TCC/LE 64-bit Crashes on Loading / Attaching #354

Closed
alexgieg opened this issue Jul 18, 2016 · 2 comments

@alexgieg

Expected Behavior

Open a TCC/LE 64-bit tab in ConsoleZ 64-bit and have it working.

Actual Behavior

Opening a TCC/LE 64-bit tab from within ConsoleZ, or trying to attach a running one, causes a crash followed by a DLL injection error:

a) When launching directly:

[screenshots czss01, czss02, czss03, czss04]

b) When attaching an existing console:

[screenshots czss05, czss06, czss04]

Steps to reproduce

  1. Download and install TCC/LE 64-bit from JPSoft's Website.
  2. Create a tab entry pointing to the TCC/LE 64-bit executable (screenshot below).
  3. Launch it.

[screenshot czss07]

Attachments: Diagnostic Report, Crash Report

@cbucher (Owner)

cbucher commented Jul 19, 2016

tcc.exe has been compiled with large address support disabled.

>dumpbin /HEADERS "C:\Program Files\JPSoft\TCCLE14x64\tcc.exe"
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\Program Files\JPSoft\TCCLE14x64\tcc.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               5 number of sections
        56B611A2 time date stamp Sat Feb 06 16:30:42 2016
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
               3 characteristics
                   Relocations stripped
                   Executable

DLL injection requires guessing the address of the LoadLibraryW function in the target process. We assume that ConsoleZ and the target process load the kernel32 module in the same address space.
This assumption is correct because ntdll and kernel32 are always loaded in the same order for each process.
But if a 64-bit process is not large address aware, then modules will be loaded at different addresses (under 2 GB).

You can modify the flag with EditBin.exe:
>EditBin /LARGEADDRESSAWARE "C:\temp\tcc.exe"

After modification, the DLL injection will be a success.

>dumpbin /HEADERS "C:\temp\tcc.exe"
Microsoft (R) COFF/PE Dumper Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file C:\temp\tcc.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
            8664 machine (x64)
               5 number of sections
        56B611A2 time date stamp Sat Feb 06 16:30:42 2016
               0 file pointer to symbol table
               0 number of symbols
              F0 size of optional header
              23 characteristics
                   Relocations stripped
                   Executable
                   Application can handle large (>2GB) addresses

Note: editbin.exe and dumpbin.exe are part of Visual Studio. If you don't want to install Visual Studio, you can use other tools.

With CFF Explorer (http://www.ntcore.com/exsuite.php):
[screenshot]
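To check or set the flag programmatically rather than with dumpbin/editbin, here is an added Python example (not part of this issue, ConsoleZ or TCC/LE) that parses the COFF file header of a PE image and reports or sets IMAGE_FILE_LARGE_ADDRESS_AWARE (0x20), reproducing the characteristics change from 3 to 23 shown in the dumpbin output above. The sample image is constructed inline from the header values in that output; `build_sample_image` is a helper invented for this example.

```python
import struct
import sys

# COFF file-header Characteristics bits named in the dumpbin output in this issue.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # "Relocations stripped"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002     # "Executable"
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # "Application can handle large (>2GB) addresses"

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
CHARACTERISTICS_OFFSET = 18  # offset of Characteristics within IMAGE_FILE_HEADER


def file_header_offset(data: bytes) -> int:
    """Follow e_lfanew from the DOS header and return the offset of IMAGE_FILE_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: PE signature not found")
    return e_lfanew + 4  # IMAGE_FILE_HEADER directly follows the 4-byte signature


def read_characteristics(data: bytes) -> int:
    return struct.unpack_from("<H", data, file_header_offset(data) + CHARACTERISTICS_OFFSET)[0]


def is_large_address_aware(data: bytes) -> bool:
    return bool(read_characteristics(data) & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def set_large_address_aware(data: bytes) -> bytes:
    """Return a copy with the flag set: the same header change 'EditBin /LARGEADDRESSAWARE' makes."""
    patched = bytearray(data)
    offset = file_header_offset(data) + CHARACTERISTICS_OFFSET
    struct.pack_into("<H", patched, offset, read_characteristics(data) | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    return bytes(patched)


def build_sample_image(characteristics: int) -> bytes:
    """Constructed minimal image (DOS stub + PE signature + file header, no sections)
    using the x64 header values shown in the dumpbin output above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the stub
    return bytes(dos) + b"PE\0\0" + struct.pack(FILE_HEADER_FMT, 0x8664, 5, 0x56B611A2, 0, 0, 0xF0, characteristics)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(0x0003)
    print(f"characteristics {read_characteristics(image):X}, large address aware: {is_large_address_aware(image)}")
```

Run it with a path to an executable to inspect a real file; without arguments it inspects the constructed sample.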

@alexgieg (Author)

Thank you very much! I'll file a bug report with JPSoft asking them to enable large address support in the next update.

@cbucher cbucher closed this as completed Nov 9, 2016