Why is the exit code what it is, and why are the first bytes of the call 0x0000 and then "printf"?


I'm currently reversing the smallest PE file. Here is what I analysed:

The program prints `* 268b universal tiny PE\n` and returns exit code 26 (which is the string length).

(1): Magic DOS Signature header
(2): e_lfanew address of PE header
(3): PE Signature Magic
(4): Machine code 386
(5): Optional Header magic Signature
(6): Address Of EntryPoint : 0x00000107
(7): jump to 0x0000001e
(8): push 0x004000e4 (which is address of the string)
(9): the string at 0x000000e4
(10): call 0x00400044 (which calls (a) 0x00000062, which refers to (b) the `printf` string)
(11): jump to (12) 0x00000034
(12): add esp,0x4 (to restore the stack after the call)
(13): ret (which should exit the program because we are not in a call?)

Questions:

  1. Why is (a) 0x00000062 (and not 0x00000064, since printf starts at 0x00000064)?
  2. Why does the program return 26 (aka the length of the string)?
  3. How would we add instructions to return a specific exit code?


assembly
x86
reverse-engineering
portable-executable
machine-code
asked on Stack Overflow Apr 22, 2021 by 8HoLoN
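To make the header walk in the question concrete, the following is an added Python example (not the 268-byte file from the question and not the asker's code). It assembles a constructed minimal PE32 image that imports `printf`, then parses it back along the same steps (1) to (6) and (10). The offsets, the 0x200-byte size and `msvcrt.dll` as the providing DLL are assumptions chosen so that no header fields overlap; RVA == file offset is also assumed, as it is in the tiny PE. The point it demonstrates is a fixed property of the format: an IAT slot points at an IMAGE_IMPORT_BY_NAME structure, which begins with a 2-byte Hint field, so the NUL-terminated name starts two bytes after the address in the slot.

```python
import struct

IMAGE_BASE = 0x00400000

# Offsets inside the constructed image (assumed layout, not the real file).
E_LFANEW = 0x40
IMPORT_DESC = 0x140   # IMAGE_IMPORT_DESCRIPTOR
IAT = 0x154           # FirstThunk: one 32-bit slot plus a zero terminator
HINT_NAME = 0x160     # IMAGE_IMPORT_BY_NAME: WORD Hint, then "printf\0"
DLL_NAME = 0x170
MESSAGE = 0x180
ENTRY = 0x1A0


def build_image():
    """Assemble a constructed minimal PE32 image that imports printf."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"                                          # (1) DOS signature
    struct.pack_into("<I", img, 0x3C, E_LFANEW)               # (2) e_lfanew
    img[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"                    # (3) PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, E_LFANEW + 4, 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = E_LFANEW + 24                                       # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                   # (5) PE32 magic
    struct.pack_into("<I", img, opt + 16, ENTRY)              # (6) AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)         # ImageBase
    struct.pack_into("<II", img, opt + 96 + 8, IMPORT_DESC, 20)  # DataDirectory[1]: imports
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
    # Name, FirstThunk (the IAT the loader overwrites with resolved addresses)
    struct.pack_into("<IIIII", img, IMPORT_DESC, IAT, 0, 0, DLL_NAME, IAT)
    struct.pack_into("<II", img, IAT, HINT_NAME, 0)
    struct.pack_into("<H", img, HINT_NAME, 0)                 # Hint = 0x0000
    img[HINT_NAME + 2:HINT_NAME + 9] = b"printf\0"            # Name follows the Hint
    img[DLL_NAME:DLL_NAME + 11] = b"msvcrt.dll\0"
    msg = b"* 268b universal tiny PE\n\0"
    img[MESSAGE:MESSAGE + len(msg)] = msg
    # Entry code shaped like steps (8), (10), (12), (13) of the question.
    code = (b"\x68" + struct.pack("<I", IMAGE_BASE + MESSAGE)      # push imm32
            + b"\xFF\x15" + struct.pack("<I", IMAGE_BASE + IAT)    # call [imm32]
            + b"\x83\xC4\x04"                                      # add esp, 4
            + b"\xC3")                                             # ret
    img[ENTRY:ENTRY + len(code)] = code
    return bytes(img)


def cstring(img, off):
    """Read a NUL-terminated ASCII string at the given offset."""
    return img[off:img.index(b"\0", off)].decode("ascii")


def walk_import(img):
    """Follow the headers to the first imported symbol and report where the
    IAT slot points versus where the function name itself starts."""
    if img[:2] != b"MZ":
        raise ValueError("missing DOS signature")
    e_lfanew, = struct.unpack_from("<I", img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, = struct.unpack_from("<H", img, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", img, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry, = struct.unpack_from("<I", img, opt + 16)
    image_base, = struct.unpack_from("<I", img, opt + 28)
    import_rva, _ = struct.unpack_from("<II", img, opt + 104)
    _, _, _, dll_rva, first_thunk = struct.unpack_from("<IIIII", img, import_rva)
    # Before the loader patches it, the slot holds the RVA of IMAGE_IMPORT_BY_NAME.
    by_name_rva, = struct.unpack_from("<I", img, first_thunk)
    hint, = struct.unpack_from("<H", img, by_name_rva)
    return {
        "machine": machine,
        "entry": entry,
        "image_base": image_base,
        "dll": cstring(img, dll_rva),
        "iat_slot": first_thunk,
        "by_name_rva": by_name_rva,       # what the slot points at: the Hint word
        "hint": hint,
        "name_rva": by_name_rva + 2,      # where the name string really starts
        "name": cstring(img, by_name_rva + 2),
    }


def decode_call_target(img, entry, image_base):
    """Decode the 'call [imm32]' (FF 15) that follows the 5-byte push at the
    entry point and return the RVA of the IAT slot it reads through."""
    off = entry + 5                        # skip push imm32 (68 xx xx xx xx)
    if img[off:off + 2] != b"\xFF\x15":
        raise ValueError("expected call [imm32]")
    absolute, = struct.unpack_from("<I", img, off + 2)
    return absolute - image_base


if __name__ == "__main__":
    image = build_image()
    info = walk_import(image)
    print(info)
    print(hex(decode_call_target(image, info["entry"], info["image_base"])))
```

`call [imm32]` (opcode FF 15) carries the absolute address of the IAT slot, not of the function, so `decode_call_target` subtracts ImageBase to recover the slot RVA that `walk_import` reaches from the headers; the 0x0000 Hint word that the slot points at is the pair of bytes seen before "printf". The exit code is a separate matter: with no C runtime, `ret` from the entry point returns into the loader's thread-start code with whatever `printf` left in eax (the number of characters it wrote), and that becomes the process exit code unless the code sets eax (for example `mov eax, imm32` before the `ret`) or calls ExitProcess with an explicit value.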

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0