1
00:00:00,810 --> 00:00:10,980
Hello and welcome to the lecture on the PE header. Here we are going to look at the export directory

2
00:00:10,980 --> 00:00:19,830
structure, which forms part of the PE header. In order to study the PE header,

3
00:00:20,160 --> 00:00:30,870
we are going to use kernel32.dll by opening it in a tool called PE-bear and look at the PE header.

4
00:00:32,510 --> 00:00:40,820
You're also going to open a file called winnt.h, which is an important header file.

5
00:00:41,180 --> 00:00:46,640
It comes installed if you have Visual Studio 2019.

6
00:00:47,880 --> 00:00:50,010
And it is found in this location.

7
00:00:52,170 --> 00:00:56,710
The kernel32.dll can be found in this location.

8
00:00:58,690 --> 00:01:10,360
So on the left of this diagram, I have opened the winnt.h header file in Notepad++ and I searched

9
00:01:10,630 --> 00:01:15,910
for a structure called the export directory structure.

10
00:01:17,470 --> 00:01:24,660
This export directory structure forms part of the PE header. On the right,

11
00:01:24,730 --> 00:01:33,800
you can see that I used PE-bear to open kernel32.dll and I clicked on the optional header

12
00:01:33,800 --> 00:01:33,980
tab.

13
00:01:35,020 --> 00:01:41,620
This shows the export directory structure, which is this one.

14
00:01:43,720 --> 00:01:55,600
And then if you wanted to view the raw hex values of the memory location, you can right-click this address

15
00:01:55,600 --> 00:01:55,870
here.

16
00:01:56,930 --> 00:02:05,390
This is the relative virtual address. If you right-click on this, you will open up the memory of

17
00:02:05,390 --> 00:02:13,880
that top panel and then you can examine the raw values experience day and you will be able to analyze

18
00:02:13,880 --> 00:02:20,000
see that all of these values here correspond to this structure on the left here.

19
00:02:21,470 --> 00:02:26,690
So we are going to do this later on when we do the practical session.

20
00:02:27,110 --> 00:02:33,440
Now, I'm just showing you the theoretical background knowledge, which you need to know before we go

21
00:02:33,440 --> 00:02:36,470
to the practical on this.

22
00:02:38,220 --> 00:02:39,750
Now, this is another diagram.

23
00:02:41,100 --> 00:02:49,730
Showing the same to fans, but on the right, I now click on the Exports tab, as you can see, Exports

24
00:02:49,740 --> 00:02:50,130
tab.

25
00:02:50,880 --> 00:02:56,970
So the Exports tab will show you in a human-readable form what is on top.

26
00:02:58,620 --> 00:03:09,180
And this is easier to understand, and you can actually find the correlation between this and this.

27
00:03:09,840 --> 00:03:10,770
So you can see.

28
00:03:12,040 --> 00:03:18,760
The first member of the export directory structure is Characteristics.

29
00:03:19,450 --> 00:03:24,970
And here you can see Characteristics and the value is zero and you can see any very zero.

30
00:03:26,210 --> 00:03:33,070
Four bytes, all zeros, and then the second member is TimeDateStamp, as you can see on the right, TimeDateStamp,

31
00:03:33,080 --> 00:03:41,780
and the value is in hex Phi Phi for the cc1 one fight, which corresponds to this.

32
00:03:44,280 --> 00:03:50,550
In reverse, because of little-endian CPU, in castleview memory, in reverse order.

33
00:03:51,150 --> 00:03:56,370
So you realize two zero five five 40 60.

34
00:03:58,200 --> 00:04:03,540
So it should be here five for the cc1 fight, which is this.

35
00:04:04,670 --> 00:04:13,860
And then the next member is WORD MajorVersion, and you can see major zero referring to this WORD,

36
00:04:13,920 --> 00:04:14,570
these two bytes.

37
00:04:15,830 --> 00:04:17,760
And then this, MinorVersion.

38
00:04:18,050 --> 00:04:23,870
Here also you can see minor version zero, which refers to these two bytes here.

39
00:04:25,380 --> 00:04:29,190
And you can go on down and analyze it this way.

40
00:04:29,610 --> 00:04:31,860
On the left is your source code.

41
00:04:32,280 --> 00:04:36,840
On the right is your hex view of the PE header.

42
00:04:38,250 --> 00:04:44,760
So let's try to understand how the PE loader resolves function names. When the program wants to

43
00:04:44,760 --> 00:04:48,570
run the DLL, it will load the file into memory.

44
00:04:49,140 --> 00:04:57,770
And part of the process of loading the file involves trying to resolve the function names in over on

45
00:04:57,780 --> 00:04:58,170
this.

46
00:04:58,170 --> 00:05:05,550
In this diagram, on the top left-hand corner is the export directory structure, which is taken from

47
00:05:05,550 --> 00:05:08,700
here and then on the

48
00:05:09,770 --> 00:05:18,890
bottom right corner here, I expanded each of these three members into an easier-to-understand diagram

49
00:05:18,890 --> 00:05:19,090
you.

