17

This is a very silly question, but surprisingly I've had a problem with this today. In a hex editor, I've found an offset and I wanted to take a look at that code in a disassembler. In the hex editor, the offset is EBE75, and it looks like this:

[screenshot: hex editor view at file offset EBE75]

Obviously a CALL, I wanted to find it in IDA/Olly and take a look. This is, however, where I wasn't sure how to translate that to an offset that IDA/Olly could understand. Do I add the imagebase, or maybe the offset of the .text section? I've managed to find the code using IDA's hexscan, and it's located at address 004ECA75:

[screenshot: IDA view at address 004ECA75]

The difference between these addresses is 4ECA75 - EBE75 = 400C00. This is quite surprising to me, where did that number come from? How is this related to the .exe's layout?

user4520

Your "raw offsets" are also called "file offsets"; this might help you find relevant commands. – SamB Jan 19 '15 at 20:09

2 Answers

17

To convert a raw offset in a PE file to its corresponding "disassembler offset" (known as the virtual address or VA), you need to perform the following steps:

Step 1

Using a PE editor, look at the PE file's section table to find the section containing the file offset.

For example, let's say your PE file's section table looks like this:

+-----------------------------------------------------------------+
|  Name  | Virtual Address | Virtual Size | Raw Offset | Raw Size |
|--------+-----------------+--------------+------------+----------|
| .text  |    00001000     |   00152CA1   |  00000400  | 00152E00 |
| .data  |    00154000     |   000040C0   |  00153200  | 00004200 |
| .rsrc  |    00159000     |   00062798   |  00157400  | 00062800 |
| .reloc |    001BC000     |   00003B3C   |  001B9C00  | 00003C00 |
+-----------------------------------------------------------------+

You can see above that the section containing raw offset EBE75 is the .text section, since 00000400 <= EBE75 < 00153200.

Step 2

Using a PE editor, look up the PE file's image base. For example, let's say your file's image base is 00400000.

Step 3

Perform the following calculation:

(target raw offset) - (raw offset of section) + (virtual address of section) + (image base)
= (target virtual address)

Filling in the example values above, we find that the virtual address for raw offset EBE75 is:

EBE75 - 00000400 + 00001000 + 00400000
= 4ECA75
Jason Geffner
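Added example (not part of either answer): a Python script that reads the image base and section table directly from the PE headers and applies the formula above in both directions, so the section lookup does not have to be done by hand in a PE editor. The sample PE header it builds is constructed from the table and image base shown in this answer and contains only the fields the parser reads; the function names (parse_pe, file_offset_to_va, va_to_file_offset, build_sample_pe) are the example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return (image_base, sections) from a PE file held in memory.

    Each section is (name, virtual_address, virtual_size, raw_offset, raw_size),
    in section-table order.  Handles both PE32 and PE32+ optional headers."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 64-bit, no BaseOfData field
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size                           # section table follows the optional header
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw_off, raw_size))
    return image_base, sections


def file_offset_to_va(data, offset):
    """The answer's formula: offset - raw_off + section VA + image base.
    Returns None when the offset is outside every section's raw data
    (e.g. inside the headers), since such bytes have no section-relative VA."""
    image_base, sections = parse_pe(data)
    for _name, va, _vsize, raw_off, raw_size in sections:
        if raw_off <= offset < raw_off + raw_size:
            return image_base + va + (offset - raw_off)
    return None


def va_to_file_offset(data, target_va):
    """Inverse mapping, for going from a disassembler address back to the hex
    editor.  A VA inside a section's virtual span but past its raw data (a
    BSS-style tail) has no bytes on disk and yields None."""
    image_base, sections = parse_pe(data)
    rva = target_va - image_base
    for _name, va, vsize, raw_off, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return raw_off + delta if delta < raw_size else None
    return None


def build_sample_pe():
    """Constructed sample: a minimal PE32 header carrying exactly the section
    table and image base (00400000) from the answer above.  Only the fields
    the parser reads are filled in; everything else is zero."""
    sections = [  # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text",  0x00152CA1, 0x00001000, 0x00152E00, 0x00000400),
        (b".data",  0x000040C0, 0x00154000, 0x00004200, 0x00153200),
        (b".rsrc",  0x00062798, 0x00159000, 0x00062800, 0x00157400),
        (b".reloc", 0x00003B3C, 0x001BC000, 0x00003C00, 0x001B9C00),
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", *s, 0, 0, 0, 0, 0) for s in sections)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = build_sample_pe()
    va = file_offset_to_va(pe, 0xEBE75)
    print("file offset EBE75 -> VA %X" % va)              # 4ECA75, as in the question
    print("VA %X -> file offset %X" % (va, va_to_file_offset(pe, va)))
```

To use it on a real binary, replace build_sample_pe() with the file's bytes (open(path, "rb").read()); the headers are all the parser needs. The 400C00 difference from the question is then visible as (image base 400000) + (.text VA 1000) - (.text raw offset 400), and it changes from section to section, which is why a single constant cannot be added to every file offset.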
2

ollydbg 1.10

if you have

  1. the binary loaded in ollydbg
  2. the disasm window in the correct module
  3. the binary also open in a hex editor

    Right Click -> View -> Executable File

In the new window do Ctrl+G and enter the offset you saw in the hex editor, ebe75

right click in the new window -> follow in disassembler

in the hex editor, 0x1529 has the 0xe8 opcode

xxd -s 0x1520 -l 0x10 -g 1 c:\WINDOWS\system32\calc.exe
0001520: ff d6 6a 01 a3 4c 4d 01 01 e8 e9 f8 ff ff 6a 69  ..j..LM.......ji

in ollydbg, after right click -> View -> Executable File and Ctrl+G 1520 in the new window

00001520    FFD6            CALL    NEAR ESI
00001522    6A 01           PUSH    1
00001524    A3 4C4D0101     MOV     DWORD PTR DS:[1014D4C], EAX
00001529    E8 E9F8FFFF     CALL    00000E17
0000152E    6A 69           PUSH    69

in the new window, right click -> View Image in Disassembler

01002120  |.  FFD6                   CALL    NEAR ESI                         ; \GetProfileIntW
01002122  |.  6A 01                  PUSH    1                                ; /Arg1 = 00000001
01002124  |.  A3 4C4D0101            MOV     DWORD PTR DS:[gbUseSep], EAX     ; |
01002129  |.  E8 E9F8FFFF            CALL    InitSciCalc                      ; \InitSciCalc
0100212E  |.  6A 69                  PUSH    69                               ; /TableName = 69
blabb