Find the right address

[Ikse]

Hi,

I'm trying to make my own dumper, and I'm at the very beginning of the process.
I've at the moment few python lines that search into a binary file a given pattern.

Here is my "problem":

When I try my python script on a simple binary file (like ls program), I've no problem find the correct address, but when I'm trying it on more complex program, it "almost" find it.

I explain myself:

if I do an objdump on a binary and take an arbitrary line like:

Code:

1400d114b:	48 89 05 36 8c 3d 00

So now, I take the pattern: 48 89 05 36 8c 3d 00 and wait to result to be d114b.
The problem is that on this binary file: the python script give me as result: 0xd054b which is 0xC00 less than the expected result.

Or maybe the result should be result + 0x1000 - 0x400
why + 0x1000 ?
I don't know exactly, i've found that the .text section in objdump start at 140001000

Can someone help me find out the explanation ?

Thank you in advance for your help !

[Ikse]

I've found the solution, that was pretty obvious finally.
Just had to find out the offset of the .text section in the binary file and substract the result given by my python script and the found .text address.

Hope this help someone is beginning

[Jadd]

Sorry I'm late to the thread. The offset to each section (.text, etc.) can be found in the PE file header. Check out CFF Explorer, it'll give you a good idea of the structure of a PE file.

If you want the info to translate the address programatically, your process should look like this:

1. DOS PE header:
Read e_lfanew (offset to NT header)

2. NT PE header:
Read NumberOfSections (number of entries in sections)
Read SizeOfOptionalHeader
Sections Address = (e_lfanew + sizeof(NtHeader) + SizeOfOptionalHeader)

3. Sections (array containing NumberOfSections of the following data, iterate it until you find Name == ".text\0\0\0"):
0x00 Name (8 byte string)
0x08 Virtual Size (DWORD)
0x0C Virtual Address (DWORD)
0x10 Raw Size (DWORD)
0x14 Raw Address (DWORD)
0x18 Reloc Address (DWORD)
0x1C Line Numbers (DWORD)
0x20 Reloc Number (DWORD)
0x24 Characteristics (DWORD)

4. Translate from raw address to virtual address using the above data.
Result += (Virtual Address - Raw Address), which should (at least for Wow) look like the two values you have found:
Result += (0x1000 - 0x400)

[Ikse]

Thank you

This is very clear and I'm sure it will help more than one beginner !

I'm on linux so my binary file is in an ELF file format. But the idea is still the same

Thank you again