News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Re: Location counter??

Started by plutocat, October 29, 2011, 02:51:33 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

plutocat

October 29, 2011, 02:51:33 AM
If you look at IAT in Olly Dbg you can see something like this:
004013FE   .-FF25 84314000  JMP DWORD PTR DS:[<&USER32.KillTimer>]   ;  USER32.KillTimer
or like that:
0040140A   $-FF25 8C314000  JMP DWORD PTR DS:[<&USER32.LoadCursorA>] ;  USER32.LoadCursorA
Could somebody explain the meaning of current location counter ($) in this context? What is the meaning of "$-" or "$+" and ".-" ?
Thanks a lot in advance!



dedndave

#1
October 29, 2011, 03:00:35 AM
not sure about the '.'
$ typically means the current address - i think olly is using it for something else   :P
those addresses represent where the kernel loaded the table with addresses of those functions

Code Select
0040140A   FF25 8C314000  JMP DWORD PTR DS:[<&USER32.LoadCursorA>]
if you look at addres 0040140A, you will see FF 25 8C 31 40 00
which means
Code Select
        jmp dword ptr [0040318C]
at 0040318C, you will find the actual address of the code
Print
Go Up Pages1
User actions