3

Will every .exe file start from 00401000, or am I wrong in assuming such a thing?

Edit: total beginner here.

When the program is first loaded into x64dbg it immediately goes into a DLL, so I could not see the address 00401000, but it is indeed present when going into the memory map.

Question: the program goes directly into a DLL. How can I make x64dbg start it from 00401000? I tried setting a breakpoint (software and hardware) at 00401000 and also breaks on events such as "entry breakpoint" and "system breakpoint".

Thanks for the welcome.

  • Hi and welcome to RE.SE. When a process gets loaded and the PE file has the settings to enable relocations, there is a good chance the base address differs. However, it's not quite clear what you're asking. Please edit your question to clarify and then click the "reopen" link. Thanks. – 0xC0000022L Jul 03 '19 at 21:56

1 Answer

4

No, not every exe will start from 0x401000.

The image base is hardcoded in the header and is configurable with the /entry switch when linking (MS linkers).

The operating system can and will override the preferred image base.

All other addresses in the exe file are relative to the hardcoded preferred image base.

If the OS overrides it and maps it elsewhere, all other addresses will be relative to the newly mapped address.

    :\>dumpbin /headers cmd.exe  | findstr base
                1000 base of code
           140000000 image base (0000000140000000 to 0000000140064FFF)
                       Dynamic base

As you can see, the preferred image base for this specific binary is 140000000, and the base of code is relative to this address.

So if the binary got loaded at 140000000, the base of code will be at

140000000 + 0x1000 == 0x140001000

If it got loaded at 200000000, the base of code will be at 200000000 + 0x1000 == 0x200001000

and so on.

blabb
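The arithmetic in the answer above, as an added example that is not part of the original answer: a small parser that reads the image base, base of code and "Dynamic base" flag straight from the PE headers, then translates an address from the preferred base to the base the loader actually chose. `parse_pe_bases`, `rebase` and `sample_header` are hypothetical names, and the header bytes are constructed for the demo using the values shown in the dumpbin output.

```python
import struct

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)

def parse_pe_bases(data: bytes) -> dict:
    """Read the header fields that dumpbin /headers reports for base addresses."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    entry_rva, base_of_code = struct.unpack_from("<II", data, opt + 16)
    if magic == 0x10B:    # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {"image_base": image_base, "base_of_code": base_of_code,
            "entry_rva": entry_rva, "dynamic_base": bool(dll_chars & DYNAMIC_BASE)}

def rebase(preferred_va: int, preferred_base: int, actual_base: int) -> int:
    """Translate an address computed from the preferred base to the real load base."""
    rva = preferred_va - preferred_base
    if rva < 0:
        raise ValueError("address is below the preferred image base")
    return actual_base + rva

def sample_header(magic: int, image_base: int, dll_chars: int) -> bytes:
    """Constructed header bytes for the demo, not a real executable."""
    buf = bytearray(0x40 + 24 + 72)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<II", buf, opt + 16, 0x1000, 0x1000)  # entry RVA, base of code
    fmt, off = ("<I", 28) if magic == 0x10B else ("<Q", 24)
    struct.pack_into(fmt, buf, opt + off, image_base)
    struct.pack_into("<H", buf, opt + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    hdr = parse_pe_bases(sample_header(0x20B, 0x140000000, DYNAMIC_BASE))
    code_va = hdr["image_base"] + hdr["base_of_code"]
    print(hex(code_va), hex(rebase(code_va, hdr["image_base"], 0x200000000)))
```

When a debugger shows the module at a different base than the header's preferred one, pass the base from its memory map as `actual_base` to find where a statically computed address ended up.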