When you can find documentation on the format used by a particular file, your life will be significantly easier as you attempt to map the file into an IDA database. Example 18-1 shows the first few lines of a PE file loaded into IDA as a binary file. With no help from IDA, we turn to the PE specification, which states that a valid PE file begins with a valid MS-DOS header structure. A valid MS-DOS header structure in turn begins with the 2-byte signature 4Dh 5Ah (MZ), which we see in the first two lines of Example 18-1.
At this point, an understanding of the layout of an MS-DOS header is required. The PE specification would tell us that the 4-byte value located at offset 0x3C in the file indicates ...
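The header walk described above can be scripted so that each step the analyst performs by hand in IDA (confirm MZ, read the 4-byte field at 0x3C, follow it) is checked before the next one is taken. The following is an added example written for this page, not code from the book or from IDA. It relies on two facts from the PE specification that the excerpt above does not spell out: the field at 0x3C is IMAGE_DOS_HEADER.e_lfanew, and it holds the file offset of the 4-byte PE signature 50h 45h 00h 00h ("PE\0\0"). The sample byte strings are constructed in the script, not taken from a real executable.

```python
import struct

# Constants from the PE/COFF specification. MZ at offset 0 is what the page
# shows in Example 18-1; the meaning of the field at 0x3C and the PE
# signature it points to come from the specification, not from the excerpt.
MZ_SIGNATURE = b"MZ"        # 4Dh 5Ah
E_LFANEW_OFFSET = 0x3C      # 4-byte little-endian field in IMAGE_DOS_HEADER
PE_SIGNATURE = b"PE\0\0"    # 50h 45h 00h 00h
DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER)


def locate_pe_header(data: bytes) -> int:
    """Return the file offset of the PE signature, or raise ValueError.

    Mirrors the manual walk in the text: confirm the MZ signature, read the
    4-byte value at 0x3C, and dereference it only after checking that it
    lies inside the buffer. The offset comes from the file, so it is
    attacker-controlled and must never be trusted blindly."""
    if len(data) < DOS_HEADER_SIZE:
        raise ValueError(f"only {len(data)} bytes: too short for an MS-DOS header")
    if data[:2] != MZ_SIGNATURE:
        raise ValueError(f"bad MS-DOS signature {data[:2].hex()}; expected 4d5a")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Upper bound only: tiny-PE tricks legitimately place e_lfanew inside
    # the DOS header, so a lower bound of 0x40 would reject real files.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        raise ValueError(
            f"e_lfanew 0x{e_lfanew:X} is outside the file (size 0x{len(data):X})"
        )
    found = data[e_lfanew:e_lfanew + len(PE_SIGNATURE)]
    if found != PE_SIGNATURE:
        raise ValueError(f"no PE signature at 0x{e_lfanew:X}: found {found.hex()}")
    return e_lfanew


def check_pe(data: bytes) -> tuple[bool, str]:
    """Convenience wrapper: (accepted, human-readable reason)."""
    try:
        off = locate_pe_header(data)
    except ValueError as exc:
        return False, str(exc)
    return True, f"PE signature at file offset 0x{off:X}"


def _dos_header(e_lfanew: int) -> bytes:
    """Constructed 0x40-byte MS-DOS header: MZ, zero fill, e_lfanew at 0x3C."""
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[:2] = MZ_SIGNATURE
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    return bytes(hdr)


# Constructed sample inputs (not real files).
WELL_FORMED = _dos_header(0x80) + b"\0" * 0x40 + PE_SIGNATURE + b"\0" * 20
BAD_OFFSET = _dos_header(0x10000)             # e_lfanew points far past EOF
NOT_MZ = b"ZM" + WELL_FORMED[2:]              # right length, wrong signature


if __name__ == "__main__":
    for name, blob in [("well-formed", WELL_FORMED),
                       ("bad offset", BAD_OFFSET),
                       ("not MZ", NOT_MZ)]:
        ok, msg = check_pe(blob)
        print(f"{name:12} -> {'OK    ' if ok else 'REJECT'} {msg}")
```

The bounds check before following e_lfanew is the part worth copying into any loader or parser: a file that claims MZ but carries a wild 0x3C value is exactly what a fuzzer, or a hostile sample, will hand you, and reading past the end of the buffer is how a hand-written loader module crashes.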