Reverse Engineering Asked by Daros911 on May 1, 2021
When i load an exe
in the IDA the assembled code always starts at 00401000
address. Does it mean that in pe
files the code always starts at that specific address?
This means that your entrypoint is 0x1000, and your base is 0x00400000, use a tool that allows you to view the AddressOfEntryPoint attribute you see value 0x1000, Your program's EntryPoint address is made up of ImageBase + AddressOfEntryPoint, this is the starting point for running your software.
Correct answer by 0x0A on May 1, 2021
No it does not all pe files do not start at the same address 0x401000
historically 0x400000 is the ImageBaseAddress Header is 0x1000 bytes
so .code section starts at 0x401000 for a normal exe
since the Exe's module is the first to be loaded it normally gets its Preferred ImageBase Address
but a relocation table is a part of exe in case there is a conflict and the imagebase needs to be shifted to another base
you can control both aspects using linker switches
C:>link /? | grep -iE "base|fixed"
/BASE:{address[,size]|@filename,key}
/DYNAMICBASE[:NO]
/FIXED[:NO]
you can also lookup about rebasing in ida
Answered by blabb on May 1, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP