(May 29th, 2016, 16:46)Bogus Wrote: Well, that explains the random weirdness that I experienced. Thanks a lot for this explanation.
Otherwise, I didn't yet look into the whole overlay business. Where does IDA show me which overlay segment I'm in, or if it's an overlay at all?
Also, why calculate 0378 + 3? That doesn't quite make sense to me. Did you want to write something else?
Does the table have a header of some sort to find it, or is it just data? Where would I find that stub entry to remove these calls? I think I need those bytes the calls take up.
Switch the view from graph to text and you see the segment and offset for each line of code.
+3 because a far call is 9A xx xx yy yy, where yy yy is the part the relocation needs to point at, the 3rd byte of the 5-byte instruction. To be more specific, xxxx is the offset of the jump and yyyy is the segment, and relocation only needs to be done to segment addresses.
The table is just data at the end of the segment. The easiest way to find it is to go to the beginning of the next segment in the hex editor and move backwards. The 00s are the empty space where you can add more relocation entries, and the numbers before them are the entries in use.
Of course, if you know the entry you are looking for, searching for the exact bytes inside the segment you work on will find it fastest.
The stub shows up in IDA, and the line marked "relsize" is the size of the relocation. (It's in bytes, so 1 entry adds or subtracts 2 from this number.)
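An added Python example (not code from this thread or from either poster) that shows the bookkeeping described above: it scans a constructed code segment for 9A far calls, derives the offsets the relocation entries must point at (instruction offset + 3, the segment word), parses a constructed relocation table of 2-byte entries followed by 00 padding, computes relsize, and cross-checks the table against the calls. The sample bytes, the separate table buffer and all function names are assumptions for illustration.

```python
import struct

FAR_CALL_OPCODE = 0x9A  # CALL FAR ptr16:16 is encoded as 9A xx xx yy yy

# Constructed sample segment: mov ax,0 / call far 1234:0010 / nop / call far 3456:0378 / retf
SAMPLE_CODE = bytes.fromhex("B80000" "9A10003412" "90" "9A78035634" "CB")
# Constructed relocation table: two 2-byte little-endian entries, then unused 00 slots
SAMPLE_TABLE = bytes.fromhex("0600" "0C00" "0000" "0000")


def find_far_calls(code: bytes) -> list:
    """Linear scan for 9A far calls; returns (instruction offset, target offset, target segment).
    A 0x9A byte inside data or an immediate also matches, so verify against the relocation table."""
    calls = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == FAR_CALL_OPCODE:
            off, seg = struct.unpack_from("<HH", code, i + 1)
            calls.append((i, off, seg))
            i += 5
        else:
            i += 1
    return calls


def relocation_offsets(code: bytes) -> list:
    """Offsets a relocation entry must point at: the segment word, i.e. call offset + 3."""
    return [i + 3 for i, _, _ in find_far_calls(code)]


def parse_reloc_table(table: bytes) -> list:
    """Entries are 16-bit little-endian offsets; the first 00 00 word starts the free space."""
    entries = []
    for (entry,) in struct.iter_unpack("<H", table[: len(table) // 2 * 2]):
        if entry == 0:
            break
        entries.append(entry)
    return entries


def relsize(entries: list) -> int:
    """relsize is counted in bytes, so each entry contributes 2."""
    return 2 * len(entries)


def check_relocs(code: bytes, entries: list) -> list:
    """Entries that do not land on the segment word of a far call (likely stale or mis-edited)."""
    expected = set(relocation_offsets(code))
    return [e for e in entries if e not in expected]
```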