I have some software that reads out a value from another software's memory. I can perfectly find the static offsets of it with every update. My issue is the following:
Let's say, the software uses ASLR with a base pointer of 0x00123456.. The static offset for the wanted value would be base + 0x00006666. I would want to find those automatically, and therefore parse the .exe file on every update. In theorey, the addresses should be in the assembly. The question is: how are they encoded ?
If I open up the .exe file a hex editor and search for offset or base+offset none of it is contained in the file. How do I need to convert my adresses, when I want to find the places they are getting used in the assembly code ?
Most .DLL files and many .EXE files contain a base relocation table.
This table contains a list of all absolute addresses used in the .EXE file.
It is typically stored in a section named ".reloc". However the section name is ignored by Windows; the PE EXE file header contains a reference to the base relocation table.
However not all .EXE files contain such a base relocation table. If such a table is not present then the .EXE file is always loaded into the same address - even if ASLR is active.
This is the case for most 32-bit EXE files created by the GNU linker.