x86/Windows 95 executables - Identify pointers in a hex editor.

Started by MeshGearFox, June 10, 2015, 08:25:02 PM

Previous topic - Next topic

MeshGearFox

I have a Windows 95 executable with a block of text starting at position 00125FE8, and I want to find the pointers to this so I can update them to point at some other text. I used IDA to look up the pointers, but that got me wondering how you would go about doing it manually, from looking at the executable in a hex editor.

What I understand is that I want to start by adding 400000 to the base address, giving me 00525GE8, and then reverse the bytes, giving me E85F5200.

Searching for E85F5200 through the executable using the hex editor gives me six results -- one at position 000DBEB2, and five more starting position 001ADD2C.

As per IDA, the ones after 001ADD2C are pointers arranged in some null-delimited array thing with other pointers, whereas the hit at 000DBEB2 is actually a CALL opcode E8 with some argument after it. Obviously I don't want to change /that/.

What I'm wondering is how someone -- or IDA, for that matter -- would tell that the first one isn't a pointer. I noticed, for instance, that the actual pointers were all located after the data that they were pointing to. Is stuff like that relevant?

henke37

IDA traces the flow to spot what is code and data, assuming that what code reads is data.

MeshGearFox

Thanks!

Is there any way to get IDA to export a list of all memory addresses where data is stored? If not I guess I could just dump a .lst file and write something to extract the data memory addresses for me (assuming all of them start with one of the db/dw/dd/etc. instructions).

henke37

It is automatable, so you can dump the data using scripting. But a lot of the data is incomplete.