From: "Jacky Luk"
Newsgroups: comp.os.msdos.djgpp
Subject: Relocations for PE executables
Date: Fri, 25 Jul 2003 19:54:16 +0800
Organization: IMS Netvigator
Lines: 24
Message-ID:
NNTP-Posting-Host: n218103222037.netvigator.com
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

I'm just building a PE disassembler using DJGPP. As discussed in the PE document found in wotsit.org written by LUEVELSMEYER, there is a paragraph that I'm wondering if it always holds true. It says something like if you want to find a particular byte to disassemble in a file, you don't need to load the code into memory, you just work it out with some calculations. e.g.

"if the execution starts at RVA 0x1560, and want to disassemble the code starting there. To find the address in the "file" (emphasis), you will have to find out the sections in RAM are aligned to 4096 bytes and the ".code" section starts at RVA 0x1000 in RAM is 16384 bytes long; then you know that RVA 0x1560 is at offset 0x560 in that section (it sounds like a guess, sounds no true v2loadimage happening) Find out that the sections are aligned to 512-byte-borders in the file and that ".code" begins at offset 0x800 in the file, and you know that the code execution start is at byte 0x800+0x560=0xd60 in the file"

I quoted it from the article, the location seems to me like a wild guess. To my understanding, it means just that (disassembling without loading). I'm just wondering if there is a relocation for any types of segments, without loading it, can it give you the correct results of where a segment jump jumps to, or referring to the correct data? Like DOS programs, a relocation is really important, but does it always hold true for PE programs?

Thanks
Jack
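
The calculation quoted in the post, written out as an added example that is not part of the original message or of the quoted article. The struct, the function name `rva_to_file_offset` and the `.bss` entry are assumptions made for illustration; the `.code` numbers are the ones quoted above. It goes slightly beyond the quoted case by rejecting RVAs that no section backs with file bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical subset of a PE section header: only what the mapping needs. */
struct section {
    const char *name;
    uint32_t virtual_address; /* RVA where the section starts in memory */
    uint32_t virtual_size;    /* bytes the section occupies in memory */
    uint32_t raw_offset;      /* where the section's bytes start in the file */
    uint32_t raw_size;        /* how many bytes the file actually holds */
};

/* Constructed table: .code uses the post's numbers, .bss is made up. */
static const struct section sample_sections[] = {
    { ".code", 0x1000, 16384,  0x800, 16384 },
    { ".bss",  0x5000, 0x2000, 0,     0     }, /* memory only, no file bytes */
};

/* Returns 0 and stores the file offset, or -1 if no section maps the RVA
   to bytes in the file. Nothing is loaded; only the table is consulted. */
int rva_to_file_offset(const struct section *s, size_t n,
                       uint32_t rva, uint32_t *off)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t start = s[i].virtual_address;
        if (rva < start || rva - start >= s[i].virtual_size)
            continue;                    /* RVA is not inside this section */
        uint32_t delta = rva - start;    /* 0x1560 - 0x1000 = 0x560 */
        if (delta >= s[i].raw_size)
            return -1;                   /* exists in memory only */
        if (delta > UINT32_MAX - s[i].raw_offset)
            return -1;                   /* malformed header: would wrap */
        *off = s[i].raw_offset + delta;  /* 0x800 + 0x560 = 0xd60 */
        return 0;
    }
    return -1;                           /* e.g. an RVA in the header area */
}

int main(void)
{
    uint32_t off;
    if (rva_to_file_offset(sample_sections, 2, 0x1560, &off) == 0)
        printf("RVA 0x1560 -> file offset 0x%x\n", (unsigned)off);
    return 0;
}
```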