AddressOfEntryPoint is beyond the end of the file

Question

I'm trying to understand what the AddressOfEntryPoint in the COFF header.

I have a "nothing" .NET exe:

class Program
{
    public static void Main()
    {
    }
}

(I've compiled it as an x86 application)

The values I get for the standard fields in the COFF header are:

COFF - Optional Header Standard Fields
======================================

UInt16    Magic                         0x0000010B
Byte      MajorLinkerVersion            0x30
Byte      MinorLinkerVersion            0x0
UInt32    SizeOfCode                    0x0400
UInt32    SizeOfInitializedData         0x0800
UInt32    SizeOfUninitializedData       0x0000
UInt32    AddressOfEntryPoint           0x2356
UInt32    BaseOfCode                    2000
UInt32    BaseOfData                    4000

The AddressOfEntryPoint is 0x2356.

The file isn't long enough for this value to be an offset from anywhere, so what it is it?

(Files at: https://drive.google.com/open?id=1VClORkJKyGhd7o3YBPbCZEni1ad_mncl)

Back in ~9x/XP era, when the OS didn't "know" about .NET, there was a CLR loader stub pointed to by the COFF header. I think it's still in there but irrelevant to how .NET code starts running on modern windows. — Damien_The_Unbeliever, Sep 07 '18 at 13:35
Thanks @HansPassant. That gives me `0x356` which seems to point to some data (maybe the strings table??). I was expecting it to point to `_CoreExeMain` or `mscorelib` at `0x53A`. — BanksySan, Sep 07 '18 at 13:37
Ought to be a tiny sliver of machine code, just a 5 byte JMP instruction to the mscoree.dll function. First byte should be 0xE9. Doesn't actually get used, but that's another story. — Hans Passant, Sep 07 '18 at 13:45
@HansPassant for me, `0x356` is in the middle of zero'd bytes. — BanksySan, Sep 07 '18 at 14:04

score 0 · Accepted Answer · answered Sep 09 '18 at 16:13

0

In order to calculate the offset of EntryPoint in the file, you need to subtract BaseOfCode but also add PointerToRawData from .text section. For this file, the last one is 0x200 and with the previous calculations it gives 0x556 which points to a nice jmp to _CorExeMain.

answered Sep 09 '18 at 16:13

Paweł Łukasik

3,893
1
24
36

That's what I'm missing then! The instruction that point to if `FF 25 00 20 40`. Hans said above that it should start with `0xE9`. How com this is different? – BanksySan Sep 09 '18 at 20:14
E9 is a call, this is jmp – Paweł Łukasik Sep 09 '18 at 20:22
YES! When I disassembly that I get `jmp DWORD PTR ds:0x402000 `m which I _think_ looks about right, Thank you! – BanksySan Sep 09 '18 at 20:28
The jump location is, `0x402000`, but `_CoreExeMain` is at `0x054A`. How does the value `0x402000` map? – BanksySan Oct 02 '18 at 11:16
What is @ 0x54A? If you are referring to offset 0x53A then it's just a string there not the code for _CorExeMain. – Paweł Łukasik Oct 02 '18 at 11:28
Aye, where does `0x0402000` point? I know it should point to the import table entry. – BanksySan Oct 02 '18 at 11:34
have a look at [this](https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-the-clr-loader-stub/) – Paweł Łukasik Oct 02 '18 at 19:44

AddressOfEntryPoint is beyond the end of the file

1 Answers1