17

This is a very silly question, but surprisingly I've had a problem with this today. In a hex editor, I've found an offset and I wanted to take a look at that code in a disassembler. In the hex-editor, the offset is EBE75, and it looks like this:

[screenshot: hex editor view at offset EBE75]

Obviously a CALL, I wanted to find it in IDA/Olly and take a look. This is, however, where I wasn't sure how to translate that to an offset that IDA/Olly could understand. Do I add the imagebase, or maybe the offset of the .text section? I've managed to find the code using IDA's hexscan, and it's located at address 004ECA75:

[screenshot: IDA view at address 004ECA75]

The difference between these addresses is 4ECA75 - EBE75 = 400C00. This is quite surprising to me, where did that number come from? How is this related to the .exe's layout?

1
  • 3
    Your "raw offsets" are also called "file offsets"; this might help you find relevant commands. Commented Jan 19, 2015 at 20:09

2 Answers

17

To convert a raw offset in a PE file to its corresponding "disassembler offset" (known as the virtual address or VA), you need to perform the following steps:

Step 1

Using a PE editor, look at the PE file's section table to find the section containing the file offset.

For example, let's say your PE file's section table looks like this:

+--------+-----------------+--------------+------------+----------+
| Name   | Virtual Address | Virtual Size | Raw Offset | Raw Size |
|--------+-----------------+--------------+------------+----------|
| .text  | 00001000        | 00152CA1     | 00000400   | 00152E00 |
| .data  | 00154000        | 000040C0     | 00153200   | 00004200 |
| .rsrc  | 00159000        | 00062798     | 00157400   | 00062800 |
| .reloc | 001BC000        | 00003B3C     | 001B9C00   | 00003C00 |
+--------+-----------------+--------------+------------+----------+

You can see above that the section containing raw offset EBE75 is the .text section, since 00000400 <= EBE75 < 00153200.

Step 2

Using a PE editor, look up the PE file's image base. For example, let's say your file's image base is 00400000.

Step 3

Perform the following calculation:

(target raw offset) - (raw offset of section) + (virtual address of section) + (image base) = (target virtual address) 

Filling in the example values above, we find that the virtual address for raw offset EBE75 is:

EBE75 - 00000400 + 00001000 + 00400000 = 4ECA75 
4
  • Nice explanation, it's perfectly clear now, thanks :) Commented Jan 19, 2015 at 15:29
  • 00000400 <= EBE75 < 00053200 umm, no... Rest of answer is nice, though. Commented Jan 22, 2015 at 11:41
  • @FRob Oops, yeah, good point. Doesn't change much though. Commented Jan 22, 2015 at 12:56
  • Thanks for the catch, @FRob! I've fixed the example section table above. Commented Jan 22, 2015 at 14:29
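As an added example (my code, not part of the answer above), the Python below does the Step 3 calculation over the answer's section table, adds the reverse VA-to-file-offset mapping, and reads the image base and section table straight out of a PE file's headers so Steps 1 and 2 need no PE editor. Unlike the answer, it bounds each section by its raw size rather than by the next section's raw offset, so offsets in header or padding bytes map to nothing.

```python
import struct

# Section table and image base from the answer above (values in hex).
SECTIONS = [
    # (name, virtual address, virtual size, raw offset, raw size)
    (".text",  0x00001000, 0x00152CA1, 0x00000400, 0x00152E00),
    (".data",  0x00154000, 0x000040C0, 0x00153200, 0x00004200),
    (".rsrc",  0x00159000, 0x00062798, 0x00157400, 0x00062800),
    (".reloc", 0x001BC000, 0x00003B3C, 0x001B9C00, 0x00003C00),
]
IMAGE_BASE = 0x00400000


def file_offset_to_va(sections, image_base, offset):
    """Map a raw (file) offset to a VA; None if no section's raw data covers it."""
    for _name, va, _vsize, raw_off, raw_size in sections:
        if raw_off <= offset < raw_off + raw_size:
            return offset - raw_off + va + image_base
    return None  # headers, padding between sections, or overlay data


def va_to_file_offset(sections, image_base, va):
    """Reverse mapping; None for bytes that exist only in memory."""
    rva = va - image_base
    for _name, sec_va, vsize, raw_off, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            # delta >= raw_size: zero-filled at load time, not present in the file
            return raw_off + delta if delta < raw_size else None
    return None


def read_section_table(data):
    """Parse image base and section table from PE file bytes (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_off, raw_size))
    return image_base, sections
```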
2

ollydbg 1.10

if you have

  1. the binary loaded in ollydbg
  2. disasm window is in the correct module
  3. the binary is also open in hexeditor

    Right Click -> View -> Executable File

In the new window press Ctrl+G and enter the offset you saw in the hex editor (ebe75).

Right click in the new window -> Follow in Disassembler

In the hex editor, 0x1529 has the 0xe8 opcode:

xxd -s 0x1520 -l 0x10 -g 1 c:\WINDOWS\system32\calc.exe
0001520: ff d6 6a 01 a3 4c 4d 01 01 e8 e9 f8 ff ff 6a 69  ..j..LM.......ji

In OllyDbg, after right click -> View -> Executable File and Ctrl+G 1520 in the new window:

00001520  FFD6         CALL NEAR ESI
00001522  6A 01        PUSH 1
00001524  A3 4C4D0101  MOV DWORD PTR DS:[1014D4C], EAX
00001529  E8 E9F8FFFF  CALL 00000E17
0000152E  6A 69        PUSH 69

In the new window, right click -> View image in disassembler:

01002120  |. FFD6         CALL NEAR ESI                    ; \GetProfileIntW
01002122  |. 6A 01        PUSH 1                           ; /Arg1 = 00000001
01002124  |. A3 4C4D0101  MOV DWORD PTR DS:[gbUseSep], EAX ; |
01002129  |. E8 E9F8FFFF  CALL InitSciCalc                 ; \InitSciCalc
0100212E  |. 6A 69        PUSH 69                          ; /TableName = 69
