AddressOfEntryPoint is beyond the end of the file

1

I'm trying to understand what the AddressOfEntryPoint in the COFF header.

I have a "nothing" .NET exe:

class Program
{
    public static void Main()
    {
    }
}

(I've compiled it as an x86 application)

The values I get for the standard fields in the COFF header are:

COFF - Optional Header Standard Fields
======================================

UInt16    Magic                         0x0000010B
Byte      MajorLinkerVersion            0x30
Byte      MinorLinkerVersion            0x0
UInt32    SizeOfCode                    0x0400
UInt32    SizeOfInitializedData         0x0800
UInt32    SizeOfUninitializedData       0x0000
UInt32    AddressOfEntryPoint           0x2356
UInt32    BaseOfCode                    2000
UInt32    BaseOfData                    4000

The AddressOfEntryPoint is 0x2356.

The file isn't long enough for this value to be an offset from anywhere, so what it is it?

(Files at: https://drive.google.com/open?id=1VClORkJKyGhd7o3YBPbCZEni1ad_mncl)

.net
windows
executable
portable-executable
coff
asked on Stack Overflow Sep 7, 2018 by BanksySan

1 Answer

0

In order to calculate the offset of EntryPoint in the file, you need to subtract BaseOfCode but also add PointerToRawData from .text section. For this file, the last one is 0x200 and with the previous calculations it gives 0x556 which points to a nice jmp to _CorExeMain.

enter image description here

answered on Stack Overflow Sep 9, 2018 by Paweł Łukasik

User contributions licensed under CC BY-SA 3.0