZE
00bc q THREAD LOCAL STORAGE (TLS)RVA /TLS Directory
00c4 q TOTAL TLS SIZE
00d0 q RVA/Load Configuration Directory
00d4 q SIZE
00d8 q RVA/Bound Import Directory in headers
00dc q SIZE
00e0 q RVA/Import Address Table "IAT"
00e4 q SIZE
00e8 q RVA/14
00ec q SIZE
00f0 q RVA/15
00f4 q SIZE
00f8 q RVA/16
00fc q SIZE

-----------------------
<Image Sections Header>
object table:
Each Object Table entry has this format (40 byte):
000 s OBJECT NAME (ascii8 Z-pad)
008 q VIRTUAL SIZE /(VSizeOf_text/VSizeOf_idat/VSizeOf_udat)
00c q RVA /VBaseOf_text
010 q PHYSICAL SIZE /FSizeOf_text ;raw data
014 q PHYSICAL OFFSET /FBaseOf_text ;raw data
018 q RESERVED /pointer to relocations
01c q RESERVED /pointer to line numbers
020 w /number of relocations
022 w /number of line numbers
024 q OBJECT FLAGS /characteristics (E0000020/40/80)
b5 Code object
b6 Initialized data object
b7 Uninitialized data object
b26 Object must not be cached
b27 Object is not pageable
b28 Object is shared
b29 Executable object
b30 Readable object
b31 Writeable object
All other bits are reserved and should be set to zero.
----------------
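As an added example that is not from the thread: this Python builds the protective MBR, the GPT header and a partition entry exactly as laid out above, then verifies a GPT the way firmware should before trusting it (signature, header CRC32 computed with the CRC field zeroed, partition-array CRC32, entry-size and LBA-range sanity, every partition inside the usable range). The disk and partition GUIDs in build_sample are placeholders; the ESP type GUID is the standard one, and guid_bytes shows the on-disk mixed-endian encoding used in the GUID table above.

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header, fields in the order of the table above
ENTRY_FMT = "<16s16sQQQ72s"      # one 128-byte partition entry
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition type GUID

def guid_bytes(text: str) -> bytes:
    """On-disk GUID encoding: the first three fields little-endian, the rest as written."""
    return uuid.UUID(text).bytes_le

def build_protective_mbr(total_sectors: int) -> bytes:
    """Protective MBR as in the layout above: one type-EE entry from LBA 1 to the disk end."""
    mbr = bytearray(SECTOR)
    size = min(total_sectors - 1, 0xFFFFFFFF)
    # boot flag, start CHS (0,0,2), type 0xEE, end CHS (maximum), start LBA 1, size in sectors
    struct.pack_into("<B3sB3sII", mbr, 0x1BE, 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, size)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)

def build_entry(type_guid, unique_guid, first_lba, last_lba, name, attrs=0) -> bytes:
    """One partition entry; the name is UTF-16LE, zero-padded to 72 bytes by the 72s format."""
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, unique_guid.bytes_le,
                       first_lba, last_lba, attrs, name.encode("utf-16-le"))

def build_header(disk_guid, total_sectors, array, entries=128, entry_size=128):
    """Primary header for LBA 1. Returns (header, padded array); both CRCs are filled in last."""
    array_sectors = -(-entries * entry_size // SECTOR)        # ceiling division
    backup_lba = total_sectors - 1
    padded = array.ljust(entries * entry_size, b"\0")
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      1, backup_lba, 2 + array_sectors, backup_lba - array_sectors - 1,
                      disk_guid.bytes_le, 2, entries, entry_size, zlib.crc32(padded))
    crc = zlib.crc32(hdr)            # header CRC is computed while its own field is still zero
    return hdr[:16] + struct.pack("<I", crc) + hdr[20:], padded

def parse_entries(array: bytes, entries: int, entry_size: int) -> list:
    """Decode the used slots of a partition array into plain dicts."""
    out = []
    for i in range(entries):
        raw = array[i * entry_size:(i + 1) * entry_size]
        if len(raw) < 128:
            break                                              # array truncated
        t, u, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, raw)
        if t == b"\0" * 16:
            continue                                           # unused slot
        out.append(dict(type=str(uuid.UUID(bytes_le=t)), unique=str(uuid.UUID(bytes_le=u)),
                        first=first, last=last, attrs=attrs,
                        name=name.decode("utf-16-le").rstrip("\0")))
    return out

def verify_gpt(hdr: bytes, array: bytes, total_sectors: int) -> list:
    """The checks firmware or an OS should make before trusting a GPT; returns findings."""
    issues = []
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return ["missing EFI PART signature"]
    (_, rev, hsize, crc, _, _, backup, first, last, _, arr_lba,
     entries, entry_size, acrc) = struct.unpack_from(HDR_FMT, hdr)
    if hsize < 92 or hsize > len(hdr):
        return ["implausible header size %d" % hsize]
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hsize]) != crc:
        issues.append("header CRC mismatch")
    if rev != 0x00010000:
        issues.append("unexpected revision %#x" % rev)
    entry_size_ok = entry_size >= 128 and (entry_size & (entry_size - 1)) == 0
    if not entry_size_ok:
        issues.append("entry size must be a power of two >= 128")
    if entries * entry_size > len(array):
        issues.append("partition array shorter than the header declares")
    elif zlib.crc32(array[:entries * entry_size]) != acrc:
        issues.append("partition array CRC mismatch")
    if not (arr_lba < first <= last < backup <= total_sectors - 1):
        issues.append("LBA ranges inconsistent with the disk size")
    elif entry_size_ok:
        for p in parse_entries(array, entries, entry_size):
            if not (first <= p["first"] <= p["last"] <= last):
                issues.append("partition %r outside the usable range" % p["name"])
    return issues

def build_sample():
    """Constructed sample: a 131072-sector disk with one ESP at LBA 2048..40959 (placeholder GUIDs)."""
    disk_guid = uuid.UUID("00000000-0000-4000-8000-000000000001")
    part_guid = uuid.UUID("00000000-0000-4000-8000-000000000002")
    total = 131072
    entry = build_entry(ESP_TYPE, part_guid, 2048, 40959, "EFI SYSTEM")
    hdr, array = build_header(disk_guid, total, entry)
    return hdr, array, total
```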

Herbert Kleebauer

Jan 5, 2024, 4:14:08 AM
On 05.01.2024 07:40, wolfgang kern wrote:
> ***
> I'm not sure about the PE-file contents (the last part below)
> if you can enter what's missing or correct anything please do :)
> TIA
> ***

Here is the PE header (starting at file position $00a0) of a
minimal Win32 program. But the information is more than
30 years old.


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; DEMO.mac: copy stdin to stdout, convert a-z to A-Z ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

UseIdatSection=0 ; 0 if no idat section is used
UseUdatSection=0 ; 0 if no udat section is used

;#==================================================================#
;# Start of Headers #
;#==================================================================#

; +--------------------------------------------+
; | Start of DOS Header |
; +--------------------------------------------+

; DOS .EXE header
00000000: 00000000: 4d 5a dc.b 'MZ' ; Magic number
00000002: 00000002: 0160 dc.w dosfilesize\512 ; Bytes on last page of file (0->512)
00000004: 00000004: 0001 dc.w (dosfilesize-1)/512+1
; Pages in file (Page=512 byte)
00000006: 00000006: 0000 dc.w 0 ; Relocations (nr of entries)
00000008: 00000008: 0004 dc.w doshead_end/16 ; Size of header size in paragraphs (16 byte)
0000000a: 0000000a: 0000 dc.w 0 ; Minimum extra paragraphs needed
0000000c: 0000000c: ffff dc.w $ffff ; Maximum extra paragraphs needed
0000000e: 0000000e: 0000 dc.w 0 ; Initial (relative) SS value (ss=load_adr+nr)
00000010: 00000010: 0160 dc.w dosstack ; Initial SP value
00000012: 00000012: 0000 dc.w 0 ; Checksum
00000014: 00000014: 0000 dc.w dosmain ; Initial IP value
00000016: 00000016: 0000 dc.w 0 ; Initial (relative) CS value (cs=load_adr+nr)
00000018: 00000018: 0040 dc.w reloc ; File address of relocation table
0000001a: 0000001a: 0000 dc.w 0 ; Overlay number
0000001c: 0000001c: 0000 0000 0000
00000022: 00000022: 0000 dc.w 0,0,0,0 ; Reserved words
00000024: 00000024: 0000 dc.w 0 ; OEM identifier (for e_oeminfo)
00000026: 00000026: 0000 dc.w 0 ; OEM information; e_oemid specific
00000028: 00000028: 00000000 00000000
00000030: 00000030: 00000000 00000000
00000038: 00000038: 00000000 dc.l 0,0,0,0,0 ; Reserved words
0000003c: 0000003c: 000000a0 dc.l WinHeader ; File address of new exe header
reloc:
doshead_end:

@=$0
00000040: 00000000: 0e dosmain:move.w s6,-(sp)
00000041: 00000001: 1f move.w (sp)+,s0
00000042: 00000002: ba 000e move.w #_text,r1
00000045: 00000005: b4 09 move.b #$09,m0
00000047: 00000007: cd 21 trap #$21
00000049: 00000009: b8 4c01 move.w #$4c01,r0
0000004c: 0000000c: cd 21 trap #$21
0000004e: 0000000e: 4e 69 63 65 20 74
00000054: 00000014: 6f 20 6d 65 65 74
0000005a: 0000001a: 20 73 6f 6d 65 62
00000060: 00000020: 6f 64 79 20 77 68
00000066: 00000026: 6f 20 69 73 20 73
0000006c: 0000002c: 74 69 6c 6c 20 75
00000072: 00000032: 73 69 6e 67 20 44
00000078: 00000038: 4f 53 2c 0d 0a _text: dc.b 'Nice to meet somebody who is still using DOS,',13,10
0000007d: 0000003d: 62 75 74 20 74 68
00000083: 00000043: 69 73 20 70 72 6f
00000089: 00000049: 67 72 61 6d 20 72
0000008f: 0000004f: 65 71 75 69 72 65
00000095: 00000055: 73 20 57 69 6e 33
0000009b: 0000005b: 32 2e 0d 0a 24 dc.b 'but this program requires Win32.',13,10,'$'
even 16

dosstack=@+256 ; 256 Byte stack
dosfilesize=@+256

; +--------------------------------------------+
; | End of DOS Header |
; +--------------------------------------------+


; +--------------------------------------------+
; | Start of Windows Header |
; +--------------------------------------------+

ImageBase== $00400000
SectionAlignment== 4096
FileAlignment== 512

WinHeader=@@
@=ImageBase

; see WINNT.H for information
000000a0: 00400000: 50 45 00 00 dc.b 'PE',0,0 ; magic word
; _IMAGE_FILE_HEADER:
000000a4: 00400004: 014c dc.w $014c ; Machine ($014c=Intel x86 processor)
000000a6: 00400006: 0001 dc.w NumberOfSections ; NumberOfSections
000000a8: 00400008: 36a57950 dc.l $36a57950 ; TimeDateStamp (seconds since 31.12.69 16:00)
000000ac: 0040000c: 00000000 dc.l 0 ; PointerToSymbolTable
000000b0: 00400010: 00000000 dc.l 0 ; NumberOfSymbols
000000b4: 00400014: 00e0 dc.w SizeOfOptionalHeader ; SizeOfOptionalHeader
000000b6: 00400016: 010f dc.w $010f ; Characteristics

; 0x0001 Relocation info stripped from file.
; 0x0002 File is executable (i.e. no unresolved external references).
; 0x0004 Line numbers stripped from file.
; 0x0008 Local symbols stripped from file.
; 0x0010 Aggressively trim working set
; 0x0080 Bytes of machine word are reversed.
; 0x0100 32 bit word machine.
; 0x0200 Debugging info stripped from file in .DBG file
; 0x0400 If Image is on removable media, copy and run from the swap file.
; 0x0800 If Image is on Net, copy and run from the swap file.
; 0x1000 System File.
; 0x2000 File is a DLL.
; 0x4000 File should only be run on a UP machine
; 0x8000 Bytes of machine word are reversed.

@a=@ ; _IMAGE_OPTIONAL_HEADER
000000b8: 00400018: 010b dc.w $010b ; Magic
000000ba: 0040001a: 05 dc.b 5 ; MajorLinkerVersion
000000bb: 0040001b: 0c dc.b 12 ; MinorLinkerVersion
000000bc: 0040001c: 00000200 dc.l SizeOfCode ; SizeOfCode
000000c0: 00400020: 00000000 dc.l SizeOfInitializedData ; SizeOfInitializedData
000000c4: 00400024: 00000000 dc.l SizeOfUninitializedData ; SizeOfUninitializedData
000000c8: 00400028: 00001094 dc.l winmain-ImageBase ; AddressOfEntryPoint
000000cc: 0040002c: 00001000 dc.l BaseOfCode ; BaseOfCode
000000d0: 00400030: 00002000 dc.l BaseOfData ; BaseOfData
000000d4: 00400034: 00400000 dc.l ImageBase ; ImageBase
000000d8: 00400038: 00001000 dc.l SectionAlignment ; SectionAlignment
000000dc: 0040003c: 00000200 dc.l FileAlignment ; FileAlignment
000000e0: 00400040: 0004 dc.w 4 ; MajorOperatingSystemVersion
000000e2: 00400042: 0000 dc.w 0 ; MinorOperatingSystemVersion
000000e4: 00400044: 0000 dc.w 0 ; MajorImageVersion
000000e6: 00400046: 0000 dc.w 0 ; MinorImageVersion
000000e8: 00400048: 0004 dc.w 4 ; MajorSubsystemVersion
000000ea: 0040004a: 0000 dc.w 0 ; MinorSubsystemVersion
000000ec: 0040004c: 00000000 dc.l 0 ; Win32VersionValue
000000f0: 00400050: 00002000 dc.l SizeOfImage ; SizeOfImage
000000f4: 00400054: 00000200 dc.l SizeOfHeaders ; SizeOfHeaders
000000f8: 00400058: 00000000 dc.l 0 ; CheckSum
000000fc: 0040005c: 0003 dc.w 3 ; Subsystem
; 0: Unknown subsystem.
; 1: Image doesn't require a subsystem.
; 2: Image runs in the Windows GUI subsystem.
; 3: Image runs in the Windows character subsystem.
; 5: image runs in the OS/2 character subsystem.
; 7: image run in the Posix character subsystem.
; 8: image run in the 8 subsystem.
000000fe: 0040005e: 0000 dc.w $0000 ; DllCharacteristics
00000100: 00400060: 00100000 dc.l $00100000 ; SizeOfStackReserve
00000104: 00400064: 00001000 dc.l $00001000 ; SizeOfStackCommit
00000108: 00400068: 00100000 dc.l $00100000 ; SizeOfHeapReserve
0000010c: 0040006c: 00001000 dc.l $00001000 ; SizeOfHeapCommit
00000110: 00400070: 00000000 dc.l $00000000 ; LoaderFlags
00000114: 00400074: 00000010 dc.l NumberOfRvaAndSize ; NumberOfRvaAndSize (entries
; in the data dir)

; ..............................................
; : Start of Image Data Directory :
; ..............................................

; virtual address, size
@b=@
00000118: 00400078: 00000000 00000000 dc.l 0,0 ; Export Directory
00000120: 00400080: 00001014 00000028 dc.l imp_start,imp_size ; Import Directory
00000128: 00400088: 00000000 00000000 dc.l 0,0 ; Resource Directory
00000130: 00400090: 00000000 00000000 dc.l 0,0 ; Exception Directory
00000138: 00400098: 00000000 00000000 dc.l 0,0 ; Security Directory
00000140: 004000a0: 00000000 00000000 dc.l 0,0 ; Base Relocation Table
00000148: 004000a8: 00000000 00000000 dc.l 0,0 ; Debug Directory
00000150: 004000b0: 00000000 00000000 dc.l 0,0 ; Description String
00000158: 004000b8: 00000000 00000000 dc.l 0,0 ; Machine Value (MIPS GP)
00000160: 004000c0: 00000000 00000000 dc.l 0,0 ; TLS Directory
00000168: 004000c8: 00000000 00000000 dc.l 0,0 ; Load Configuration Directory
00000170: 004000d0: 00000000 00000000 dc.l 0,0 ; Bound Import Directory in headers
00000178: 004000d8: 00001000 00000014 dc.l iat_start,iat_size ; Import Address Table
00000180: 004000e0: 00000000 00000000 dc.l 0,0 ; 14
00000188: 004000e8: 00000000 00000000 dc.l 0,0 ; 15
00000190: 004000f0: 00000000 00000000 dc.l 0,0 ; 16

NumberOfRvaAndSize = (@-@b)/8
SizeOfOptionalHeader = @-@a

; ..............................................
; : End of Image Data Directory :
; ..............................................

; ..............................................
; : Start of Image Sections Header :
; ..............................................

@a=@

00000198: 004000f8: 2e 74 65 78 74 00
0000019e: 004000fe: 00 00 dc.b '.text',0,0,0 ; name
000001a0: 00400100: 0000014c dc.l VSizeOf_text ; virtual size
000001a4: 00400104: 00001000 dc.l VBaseOf_text ; virtual address
000001a8: 00400108: 00000200 dc.l FSizeOf_text ; size of raw data
000001ac: 0040010c: 00000200 dc.l FBaseOf_text ; pointer to raw data
000001b0: 00400110: 00000000 dc.l 0 ; pointer to relocations
000001b4: 00400114: 00000000 dc.l 0 ; pointer to line numbers
000001b8: 00400118: 0000 dc.w 0 ; number of relocations
000001ba: 0040011a: 0000 dc.w 0 ; number of line numbers
000001bc: 0040011c: e0000020 dc.l $e0000020 ; characteristics


IF UseIdatSection
dc.b '.idat',0,0,0 ; name
dc.l VSizeOf_idat ; virtual size
dc.l VBaseOf_idat ; virtual address
dc.l FSizeOf_idat ; size of raw data
dc.l FBaseOf_idat ; pointer to raw data
dc.l 0 ; pointer to relocations
dc.l 0 ; pointer to line numbers
dc.w 0 ; number of relocations
dc.w 0 ; number of line numbers
dc.l $e0000040 ; characteristics
ENDIF

IF UseUdatSection
dc.b '.udat',0,0,0 ; name
dc.l VSizeOf_udat ; virtual size
dc.l VBaseOf_udat ; virtual address
dc.l FSizeOf_udat ; size of raw data
dc.l FBaseOf_udat ; pointer to raw data
dc.l 0 ; pointer to relocations
dc.l 0 ; pointer to line numbers
dc.w 0 ; number of relocations
dc.w 0 ; number of line numbers
dc.l $e0000080 ; characteristics
ENDIF

NumberOfSections=(@-@a)/40

; ..............................................
; : End of Image Sections Header :
; ..............................................

; characteristics
; 0x00000020 // Section contains code.
; 0x00000040 // Section contains initialized data.
; 0x00000080 // Section contains uninitialized data.
; 0x00000200 // Section contains comments or some other type of information.
; 0x00000800 // Section contents will not become part of image.
; 0x00001000 // Section contents comdat.
; 0x01000000 // Section contains extended relocations.
; 0x02000000 // Section can be discarded.
; 0x04000000 // Section is not cachable.
; 0x08000000 // Section is not pageable.
; 0x10000000 // Section is shareable.
; 0x20000000 // Section is executable.
; 0x40000000 // Section is readable.
; 0x80000000 // Section is writeable.

; +--------------------------------------------+
; | End of Windows Header |
; +--------------------------------------------+

000001c0: 00400120: 00 00 00 00 00 00
000001c6: 00400126: 00 00 00 00 00 00
000001cc: 0040012c: 00 00 00 00 00 00
000001d2: 00400132: 00 00 00 00 00 00
000001d8: 00400138: 00 00 00 00 00 00
000001de: 0040013e: 00 00 00 00 00 00
000001e4: 00400144: 00 00 00 00 00 00
000001ea: 0040014a: 00 00 00 00 00 00
000001f0: 00400150: 00 00 00 00 00 00
000001f6: 00400156: 00 00 00 00 00 00
000001fc: 0040015c: 00 00 00 00 evencom FileAlignment

SizeOfHeaders==@@

;#==================================================================#
;# End of Headers #
;#==================================================================#

;#==================================================================#
;# Start of Sections #
;#==================================================================#

; +--------------------------------------------+
; | Start of .text Section |
; +--------------------------------------------+

FBaseOf_text==@@
VBaseOf_text==(@-ImageBase+SectionAlignment-1)/SectionAlignment*SectionAlignment
BaseOfCode==VBaseOf_text
@=ImageBase+VBaseOf_text


; ..............................................
; : Start of Thunk Table :
; ..............................................


iat_start=@-ImageBase

KERNEL32_thunk:
00000200: 00401000: 0000105e ExitProcess:: dc.l KERNEL32_ExitProcess -ImageBase
00000204: 00401004: 0000106c GetStdHandle:: dc.l KERNEL32_GetStdHandle -ImageBase
00000208: 00401008: 0000107c ReadFile:: dc.l KERNEL32_ReadFile -ImageBase
0000020c: 0040100c: 00001088 WriteFile:: dc.l KERNEL32_WriteFile -ImageBase
00000210: 00401010: 00000000 dc.l 0


iat_size=@-ImageBase-iat_start

; ..............................................
; : End of Thunk Table :
; ..............................................


; ..............................................
; : Start of Import Directory :
; ..............................................


imp_start==@-ImageBase

imp:

00000214: 00401014: 0000104a dc.l KERNEL32_import -ImageBase
00000218: 00401018: 00000000 dc.l 0
0000021c: 0040101c: 00000000 dc.l 0
00000220: 00401020: 0000103c dc.l KERNEL32_name -ImageBase
00000224: 00401024: 00001000 dc.l KERNEL32_thunk -ImageBase

00000228: 00401028: 00000000 dc.l 0
0000022c: 0040102c: 00000000 dc.l 0
00000230: 00401030: 00000000 dc.l 0
00000234: 00401034: 00000000 dc.l 0
00000238: 00401038: 00000000 dc.l 0

imp_size==@-imp

; ..............................................
; : End of Import Directory :
; ..............................................


KERNEL32_name:
0000023c: 0040103c: 4b 45 52 4e 45 4c
00000242: 00401042: 33 32 2e 64 6c 6c
00000248: 00401048: 00 dc.b 'KERNEL32.dll',0
00000249: 00401049: 00 even

KERNEL32_import:
0000024a: 0040104a: 0000105e dc.l KERNEL32_ExitProcess -ImageBase
0000024e: 0040104e: 0000106c dc.l KERNEL32_GetStdHandle -ImageBase
00000252: 00401052: 0000107c dc.l KERNEL32_ReadFile -ImageBase
00000256: 00401056: 00001088 dc.l KERNEL32_WriteFile -ImageBase
0000025a: 0040105a: 00000000 dc.l 0
even

KERNEL32_ExitProcess:
0000025e: 0040105e: 0000 dc.w 0
00000260: 00401060: 45 78 69 74 50 72
00000266: 00401066: 6f 63 65 73 73 00 dc.b 'ExitProcess',0
even
KERNEL32_GetStdHandle:
0000026c: 0040106c: 0000 dc.w 0
0000026e: 0040106e: 47 65 74 53 74 64
00000274: 00401074: 48 61 6e 64 6c 65
0000027a: 0040107a: 00 dc.b 'GetStdHandle',0
0000027b: 0040107b: 00 even
KERNEL32_ReadFile:
0000027c: 0040107c: 0000 dc.w 0
0000027e: 0040107e: 52 65 61 64 46 69
00000284: 00401084: 6c 65 00 dc.b 'ReadFile',0
00000287: 00401087: 00 even
KERNEL32_WriteFile:
00000288: 00401088: 0000 dc.w 0
0000028a: 0040108a: 57 72 69 74 65 46
00000290: 00401090: 69 6c 65 00 dc.b 'WriteFile',0
even





; ..............................................
; : Start of Code :
; ..............................................


label_block
seg32


winmain::
00000294: 00401094: e8 00000063 _20: bsr.l getc
00000299: 00401099: 83 f8 ff cmpq.l #-1,r0
0000029c: 0040109c: 74 11 beq.b exit
0000029e: 0040109e: 3c 61 cmp.b #'a',r0
000002a0: 004010a0: 72 06 blo.b _10
000002a2: 004010a2: 3c 7a cmp.b #'z',r0
000002a4: 004010a4: 77 02 bhi.b _10
000002a6: 004010a6: 04 e0 add.b #'A'-'a',r0
000002a8: 004010a8: e8 00000009 _10: bsr.l putc
000002ad: 004010ad: eb e5 br.b _20


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; OS specific functions: getc, putc, exit ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

000002af: 004010af: 50 exit: move.l r0,-(sp)
000002b0: 004010b0: ff 15 00401000 jsr.l (ExitProcess) ; exit program

000002b6: 004010b6: 60 putc: movem.l r0-r7,-(sp)
000002b7: 004010b7: 31 c0 eor.l r0,r0
000002b9: 004010b9: 03 05 004010f8 add.l _handle,r0
000002bf: 004010bf: 75 0d bne.b _10
000002c1: 004010c1: 6a f5 moveq.l #-11,-(sp)
000002c3: 004010c3: ff 15 00401004 jsr.l (GetStdHandle)
000002c9: 004010c9: a3 004010f8 move.l r0,_handle
000002ce: 004010ce: 6a 00 _10: moveq.l #0,-(sp)
000002d0: 004010d0: 8d 54 24 10 lea.l 4*4.b(r7),r1
000002d4: 004010d4: 52 move.l r1,-(sp)
000002d5: 004010d5: 6a 01 moveq.l #1,-(sp)
000002d7: 004010d7: 83 c2 10 addq.l #4*4,r1
000002da: 004010da: 52 move.l r1,-(sp)
000002db: 004010db: 50 move.l r0,-(sp)
000002dc: 004010dc: ff 15 0040100c jsr.l (WriteFile)
000002e2: 004010e2: 09 c0 or.l r0,r0
000002e4: 004010e4: 75 08 bne.b _20
000002e6: 004010e6: 6a 00 _30: moveq.l #0,-(sp)
000002e8: 004010e8: ff 15 00401000 jsr.l (ExitProcess)
000002ee: 004010ee: 83 7c 24 0c 01 _20: cmpq.l #1,3*4.b(r7){s7}
000002f3: 004010f3: 75 f1 bne.b _30
000002f5: 004010f5: 61 90 movem.l (sp)+,r0-r7
000002f7: 004010f7: c3 rts.l

even4
000002f8: 004010f8: 00000000 _handle:dc.l 0


000002fc: 004010fc: 31 c0 getc: eor.l r0,r0
000002fe: 004010fe: 60 movem.l r0-r7,-(sp)
000002ff: 004010ff: 03 05 00401148 add.l _handle,r0
00000305: 00401105: 75 0d bne.b _10
00000307: 00401107: 6a f6 moveq.l #-10,-(sp)
00000309: 00401109: ff 15 00401004 jsr.l (GetStdHandle)
0000030f: 0040110f: a3 00401148 move.l r0,_handle
00000314: 00401114: 6a 00 _10: moveq.l #0,-(sp)
00000316: 00401116: 8d 54 24 10 lea.l 4*4.b(r7),r1
0000031a: 0040111a: 52 move.l r1,-(sp)
0000031b: 0040111b: 6a 01 moveq.l #1,-(sp)
0000031d: 0040111d: 83 c2 10 addq.l #4*4,r1
00000320: 00401120: 52 move.l r1,-(sp)
00000321: 00401121: 50 move.l r0,-(sp)
00000322: 00401122: ff 15 00401008 jsr.l (ReadFile)
00000328: 00401128: 09 c0 or.l r0,r0
0000032a: 0040112a: 75 08 bne.b _20
0000032c: 0040112c: 6a 00 moveq.l #0,-(sp)
0000032e: 0040112e: ff 15 00401000 jsr.l (ExitProcess)
00000334: 00401134: 83 7c 24 0c 01 _20: cmpq.l #1,3*4.b(r7){s7}
00000339: 00401139: 74 08 beq.b _30
0000033b: 0040113b: c7 44 24 1c
0000033f: 0040113f: ffffffff move.l #-1,7*4.b(r7){s7}
00000343: 00401143: 61 90 _30: movem.l (sp)+,r0-r7
00000345: 00401145: c3 rts.l

00000346: 00401146: 00 00 even4
00000348: 00401148: 00000000 _handle:dc.l 0




; ..............................................
; : End of Code :
; ..............................................

VSizeOf_text==@-Imagebase-VBaseOf_text
@a=@
0000034c: 0040114c: 00 00 00 00 00 00
00000352: 00401152: 00 00 00 00 00 00
00000358: 00401158: 00 00 00 00 00 00
0000035e: 0040115e: 00 00 00 00 00 00
00000364: 00401164: 00 00 00 00 00 00
0000036a: 0040116a: 00 00 00 00 00 00
00000370: 00401170: 00 00 00 00 00 00
00000376: 00401176: 00 00 00 00 00 00
0000037c: 0040117c: 00 00 00 00 00 00
00000382: 00401182: 00 00 00 00 00 00
00000388: 00401188: 00 00 00 00 00 00
0000038e: 0040118e: 00 00 00 00 00 00
00000394: 00401194: 00 00 00 00 00 00
0000039a: 0040119a: 00 00 00 00 00 00
000003a0: 004011a0: 00 00 00 00 00 00
000003a6: 004011a6: 00 00 00 00 00 00
000003ac: 004011ac: 00 00 00 00 00 00
000003b2: 004011b2: 00 00 00 00 00 00
000003b8: 004011b8: 00 00 00 00 00 00
000003be: 004011be: 00 00 00 00 00 00
000003c4: 004011c4: 00 00 00 00 00 00
000003ca: 004011ca: 00 00 00 00 00 00
000003d0: 004011d0: 00 00 00 00 00 00
000003d6: 004011d6: 00 00 00 00 00 00
000003dc: 004011dc: 00 00 00 00 00 00
000003e2: 004011e2: 00 00 00 00 00 00
000003e8: 004011e8: 00 00 00 00 00 00
000003ee: 004011ee: 00 00 00 00 00 00
000003f4: 004011f4: 00 00 00 00 00 00
000003fa: 004011fa: 00 00 00 00 00 00 evencom FileAlignment
@=@a

FSizeOf_text==@@-FBaseOf_text
SizeOfCode==FSizeOf_text


; +--------------------------------------------+
; | End of .text Section |
; +--------------------------------------------+


; +--------------------------------------------+
; | Start of .idat Section |
; +--------------------------------------------+


FBaseOf_idat==@@
VBaseOf_idat==(@-ImageBase+SectionAlignment-1)/SectionAlignment*SectionAlignment
BaseOfData==VBaseOf_idat
@=ImageBase+VBaseOf_idat

; Insert initialized variables here (and set UseIdatSection=1
; at the top of this file). Because the code section is set
; r/w-able, you can put initialized variables also into the
; code section.

; var1: dc.l 0
; var2: dc.l $12345678

VSizeOf_idat==@-Imagebase-VBaseOf_idat
@a=@
evencom FileAlignment
@=@a
FSizeOf_idat==@@-FBaseOf_idat

; +--------------------------------------------+
; | End of .idat Section |
; +--------------------------------------------+

SizeOfInitializedData==FSizeOf_idat


; +--------------------------------------------+
; | Start of .udat Section |
; +--------------------------------------------+


FBaseOf_udat==@@
VBaseOf_udat==(@-ImageBase+SectionAlignment-1)/SectionAlignment*SectionAlignment
@=ImageBase+VBaseOf_udat

; Insert uninitialized variables here (and set UseUdatSection=1
; at the top of this file). Because the code section is set
; r/w-able, you can put uninitialized variables also at the END
; of the code section.

; buf1: blk.l 10
; buf2: blk.l 200

VSizeOf_udat==@-Imagebase-VBaseOf_udat
@a=@
evencom FileAlignment
@=@a
FSizeOf_udat==@@-FBaseOf_udat

; +--------------------------------------------+
; | End of .udat Section |
; +--------------------------------------------+

SizeOfUninitializedData==VSizeOf_udat
SizeOfImage==(@-ImageBase+SectionAlignment-1)/SectionAlignment*SectionAlignment


;#==================================================================#
;# End of Sections #
;#==================================================================#



useidatsection. 00000000 useudatsection. 00000000 reloc.......... 00000040
doshead_end.... 00000040 dosmain........ 00000000 dosstack....... 00000160
dosfilesize.... 00000160 imagebase...... 00400000 sectionalignment 00001000
filealignment.. 00000200 winheader...... 000000a0 numberofrvaandsize 00000010
sizeofoptionalheader 000000e0 numberofsections 00000001 sizeofheaders.. 00000200
fbaseof_text... 00000200 vbaseof_text... 00001000 baseofcode..... 00001000
iat_start...... 00001000 kernel32_thunk. 00401000 exitprocess.... 00401000
getstdhandle... 00401004 readfile....... 00401008 writefile...... 0040100c
iat_size....... 00000014 imp_start...... 00001014 imp............ 00401014
imp_size....... 00000028 kernel32_name.. 0040103c kernel32_import 0040104a
kernel32_exitprocess 0040105e kernel32_getstdhandle 0040106c kernel32_readfile 0040107c
kernel32_writefile 00401088 winmain........ 00401094 exit........... 004010af
putc........... 004010b6 getc........... 004010fc vsizeof_text... 0000014c
fsizeof_text... 00000200 sizeofcode..... 00000200 fbaseof_idat... 00000400
vbaseof_idat... 00002000 baseofdata..... 00002000 vsizeof_idat... 00000000
fsizeof_idat... 00000000 sizeofinitializeddata 00000000 fbaseof_udat... 00000400
vbaseof_udat... 00002000 vsizeof_udat... 00000000 fsizeof_udat... 00000000
sizeofuninitializeddata 00000000 sizeofimage.... 00002000
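As an added example (not part of the thread, and not Herbert's assembler): this Python parser walks the MZ/PE32 headers described in Wolfgang's table and Herbert's listing, rebuilding the DEMO header bytes from the values in the listing as a constructed sample (the DOS stub and the .text raw data are zero-filled stand-ins), and applies the bounds and consistency checks a loader or file scanner needs before trusting e_lfanew, the data directory count, the section table and the entry point.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristic b29 (executable object) in the tables above
OPT_FMT = "<HBB9I6H4IHH6I"          # the 96 fixed bytes of the PE32 optional header, before the data directory
SECT_FMT = "<8sIIIIIIHHI"           # one 40-byte section (object table) entry

def build_sample_image() -> bytes:
    """Rebuild the MZ/PE headers of the DEMO listing from its listed field values.
    The DOS stub and the .text raw data are zero-filled stand-ins (constructed)."""
    dos = bytearray(0xA0)
    dos[0:2] = b"MZ"
    struct.pack_into("<HHHH", dos, 0x02, 0x160, 1, 0, 4)       # bytes on last page, pages, relocs, header paragraphs
    struct.pack_into("<HHHHHHHHH", dos, 0x0A, 0, 0xFFFF, 0, 0x160, 0, 0, 0, 0x40, 0)
    struct.pack_into("<I", dos, 0x3C, 0xA0)                    # e_lfanew: the PE header follows the stub
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0x36A57950, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT_FMT, 0x10B, 5, 12,
                      0x200, 0, 0, 0x1094, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,                        # OS, image and subsystem versions
                      0, 0x2000, 0x200, 0,                     # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0,                                    # Subsystem (character), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (0x1014, 0x28)                                   # Import Directory
    dirs[12] = (0x1000, 0x14)                                  # Import Address Table
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack(SECT_FMT, b".text", 0x14C, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000020)
    hdr = bytes(dos) + coff + opt + sect
    return hdr.ljust(0x200, b"\0") + b"\0" * 0x200             # headers padded to FileAlignment, then .text

def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE32 headers; every offset is bounds-checked before it is dereferenced."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew > len(data) - 24:
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 96 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    f = struct.unpack_from(OPT_FMT, data, opt_off)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    hdr = dict(machine=machine, characteristics=chars, entry=f[6], image_base=f[9],
               section_align=f[10], file_align=f[11], size_of_image=f[19],
               size_of_headers=f[20], subsystem=f[22], num_dirs=f[29])
    ndirs = min(hdr["num_dirs"], 16)                 # the loader ignores entries beyond 16
    if 96 + 8 * ndirs > opt_size:
        raise ValueError("data directory overruns SizeOfOptionalHeader")
    hdr["dirs"] = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(ndirs)]
    sect_off = opt_off + opt_size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table truncated")
    hdr["sections"] = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(SECT_FMT, data, sect_off + 40 * i)
        hdr["sections"].append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                                    vsize=vsize, va=va, rsize=rsize, rptr=rptr, flags=flags))
    return hdr

def check_image(data: bytes) -> list:
    """Consistency checks a loader or a file scanner applies to the parsed headers; returns findings."""
    hdr = parse_pe(data)
    issues = []
    fa, sa = hdr["file_align"], hdr["section_align"]
    if fa & (fa - 1) or sa < fa:
        issues.append("bad alignment: FileAlignment %#x, SectionAlignment %#x" % (fa, sa))
    if hdr["size_of_headers"] > len(data):
        issues.append("SizeOfHeaders exceeds the file size")
    entry_sect = None
    for s in hdr["sections"]:
        span = max(s["vsize"], s["rsize"])           # bytes the loader maps for this section
        if s["rptr"] + s["rsize"] > len(data):
            issues.append("section %s: raw data runs past the end of the file" % s["name"])
        if s["va"] + span > hdr["size_of_image"]:
            issues.append("section %s extends beyond SizeOfImage" % s["name"])
        if s["va"] <= hdr["entry"] < s["va"] + span:
            entry_sect = s
    if entry_sect is None:
        issues.append("AddressOfEntryPoint %#x lies in no section" % hdr["entry"])
    elif not entry_sect["flags"] & IMAGE_SCN_MEM_EXECUTE:
        issues.append("entry point is in the non-executable section %s" % entry_sect["name"])
    return issues
```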

wolfgang kern

Jan 5, 2024, 5:34:08 AM
On 05/01/2024 10:14, Herbert Kleebauer wrote:
> On 05.01.2024 07:40, wolfgang kern wrote:
>> ***
>> I'm not sure about the PE-file contents (the last part below)
>> if you can enter what's missing or correct anything please do :)
>> TIA
>> ***

> Here the PE header (starting at file position $00a0) of a
> minimal Win32 program. But the information is more than
> 30 years old.

thx, I copied it to my other PE info,
but because I need it for efix64 I still may miss a lot.
__
wolfgang

wolfgang kern

Jan 7, 2024, 12:58:05 AM
On 05/01/2024 11:34, I wrote:

still many question marks in there
(my size cast: b/w/q/dq/qq/dqq/qqq for 8/16/32/64/128/256/512)

info gathered from WIKI and Herbert's PE.
the PE-file: ;but it should be UEFI x86-64 conformant

is my main code an object or not?
TIA for any insight.
__
wolfgang

-------------------------------------------------------
000 w 5A4D "MZ" DOS 2.0 Compatible EXE Header
002 w .... remaining bytes on last sector, aka tail start (0160)?
004 w 0001 file size (in 512 byte sectors)
006 w 0000 number of relocation entries ??? required or not ???
008 w 0004 DOS header size (in 16 byte paragraphs) ==0040
00a w 0000 needed minimum extra paragraphs
00c w ffff needed maximum extra paragraphs ?? why max ???
00e w 0000 add SS (to load-address)
010 w .... SP initial (0160 if it use the tail here)
012 w 0000 checksum (of what and how)
014 w 0000 IP initial
016 w 0000 add CS (to load address)
018 w 0040 offset of RELOCATION table **** useless if none ???
01a w 0000 overlay number
01c dq.... reserved, all Zero
024 w 0000 OEM identifier, mine would be "KE" even not recognized
026 w 0000 OEM specific
028 .... unused, all Zero
03c q 00a0 Offset to PE Header (relative to file-start)
040 ... relocation table (if any at all)

;DOS 2.0 Stub Program
040 push CS ;assume it's 0004 (from DOS header size) yet ???
041 pop DS
042 mov DX,000e
045 mov AH,09
047 INT_21
049 mov AX,4c01
04c INT_21
04e (aka 000e) just text+$ 0004:000e

------------
PE HEADER
pointed to by file-offset 003c q
+[003c]q == 00a0 yet
0a0 q 00004550 "PE"0,0 SIGNATURE
0a4 w 0000 Unknown CPU TYPE
014C 80386
014D 80486
014E PentiumTM
???? RYZEN 5/6.. ????

0a6 w 0001 number of sections
0a8 q 3700_0000 TIMESTAMP (seconds since 31.12.69 16:00)
0ac q reserved Zero/ PointerToSymbolTable
0b0 q reserved Zero/ NumberOfSymbols
0b4 w 00e0 why? SizeOfOptionalHeader
0b6 w 010f (I had 030f) Characteristics-flags

bit# my |if set
0 1 Relocation info stripped from file.
1 1 File is executable (i.e. no unresolved external references).
2 1 Line numbers stripped from file.
3 1 Local symbols stripped from file.
4 0 Aggressively trim working set
5..6 00 ??
7 0 Bytes of machine word are reversed.
8 1 ? 32 bit word machine.
9 1 Debugging info stripped from file in .DBG file
10 0 If Image is on removable media, copy and run from swap file.
11 0 If Image is on Net, copy and run from the swap file.
12 0 System File.
13 0 File is a DLL.
14 0 File should only be run on a UP machine
15 0 Bytes of machine word are reversed.

0b8 w 010b MAGIC # ??
0ba b 05 ?? major linker version
0bb b 0c ?? minor
0bc q any SizeOfCode
0c0 q any SizeOfInitializedData
0c4 q any SizeOfUninitializedData
0c8 q ???? /winmain-ImageBase;AddressOfEntryPoint (0000_1094) ????
0cc q any BaseOfCode
0d0 q any BaseOfData
0d4 q ... IMAGE BASE (0040_0000) ??? required by UEFI ???
0d8 q 1000 SectionAlignment
0dc q 0200 FileAlignment
0e0 w ? MajorOperatingSystemVersion
0e2 w 0 minorOperatingSystemVersion
0e4 w 0 MajorImageVersion
0e6 w 0 MinorImageVersion
0e8 w ? MajorSubsystemVersion
0ea w 0 MinorSubsystemVersion
0ec q 0 Win32VersionValue
0f0 q any SizeOfImage
0f4 q 0200 SizeOfHeaders ?
0f8 q 0 CheckSum of what?
0fc w 0003 SUBSYSTEM

bit# my |if set
0 1 Unknown subsystem.
1 1 Image doesn't require a subsystem.
2 0 Image runs in the Windows GUI subsystem.
3 0 Image runs in the Windows character subsystem.
4 0 ?
5 0 image runs in the OS/2 character subsystem.
6 0 ?
7 0 image run in the Posix character subsystem.
8 0 image run in the 8 subsystem.
9..15 all zero

0fe w 0000 DLL Characteristic flags
Indicates special loader requirements.
b0 Per-Process Library Initialization
b1 Per-Process Library Termination
b2 Per-Thread Library Initialization
b3 Per-Thread Library Termination
b15..4 reserved for future use and should be set to zero.

0100 q any STACK RESERVE SIZE SizeOfStackReserve
0104 q any STACK COMMIT SIZE SizeOfStackCommit
0108 q any HEAP RESERVE SIZE SizeOfHeapReserve
010c q any HEAP COMMIT SIZE SizeOfHeapCommit
0110 q 0 loader-flags ???? (guess what this is) ????
0114 q any NumberOfRvaAndSize (entries in the data dir)
0118 dq 0 EXPORT DIRECTORY start+size
0120 dq 0 IMPORT DIRECTORY start+size
0128 dq 0 Resource Directory
0130 dq 0 Exception Directory
0138 dq 0 Security Directory
0140 dq 0 Base Relocation Table
0148 dq 0 Debug Directory
0150 dq 0 Description String
0158 dq 0 Machine Value (MIPS GP)
0160 dq 0 THREAD LOCAL STORAGE TLS Directory
0168 dq 0 Load Configuration Directory
0170 dq 0 Bound Import Directory in headers
0178 q 00000014 Import Address Table "IAT" ???? what for ???
017c q 00001000 size
0180 dq 0 RVA/14 ;SIZE
0188 dq 0 RVA/15 ;SIZE
0190 dq 0 RVA/16 ;SIZE

-----------------------
object table:
Each Object Table entry has this format (40 bytes):
000 dq strptr ??? or 7char+00 OBJECT NAME (ascii Z-pad)
008 q VIRTUAL SIZE /(VSizeOf_text/VSizeOf_idat/VSizeOf_udat)
00c q RVA /VBaseOf_text
010 q PHYSICAL SIZE /FSizeOf_text ;raw data
014 q PHYSICAL OFFSET /FBaseOf_text ;raw data
018 q RESERVED /pointer to relocations
01c q RESERVED /pointer to line numbers
020 w 0 number of relocations
022 w ?? number of line numbers
024 q OBJECT FLAGS (E0000020/40/80)
b5 Code object
b6 Initialized data object
b7 Uninitialized data object
b26 Object must not be cached
b27 Object is not pageable
b28 Object is shared
b29 Executable object
b30 Readable object
b31 Writable object

wolfgang kern

Jan 11, 2024, 1:36:06 AM
On 05/01/2024 11:34, wolfgang kern wrote:
[about newer PE files]
Found on the net:

CPU-type
8664 AMD64
0EBC EFI bytecode
Magic number
020B PE32+
and a summary of characteristic flags:
https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#characteristics

more info to come soon.
__
wolfgang
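Added example for the PE walk-through in this thread (the header layout in the Jan 7 post and the x64/PE32+ values in the Jan 11 post); it is not code from the posts or from KESYS. The script builds a one-section PE32+ file image with the fields a UEFI x64 loader looks at (machine 0x8664, magic 0x20B, subsystem 10 = EFI application, a 240-byte optional header with all 16 data directories, one section table entry, which is what the old Microsoft docs call an "object"), then parses it back the way a loader should: every offset taken from the file is bounds-checked before it is dereferenced, and NumberOfRvaAndSizes is capped before it is used to index the directory array, since an untrusted image can set it to anything. Assumptions: the DOS header carries no stub (e_lfanew = 0x40), ImageBase is 0x400000, the .text content is a single RET rather than a real EFI entry point, and IMAGE_FILE_RELOCS_STRIPPED is set only because that one byte has nothing to relocate; a real EFI application is loaded at an arbitrary address, so it would normally carry a .reloc section instead.

```python
"""Minimal PE32+ image laid out for UEFI x64: build it, then parse it back strictly.
Added example for this thread, not code from the posts or from KESYS; the .text holds a
placeholder (one RET), so this exercises the headers and is not a bootable EFI application."""
import struct

MZ, PE_SIG, MACHINE_AMD64, MAGIC_PE32PLUS = 0x5A4D, 0x00004550, 0x8664, 0x20B
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}
F_RELOCS_STRIPPED, F_EXECUTABLE, F_LARGE_ADDR = 0x0001, 0x0002, 0x0020
SCN_CODE, SCN_EXEC, SCN_READ = 0x00000020, 0x20000000, 0x40000000
FILE_ALIGN, SECT_ALIGN, NUM_DIRS = 0x200, 0x1000, 16
E_LFANEW = 0x40                                  # assumption: PE header right after the 64-byte DOS header, no stub
COFF_FMT = "<IHHIIIHH"                           # "PE\0\0" + 20-byte COFF file header
OPT_FIXED = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"    # PE32+ optional header up to NumberOfRvaAndSizes (112 bytes)
OPT_FMT = OPT_FIXED + "II" * NUM_DIRS            # plus 16 RVA/size pairs (240 bytes = 0xF0)
SECT_FMT = "<8sIIIIIIHHI"                        # 40-byte section table entry

def align_up(n, a):
    return (n + a - 1) & ~(a - 1)

def build_efi_image(code=b"\xC3", image_base=0x400000):
    """Return a one-section PE32+ file image of an x64 EFI application."""
    text_rva, text_file = SECT_ALIGN, FILE_ALIGN       # .text at RVA 0x1000, file offset 0x200
    raw_size = align_up(len(code), FILE_ALIGN)
    size_of_image = text_rva + align_up(len(code), SECT_ALIGN)
    hdr_len = E_LFANEW + struct.calcsize(COFF_FMT) + struct.calcsize(OPT_FMT) + struct.calcsize(SECT_FMT)
    size_of_headers = align_up(hdr_len, FILE_ALIGN)    # 0x170 rounded up to 0x200
    dos = struct.pack("<H", MZ).ljust(0x3C, b"\0") + struct.pack("<I", E_LFANEW)
    coff = struct.pack(COFF_FMT, PE_SIG, MACHINE_AMD64, 1, 0, 0, 0, struct.calcsize(OPT_FMT),
                       F_RELOCS_STRIPPED | F_EXECUTABLE | F_LARGE_ADDR)
    opt = struct.pack(OPT_FMT, MAGIC_PE32PLUS, 0, 0,   # Magic, linker major/minor
                      raw_size, 0, 0,                  # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      text_rva, text_rva,              # AddressOfEntryPoint, BaseOfCode (PE32+ has no BaseOfData)
                      image_base, SECT_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0, 0,   # ImageBase, alignments, 3 version pairs
                      0, size_of_image, size_of_headers, 0,      # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      10, 0, 0x10000, 0x1000, 0x10000, 0x1000,   # Subsystem = EFI application, DllCharacteristics, stack/heap
                      0, NUM_DIRS, *([0] * 2 * NUM_DIRS))        # LoaderFlags, NumberOfRvaAndSizes, 16 empty directories
    sect = struct.pack(SECT_FMT, b".text", len(code), text_rva, raw_size, text_file, 0, 0, 0, 0,
                       SCN_CODE | SCN_EXEC | SCN_READ)
    return (dos + coff + opt + sect).ljust(size_of_headers, b"\0") + code.ljust(raw_size, b"\0")

def parse_pe32plus(img):
    """Parse a PE32+ image, bounds-checking every header-derived offset before reading through it."""
    def need(off, n, what):
        if off + n > len(img):
            raise ValueError(f"{what} at {off:#x}+{n:#x} exceeds file size {len(img):#x}")
    need(0, 0x40, "DOS header")
    if struct.unpack_from("<H", img, 0)[0] != MZ:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    need(e_lfanew, struct.calcsize(COFF_FMT), "PE header")
    sig, machine, nsects, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, img, e_lfanew)
    if sig != PE_SIG or machine != MACHINE_AMD64:
        raise ValueError(f"not an x64 PE image (signature {sig:#x}, machine {machine:#x})")
    opt_off = e_lfanew + struct.calcsize(COFF_FMT)
    need(opt_off, opt_size, "optional header")
    if opt_size < struct.calcsize(OPT_FIXED):
        raise ValueError("optional header too short for PE32+")
    f = struct.unpack_from(OPT_FIXED, img, opt_off)
    magic, entry, image_base, sect_align, file_align = f[0], f[6], f[8], f[9], f[10]
    size_of_image, size_of_headers, subsystem, n_dirs = f[18], f[19], f[21], f[28]
    if magic != MAGIC_PE32PLUS:
        raise ValueError(f"magic {magic:#x} is not PE32+ (0x20b)")
    if subsystem not in EFI_SUBSYSTEMS:
        raise ValueError(f"subsystem {subsystem} is not an EFI subsystem")
    # NumberOfRvaAndSizes is read from the file: cap it before indexing the directory array with it.
    if n_dirs > NUM_DIRS or struct.calcsize(OPT_FIXED) + 8 * n_dirs > opt_size:
        raise ValueError(f"NumberOfRvaAndSizes {n_dirs} does not fit in the optional header")
    dirs = struct.unpack_from("<" + "II" * n_dirs, img, opt_off + struct.calcsize(OPT_FIXED))
    if any(a == 0 or a & (a - 1) for a in (file_align, sect_align)) or sect_align < file_align:
        raise ValueError("alignments must be powers of two with SectionAlignment >= FileAlignment")
    sect_off = opt_off + opt_size
    need(sect_off, nsects * struct.calcsize(SECT_FMT), "section table")
    sections, entry_ok = [], False
    for i in range(nsects):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECT_FMT, img, sect_off + 40 * i)
        span = max(vsize, rawsize)
        if rva % sect_align or rva + span > size_of_image:
            raise ValueError(f"section {name!r} is misaligned or lies outside SizeOfImage")
        need(rawptr, rawsize, f"raw data of {name!r}")   # must hold before a loader copies the section
        entry_ok |= rva <= entry < rva + span and bool(flags & SCN_EXEC)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, rawptr, rawsize, flags))
    if not entry_ok:
        raise ValueError(f"entry point {entry:#x} is not inside an executable section")
    return {"machine": machine, "characteristics": chars, "entry": entry, "image_base": image_base,
            "subsystem": EFI_SUBSYSTEMS[subsystem], "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "reloc_dir": dirs[10:12], "sections": sections}

def rejects(img):
    try:
        parse_pe32plus(img)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    image = build_efi_image()
    print(parse_pe32plus(image))
    # NumberOfRvaAndSizes sits at optional-header offset 108; set it to 0xFFFFFFFF and try again.
    evil = image[:E_LFANEW + 24 + 108] + b"\xFF" * 4 + image[E_LFANEW + 24 + 112:]
    print("bad directory count rejected:", rejects(evil), "truncated file rejected:", rejects(image[:0x300]))
```

Writing the image to a file with a `.efi` extension and opening it in a PE viewer is a quick way to check the field offsets in the table above against a real parser; the parser half of the script is the more important part for anyone writing a loader, because every check it makes corresponds to a header value an attacker-supplied image controls.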