Thread: Question about debugging in realtime application and in dll without loading it in app

  1. #1

    Question about debugging in realtime application and in dll without loading it in app

    Well, I have a question: why are the OllyDbg addresses so different? When I load the application and attach the debugger there, I get completely different addresses compared to when I just open the DLL without loading it in the application (disassembling it).

  2. #2
    Naides is Nobody
    Hi Nah. I thought I did answer this question but forgot to post it. The keyword answer to your question is relocation: when you analyze a .dll by itself, either by IDA disassembly or by directly loading it in Olly using the load .dll feature, its image base and memory location is determined by the default, typically 01000000 or whatever is written in the PE header.

    When the application is loaded, meaning the Windows loader is loading the app and all its .dlls and all the system .dlls, it is obvious that not all of them can be mapped to the default address 01000000, so they are relocated to upper, free segments in memory. That is why all the code in a .dll HAS to be relocatable, i.e. relative to the image base; there cannot be hard-coded references to memory addresses of variables or pointers. A compiler takes care of this automatically, but if you write or modify a .dll manually, you have to mind that relocation phenomenon: a MOV EAX, [23456789] instruction may have unpredictable consequences if the variable pointed to by [23456789] is located in a .dll that would be loaded, next time, at a 30000000 image base memory address.

  3. #3
    Hmm, thanks for the answer, but still my question is: how do I determine the address when disassembling without debugging it in real time? Are the bytes in the dump the same or not?

  4. #4
    Super Moderator
    What address? Yes, you can determine the address,
    but are you ready to calculate addresses that can possibly lie in the whole address space?
    For example,
    the dll should really load at 1000000,
    but due to some conflict
    it can load on the next page boundary onwards till MmHighestUserAddress (can vary from 7fffffff up to cfffffff on a /3GB switched machine).

    so if there is call like
    call 1001000

    after being relocated it could be, say,
    call 1002000 and so on.

    You have to understand the 1000, 2000 etc. are relative to the imagebase where the loader mapped it.

    If the loader mapped it to, say, 7000000,
    then the same call would look like

    call 7001000

    Hope you get the general idea.
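The rebasing described in the two answers above, as an added example that is not part of the thread: it converts a static-disassembly VA to the runtime VA for a given loaded base, and applies one constructed IMAGE_BASE_RELOCATION block (the .reloc format the Windows loader consumes) to a constructed page of code. The page bytes, bases and relocation entries are all sample values chosen for this example; note that a direct x86 `call` is rel32 and only its displayed target shifts, whereas absolute operands like `mov eax,[imm32]` and `push imm32` are the ones that need .reloc entries.

```python
import struct

STATIC_BASE = 0x01000000   # ImageBase from the PE optional header (sample value)
LOADED_BASE = 0x07000000   # where the loader actually mapped the DLL (sample value)
IMAGE_REL_BASED_HIGHLOW = 3  # fix up a full 32-bit absolute address

def rebase(addr, static_base=STATIC_BASE, loaded_base=LOADED_BASE):
    """Translate a VA seen in the on-disk disassembly to its runtime VA."""
    return (addr - static_base + loaded_base) & 0xFFFFFFFF

def parse_reloc_block(blob):
    """Parse one IMAGE_BASE_RELOCATION block into [(type, rva), ...].

    Layout: DWORD VirtualAddress (page RVA), DWORD SizeOfBlock, then WORD
    entries whose top 4 bits are the type and low 12 bits the page offset.
    """
    page_rva, size = struct.unpack_from("<II", blob, 0)
    entries = []
    for off in range(8, size, 2):
        (e,) = struct.unpack_from("<H", blob, off)
        typ, offset = e >> 12, e & 0xFFF
        if typ != 0:  # type 0 (ABSOLUTE) is alignment padding, skip it
            entries.append((typ, page_rva + offset))
    return entries

def apply_relocations(page, page_rva, reloc_blob, static_base, loaded_base):
    """Return a copy of one 4K page with HIGHLOW fixups applied for the new base."""
    delta = (loaded_base - static_base) & 0xFFFFFFFF
    out = bytearray(page)
    for typ, rva in parse_reloc_block(reloc_blob):
        if typ == IMAGE_REL_BASED_HIGHLOW:
            off = rva - page_rva
            (val,) = struct.unpack_from("<I", out, off)
            struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)

# Constructed sample page at RVA 0x1000 holding two absolute references:
#   A1 20 10 00 01   mov eax, [0x01001020]   (disp32 at page offset 1)
#   68 30 10 00 01   push 0x01001030         (imm32 at page offset 6)
PAGE_RVA = 0x1000
PAGE = bytearray(0x1000)
PAGE[0:5] = bytes.fromhex("A120100001")
PAGE[5:10] = bytes.fromhex("6830100001")
# One .reloc block: page RVA 0x1000, SizeOfBlock 12, entries 0x3001 and 0x3006
RELOC_BLOCK = struct.pack("<IIHH", PAGE_RVA, 12, 0x3001, 0x3006)

if __name__ == "__main__":
    fixed = apply_relocations(PAGE, PAGE_RVA, RELOC_BLOCK, STATIC_BASE, LOADED_BASE)
    print(hex(rebase(0x01001000)), fixed[:10].hex())
```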
