Hmmm.. I just took a look at Hexplorer and it sounds good but doesn't look so good. Too flashy for a hex editor and none of the screenshots show the disassembler even though it's in the feature list. I recommend XVI32 for general hex editing. It's simple and gets the job done.
As for finding offsets, I find that using a disassembler is the best way to get data addresses. I use PEBrowse because I haven't found anything better that's free. You can go looking for patterned data in a hex editor but if it doesn't contain text data it can be very difficult.
By disassembling the code section you can look for specific code blocks that tell you where useful data might be. This takes the pseudocode form:
- load some variable (the offset)
- multiply the offset by the data segment size (0x3C for bullet data)
- add an address (this is where the data begins)
For example, starting at offset 0x020C25 you have a reference to the map data section.
Code:
0x420C14: 68D4C74800 PUSH 0x48C7D4 ; .rdata:stage
0x420C19: 8D55E8 LEA EDX,[EBP-0x18]
0x420C1C: 52 PUSH EDX
0x420C1D: E8DE040600 CALL 0x481100
0x420C22: 83C408 ADD ESP,0x8
0x420C25: 8B4508 MOV EAX,DWORD PTR [EBP+0x8]
0x420C28: 69C0C8000000 IMUL EAX,EAX,0xC8
0x420C2E: 0500F04B00 ADD EAX,0x4BF000 ; .csmap:0x30 0x00 0x00 0x00
0x420C33: 50 PUSH EAX
0x420C34: 8D4DE8 LEA ECX,[EBP-0x18]
0x420C37: 51 PUSH ECX
0x420C38: 68DCC74800 PUSH 0x48C7DC ; .rdata:%s\Prt%s
0x420C3D: 8D95D8FEFFFF LEA EDX,[EBP-0x128]
0x420C43: 52 PUSH EDX
0x420C44: E8C7030600 CALL 0x481010
In this case you can tell this code segment is prepping for the call to the function @ 0x481010 (file address of 0x081010). Remember that most disassemblers will show offsets in the memory space and not the file space. In general, programs are set to be loaded with an offset of 0x400000. So the actual data it's reading starts at address 0x08C7DC and not 0x48C7DC.
Hope that helps any aspiring Hackers/Modders to find interesting things in the code. I don't know all that much assembly myself and still haven't worked out where any data read from external files goes in memory.
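Added example, not part of the original post: the post converts memory addresses to file addresses by subtracting the 0x400000 load address, and this Python sketch generalizes that by reading the image base and section table from the PE headers, so it also covers executables whose sections sit at different offsets on disk than in memory. The two header layouts below (the .text name, all section sizes and raw pointers) are constructed for illustration and are not taken from the executable discussed; only the three addresses and the .rdata/.csmap names come from the listing above.

```python
import struct

def parse_sections(pe: bytes):
    """Return (image_base, [(name, rva, vsize, raw_ptr, raw_size)]) for a PE32 file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)       # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    out = []
    for i in range(n_sections):                            # 40-byte section headers
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, raw_ptr, raw_size))
    return image_base, out

def va_to_file_offset(pe: bytes, va: int):
    """Map a virtual address to (section name, file offset) via the section table."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            if rva - sec_rva >= raw_size:
                raise ValueError("address is zero-filled at load time, not stored in the file")
            return name, raw_ptr + (rva - sec_rva)
    raise ValueError("address is not inside any section")

def build_sample(sections, image_base=0x400000):
    """Constructed PE32 headers (no section bodies) for the demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(26) + struct.pack("<I", image_base) + bytes(0xE0 - 32)
    table = b"".join(struct.pack("<8sIIII", n.encode(), vs, rva, rs, rp) + bytes(16)
                     for n, rva, vs, rp, rs in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed layouts: same RVAs, different PointerToRawData values.
ALIGNED = build_sample([(".text", 0x1000, 0x8B000, 0x1000, 0x8B000),
                        (".rdata", 0x8C000, 0x12000, 0x8C000, 0x12000),
                        (".csmap", 0xBF000, 0x5000, 0xBF000, 0x5000)])
PACKED = build_sample([(".text", 0x1000, 0x8B000, 0x400, 0x8B000),
                       (".rdata", 0x8C000, 0x12000, 0x8B400, 0x12000),
                       (".csmap", 0xBF000, 0x5000, 0x9D400, 0x5000)])
```

With the ALIGNED layout, va_to_file_offset(ALIGNED, 0x48C7DC) gives the same 0x08C7DC as plain subtraction; with PACKED the same address lands at a different file offset, which is the case the section table lookup is for.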