
Debuggers: immunity debugger and IDA

Topic created on: April 4, 2013 07:37 CDT by blowcheck.

Hi all,
another stupid question: I'm debugging an app with immdbg and IDA, and I'm not able to rebase a .dll correctly in IDA Pro.
From the immdbg side I have 0043232B and in IDA I have 1006232B, so it seems that xxxx232B is equal; how should I rebase the address in IDA?
Another doubt: are we speaking about RVA?
Thanks a lot

  blowcheck     April 4, 2013 15:29.12 CDT
I found this link..
http://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/wow-memory-editing/311142-some-help-needed-reversing.html

but it is not clear to me; would someone be so kind as to help me?
Thanks

  codeinject     April 5, 2013 01:34.31 CDT
Write down exactly what you are doing. This allows me to see what you do right and what you do wrong.

For now ASLR just springs to mind, but I might be off by a mile. Therefore, please write down what you do, how you got there, what happened, and what you thought should have happened, maybe supported by screenshots and whatnot.

- Codeinject

  blowcheck     April 5, 2013 04:26.04 CDT
OK, thanks codeinject.
Well, OK,
I'm debugging an application on Windows Server 2003 (no ASLR). The DLL that I want to load with IDA Pro is called DLLprog (as shown below), so since I'm debugging with immdbg I checked memory in this way:

Clicking on M (show memory window) I get:

Memory map, item 38
Address=00410000
Size=00001000 (4096.)
Owner=DLLprog 00410000 (itself)
Section=
Contains=PE header
Type=Imag 01001002
Access=R
Initial access=RWE


Clicking on E (show modules window) I get:

Executable modules, item 3
Base=00410000
Size=00146000 (1335296.)
Entry=004B9BA1 DLLprog.<ModuleEntryPoint>
Name=DLLprog
File version=2.07
Path=C:\Program Files\Common Files\soft\rtt\cimay\bin\DLLprog.dll

So the DLLprog address is 00410000 (is it a Virtual Address or a Relative Virtual Address? How do I tell the two apart with immdbg?)


Then, since I would like to perform some cross-checks with IDA Pro, I loaded DLLprog into it, and I noticed that the address of the first segment in IDA is 0x10001000... it is not 00410000 as immdbg showed above (in M, Address=00410000, and in E, Base=00410000).
I would like to rebase the whole program in IDA Pro in a correct way.
Hope it is a little clearer now; thanks in advance

  blowcheck     April 5, 2013 04:44.06 CDT
A more detailed M (show memory window) listing for DLLprog:

00410000   00001000   dllprog 00410000 (itself)                    PE header                 Imag   R         RWE
00411000   000B9000   dllprog 00410000                  .text      code                      Imag   R E       RWE
004CA000   00073000   dllprog 00410000                  .rdata     imports,exports           Imag   R         RWE
0053D000   00006000   dllprog 00410000                  .data      data                      Imag   RW        RWE
00543000   00001000   dllprog 00410000                  .rsrc      resources                 Imag   R         RWE
00544000   00012000   dllprog 00410000                  .reloc     relocations               Imag   R         RWE

  codeinject     April 5, 2013 05:46.39 CDT
Well,

I'd recommend you first read this about RVA and VA: http://stackoverflow.com/questions/2170843/va-virtual-adress-rva-relative-virtual-address
After that, if you use an old version of IDA (IDA Free, for example) you can rebase segments with the segment tool (Shift+F7).

This might also help you, http://stackoverflow.com/questions/10663139/rebasing-and-debugging

Let me know if this helps you out.
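A worked example of the VA/RVA relationship Codeinject points to, added here and not part of any post in this thread: it parses the memory-map lines blowcheck pasted (a constructed copy of them), takes the runtime image base from the owner column, turns each section's VA into an RVA, and converts addresses between that base and the 0x10000000 base IDA used (assumed from the 1006232B address quoted above). Run through it, IDA's 1006232B corresponds to 0047232B at a base of 00410000, and the debugger's 0043232B corresponds to 1002232B in IDA; matching low digits on their own do not make two addresses the same location, the RVAs have to match.

```python
# Added example (not from any post in this thread): convert between the
# addresses Immunity Debugger shows for a DLL loaded at its runtime base and
# the addresses IDA shows when it loads the same DLL at its preferred
# ImageBase (assumed to be 0x10000000 here), and derive the section RVAs
# from the "M" window output.
import re

# Memory-map lines as printed by Immunity Debugger's memory window,
# constructed here from the values quoted in the thread.
IMMDBG_MEMORY_MAP = """\
00410000   00001000   dllprog 00410000 (itself)                    PE header                 Imag   R         RWE
00411000   000B9000   dllprog 00410000                  .text      code                      Imag   R E       RWE
004CA000   00073000   dllprog 00410000                  .rdata     imports,exports           Imag   R         RWE
0053D000   00006000   dllprog 00410000                  .data      data                      Imag   RW        RWE
00543000   00001000   dllprog 00410000                  .rsrc      resources                 Imag   R         RWE
00544000   00012000   dllprog 00410000                  .reloc     relocations               Imag   R         RWE
"""

# Base IDA used for the database (assumption taken from the 1006232B address).
IDA_DLL_BASE = 0x10000000

# Columns: address, size, owner, owner base, optional "(itself)", rest of line.
_LINE_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{8})"
    r"(?:\s+\(itself\))?\s+(.*)$"
)


def parse_memory_map(text):
    """Return one dict per map line: address, size, owner, base, section."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group(5).split()
        # Section names start with '.'; the PE header line has none.
        section = rest[0] if rest and rest[0].startswith(".") else None
        entries.append({
            "address": int(m.group(1), 16),
            "size": int(m.group(2), 16),
            "owner": m.group(3),
            "base": int(m.group(4), 16),
            "section": section,
        })
    return entries


def image_base(entries):
    """Runtime image base: the owner-base column, identical on every line of one module."""
    bases = {e["base"] for e in entries}
    if len(bases) != 1:
        raise ValueError("memory map covers more than one module: %r" % bases)
    return bases.pop()


def rva(va, base):
    """Relative virtual address: the offset of a VA from the image base."""
    if va < base:
        raise ValueError("0x%08X lies below the image base 0x%08X" % (va, base))
    return va - base


def section_rvas(entries):
    """Map each named section to its RVA; this is the same whichever base the DLL lands at."""
    base = image_base(entries)
    return {e["section"]: rva(e["address"], base) for e in entries if e["section"]}


def ida_to_runtime(ida_va, runtime_base, ida_base=IDA_DLL_BASE):
    """Translate an address in IDA's database to the base the debugger shows."""
    return runtime_base + rva(ida_va, ida_base)


def runtime_to_ida(runtime_va, runtime_base, ida_base=IDA_DLL_BASE):
    """Translate a debugger address back into IDA's database."""
    return ida_base + rva(runtime_va, runtime_base)


def rebase_delta(runtime_base, ida_base=IDA_DLL_BASE):
    """Signed delta that moves IDA's addresses onto the debugger's (Edit > Segments > Rebase program)."""
    return runtime_base - ida_base


def section_containing(entries, va):
    """The map entry whose [address, address + size) range holds va, or None."""
    for e in entries:
        if e["address"] <= va < e["address"] + e["size"]:
            return e
    return None


if __name__ == "__main__":
    entries = parse_memory_map(IMMDBG_MEMORY_MAP)
    base = image_base(entries)
    print("runtime base 0x%08X, rebase delta %+#x" % (base, rebase_delta(base)))
    for name, off in section_rvas(entries).items():
        print("  %-7s RVA 0x%06X -> VA 0x%08X" % (name, off, base + off))
    target = ida_to_runtime(0x1006232B, base)
    print("IDA 0x1006232B -> debugger 0x%08X (%s)"
          % (target, section_containing(entries, target)["section"]))
```

The delta that rebase_delta returns is the number the rebase dialog asks for; from IDAPython the same move is `ida_segment.rebase_program(delta, ida_segment.MSF_FIXONCE)`. Rebasing only adjusts addresses; it does not change which bytes sit at each RVA, so a section listing like the one above is the quickest cross-check that the two views now line up.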

  blowcheck     April 5, 2013 06:33.34 CDT
OK, ehm, I'm reading it.. not easy to understand.. to be honest I read it some days ago.. but I didn't catch the point.. I feel ashamed..

  blowcheck     April 5, 2013 07:01.06 CDT
OK, done, IDA has been rebased correctly, but I tried many times.. not sure I have understood it in depth.
I got 41000000 + 1000 = 41100000 --> put it into IDA (Shift+F7)
Probably I could have used what the (show memory window) suggested, because if I understood correctly 00411000 is where the .text code starts.. is that right?

00411000   000B9000   dllprog 00410000                  .text      code                      Imag   R E       RWE
