[Bug] Error while using 64 bit dll_to_exe

[bruce30262]

Hello,

I was using dll_to_exe on a 64 bit dll
After I convert it to exe and debugged with IDA & Windbg
It gave me the ACCESS_VIOLATION error (Exception code C0000005)

After some tracing I found the bug happens to be in the back_stub for the 64 bit dll:

    BYTE back_stub64[] = {
        0x65, 0x48, 0x8B, 0x0C, 0x25, 0x60, 0x00, 0x00, 0x00, // mov rcx,qword ptr gs:[0x60]
        0x48, 0x8B, 0x4E, 0x10, // mov rcx,qword ptr ds:[rsi+10]  <-- ACCESS_VIOLATION error
        0x48, 0x8B, 0xF9, // mov rdi, rcx
        0xBA, 0x01, 0x00, 0x00, 0x00, // mov edx, 1
        0x48, 0x8B, 0xDA, // mov rbx, rdx
        0x4C, 0x8B, 0xC0, // mov r8, rax
        0xE9, 0xDE, 0xAD, 0xF0, 0x0D, //jmp [ep]
        0xC3 //ret
    };

The second instruction is mov rcx,qword ptr ds:[rsi+10], while rsi is NULL, causing the error.
According to your blog, I believe it should be [rcx + 10h] instead of [rsi + 10h] ?

Also if we're calling DllMain(handle, 1, 0), I think the back_stub should be something like:

    BYTE back_stub64[] = {
        0x65, 0x48, 0x8B, 0x0C, 0x25, 0x60, 0x00, 0x00, 0x00, // mov rcx,qword ptr gs:[0x60]
        0x48, 0x8B, 0x49, 0x10, // mov rcx,qword ptr ds:[rcx+10], 1st arg = handle
        0xBA, 0x01, 0x00, 0x00, 0x00, // mov edx, 1, 2nd arg = 1
        0x4D, 0x31, 0xC0, // xor r8, r8, 3rd arg = 0 ( at this point rax != 0, which will make r8 non-zero if we use mov r8, rax)
        0xE8, 0xDE, 0xAD, 0xF0, 0x0D, // call [ep] instead of jmp [ep]
        0xC3 //ret
    };

Not sure if we have to set rdi and rbx while calling DllMain in 64 bit dll ( I'm not familiar with Windows , please correct me if I misunderstood anything ).

[hasherezade]

Thank you, you are right - the thing with RSI register was just a typo that somehow I didn't notice yesterday. Please check the latest build attached to the README and let me know if it fixed the problem.

[bruce30262]

It's fixed now 👍
Closing issue