Tiny PE – Rel0ad3d (304 bytes!)

Another long night, :sigh:

Creativeness is the name of the game. In the end, if you shave another byte or two it's not a big deal (as much fun as it is, don't get me wrong); you have to come up with better ideas. Sometimes you are sure that what you've got is good, but then you have to push your limits and come up with something better.

I wish to thank Peter Ferrie, Nicolas Brulez and Jamz Yaneza for encouraging me and providing some information about that downloader virus which is known to be around 330 bytes…

I haven't got any sample of it, nor do I know its real size, but to be sure my Tiny PE is smaller, my latest version stands at 304 bytes. If you read my first blog post about this Tiny PE carefully, I said that I was playing with the Optional Header size. So this time I cut a big part of it, managed to crunch my code even more, and put the Import Module Descriptor (IMAGE_IMPORT_DESCRIPTOR) inside the header itself :) Though now I think I broke compatibility with other versions of Windows…
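The two header tricks in that paragraph are easy to confirm with a small parser. The checker below is an added example written for this post, not tiny3.exe or any code from the page: it reads a PE32, reports whether SizeOfOptionalHeader is shorter than the full 224-byte IMAGE_OPTIONAL_HEADER32, whether the import data-directory entry therefore overlaps the section table (the entry is read from its nominal offset regardless), whether the IMAGE_IMPORT_DESCRIPTOR lands inside the SizeOfHeaders region, and which DLLs and functions are named, including whether each DLL string still carries a .dll suffix. The sample PE it analyzes is constructed inline and is an assumption about what such a layout looks like, not a copy of the 304-byte file: a 0x68-byte optional header whose import directory entry sits on top of the first section header's Name field, one kernel32.dll!ExitProcess import, everything inside a 0x200-byte header area. It is a parsing fixture, not claimed to run.

```python
import struct

OPT_HDR32_SIZE = 224          # sizeof(IMAGE_OPTIONAL_HEADER32)
OPT_SIZEOFHEADERS = 60        # offset of SizeOfHeaders inside the optional header
OPT_NUMDIRS = 92              # offset of NumberOfRvaAndSizes
OPT_IMPORT_DIR = 96 + 8 * 1   # data directory entry 1: IMAGE_DIRECTORY_ENTRY_IMPORT

def rva_to_offset(rva, size_of_headers, sections):
    """Headers map 1:1 to file offsets; anything else must be backed by a section."""
    if rva < size_of_headers:
        return rva
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by the headers or any section" % rva)

def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def analyze_pe(data):
    """Return a dict of findings for a PE32 image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    size_of_headers = struct.unpack_from("<I", data, opt + OPT_SIZEOFHEADERS)[0]
    num_dirs = struct.unpack_from("<I", data, opt + OPT_NUMDIRS)[0]
    sections = []                                 # table starts where the declared optional header ends
    for i in range(num_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    report = {
        "size_of_optional_header": size_opt,
        "optional_header_truncated": size_opt < OPT_HDR32_SIZE,
        # the import entry is read from its nominal offset; if the declared header ends
        # before it, those 8 bytes are shared with the first section header
        "import_dir_overlaps_section_table": size_opt < OPT_IMPORT_DIR + 8,
        "imports": [],
    }
    imp_rva = struct.unpack_from("<I", data, opt + OPT_IMPORT_DIR)[0] if num_dirs >= 2 else 0
    if imp_rva == 0:
        return report
    report["import_descriptor_inside_headers"] = imp_rva < size_of_headers
    off = rva_to_offset(imp_rva, size_of_headers, sections)
    while True:                                   # IMAGE_IMPORT_DESCRIPTOR[] ends with a null one
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:
            break
        dll = read_cstring(data, rva_to_offset(name_rva, size_of_headers, sections))
        funcs, thunk = [], rva_to_offset(oft or ft, size_of_headers, sections)
        while True:                               # thunk array ends with a null entry
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                # import by ordinal
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                                 # IMAGE_IMPORT_BY_NAME: WORD hint, then the name
                funcs.append(read_cstring(data, rva_to_offset(entry, size_of_headers, sections) + 2))
            thunk += 4
        report["imports"].append({"dll": dll, "has_dll_suffix": dll.lower().endswith(".dll"),
                                  "functions": funcs})
        off += 20
    return report

def build_sample_pe():
    """Constructed sample (an assumption, not the author's tiny3.exe): the optional header
    is declared 0x68 bytes long, so the import directory entry overlaps the first section
    header's Name field, and the import descriptor sits inside the SizeOfHeaders region."""
    e_lfanew, size_opt, size_of_headers = 0x40, 0x68, 0x200
    opt = e_lfanew + 4 + 20                       # 0x58
    sect_off = opt + size_opt                     # 0xC0: section table, also the import entry
    desc_off = sect_off + 40                      # 0xE8: import descriptor + null terminator
    name_off, thunk_off, hint_off = 0x110, 0x120, 0x128
    img = bytearray(size_of_headers)              # RVA == file offset for everything here
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", img, opt + OPT_SIZEOFHEADERS, size_of_headers)
    struct.pack_into("<I", img, opt + OPT_NUMDIRS, 2)           # export + import entries only
    struct.pack_into("<8sIIIIIIHHI", img, sect_off,
                     b".text", 0x10, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<II", img, opt + OPT_IMPORT_DIR, desc_off, 40)  # lands on the Name field
    struct.pack_into("<IIIII", img, desc_off, 0, 0, 0, name_off, thunk_off)
    img[name_off:name_off + 13] = b"kernel32.dll\0"
    struct.pack_into("<II", img, thunk_off, hint_off, 0)        # one IAT entry + terminator
    img[hint_off:hint_off + 14] = b"\0\0ExitProcess\0"          # hint word + function name
    return bytes(img)

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_pe(build_sample_pe()), indent=2))
```

On a real sample, read the file and pass its bytes to analyze_pe(). The overlap flag is the layout feature a strict parser chokes on and that triage tooling can key on; the header-resident descriptor and a DLL name lacking .dll are the other two tells of a hand-packed binary.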

Who is going to get it to below 300 bytes? hehe.

You can find the latest Tiny PE here: tiny3.exe.

If you like Assembly, or you just happen to remember hex code by heart, even something easy like EB 02 13 37 33 C0 40 C3 (a jmp over the two bytes 13 37, then xor eax,eax; inc eax; ret; LOL – sad but true), then you should subscribe to our new code crunchers mailing list at http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers !

Have a beautiful weekend,
Gil Dabah

  • Gaius

    If you broke compatibility with other Windows versions, then you can skip “.dll” in DLL names as well; “kernel”, “urlmon” will work just fine.

  • Gaius

    “kernel32” I meant ;)

  • Gaius

    Also, how many bytes do you waste on creating the section and string encryption? Isn't it easier to make a PE without any -real- section at all? :)

  • http://ragestorm.net Gil

    You need a section because you need an IAT for imports.
    Encryption takes around 8 bytes for all of it.
    You can't use “kernel32” without the .DLL suffix since the PE Loader still looks for it.

    LoadLibrary will know to suffix a .DLL, but that was already discussed on the code crunchers mailing list.

  • Gaius

    No, read carefully what I wrote: I said that in case he dropped support for older systems, .dll is not needed, not even in the import table. And the section in my EXE is not needed either, since I run code on the stack and don't use the import table.

  • Gaius

    Feel free to remove the .dll part of the kernel32.dll string from his current 304-byte exe; it will still work on 2k/xp.

  • Gaius

    And if the competition is now for 2k/xp only, you can't beat my 264-byte exe :D

  • http://www.ragestorm.net/ Arkon

    Ahh dude, you are not following, there's Peter's 232-byte version. :)

    I will check that thing out anyways.

  • Gaius

    Well, in my exe the byte count is 264 due to security reasons in my custom API resolving code; I can easily make it under 232 with less security code…

  • Gaius

    I mean, in my code even the ‘Z’ from the MZ header is a crucial part of the code ;)

  • http://www.ragestorm.net/ Arkon

    That's nice data reuse.
    Security code which does what???

    Please write your techniques to code crunchers and share your .exe then.