View Full Version : Old winice (vxd) & relocation


Timbo
May 24th, 2004, 15:21
I'm trying to understand how the old winice.exe vxd combination
is relocating. Anyone know how ?? NZ ??
It's not a PE I know

Kayaker
May 24th, 2004, 18:46
Hi

Not sure exactly what you're getting at, but the vxd is in LE format and will be loaded somewhere above 0C0000000h, the base address for the system shared region in Win9x. The exact starting address can be obtained from the Softice 'VXD' command, or programmatically if need be.

K.

Timbo
May 25th, 2004, 16:38
Well, I mean,
who calculates something like this:
mov esi, address
in hex seen only
BE 00 00 00 00

so how does the address get into these zeros?
I didn't see any reloc section
(like in ntice.sys 8 -> reloc)
inside this winice.exe (vxd inside)

how is it done?

well, I really should wipe W9X

Kayaker
May 25th, 2004, 23:19
I'm not sure exactly how the OS maps vxd sections, I think it's dependent on load order, size of the sections, available memory, etc., and not to any inherent reloc info. as might exist in PE files. I haven't got things installed any longer to look into it further.

The easiest thing to do is get the "real" starting address of the driver sections with the 'VXD' command and calculate the offset from the disassembled addresses as seen in IDA. You can then use this raw->virtual offset to unassemble selected instructions and read the real Data variable addresses from the Softice window.

If you were really interested, you could look into how the Vxd_Desc_Block DDB structure was initialized when a driver is loaded, along with the Device_Location_List, ObjectLocation and other structures which define linear address and other info about a driver. But methinks this is not the case