REBlog
October 19th, 2007, 20:27
It is common to hear reverse engineers throw around the phrase, “forty-thousand hex”. To someone unfamiliar with reverse engineering or debugging in Windows, this phrase would probably be interpreted to mean the value 0x00040000. However, when reverse engineers say, “forty-thousand hex”, they are actually referring to the value 0x00400000.
The value 0x00400000 is commonly seen when doing low-level work in Windows because this is the default base address of EXE files compiled by Microsoft’s C++ compiler.
So why say “forty-thousand hex” instead of “four-hundred-thousand hex”? For starters, the former is easier to say (one less syllable) than the latter. But more importantly, hexadecimal numbers are usually grouped in sets of 2-digits (bytes) instead of in groups of 3-digits as in base 10. As such, a reverse engineer could read 0x00400000 as 0x00,40,00,00. Going from right-to-left, we have 00 in the “tens” place, 00 in the “hundreds” place, and 40[FONT=Verdana][SIZE=2] in the “thousands” place.
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2006/06/05/13.aspx
The value 0x00400000 is commonly seen when doing low-level work in Windows because this is the default base address of EXE files compiled by Microsoft’s C++ compiler.
So why say “forty-thousand hex” instead of “four-hundred-thousand hex”? For starters, the former is easier to say (one less syllable) than the latter. But more importantly, hexadecimal numbers are usually grouped in sets of 2-digits (bytes) instead of in groups of 3-digits as in base 10. As such, a reverse engineer could read 0x00400000 as 0x00,40,00,00. Going from right-to-left, we have 00 in the “tens” place, 00 in the “hundreds” place, and 40[FONT=Verdana][SIZE=2] in the “thousands” place.
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2006/06/05/13.aspx