Eibon
January 18th, 2011, 06:40
Hello
I just registered on this forum, so I guess a little introductory background will be in its place.
I've been reversing on and off for the last 10 years, on an amateurish hobby level; this includes programming more or less only in assembler.
Recently, within the last couple of years, I've been picking up a few higher-level languages in Delphi (Pascal), and a tiny bit of C (kinda hard not to, with all the "minor" languages using alike syntax etc.), and getting into the win32 environment. I've grown familiar with some of the more common tools like OllyDbg, and my current project is learning IDA, which leads me to my problem.
The pickle:
As mentioned, I'm currently goofing around in IDA, with the sole reason being to learn its capabilities. My plan is/was to totally dissect a simple little application, hence also forcing me to get familiar with a lot of different APIs and structures etc.
It all went well so far; I was commenting and renaming everything for easier comprehension, up until I was digging around for a resource reference I couldn't find, and got the bright idea to dump the entire process. I read somewhere that the "Memory Snapshot" could be used to dump a process, so I did. To make everything better I included "All Segments", ending up with a database file (.idb) of ½GB.... *sigh*
Well, to try and fix this little mess, I started to remove some of the extra segments, and resaved my database (including garbage).....
My database file is still around ½GB, and now my BPs ain't working (in static analysis the BPs are referencing all right, but at runtime they don't) - IDA ain't doing any rebasing when the program is run.
The easiest way would be to reanalyze the program, but I'd hate to lose all my comments, names and BPs.
I wasn't able to locate much similar info anywhere (in general, info on the .idb file format seems rather sparse).
So my question(s) is:
- Any tips on fixing my problem? (e.g. reducing the database size, getting the BPs/any reference to properly work again)
- Is there some way of generally removing "garbage" from .idb files?
- On the tricking subject: I was looking for a resource, not visible in a PE resource inspector (more precisely, an Accelerator Table), and it wasn't generated at runtime. Any tips on where this table could be stored?
Regards
Eibon
P.S.
Sorry about any spelling/sentence errors, English ain't my native language.