X64dbg 27.11 does not import database exported from IDA 6.85
kornos opened this issue · 11 comments
Hello Mr. Exodia
I try to import names from IDA 6.85 in X64dbg ver 27.11, but it doesn't work.
Exported database looks ok 👍
{
"text": "__tmainCRTStartup",
"manual": false,
"module": "PilotEdit.exe",
"address": "0x9B8D0"
},
In IDA it shows:
.text:000000014009BAA8 public start
.text:000000014009BAA8 start proc near ; DATA XREF: HEADER:0000000140000120�o
.text:000000014009BAA8 ; .pdata:00000001409ACB24�o ...
.text:000000014009BAA8 sub rsp, 28h
.text:000000014009BAAC call __security_init_cookie
.text:000000014009BAB1 add rsp, 28h
.text:000000014009BAB5 jmp __tmainCRTStartup
.text:000000014009BAB5 start endp
Same code snippet In X64DBG it shows:
000000014009BAA8 | 48 83 EC 28 | sub rsp,28 |
000000014009BAAC | E8 E3 7F 00 00 | call pilotedit.1400A3A94 |
000000014009BAB1 | 48 83 C4 28 | add rsp,28 |
000000014009BAB5 | E9 16 FE FF FF | jmp pilotedit.14009B8D0 |
I expected __tmainCRTStartup to appear in X64DBG , but it doesn't.
Where is the problem ?
Thanks very much
I cannot really make much sense of what's going on here. Could you post the last line of the infobox when highlighting the address that should have __tmainCRTStartup?
Excuse me , where is located the "infobox" (what program/menu - ida or x64dbg)?
As far as I can see in IDA , the adress of __tmainCRTstartup is: 00014009B8D0
This adress also appears in X64dbg in the right place.
I can upload whole .ida file , if it's easier to track this.
From the top of IDA dissasm:
[00001000 BYTES: COLLAPSED SEGMENT HEADER. PRESS CTRL-NUMPAD+ TO EXPAND]
.text:0000000140001000 ; File Name : C:\Program Files\PilotEdit x64\PilotEdit.exe
.text:0000000140001000 ; Format : Portable executable for AMD64 (PE)
.text:0000000140001000 ; Imagebase : 140000000
.text:0000000140001000 ; Section 1. (virtual address 00001000)
.text:0000000140001000 ; Virtual size : 0053B898 (5486744.)
.text:0000000140001000 ; Section size in file : 0053BA00 (5487104.)
.text:0000000140001000 ; Offset to raw data for section: 00000400
.text:0000000140001000 ; Flags 60000020: Text Executable Readable
.text:0000000140001000 ; Alignment : default
.text:0000000140001000 ; ===========================================================================
.text:0000000140001000
.text:0000000140001000 ; Segment type: Pure code
.text:0000000140001000 ; Segment permissions: Read/Execute
.text:0000000140001000 _text segment para public 'CODE' use64
.text:0000000140001000 assume cs:_text
.text:0000000140001000 ;org 140001000h
.text:0000000140001000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:0000000140001000 ; [0000003C BYTES: COLLAPSED FUNCTION wmemcpy_s. PRESS CTRL-NUMPAD+ TO EXPAND]
.text:000000014000103C algn_14000103C: ; DATA XREF: .pdata:ExceptionDir�o
.text:000000014000103C align 20h
.text:0000000140001040 ; [00000053 BYTES: COLLAPSED FUNCTION AfxCrtErrorCheck(int). PRESS CTRL-NUMPAD+ TO EXPAND]
.text:0000000140001093 algn_140001093: ; DATA XREF: .pdata:00000001409A200C�o
.text:0000000140001093 align 20h
.ida file link: https://drive.google.com/open?id=0B1gPVgT74q9Lai1jS09VZk13X2s
ah , you mean infobox is in X64dbg?
When I highlight the adress 14009B8D0(where __tmainCRTstartup begins) , in that small box under dissasembly in X64dbg it's written:
qword [rsp+10]=[000000000013FF68]=0
rbx=<pilotedit.EntryPoint>
.text:000000014009B8D0 pilotedit.exe:$9B8D0 #9ACD0
The program I was analyzing is PilotEdit 10.0.0 64bit http://www.pilotedit.com/
In case there's anything else you want me to do , please ask.
Did you find the source of the problem?
Thanks
It's case sensitive @mrexodia.
"module": "PilotEdit.exe", does not work.
"module": "pilotedit.exe", works.
Mr Exodia , I confirm it works, it's about case sensitive exe filename.
It means that x64dbgida should be patched to lowercase the filenames?
Nukem9++ , thanks very much ;-)