[Dailydave] tiny PE now at... 304 bytes. Is this the end?

Dave Korn dave.korn at artimi.com
Mon Oct 23 13:48:22 Local tim 2006


On 21 October 2006 00:35, BobCat wrote:

> On 10/20/06, Dave Korn <dave.korn at artimi.com> wrote:
> 
>>  It may be two bytes, but all it does is raise an exception.  That's not
>> "grabbing a file from the internet and executing it".
> 
> I think it does actually get executed. That was the only spec. Not
> that it does anything useful...

  No, you need to re-read the thread... the spec was more than that:

"  The challenge was to create a PE that downloads a file from the Internet
and executes it, which will be smaller than what his friends did. He got
to 411 bytes.  "

  Still, as long as we're going for utterly minimal programs, based on the old
16-bit .com format, that don't even have to do anything, I can beat you by
50%, trivially:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\dk>dir foo.exe
 Volume in drive C has no label.
 Volume Serial Number is 5C59-B377

 Directory of C:\Documents and Settings\dk

23/10/2006  14:42                 1 foo.exe
               1 File(s)              1 bytes
               0 Dir(s)   6,313,840,640 bytes free

C:\Documents and Settings\dk>od -t x1 foo.exe
0000000 c3
0000001

C:\Documents and Settings\dk>.\foo.exe

C:\DOCUME~1\dk>debug foo.exe
-u 100 100
0D3B:0100 C3            RET
-g

Program terminated normally
-q

C:\DOCUME~1\dk>

  Hey, my one doesn't even crash like yours does!  :)

  However, you have raised a good point: the small downloader exe could
probably be squeezed even more if it was put in a .com format rather than a
.exe; the space saved on headers would be easily enough for a shellcode to
look up loadlibrary and getprocaddress, but it depends what restrictions there
are that I don't know about on 16-bit apps.

>>  OTOH, what does "NTVDM does not support a ROM BASIC" mean?  Sounds
>> interesting...
> 
> The program is just INT 18
> 
> http://lrs.uni-passau.de/support/doc/interrupt-57/RB-2177.HTM
> 
> and there's no reason for a virtual ROM BASIC, so it's not there. Try
> that program on a 386 under OS/2 2.0 and the BIOS reports "NO ROM
> BASIC" in big block letters (in a window) which is what you saw if you
> did not have a boot device. Usually that is - many systems behaved
> this way back then. I never tried it on a machine with rom basic,
> which I think only the IBM PC and XT had.

  Oh, blimey, it's a hangover from the old PCjr!  I remember those things!
(IIRC the PCjr was the only one that had rom basic, the standard AT/XT models
didn't).

> I wrote a 6 (iirc) byte program that under OS/2 would open a window
> with the BIOS setup running in it. Can't find it atm.

  Now you're getting really obscure!


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
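As an added illustration (not code from the thread or from its authors), the Python below does in software what the od/debug session in the message does by hand: it sniffs whether an image carries a PE header, only an MZ header, or no header at all (which DOS and NTVDM treat as a raw .com image), and then walks a one-byte RET through a simulated .com load to show why DEBUG reports "Program terminated normally": DOS pushes a zero word before entry and the PSP at CS:0000 begins with an INT 20h (CD 20), so RET lands on the terminate call. The sample images and the PSP model are constructed here, not taken from any real file.

```python
"""Sniff an executable container and trace a tiny DOS .com image."""
import struct

# Constructed sample images for the demonstration.
COM_RET = b"\xc3"                      # the 1-byte foo.exe: a lone RET
COM_INT18 = b"\xcd\x18"                # "the program is just INT 18"
TINY_PE = (b"MZ" + b"\x00" * 58        # DOS stub padded to offset 0x3C
           + struct.pack("<I", 64)     # e_lfanew -> PE signature at 64
           + b"PE\x00\x00" + b"\x00" * 20)


def sniff(image: bytes) -> str:
    """Return 'pe', 'mz' or 'com' for a raw executable image."""
    if image[:2] != b"MZ":
        return "com"                   # no header: loaded as a raw .com image
    if len(image) >= 0x40:
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz"                        # MZ header but no PE signature


def trace_com(image: bytes, max_steps: int = 8) -> list:
    """Model the DOS .com load: PSP at CS:0000 starting with INT 20h, image at
    CS:0100, a zero word on the stack.  Only RET and INT n are decoded."""
    seg = bytearray(0x10000)
    seg[0:2] = b"\xcd\x20"             # PSP offset 0: INT 20h (terminate)
    seg[0x100:0x100 + len(image)] = image
    stack = [0x0000]                   # DOS pushes 0000 before jumping to 0100
    ip, log = 0x100, []
    for _ in range(max_steps):
        op = seg[ip]
        if op == 0xC3:                 # RET pops the zero word -> CS:0000
            ip = stack.pop()
            log.append("RET -> %04X" % ip)
        elif op == 0xCD:
            n = seg[ip + 1]
            log.append("INT %02X" % n)
            if n == 0x20:
                log.append("terminated normally")
                break
            if n == 0x18:              # ROM BASIC entry; NTVDM has none
                log.append("ROM BASIC entry point")
                break
            ip += 2
        else:                          # anything else: stop the toy decoder
            log.append("DB %02X" % op)
            break
    return log


if __name__ == "__main__":
    for name, img in (("foo.exe", COM_RET), ("int18", COM_INT18)):
        print(name, sniff(img), trace_com(img))
```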