01.REBASING: IDENTIFYING BASE ADDRESS (IF REQUIRED)
Rebasing sets the image base in a reverse engineering tool such as Ghidra to the address at which the binary is actually mapped at runtime. This prevents misaligned addresses, broken references, and incorrect analysis results. It enables accurate disassembly and direct correlation with debugger or crash log addresses, and it is crucial for tasks like exploit development and malware analysis. Rebasing early also avoids redundant work if the correct base address is only identified later.
Accurate Disassembly: without the right base address, absolute code and data references (globals, import thunks, vtables, string pointers) will be misaligned. This leads to broken function pointers, incorrect jump/call targets, and misleading cross-references.
Match Runtime Addresses: when analyzing a memory dump, debugger output, or logs from a live system (e.g. 0x00401234 seen in a crash trace), a matching base lets those addresses be looked up directly in Ghidra without manual translation. If Ghidra loads the image at a different base, every address has to be shifted by the difference between the two bases (with a delta of 0x1000, runtime 0x00401234 corresponds to 0x00401234 - 0x1000 = 0x00400234 in Ghidra), which means constant manual arithmetic.
Exploit Development / Reverse Engineering: exploit writers often need to reference exact instruction addresses (e.g. ROP gadgets). Malware analysts rely on real virtual addresses when correlating instructions to logs, behaviors, or indicators of compromise (IOCs).
Avoids Rework: if a binary is analyzed at the wrong base and the correct base is only obtained later (e.g. from a debugger trace), the analyst has to either redo the work or rebase the whole analysis.
STEP 1: WINDBG
PS C:\sre> WinDBG
...
WinDBG > File > Open Executable > anti-debug.exe
//step 1: list the modules and identify the "base address" of the anti-debug program
WinDBG > Command
0:000> lm
start    end        module name
00c00000 00c6b000   anti_debug   (deferred)
76a70000 76b60000   KERNEL32     (deferred)
770f0000 7730c000   KERNELBASE   (deferred)
77320000 774c4000   ntdll        (pdb symbols)   c:\ProgramData\dbg\sym\wntdll.
* ghidra will be set to the same "base address" found by WinDBG
- Base Address: 00c00000
STEP 2: GHIDRA
Ghidra must be set to the same "base address" found by WinDBG. Once the interesting code has been located, no address translation will be required, because the addresses shown in WinDBG and Ghidra will match.
PS C:\sre> ghidra
...
Ghidra > File > Import File > anti-debug.exe > open in CodeBrowser
Analyze: Yes
Options: Default
Ghidra > Window > Memory Map > Set Image Base (house icon)
Base Image Address: 00c00000
* ghidra's default base address is 00400000: it is taken from the ImageBase field of the PE optional header, which is the linker default for 32-bit EXEs. If the executable was linked with ASLR support (DYNAMICBASE), the base reported by WinDBG's lm can change on every run, so either rebase Ghidra at the start of each debugging session or take the base from the same session the addresses of interest came from.
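As an added example (not part of the original notes), the following Python script automates the arithmetic behind the two steps above: it parses the module base out of WinDBG `lm` output, reads the ImageBase field (the value Ghidra uses as its default base) and the DYNAMICBASE flag from a PE header, and translates an address seen in WinDBG into Ghidra's address space for a session that was not rebased. The `lm` listing and the PE header are constructed inline so the script runs offline; all function names are my own, not Ghidra or WinDBG APIs.

```python
"""Rebasing arithmetic: WinDbg runtime base vs. Ghidra's default image base.

Added example, not part of the original notes. The `lm` listing and the PE
header below are constructed inline so the script runs offline.
"""
import re
import struct

# Constructed WinDbg `lm` listing (same modules/addresses as the transcript).
SAMPLE_LM = """\
start    end        module name
00c00000 00c6b000   anti_debug   (deferred)
76a70000 76b60000   KERNEL32     (deferred)
770f0000 7730c000   KERNELBASE   (deferred)
77320000 774c4000   ntdll        (pdb symbols)
"""

# One `lm` row: <start> <end> <module> ...; the header line does not match.
_LM_ROW = re.compile(r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in flag


def parse_lm(text):
    """Map module name -> (start, end) from WinDbg `lm` output."""
    modules = {}
    for line in text.splitlines():
        m = _LM_ROW.match(line)
        if m:
            start, end, name = m.groups()
            modules[name] = (int(start, 16), int(end, 16))
    return modules


def pe_image_base(data):
    """Return (ImageBase, aslr_enabled) read from a PE file's optional header.

    ImageBase is the address the linker assumed and the base Ghidra uses by
    default (0x00400000 for most 32-bit EXEs). If DYNAMICBASE is set the
    loader may map the image elsewhere, so the base WinDbg reports can differ
    from this value and change between runs.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:               # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32/PE32+
    return image_base, bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_pe32_header(image_base, dll_characteristics):
    """Constructed minimal PE32 header, just enough for pe_image_base()."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic (PE32)
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


def translate(addr, from_base, to_base):
    """Shift an address between two image bases (the image offset is preserved)."""
    return addr - from_base + to_base


def runtime_to_ghidra(lm_text, module, ghidra_base, addr):
    """Convert an address seen in WinDbg (crash trace, breakpoint) into Ghidra's
    address space for a project that was NOT rebased to the runtime base."""
    start, end = parse_lm(lm_text)[module]
    if not start <= addr < end:
        raise ValueError("0x%x is outside %s [0x%x, 0x%x)" % (addr, module, start, end))
    return translate(addr, start, ghidra_base)


if __name__ == "__main__":
    header = build_pe32_header(0x00400000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    base, aslr = pe_image_base(header)
    runtime_base = parse_lm(SAMPLE_LM)["anti_debug"][0]
    print("PE ImageBase (Ghidra default): 0x%08x, ASLR: %s" % (base, aslr))
    print("WinDbg base (lm):              0x%08x" % runtime_base)
    seen = 0x00c01234
    print("WinDbg 0x%08x -> Ghidra 0x%08x" % (seen, runtime_to_ghidra(SAMPLE_LM, "anti_debug", base, seen)))
```

When the Ghidra project has been rebased as in Step 2, `translate()` becomes the identity (from_base == to_base) and the lookup is direct; the out-of-range check in `runtime_to_ghidra()` catches the common mistake of applying the main module's delta to an address that actually lives in KERNEL32 or ntdll.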