REBASING

STEP 1: IDENTIFY PROGRAM'S BASE ADDRESS

the purpose is that when the interesting code parts are found and identified, no address translation will be required

PS C:\sre> WinDBG
 ...

WinDBG > File > Open > anti-debug.exe

//step 1: list the modules and identify the "base address" of the anti-debug program
WinDBG > Command
0:000> lm
Start          End          module_name
00c00000       00c6b000     anti_debug   (deferred)
76a70000       76b60000     KERNEL32     (deferred)
770f0000       7730c000     KERNELBASE   (deferred)
77320000       774c4000     ntdll        (pdb symbols)     c:\ProgramData\dbg\sym\wntdll.

* ghidra will be set to the same "base address" found by WinDBG
   - Base Address: 00c00000

STEP 2: REBASE GHIDRA

ghidra must be set to the same "base address" found by WinDBG. the purpose is that when the interesting code parts are found and identified, no address translation will be required

PS C:\sre> ghidra
 ...
 
Ghidra > File > Open > anti-debug.exe > Open in Code Browser
 Analyze: Yes
 Options: Default

Ghidra > Memory Map > Home Icon
 Base Image Address: 00c00000

PreviousSPECIFYING ARRAYS NextIDENTIFYING MAIN VIA REFERENCES & CALL TREES

Last updated 5 months ago