Cheat Engine

iNoobHacker · Posted: Sat Mar 07, 2009 4:10 am Post subject: PE Header

Hi,

I'm trying to read the PE Header of a file, so I used the MapViewOfFile API which returned the starting address of the PE Header in the calling process, I want to access the import address for example so I'm adding the RVA to the base address, but when I'm trying to access some address, for example the entry point, I add the RVA to the base address but I get to some diffrent address.

I tested this on notepad.exe and I searched for the entry point manually and I found out that the addresses are subtracted by 0xF00 for some reason, so if the entry point RVA was 0x7604 then the address was base+0x6704, or if the IAT is at 0x1000 then the address was base+0x100.

In runtime, the addresses are correct, however when I read the file the addresses are subtracted by 0xF00, at least on notepad it does.

Does anyone know what the problem might be?

tombana · Posted: Sat Mar 07, 2009 4:23 am Post subject:

If you read it from a file, you first have to parse the section headers, and then convert the RVA to an offset in one of the sections.

iNoobHacker · Posted: Sat Mar 07, 2009 12:57 pm Post subject:

How do I know which section contains the IAT and all the rest?
And how do I get the section headers base addresses? or I just add their offsets to the image base?

Bump...