c, assembly, compilation

Strange assembly code generated after compiling


I'm just trying to add 0x3C, but the compiler is converting it to 0x0F0. Why?

This is the kernel32_base declaration that is passed as argument to the function:

DWORD* kernel32_base

And here are the C code and the disassembled code:

DWORD PE_shift=NULL;
00DB212E  mov         dword ptr [PE_shift],0  
    PE_shift = *(kernel32_base + 0x3C); //60=3Ch
00DB2135  mov         eax,dword ptr [kernel32_base]  
00DB2138  mov         ecx,dword ptr [eax+0F0h]  ; <-----------------
00DB213E  mov         dword ptr [PE_shift],ecx  

Where is that 0F0h coming from? It should be 0x3C, right?


Solution

  • Because DWORD is a four-byte type. Your C code says load the 0x3C'th 4-byte quantity after the base pointer. 4 times 0x3C is 0xF0. If you want to get the DWORD at byte offset 0x3C, then it needs to be:

    PE_shift = *(DWORD*)((char*)kernel32_base + 0x3C);
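As an added illustration (not part of the question or the answer), the following C program shows the scaling the answer describes on a constructed buffer: `sample_image`, the marker values stored in it and the helper names are all made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t DWORD;

/* Byte distance the compiler actually uses for "base + n" when base is a DWORD*.
 * Pointer arithmetic scales by sizeof(*base), so this returns n * 4. */
size_t scaled_byte_offset(const DWORD *base, size_t n)
{
    const DWORD *p = base + n;
    return (size_t)((const char *)p - (const char *)base);
}

/* What the question's code does: the DWORD n elements (n*4 bytes) after base. */
DWORD read_dword_element(const DWORD *base, size_t n)
{
    return *(base + n);
}

/* What the answer recommends: the DWORD at byte offset off from base.
 * memcpy instead of a cast dereference keeps this safe for unaligned offsets. */
DWORD read_dword_at_byte_offset(const DWORD *base, size_t off)
{
    DWORD v;
    memcpy(&v, (const char *)base + off, sizeof v);
    return v;
}

/* Constructed 0x100-byte buffer (not a real PE image), declared as DWORDs so
 * the base pointer is suitably aligned. A marker is placed at byte offset 0x3C
 * and a different one at byte offset 0xF0 (= 0x3C * 4). */
static DWORD sample_image[0x40];

void build_sample_image(void)
{
    DWORD at_3c = 0x000000E8; /* constructed marker at byte 0x3C */
    DWORD at_f0 = 0xDEADBEEF; /* constructed marker at byte 0xF0 */
    memset(sample_image, 0, sizeof sample_image);
    memcpy((char *)sample_image + 0x3C, &at_3c, sizeof at_3c);
    memcpy((char *)sample_image + 0xF0, &at_f0, sizeof at_f0);
}

int main(void)
{
    build_sample_image();
    printf("base + 0x3C advances by 0x%zX bytes\n", scaled_byte_offset(sample_image, 0x3C));
    printf("*(base + 0x3C)            = 0x%08X\n", read_dword_element(sample_image, 0x3C));
    printf("*(DWORD*)((char*)base+0x3C) = 0x%08X\n", read_dword_at_byte_offset(sample_image, 0x3C));
    return 0;
}
```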