The purpose is that once the interesting code parts are found and identified, no address translation will be required.
PS C:\sre> WinDBG
...
WinDBG > File > Open > anti-debug.exe
//step 1: list the modules and identify the "base address" of the anti-debug program
WinDBG > Command
0:000> lm
Start End module_name
00c00000 00c6b000 anti_debug (deferred)
76a70000 76b60000 KERNEL32 (deferred)
770f0000 7730c000 KERNELBASE (deferred)
77320000 774c4000 ntdll (pdb symbols) c:\ProgramData\dbg\sym\wntdll.
* ghidra will be set to the same "base address" found by WinDBG
- Base Address: 00c00000
STEP 2: REBASE GHIDRA
Ghidra must be set to the same "base address" found by WinDBG. The purpose is that once the interesting code parts are found and identified, no address translation will be required.
PS C:\sre> ghidra
...
Ghidra > File > Open > anti-debug.exe > Open in Code Browser
Analyze: Yes
Options: Default
Ghidra > Memory Map > Home Icon
Base Image Address: 00c00000
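
The address translation that rebasing avoids, as an added example that is not part of the original notes: it parses the `lm` listing from step 1 and converts between listing addresses and live-process addresses. The pre-rebase image base 0x00400000, the sample address 0x00401a30 and all function names are assumptions made for illustration.

```python
import re

# `lm` listing from the WinDBG session above (truncated symbol path omitted).
LM_OUTPUT = """\
Start End module_name
00c00000 00c6b000 anti_debug (deferred)
76a70000 76b60000 KERNEL32 (deferred)
770f0000 7730c000 KERNELBASE (deferred)
77320000 774c4000 ntdll (pdb symbols)
"""

# Two hex columns then the module name; 64-bit WinDBG prints a ` separator.
LM_ROW = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")

ASSUMED_STATIC_BASE = 0x00400000  # assumption: image base Ghidra showed before rebasing


def parse_lm(text):
    """Return {module_name: (start, end)} parsed from WinDBG `lm` output."""
    modules = {}
    for line in text.splitlines():
        row = LM_ROW.match(line.strip())
        if row is None:
            continue  # header line or anything that is not a module row
        start, end = (int(col.replace("`", ""), 16) for col in row.group(1, 2))
        modules[row.group(3)] = (start, end)
    return modules


def to_runtime(listing_addr, listing_base, runtime_base):
    """Listing address -> address in the live process."""
    return listing_addr - listing_base + runtime_base


def to_listing(runtime_addr, listing_base, modules, name):
    """Live address -> listing address; refuse addresses outside the module."""
    start, end = modules[name]
    if not start <= runtime_addr < end:
        raise ValueError("%#x is not inside %s" % (runtime_addr, name))
    return runtime_addr - start + listing_base


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    base = mods["anti_debug"][0]
    sample = 0x00401A30  # constructed listing address, not from the sample binary
    live = to_runtime(sample, ASSUMED_STATIC_BASE, base)
    print("not rebased: %#010x -> %#010x" % (sample, live))
    print("rebased:     %#010x -> %#010x" % (live, to_runtime(live, base, base)))
```

If the image loads at a different base on a later run (for example with ASLR enabled), repeat `lm` and set the Ghidra base again before comparing addresses.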