AddressOfEntryPoint is beyond the end of the file

Banksy

New Member
#1
I'm trying to understand what the AddressOfEntryPoint in the COFF header.

I have a "nothing" .NET exe:
Mã:
class Program
{
    public static void Main()
    {
    }
}
(I've compiled it as an x86 application)

The values I get for the standard fields in the COFF header are:
Mã:
COFF - Optional Header Standard Fields
======================================

UInt16    Magic                         0x0000010B
Byte      MajorLinkerVersion            0x30
Byte      MinorLinkerVersion            0x0
UInt32    SizeOfCode                    0x0400
UInt32    SizeOfInitializedData         0x0800
UInt32    SizeOfUninitializedData       0x0000
UInt32    AddressOfEntryPoint           0x2356
UInt32    BaseOfCode                    2000
UInt32    BaseOfData                    4000
The AddressOfEntryPoint is 0x2356.
The file isn't long enough for this value to be an offset from anywhere, so what it is it?
(Files at: https://drive.google.com/open?id=1VClORkJKyGhd7o3YBPbCZEni1ad_mncl)
 

Admin

Administrator
Thành viên BQT
#2
In order to calculate the offset of EntryPoint in the file, you need to subtract BaseOfCode but also add PointerToRawData from .text section. For this file, the last one is 0x200 and with the previous calculations it gives 0x556 which points to a nice jmp to _CorExeMain.

UfNKQ.png
 
OP
OP
B

Banksy

New Member
#3
That's what I'm missing then! The instruction that point to if FF 25 00 20 40. Hans said above that it should start with 0xE9. How com this is different?
 
OP
OP
B

Banksy

New Member
#5
YES! When I disassembly that I get jmp DWORD PTR ds:0x402000 m which I think looks about right, Thank you!
 

Từ khóa phổ biến

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top