Finding a function in a disassembly


Problem description

I'm busy following a tutorial where the author uses DUMPBIN to list exports, and OllyDbg to get the assembly code for an exported function. How would I find the function's code in the complete disassembly, given that the export table's RVAs don't correspond to real addresses in the disassembly?

Recommended answer

An RVA is a relocatable virtual address. To find the real address in the process space you need to know the base address where the module was loaded in the process. Add that base address to the RVA and you have the real address. I haven't used OllyDbg but I'd be astounded if it didn't supply the base address for the modules loaded in the process to which it was attached. If for some reason it doesn't supply that info, you can get it by using procexp.exe from the Sysinternals tools.
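The calculation described in the answer (real address = module base + RVA), as an added example that is not part of the original answer: it reads the named exports from a PE image and converts each RVA to an address, using the header's `ImageBase` unless a load address read from the debugger or Process Explorer is supplied. The names `export_addresses` and `build_sample`, the sample image and the load address `0x6F000000` are constructed for illustration.

```python
import struct

def export_addresses(pe, load_base=None):
    """Map export name -> (RVA, VA); VA = load_base + RVA (header ImageBase if None)."""
    u16 = lambda o: struct.unpack_from("<H", pe, o)[0]
    u32 = lambda o: struct.unpack_from("<I", pe, o)[0]
    nt = u32(0x3C)                                        # e_lfanew -> "PE\0\0"
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                         # optional header
    plus = u16(opt) == 0x20B                              # PE32+ (64-bit) layout
    image_base = struct.unpack_from("<Q", pe, opt + 24)[0] if plus else u32(opt + 28)
    exp_rva, exp_size = struct.unpack_from("<II", pe, opt + (112 if plus else 96))
    sections = [struct.unpack_from("<4I", pe, opt + u16(nt + 20) + 40 * i + 8)
                for i in range(u16(nt + 6))]              # (vsize, va, rawsize, rawptr)
    def off(rva):                                         # RVA -> file offset
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    if not exp_rva:
        return {}                                         # image exports nothing
    base = image_base if load_base is None else load_base
    n_names, funcs, names, ords = struct.unpack_from("<4I", pe, off(exp_rva) + 24)
    found = {}
    for i in range(n_names):
        s = off(u32(off(names) + 4 * i))
        rva = u32(off(funcs) + 4 * u16(off(ords) + 2 * i))
        if not exp_rva <= rva < exp_rva + exp_size:       # skip forwarder strings
            found[pe[s:pe.index(b"\0", s)].decode("ascii")] = (rva, base + rva)
    return found

def build_sample():
    """Constructed minimal PE32 image: one section, export 'Foo' at RVA 0x1100."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 224)     # file header
    struct.pack_into("<H", img, 0x58, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 28, 0x10000000)        # ImageBase
    struct.pack_into("<II", img, 0x58 + 96, 0x1000, 0x40)     # export dir RVA, size
    struct.pack_into("<8s4I", img, 0x138, b".edata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<5I", img, 0x214, 1, 1, 0x1028, 0x102C, 0x1030)
    struct.pack_into("<IIH", img, 0x228, 0x1100, 0x1034, 0)   # func RVA, name RVA, ordinal
    img[0x234:0x238] = b"Foo\0"
    return bytes(img)

if __name__ == "__main__":
    for base in (None, 0x6F000000):       # header ImageBase, then a constructed load address
        print({n: (hex(r), hex(v)) for n, (r, v) in export_addresses(build_sample(), base).items()})
```

A module that was relocated at load time sits at a base different from the header's `ImageBase`, so pass the base shown for the loaded module when matching addresses in a live disassembly.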
