TransWikia.com

Pe file code starting address

Reverse Engineering Asked by Daros911 on May 1, 2021

When i load an exe in the IDA the assembled code always starts at 00401000 address. Does it mean that in pe files the code always starts at that specific address?

2 Answers

This means that your entrypoint is 0x1000, and your base is 0x00400000, use a tool that allows you to view the AddressOfEntryPoint attribute you see value 0x1000, Your program's EntryPoint address is made up of ImageBase + AddressOfEntryPoint, this is the starting point for running your software.

Correct answer by 0x0A on May 1, 2021

No it does not all pe files do not start at the same address 0x401000
historically 0x400000 is the ImageBaseAddress Header is 0x1000 bytes
so .code section starts at 0x401000 for a normal exe

since the Exe's module is the first to be loaded it normally gets its Preferred ImageBase Address

but a relocation table is a part of exe in case there is a conflict and the imagebase needs to be shifted to another base

you can control both aspects using linker switches

C:>link /? | grep -iE "base|fixed"
      /BASE:{address[,size]|@filename,key}
      /DYNAMICBASE[:NO]
      /FIXED[:NO]

you can also lookup about rebasing in ida

Answered by blabb on May 1, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP