GoAsm 53 bug? or GoLink 0.2.5.4 bug?

[Infro_X]

When I create the following executable the address doesn't match to the address that was filled in by the IAT/Import Table/Loader.

Code Select Expand


OllyDbg Output:
00401000 >/$ A1 06204000    MOV EAX,DWORD PTR DS:[402006]
00401005  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00401007  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
00401009  \. E8 F20F0000    CALL <JMP.&KERNEL32.ExitProcess>         ; \ExitProcess


It should be

Code Select Expand


MOV EAX,DWORD PTR DS:[40204C]
or
OllyDbg Output:
00401000 >   A1 4C204000    MOV EAX,DWORD PTR DS:[<&kbhook.counter>]
00401005  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
00401007  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
00401009  \. E8 F20F0000    CALL <JMP.&KERNEL32.ExitProcess>         ; \ExitProcess


Anyone?

[attachment deleted by admin]

[Infro_X]

Well found something..
Using:
golink testkbhook.obj /entry Start   kernel32.dll   user32.dll   kbhook.dll
or
golink testkbhook.obj /entry Start   user32.dll   kernel32.dll

produces a bad file(s)

Using:
golink testkbhook.obj /entry Start   kbhook.dll   kernel32.dll   user32.dll

produces a good file

[jorgon]

Hi Infro_X

Do you think this has something to do with the order in which you declare the Dlls?

GoLink looks inside the Dlls from left to right to see if they contain the imported function.

You can override this using eg. CALL kbhook:function

This will cause GoLink only to look inside kbhook.dll for the imported function.

[Infro_X]

Not 100 percent sure, but i think it has to do with the number of imports before the "bugged" import is imported.

698-user32
548-gdi32
832-kernel32

(# of imports)
If i do, gdi,user,mydll,kernel, it works
If i do, gdi,kernel,mydll,user, it works                  ;564 imports
If i do, user,kernel,mydll,gdi, it DOES NOT work   ;5FA imports

If i do, any,any,any,mydll, it DOES NOT work
If i do, any,mydll,any,any, it works
If i do, mydll,any,any,any, it works

,but, that doesn't conicide with what was happening before

goasm assembledangit.asm
golink assembledangit.obj /entry Start   kernel32.dll      kbhook.dll
= bad file

[jorgon]

Infro_x

Looking more closely at your file, this certainly seems to be a bug in GoLink, involving importing pointers to data where that data is contained in a dll.

I'll try to produce a fix for this asap.

[jorgon]

Hi Infro_x

I believe I have fixed the problem in GoLink causing your difficulties.  An internal pointer within GoLink used when setting up the import address table was sometimes 6 bytes behind where it should have been.  This made no difference in most cases since the pointer was only important for data pointer imports.  However if you used a data pointer import immediately after a particular type of code import the data import might not be found properly.  I suppose, since data pointer imports are not used very often this is why this has not been reported before as an error.
Thanks a lot for letting me know about this bug!

The fix is attached.

[attachment deleted by admin]

[Infro_X]

No Problem, It helps me more than you (I think  ;) ) Thank you for fixing it jorgon

Infro