1

I use IDA to analyse an EXE and find something confusing. The .data section should contain initialized data, so every location should have something like this:

var_A db 0h
var_B dw 12h

But I get a lot of entries with question marks. e.g.

.data:00000001400F1680 qword_1400F1680 dq ?                    ; DATA XREF: sub_14004F8B0+8Er
.data:00000001400F1680                                         ; sub_1400539D0+12Aw ...
.data:00000001400F1688 qword_1400F1688 dq ?                    ; DATA XREF: sub_1400539D0+F5w
.data:00000001400F1688                                         ; sub_1400539D0+FCr
.data:00000001400F1690 qword_1400F1690 dq ?                    ; DATA XREF: sub_1400539D0+C0w
.data:00000001400F1690                                         ; sub_1400539D0+C7r

As far as I know, the ? in x86 assembly means uninitialized data. But this is in the .data section! So are they really uninitialized, or the question mark in db/dw/dd/dq in IDA has a different meaning?

kbridge4096
  • 901
  • 1
  • 11
  • 22
  • 2
    PE sections can be larger in memory than in the disk. See [https://stackoverflow.com/questions/38093168/ida-pro-disassembly-how-to-see-data-portion-in-plain-ascii/38094048](https://stackoverflow.com/questions/38093168/ida-pro-disassembly-how-to-see-data-portion-in-plain-ascii/38094048) – Margaret Bloom Apr 14 '17 at 05:59
  • @MargaretBloom Right answer. thx. – kbridge4096 Apr 14 '17 at 06:14

1 Answers1

0

IDA Pro shows uninitialized value to '?'. The '?' marks appear .data section when the virtual size of the .data section is bigger than the raw size of the .data section. The addresses bigger than the virtual_address('.data')+raw_size('.data') show '?' marks.

db/dw/dd/dq has different meaning in IDA Pro. IDA Pro analyzes the assembly code and set type the location. db/dw/dd/dq means the instructions referencing the address uses 1/2/4/8 bytes respectively.

Seokwoo Choi
  • 64
  • 2