views: 57
answers: 2

Hi, I've got a problem with the EXE format http://www.delorie.com/djgpp/doc/exe/.

I've loaded my file as hex into my editor (qedit), then I disassembled that and I was surprised!

My CS equalled 0 and IP also, but the code of my program (maybe it's 00000040?) is starting several bytes later, and I can't even be sure, because the code which I wrote is next!

At address 00000200 I can see >my< (written by me) disassembled code.

So could you explain to me where CS:IP (mine 0000:0000) points to (give me an address)? Because as I read it, it should point to my code.

00000000 :4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010 :B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030 :00 00 00 00 00 00 00 00 - 00 00 00 00 A8 00 00 00
00000040 :0E 1F BA 0E 00 B4 09 CD - 21 B8 01 4C CD 21 54 68
00000050 :69 73 20 70 72 6F 67 72 - 61 6D 20 63 61 6E 6E 6F
00000060 :74 20 62 65 20 72 75 6E - 20 69 6E 20 44 4F 53 20
00000070 :6D 6F 64 65 2E 0D 0D 0A - 24 00 00 00 00 00 00 00
00000080 :5D 17 1D DB 19 76 73 88 - 19 76 73 88 19 76 73 88
00000090 :E5 56 61 88 18 76 73 88 - 52 69 63 68 19 76 73 88
000000A0 :00 00 00 00 00 00 00 00 - 50 45 00 00 4C 01 01 00
000000B0 :B8 EC 66 4B 00 00 00 00 - 00 00 00 00 E0 00 0F 01
000000C0 :0B 01 05 0C 00 02 00 00 - 00 00 00 00 00 00 00 00
000000D0 :00 10 00 00 00 10 00 00 - 00 20 00 00 00 00 40 00
000000E0 :00 10 00 00 00 02 00 00 - 04 00 00 00 00 00 00 00
000000F0 :04 00 00 00 00 00 00 00 - 00 20 00 00 00 02 00 00
00000100 :00 00 00 00 03 00 00 00 - 00 00 10 00 00 10 00 00
00000110 :00 00 10 00 00 10 00 00 - 00 00 00 00 10 00 00 00
00000120 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000130 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000140 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000150 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000160 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000170 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000180 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000190 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001A0 :2E 74 65 78 74 00 00 00 - 1B 00 00 00 00 10 00 00
000001B0 :00 02 00 00 00 02 00 00 - 00 00 00 00 00 00 00 00
000001C0 :00 00 00 00 20 00 00 60 - 00 00 00 00 00 00 00 00
000001D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000001F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000200 :33 C0 B0 32 50 66 B8 40 - 1F 50 B8 8F 7A 83 7C FF
00000210 :D0 33 C0 50 B8 FA CA 81 - 7C FF D0 00 00 00 00 00
00000220 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000230 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000240 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000250 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000260 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000270 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000280 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000290 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002A0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002B0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000002F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000300 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000310 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000320 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000330 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000340 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000350 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000360 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000370 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000380 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000390 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003A0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003B0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003D0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003E0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000003F0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000400 :
+1  A: 

What you show here is a hex view of your .EXE file.

There's another thing, much different, that is the program loaded in memory.

When you are talking about IP (instruction pointer, although I think you actually mean EIP), you are talking about the memory address of the next instruction to be executed.

Running an executable file will make your operating system read the file, find the sections (code sections, data sections, etc.) and map them into memory, creating a process. All the memory pointers refer to these locations, and not to locations in your executable file.

This is where the difference comes from.

NOTE: for the record, what you are presenting is not the disassembly of your executable. It is simply a hex dump (that is, you view your file as a sequence of hex values). A disassembly would show you actual machine instructions (MOVs, CMPs, JMPs, etc.).

Bruno Reis
Yes, it's true. But how does the program know which piece of the file it should load into memory?
oneat
This is another, different question. Compilers generate different executable formats, for example usually PE for Windows, COFF or ELF for Linuxes. The operating system is what will parse this format and know where to find all the different parts of the program inside the .exe file.
Bruno Reis
IIRC DJGPP is coff.
Marco van de Voort
Tell me what it executes first! Which cell of memory?
oneat
A: 

IIRC a DOS EXE does not load at an absolute address. It allocates the next available free segments and relocates the start segments (and loads of segments) by applying fixups (the existence of which can be seen in the URL you provide).

The offsets within segments are not relocated, but since segments start every 16 bytes, that doesn't cost much slack memory.

This is logical, since loading a few extra TSRs in DOS can make the address of the first memory the binary can be loaded into higher.

Have a look at the free Linkers and Loaders ebook, which explains binary formats in a coherent way:

http://www.iecc.com/linker/

==== added ===

Oops, saw djgpp a bit late. IIRC DJGPP is COFF. If it is DJGPP-generated, you should probably look through the DJGPP-provided utils to see if it has something to examine binary files (a -dump program or so).

Marco van de Voort
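To make the question's numbers concrete, here is an added Python example (not code from the question or from either answer) that parses the hex dump above, decodes the DOS header fields named on the delorie page, and computes where the header's 0000:0000 actually lands in the file: right after the e_cparhdr*16 = 0x40 header bytes, at the "This program cannot be run in DOS mode" stub, while the e_lfanew field at offset 0x3C points to a PE header whose single .text section maps the Windows entry point to file offset 0x200, where the questioner's own bytes start. It also illustrates Marco's point about load-time segments: dos_initial_cs_ip() takes a load segment that is only known when DOS allocates memory, and 0x1234 below is a made-up value. The all-zero rows of the dump are omitted here and zero-filled by the parser; the PE field offsets are the standard PE32 layout.

```python
import struct

# Hex dump copied from the question above; the all-zero rows between 0x120 and 0x1F0
# are omitted and parse_hex_dump() pads the gaps with zero bytes.
DUMP = """\
00000000 :4D 5A 90 00 03 00 00 00 - 04 00 00 00 FF FF 00 00
00000010 :B8 00 00 00 00 00 00 00 - 40 00 00 00 00 00 00 00
00000020 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00000030 :00 00 00 00 00 00 00 00 - 00 00 00 00 A8 00 00 00
00000040 :0E 1F BA 0E 00 B4 09 CD - 21 B8 01 4C CD 21 54 68
00000050 :69 73 20 70 72 6F 67 72 - 61 6D 20 63 61 6E 6E 6F
00000060 :74 20 62 65 20 72 75 6E - 20 69 6E 20 44 4F 53 20
00000070 :6D 6F 64 65 2E 0D 0D 0A - 24 00 00 00 00 00 00 00
00000080 :5D 17 1D DB 19 76 73 88 - 19 76 73 88 19 76 73 88
00000090 :E5 56 61 88 18 76 73 88 - 52 69 63 68 19 76 73 88
000000A0 :00 00 00 00 00 00 00 00 - 50 45 00 00 4C 01 01 00
000000B0 :B8 EC 66 4B 00 00 00 00 - 00 00 00 00 E0 00 0F 01
000000C0 :0B 01 05 0C 00 02 00 00 - 00 00 00 00 00 00 00 00
000000D0 :00 10 00 00 00 10 00 00 - 00 20 00 00 00 00 40 00
000000E0 :00 10 00 00 00 02 00 00 - 04 00 00 00 00 00 00 00
000000F0 :04 00 00 00 00 00 00 00 - 00 20 00 00 00 02 00 00
00000100 :00 00 00 00 03 00 00 00 - 00 00 10 00 00 10 00 00
00000110 :00 00 10 00 00 10 00 00 - 00 00 00 00 10 00 00 00
000001A0 :2E 74 65 78 74 00 00 00 - 1B 00 00 00 00 10 00 00
000001B0 :00 02 00 00 00 02 00 00 - 00 00 00 00 00 00 00 00
000001C0 :00 00 00 00 20 00 00 60 - 00 00 00 00 00 00 00 00
00000200 :33 C0 B0 32 50 66 B8 40 - 1F 50 B8 8F 7A 83 7C FF
00000210 :D0 33 C0 50 B8 FA CA 81 - 7C FF D0 00 00 00 00 00
"""

def parse_hex_dump(text):
    """Turn 'ADDR :xx xx - xx xx' rows into bytes, zero-filling skipped rows."""
    data = bytearray()
    for line in text.splitlines():
        addr_str, sep, hexpart = line.partition(":")
        if not sep:
            continue
        addr = int(addr_str, 16)
        if addr < len(data):
            raise ValueError("rows out of order at %#x" % addr)
        data.extend(b"\0" * (addr - len(data)))          # pad omitted zero rows
        data.extend(int(tok, 16) for tok in hexpart.replace("-", " ").split())
    return bytes(data)

MZ_FIELDS = ("e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc "
             "e_ss e_sp e_csum e_ip e_cs e_lfarlc e_ovno").split()

def parse_mz(data):
    """Decode the 28-byte DOS header (field names as on the delorie page) plus e_lfanew."""
    mz = dict(zip(MZ_FIELDS, struct.unpack_from("<2s13H", data, 0)))
    if mz["e_magic"] != b"MZ":
        raise ValueError("not an MZ executable")
    mz["e_lfanew"] = struct.unpack_from("<I", data, 0x3C)[0]
    mz["header_bytes"] = mz["e_cparhdr"] * 16            # header size is given in 16-byte paragraphs
    # The header's CS:IP is relative to the load module, which starts right after the
    # header, so the first DOS instruction sits at this file offset (0x40 here, not 0):
    mz["dos_entry_offset"] = mz["header_bytes"] + mz["e_cs"] * 16 + mz["e_ip"]
    return mz

def dos_initial_cs_ip(mz, load_seg):
    """CS:IP DOS would start at if it placed the load module at segment load_seg;
    the segment is only chosen at run time, which is why the file just says 0000:0000."""
    return (mz["e_cs"] + load_seg) & 0xFFFF, mz["e_ip"]

def dos_stub_message(data, mz):
    """Recover the text the common stub prints (push cs / pop ds / mov dx,imm16 / mov ah,9 / int 21h)."""
    start = mz["dos_entry_offset"]
    if data[start:start + 3] != b"\x0E\x1F\xBA":
        return None
    dx = struct.unpack_from("<H", data, start + 3)[0]   # DS:DX -> '$'-terminated string
    msg = data[mz["header_bytes"] + dx:]
    return msg[:msg.index(b"$")].decode("ascii")

def parse_pe_entry(data, mz):
    """Follow e_lfanew to the PE header and map AddressOfEntryPoint to a file offset."""
    pe = mz["e_lfanew"]
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                       # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # PE32 layout (magic 0x10B)
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            return {"machine": machine, "section": name.rstrip(b"\0").decode(),
                    "entry_va": image_base + entry_rva,
                    "entry_file_offset": rawptr + (entry_rva - va)}
    return None

if __name__ == "__main__":
    data = parse_hex_dump(DUMP)
    mz = parse_mz(data)
    print("DOS header is %#x bytes; CS:IP %04X:%04X -> file offset %#x"
          % (mz["header_bytes"], mz["e_cs"], mz["e_ip"], mz["dos_entry_offset"]))
    print("if DOS loads it at segment 1234h, CS:IP = %04X:%04X" % dos_initial_cs_ip(mz, 0x1234))
    print("DOS stub prints:", repr(dos_stub_message(data, mz)))
    print("PE entry point:", parse_pe_entry(data, mz))
```

Running it shows the two different entry points the file carries: the DOS header's 0000:0000 resolves to file offset 0x40 (the stub that prints the "cannot be run in DOS mode" message and exits), and the PE header's entry point is 0x401000, backed by the .text section at file offset 0x200. When analysing an unknown binary, checking both is routine, because a file that looks like a DOS program can carry a completely different Windows image behind e_lfanew.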