False Alarm

Started by hello, December 09, 2008, 03:19:51 PM


jorgon

Really!

That is very nasty indeed.
Someone complained once about that string in the MSDOS stub, but you've found that it has another valuable use.

Does this mean that if someone did want to use GoAsm and GoLink to make a trojan it would not be picked up by the anti virus software?


Author of the "Go" tools (GoAsm, GoLink, GoRC, GoBug)

rkhb

And the next problem: Antivir doesn't allow me to link a console program against MSVCRT.DLL   :snooty:

But now I know the solution: since I don't want to do without GoLink, I have to change to GoAsm :P

best regards
ralph


dedndave

I really hope we don't get into the habit of "fixing" our code because the programmers at Avira are being lazy. At least, that is how it appears to me. They have some catch-all code in their av program that needs to be removed. This should not become our problem. I suggest using a different av program altogether.

Vortex

Quote from: rkhb on April 06, 2009, 05:41:02 PM
And the next problem: Antivir doesn't allow me to link a console program against MSVCRT.DLL   :snooty:

But now I know the solution: since I don't want to do without GoLink, I have to change to GoAsm :P

best regards
ralph

I am using Avira Personal Edition with the latest updates and I don't have any problem with linking this console application against msvcrt.dll:

; Demo built with GoAsm.Exe Version 0.56.5b and GoLink.Exe Version 0.26.9e
; Imports: _strupr, _strlwr, printf from msvcrt.dll; ExitProcess from kernel32.dll

.data

msg     db 'hello world!',0
msg2    db 'THIS IS A MSVCRT DEMO.',0
format1 db '%s',13,10,'%s',0

.code

start:

    invoke  _strupr,ADDR msg                    ; cdecl: caller removes the one argument
    add     esp,4
    invoke  _strlwr,ADDR msg2
    add     esp,4
    invoke  printf,ADDR format1,ADDR msg,ADDR msg2
    add     esp,3*4                             ; three arguments were pushed
    invoke  ExitProcess,0                       ; stdcall: callee cleans the stack


Jotti reports the final executable as clean.

Could you attach your project here so we can test it?

[attachment deleted by admin]

rkhb

Hi Vortex!

You misunderstood me. So far I have assembled with Nasm and linked with GoLink. Linking without /CONSOLE causes a "TR/Crypt.XPACK.Gen" alarm. So I thought I could at least link with /CONSOLE. Far from it!

I attach a little program which shows dividing two integers without using DIV:

1) GoAsm and GoLink, linked against MSVCRT.DLL,
2) GoAsm and GoLink, linked against CRTDLL.DLL,
3) Nasm and GoLink, linked against MSVCRT.DLL,
4) Nasm and GoLink, linked against CRTDLL.DLL.

I sent the four Executables to www.virustotal.com and got only an alarm for No. 3).

best regards
ralph

[attachment deleted by admin]

GregL

I agree with dedndave, it's the anti-virus software company's problem, not ours.

I have been running without an anti-virus program for a few months now and I haven't had any problems.  I'm coming to the conclusion that anti-virus software is just not necessary as long as you are careful.


Vortex

Hi rkhb,

I understand the situation but you should be more specific in that posting. There was no reference to a Nasm+GoLink test.

Vortex

rkhb,

Could you please test this version? It's reported clean by VirusTotal:

; Name:     test.asm
; Assemble: GoAsm.exe test.asm
; Link:     a) GoLink.exe test.obj /console /entry _main test.exe kernel32.dll msvcrt.dll


.DATA
    Dividend: dd 3979415386
    Divisor:  dd 100000
    fmt:      db "%u div %u = %u",10,0
    Quotient dd ?

.CODE
_main:                                 ; EDI = EAX / EBX (unsigned, shift-and-subtract)
        mov eax, [Dividend]
        mov ebx, [Divisor]
        xor edi, edi                   ; Quotient = 0 (initial value)
        xor edx, edx                   ; partial remainder (EDX) = 0 (initial value)
        mov cl, 32                     ; 32 loop iterations: for (CL=32; CL>0; CL--)
    Schleife:
        shl eax, 1                     ; bit 31 of EAX ...
        rcl edx, 1                     ;     ... into bit 0 of EDX
        cmp ebx, edx                   ; carry set if EDX > Divisor (case "White")
        ja >Sprungmarke                ; jump if Carry=0 and Zero=0 (result not zero)
        sub edx, ebx                   ; case "White": EDX = EDX - EBX
        stc                            ; set carry
    Sprungmarke:
        rcl edi, 1                     ; append carry (0 or 1) to the quotient
        sub cl, 1
        jnz Schleife
        mov [Quotient], edi

        PUSH [Quotient], [Divisor], [Dividend], ADDR fmt   ; pushed in this order, fmt ends on top
        call printf ; msvcrt.dll
        add     esp,16                 ; cdecl: caller removes 4 arguments

        xor eax, eax                   ; exit code = 0
        invoke ExitProcess,eax
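As an added illustration (my code, not from this thread or from the Go tools), here is the same shift-and-subtract loop written out in Python with the register roles kept, so the per-bit decision can be traced on the program's own values; it also reproduces the printf line.

```python
MASK32 = 0xFFFFFFFF


def restoring_divide(dividend: int, divisor: int) -> tuple[int, int]:
    """Unsigned 32-bit restoring division mirroring the GoAsm loop:
    EAX = dividend, EBX = divisor, EDX = partial remainder, EDI = quotient,
    CL = 32 iterations.  Returns (quotient, remainder)."""
    if divisor == 0:
        raise ZeroDivisionError("divisor is zero")
    eax, ebx, edx, edi = dividend & MASK32, divisor & MASK32, 0, 0
    for _ in range(32):                        # mov cl,32 ... sub cl,1 / jnz
        carry = eax >> 31                      # shl eax,1: bit 31 goes to CF
        eax = (eax << 1) & MASK32
        # rcl edx,1: CF becomes bit 0 of EDX.  As in the asm, EDX is a 32-bit
        # register, so a divisor >= 2**31 can lose a remainder bit here.
        edx = ((edx << 1) | carry) & MASK32
        if ebx > edx:                          # cmp ebx,edx / ja: divisor still larger
            carry = 0                          #   -> quotient bit is 0
        else:                                  # sub edx,ebx / stc
            edx -= ebx                         #   -> subtract, quotient bit is 1
            carry = 1
        edi = ((edi << 1) | carry) & MASK32    # rcl edi,1: append the bit
    return edi, edx


def format_like_printf(dividend: int, divisor: int) -> str:
    """The text the program prints through fmt "%u div %u = %u"."""
    quotient, _ = restoring_divide(dividend, divisor)
    return f"{dividend} div {divisor} = {quotient}"


if __name__ == "__main__":
    print(format_like_printf(3979415386, 100000))
```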

rkhb

@Vortex

In Reply #14 of this thread I wrote "For me assembling with Nasm...". Why should I write in Reply #16 "...I have to change to GoAsm"?

I don't need to test your program, I'm sure you are right. In Reply #14 I assumed that Antivir and McAfee have a general exception for programs assembled with GoAsm. They check the string in the MSDOS stub generated by GoLink. I presume that any OBJ-file which is not generated by GoAsm would be linked by GoLink to an Executable which will cause Antivir and McAfee to complain.

@Greg

Who is "ours"? It's primarily my problem because I can't publish a program which causes a Trojan horse alarm - whencesoever (this word really exists in my dictionary ::)). If people faced the choice to delete my program or the AV program - which choice will they make? But I can solve my problem: I change the assembler or I change the linker. My intention for my postings was to help and not to get help.

best regards
ralph