
c - Read variable value from PE file - Stack Overflow


I have the following C code, compiled with GCC on Windows:

#include <stdio.h>
#include <conio.h>

int main() {
    int a = 68639977;

    printf("int: %d", a);
    getch();
    a++;
    return 0;
}

For education purposes I was trying to figure out the int value from the exe PE file (from the .data section) with a hex editor.

I converted the decimal value to hex (4175CE9), but I was unable to find this value.

I searched the whole .exe (not only the .data section) and I can't find this value.

What am I doing wrong? Or maybe I'm totally wrong and I can't see this value in the exe file for some reason.

Ty.

asked Jan 29 at 18:20 by popouu
  • 386x and x64 CPUs use little endian. So search for e9 5c 75 41. – Wiimm Commented Jan 29 at 18:23
  • You are looking for a 4-byte sequence if sizeof(int) == 4 for your compiler. If sizeof(int) == 8 (64-bit int) then you will be looking for an 8-byte sequence. The more likely scenario is a 4-byte sequence, and hence @Wiimm has steered you correctly. NOTE: way back when, ints were only 2 bytes, but that's a topic for another day . . . – greg spears Commented Jan 29 at 18:32
  • @Wiimm ... or even e9 5c 17 04 :) – Weather Vane Commented Jan 29 at 18:32
  • @WeatherVane I found this value! But I don't know why. This is not little endian? And why is this value in the .text section instead of .data? – popouu Commented Jan 29 at 18:39
  • That's because modern compilers try to optimize the binary and often decide to put local variables directly into the instruction section. – Proteus Commented Jan 29 at 18:47

1 Answer

As was already pointed out in the comments, the reason you can't find 4175CE9 is that modern CPUs use little-endian ("reversed") notation (you can read about it here and here).
Check out this example on Godbolt. In line 8 (4 in decimal) you can see the reversed value in the machine view, and the assembly view reversed it automatically (note it's using the GCC compiler).
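The search described in this thread, as an added example that is not part of the original question or answer: it zero-pads the value to 4 bytes, encodes it little endian, scans the file, and uses the PE section table to report which section each hit falls in. The toy image from `sample_image()` and the `mov` encoding placed in its `.text` are constructed assumptions, not output from the asker's compiler.

```python
import re
import struct

def le32(value):
    # x86/x64 store a 32-bit int low byte first, zero-padded to 4 bytes.
    return struct.pack("<I", value & 0xFFFFFFFF)

def find_all(data, pattern):
    # File offsets of every occurrence of the byte pattern.
    return [m.start() for m in re.finditer(re.escape(pattern), data)]

def sections(data):
    # Return (name, raw_offset, raw_size) for each PE section table entry.
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    out = []
    for i in range(count):
        entry = pe + 24 + opt_size + 40 * i                 # 40-byte section headers
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        out.append((name, raw_off, raw_size))
    return out

def locate(data, value):
    # Pair each hit's file offset with the section whose raw data contains it.
    secs = sections(data)
    return [(off, next((n for n, o, s in secs if o <= off < o + s), None))
            for off in find_all(data, le32(value))]

def sample_image():
    # Constructed toy image (not a loadable exe): .text at 0x200, .data at 0x400.
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 2)                    # two sections
    for i, (name, off) in enumerate(((b".text", 0x200), (b".data", 0x400))):
        entry = 0x98 + 40 * i
        img[entry:entry + len(name)] = name
        struct.pack_into("<II", img, entry + 16, 0x200, off)
    # mov DWORD PTR [rbp-4], 0x4175ce9 : assumed unoptimized code for `int a = 68639977;`
    img[0x210:0x217] = bytes.fromhex("c745fce95c1704")
    return bytes(img)

if __name__ == "__main__":
    for off, sec in locate(sample_image(), 68639977):
        print(f"{le32(68639977).hex(' ')} at file offset {off:#x} in {sec}")
```

To scan a real executable, pass `open(path, "rb").read()` to `locate()` instead of the sample image.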
