Friday, July 14, 2017

The three locations in IDA

In the lower left of the disassembly window of IDA, there are three different indicators showing the current location. I'm currently browsing a Keen 5 disassembly and I see these values:

00008E2D | 0000622D: sub616D+C0

The leftmost value is the location in the EXE, the address you would give to your hex editor if you wanted to see that spot.

The one in the next section of the status bar is the address in memory, distinct from the EXE address because the EXE format has a header with various information before the actual code and data. This address is very important because it's the one you should give to CKPatch to alter the instructions in memory.

The last isn't really a distinct address; it's a restatement of the previous. It gives the current location relative to the last name or the current segment, depending on where you are in the file. In this case, I'm 0xC0 bytes into the function auto-named sub616D. If it's showing a segment (evidenced by the presence of another colon), you can use the Segmentation window to find the Base of the segment and use that to get an RL value for CKPatch. Otherwise, this alternate value display isn't super useful for patching purposes.
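The relationship between the first two values can be checked against the EXE header itself. The sketch below is an added example, not code from the original post: it reads the header size from a DOS MZ header and converts between hex-editor offsets and offsets in the loaded image, assuming the second value is counted from the start of the loaded image. The function names are this example's own, and the sample header is constructed so that its size matches the 0x2C00 difference between the two values shown above; it is not read from the real Keen 5 executable.

```python
import struct

def parse_mz(exe):
    """Return (header_size, image_size) in bytes for a DOS MZ executable."""
    if len(exe) < 28 or exe[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS MZ executable")
    # Words at offset 2: bytes used in the last 512-byte page, page count,
    # relocation count, header size in 16-byte paragraphs.
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<4H", exe, 2)
    header_size = e_cparhdr * 16
    load_end = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    if not header_size <= load_end <= len(exe):
        raise ValueError("inconsistent MZ header")
    return header_size, load_end - header_size

def file_to_image(file_off, header_size, image_size):
    """Hex-editor offset -> offset in the loaded image."""
    image_off = file_off - header_size
    if not 0 <= image_off < image_size:
        # Header bytes and trailing data are never loaded as code or data.
        raise ValueError("offset 0x%X is outside the loaded image" % file_off)
    return image_off

def image_to_file(image_off, header_size, image_size):
    """Offset in the loaded image -> hex-editor offset."""
    if not 0 <= image_off < image_size:
        raise ValueError("offset 0x%X is outside the loaded image" % image_off)
    return image_off + header_size

def build_sample():
    """Constructed EXE: 0x2C0-paragraph header followed by 0x6400 zero bytes."""
    header = struct.pack("<2s4H", b"MZ", 0, 0x48, 0, 0x2C0).ljust(0x2C00, b"\0")
    return header + bytes(0x6400)

if __name__ == "__main__":
    hdr, img = parse_mz(build_sample())
    print("header size: 0x%X, loaded image: 0x%X bytes" % (hdr, img))
    print("file 0x8E2D -> image 0x%04X" % file_to_image(0x8E2D, hdr, img))
    print("image 0x622D -> file 0x%04X" % image_to_file(0x622D, hdr, img))
```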
