Path: utzoo!attcan!uunet!wuarchive!brutus.cs.uiuc.edu!tut.cis.ohio-state.edu!ucbvax!hplabs!pyramid!mikel
From: mikel@pyrps5 (Mike Lipsie)
Newsgroups: comp.sys.ibm.pc
Subject: Re: modifying executables
Message-ID: <81937@pyramid.pyramid.com>
Date: 24 Aug 89 22:23:40 GMT
Sender: daemon@pyramid.pyramid.com
Reply-To: mikel@pyrps5.pyramid.com (Mike Lipsie)
Organization: Pyramid Technology Corp., Mountain View, CA
Lines: 38

In article <708@megatek.UUCP> hollen@eta.megatek.uucp (Dion Hollenbeck) writes:

And makes some good points. But some items need further clarification.

> If you find any instances of the value showing up
> in the code segment, there is a small possibility that it is an
> immediate value argument to an opcode.

Highly likely. However, if the 180 that was originally mentioned is a floating point value there is zero chance that it will be an immediate value. It might, however, be in a code segment since it is a constant.

> To verify this, you must start
> a ways back from the suspected address and disassemble on successive
> incrementing byte boundaries until you get a disassembly which
> makes sense.

This is wrong. Start back "far enough" (which is usually less than 10 bytes); the disassembler will "recover" rather quickly. Every time that they dump constants in the code segment, the disassembler will hiccough until it recovers again. Most compilers don't do this.

Microsoft (and other) compilers put some debugging information in the executable which allows debuggers (such as PFIX by Phoenix, and maybe CodeView by Microsoft) to tell you where procedures and lines begin. (This must be done on the .EXE file before you rename it.)

To reiterate what Dion says, if you don't have the original source this is not an easy thing to do. The one time I did something comparable, I had to follow the logic of the code to the point that I was interested in changing (I needed to change a "branch equal" to a "branch").

Good Luck

PS. Since this has nothing to do with the Fortran language, I have changed the newsgroups line.
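As an added example that is not part of either poster's message, the script below performs the search the quoted passage describes. It reads the MZ header's "header size in paragraphs" word (file offset 8) to find where the load module begins, then scans the image for the constant 180 in each encoding it could plausibly take: a 16-bit or 32-bit integer (the immediate-operand case) and the 8087 single- and double-precision formats (the floating-point case, which the reply notes is never an immediate). A small heuristic flags 16-bit hits that sit directly after an 8086 opcode that takes a 16-bit immediate. The sample image, the function names and the opcode table are all constructed here for illustration; the opcode bytes listed are real 8086 encodings.

```python
import struct

# Constructed sample image: a minimal 32-byte MZ header (2 paragraphs) followed by
# a fake load module that contains the constant 180 in three different encodings.
def build_sample_image() -> bytes:
    header = bytearray(32)
    header[0:2] = b"MZ"
    struct.pack_into("<H", header, 8, 2)        # header size in paragraphs: 2 * 16 = 32 bytes
    code = bytearray()
    code += b"\xb8" + struct.pack("<H", 180)    # MOV AX, 180  (16-bit immediate operand)
    code += b"\x90" * 4                          # NOP padding
    code += struct.pack("<d", 180.0)             # 8087 QWORD constant dumped into the code segment
    code += b"\x90" * 3
    code += struct.pack("<f", 180.0)             # single-precision copy of the same constant
    return bytes(header) + bytes(code)

# Byte patterns a 16-bit compiler might emit for the value (all little-endian).
ENCODINGS = {
    "int16":   lambda v: struct.pack("<H", int(v)),
    "int32":   lambda v: struct.pack("<I", int(v)),
    "float32": lambda v: struct.pack("<f", float(v)),
    "float64": lambda v: struct.pack("<d", float(v)),
}

# 8086 one-byte opcodes whose next two bytes are a 16-bit immediate (partial list,
# enough for the heuristic): MOV r16,imm16 (B8-BF), ADD/SUB/CMP/AND/OR/XOR AX,imm16.
IMM16_OPCODES = set(range(0xB8, 0xC0)) | {0x05, 0x2D, 0x3D, 0x25, 0x0D, 0x35}

def mz_load_module_start(image: bytes) -> int:
    """File offset where the load module (code and data) begins."""
    if image[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    header_paragraphs = struct.unpack_from("<H", image, 8)[0]
    return header_paragraphs * 16

def looks_like_immediate(image: bytes, pos: int) -> bool:
    """True if the byte before a 16-bit hit is an opcode that takes an imm16 operand."""
    return pos > 0 and image[pos - 1] in IMM16_OPCODES

def find_constant(image: bytes, value):
    """Return (encoding, file_offset, load_module_offset, maybe_immediate) for each hit,
    searching only the load module so header fields are not reported."""
    start = mz_load_module_start(image)
    hits = []
    for name, encode in ENCODINGS.items():
        needle = encode(value)
        pos = image.find(needle, start)
        while pos != -1:
            imm = name == "int16" and looks_like_immediate(image, pos)
            hits.append((name, pos, pos - start, imm))
            pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])

if __name__ == "__main__":
    img = build_sample_image()
    for name, off, rel, imm in find_constant(img, 180):
        note = "  <- probably an immediate operand" if imm else ""
        print(f"{name:8} file offset 0x{off:04x}  load-module offset 0x{rel:04x}{note}")
```

Only the 16-bit hit is preceded by an opcode that takes an immediate; the two floating-point hits are constants sitting in the code segment, exactly the situation the reply says a disassembler will stumble over briefly and then recover from. Against a real .EXE, replace `build_sample_image()` with the file's bytes; the load-module offset, not the file offset, is what the disassembler's addresses are based on.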