[Code-Crunchers] Tiny PE: now 274 bytes

Arkon arkon at ragestorm.net
Mon Oct 23 02:55:01 CDT 2006 

Yep, I work on a yet smaller version.

I really liked your loadlibrary idea, instead of running an .exe you can
indeed only load the new lib you just dl'ed. :) this will spare lots of
bytes...

But I want first to stick to the original code, and try to crunch it and
reuse the PE header as much as possible.

Matthew here already said about DAV, that you can do something like:
WinExec("\\ragestorm.net/f.exe");
But this will really limit the Windows versions that the TinyPE runs on,
already now - it is very limited anyways...

BTW - I checked that DWORD signature stuff (to get URLDownloadToFileA), I
managed to find a signature for two versions, they weren't DWORD-aligned,
and the distance from the start wasn't the same, and other versions didn't
have that same DWORD. Maybe it's still possible, I'm not saying it is not,
but it will require some more code probably, and I'm not sure, eventually,
whether it is worth.... oh well. :)

> -----Original Message-----
> From: Brett Moore [mailto:brett.moore at security-assessment.com]
> Sent: Monday, October 23, 2006 4:01 AM
> To: code-crunchers at whitestar.linuxbox.org
> Subject: Re: [Code-Crunchers] Tiny PE: now 274 bytes
> 
> I saw that someone has got it smaller but not made public yet, so
> they might already be doing this. Anyway, how about instead of
> using winexec, just reuse loadlibrary() to run a downloaded .dll
> 
> If DAV/SMB sharing is to be considered then just loadlibrary() the
> remote dll to do a download and exec in one call.
> 
> Brett
> -----Original Message-----
> From: Arkon [mailto:arkon at ragestorm.net]
> Sent: Sunday, 22 October 2006 8:13 p.m.
> To: Brett Moore; code-crunchers at whitestar.linuxbox.org
> Subject: RE: [Code-Crunchers] Tiny PE: now 274 bytes
> 
> Well, you do got the source, although in binary form...
> Peter, you expect people do OCR on your BMP? :)
> 
> > -----Original Message-----
> > From: Brett Moore [mailto:brett.moore at security-assessment.com]
> > Sent: Sunday, October 22, 2006 7:05 AM
> > To: code-crunchers at whitestar.linuxbox.org
> > Subject: [Code-Crunchers] Tiny PE: now 274 bytes
> >
> > Heya..
> >
> > Is there any source or more details on the makeup of your current .exe
> > for us to play
> > with, or are we meant to write our own?
> > Cheers
> >
> > Brett
> > _______________________________________________
> > Code-Crunchers mailing list
> > Code-Crunchers at whitestar.linuxbox.org
> > http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
> 
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers

More information about the Code-Crunchers mailing list