From:	"Jacky Luk" <nospam AT nospam DOT com>
Newsgroups:	comp.os.msdos.djgpp
Subject:	Relocations for PE exeutables
Date:	Fri, 25 Jul 2003 19:54:16 +0800
Organization:	IMS Netvigator
Lines:	24
Message-ID:	<bfr5pa$m1d3@imsp212.netvigator.com>
NNTP-Posting-Host:	n218103222037.netvigator.com
X-Priority:	3
X-MSMail-Priority:	Normal
X-Newsreader:	Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE:	Produced By Microsoft MimeOLE V6.00.2600.0000
To:	djgpp AT delorie DOT com
DJ-Gateway:	from newsgroup comp.os.msdos.djgpp
Reply-To:	djgpp AT delorie DOT com

I'm just building a PE disassembler using DJGPP. As discussed in the PE
document found in wotsit.org written by LUEVELSMEYER, there is a paragraph
that I'm wondering if it always holds true. It says something like if you
want to find a particular byte to disassemble in a file, you don't need to
load the code into memory, you just work it out with some calculations. e.g.
"if the executation starts at RVA 0x1560, and want to disassemble the code
starting there. To find the address in the "file" (emphasis), you will have
to find out the sections in RAM are aligned to 4096 bytes and the ".code"
section starts at RVA 0x1000 in RAM is 16384 bytes long; then you know that
RVA 0x1560 is at offset 0x560 in that section (it sounds like a guess,
sounds no true v2loadimage happening) Find out that the sections are aligned
to 512-byte-borders in the file and that ".code" begins at offset 0x800 in
the file, and you know that the code execution start is at byte
0x800+0x560=0xd60 in the file" I quoted it from the article, the location
seems to me like a wild guess.To my understanding, it means just that
(disassembling without loading). I'm just wondering if there is a relocation
for any types of segments, without loading it, can it give you the correct
results of where a segment jump jumps to, or referring to the correct data?
like DOS programs, a relocation is really important, but does it always hold
true for PE programs?
Thanks
Jack

- Raw text -