50
00:05:20,240 --> 00:05:21,380
So this one here.

51
00:05:22,100 --> 00:05:26,120
AddressOfFunctions refers to this diagram here.

52
00:05:28,430 --> 00:05:31,400
And this is a function address.

53
00:05:32,030 --> 00:05:40,100
So each of these values stored in here are addresses, for example, in hex two or three, four or five and

54
00:05:40,100 --> 00:05:40,550
so on.

55
00:05:42,170 --> 00:05:50,570
And this is a list of all the functions that are exported by this particular DLL, and the name for this

56
00:05:50,850 --> 00:05:53,990
array is the export address table.

57
00:05:56,210 --> 00:06:02,110
And then this is AddressOfNames, represented here.

58
00:06:03,400 --> 00:06:08,860
So all these are name strings, they are addresses to strings, for example,

59
00:06:08,950 --> 00:06:09,910
WriteProcessMemory.

60
00:06:10,480 --> 00:06:17,140
So these are all human-readable strings, which I use N0 to represent the strings, and N1 and

61
00:06:17,140 --> 00:06:17,920
N2 and so on.

62
00:06:19,330 --> 00:06:25,330
And one of these could be, say, WriteProcessMemory, and that one could be GetProcAddress, the next one could

63
00:06:25,330 --> 00:06:28,150
be GetModuleHandle and so on and so forth.

64
00:06:29,260 --> 00:06:35,560
So these are the names, which are strings, of the functions.

65
00:06:36,820 --> 00:06:42,160
And then the next array here down here is called the ordinals. Ordinals

66
00:06:42,160 --> 00:06:45,430
are just numbers to represent the

67
00:06:46,440 --> 00:06:47,040
strings.

68
00:06:47,820 --> 00:06:54,690
So the first string may be WriteProcessMemory having number zero, and then here might have GetProcAddress,

69
00:06:55,380 --> 00:06:56,310
number one and so on.

70
00:06:57,770 --> 00:07:05,360
So why do we need to have these ordinals? So the ordinals help to map the function address.

71
00:07:06,050 --> 00:07:17,330
So for example, if the PE loader wants to find a particular function name N3, so the PE loader

72
00:07:17,330 --> 00:07:26,210
will go to this names array and then look through each of the members of the array until it finds N3.

73
00:07:27,170 --> 00:07:34,070
Once you find N3, N3 could be WriteProcessMemory maybe five ember and then you will go down to

74
00:07:34,070 --> 00:07:40,330
the ordinals array and look for the corresponding ordinal for N3.

75
00:07:41,180 --> 00:07:44,000
So you will find that the ordinal for N3 is five.

76
00:07:44,810 --> 00:07:52,700
So once it finds the ordinal for N3, you can then go to the function address array and look up

77
00:07:53,150 --> 00:07:53,570
five.

78
00:07:54,810 --> 00:07:56,040
So five will be here.

79
00:07:56,520 --> 00:07:58,850
Zero one two three four five.

80
00:07:59,610 --> 00:08:04,200
So we get the address for WriteProcessMemory, N3.

81
00:08:05,580 --> 00:08:09,120
So this is how the PE loader resolves function names.

82
00:08:10,800 --> 00:08:17,260
It is also important to remember to know what is the meaning of Base. This here means that

83
00:08:17,440 --> 00:08:26,180
what is the starting ordinal number for this is why they actually are in a burning need.

84
00:08:26,180 --> 00:08:33,580
Now although this is just a 012 chief, I hear sometimes, because you have a base which is non-zero,

85
00:08:34,030 --> 00:08:35,980
you have to add it to this.

86
00:08:36,460 --> 00:08:40,210
So if your base is two, then you add two to this.

87
00:08:40,660 --> 00:08:48,670
And then from here you get the actual. If, let's say, you know the ordinal number and you want to find

88
00:08:48,670 --> 00:08:56,860
the actual ordinal here, you have to minus. From here you have a 10 and you want to locate it in this structure.

89
00:08:57,490 --> 00:09:02,830
So you have to take 10 minus your base address, base ordinal, which is two.

90
00:09:03,070 --> 00:09:04,870
So 10 minus two is eight.

91
00:09:05,530 --> 00:09:07,570
So from there you go to eight.

92
00:09:08,200 --> 00:09:09,090
So you get it.

93
00:09:09,100 --> 00:09:10,840
So you go here and look for it.

94
00:09:11,110 --> 00:09:14,140
There you have a pointer to this address.

95
00:09:15,010 --> 00:09:18,220
So this is how the loader resolves function names.

96
00:09:18,610 --> 00:09:24,970
So this is how the PE loader resolves function names. In the next video we'll do a practical walkthrough

97
00:09:25,330 --> 00:09:25,990
on this.

98
00:09:26,320 --> 00:09:27,700
So I'll see you in the next one.

99
00:09:28,030 --> 00:09:29,110
Thank you for watching.