IDA disassembly relocation
laserman
September 22nd, 2002, 04:48
I have a dll linked for a nominal load address of 400000, but the application always loads it at C590000. Can I tell IDA to produce a disassembly that shows the addresses that I see in a running system? I tried changing the image base in the dll header, and IDA then showed the correct addresses for the code, but literals (variable offsets, call target addresses, etc.) still appeared with values based on a load address of 400000. I could probably keep tweaking the header in the file, but surely IDA can do all that for me??
Regards,
DakienDX
September 22nd, 2002, 09:17
Hello laserman !
You might want to rebase the DLL.
This can be done both with LINK.EXE from MASM as well as with REBASE.EXE, included in several SDKs/DDKs.
I don't know how IDA could do this itself.
laserman
September 22nd, 2002, 10:05
Thanks DakienDX,
I'll look into your suggestion. But am I missing something? When the dll gets loaded and the system decides that it has to reside at a different address in the callee's address space, I thought that it just went through a fix-up of all the relocatables, just like when an exe is loaded. And if the info for the system to be able to do that is in the file, why couldn't IDA do it? Do I not understand the way a dll is loaded and mapped into the callee's address space? Can you enlighten me, please?
Thanks again,
DakienDX
September 22nd, 2002, 10:53
Hello laserman !
A DLL is basically loaded the same way as an EXE when you compare the relocation part. The only problem is that many EXE files don't have relocations any more and they're "based" to some address which is never occupied by some other program, so they don't need to relocate.
You must not ask yourself why can't IDA relocate the DLL, you must ask yourself why should IDA do it. IDA is meant to be a disassembler. It shows how the code is arranged in the program, how the jumps and calls work and how the data is accessed. It is not important at which base address this happens, since it will always work the same way.
I just told you how I would handle your question, but I will never do it since there's no need for it.
If you're planning to somehow "use" the address the DLL is loaded to, you can never be sure that it is loaded at the same address, not on your computer and not on any other computer.
laserman
September 22nd, 2002, 11:13
Hmmm,
Ok. First, Rebase.exe worked a treat. I now have an IDA listing on paper with numbers in it that are the same as I see when running the app under the debugger. It just means that I can easily glance at referenced locations (and areas nearby to them) without having to go through mental gymnastics to do the relocation in my head. Maybe I'm not making myself clear, but I find it useful... thanks for the pointer.
Now, if I could switch in and out of SI to look at IDA, it would all be unnecessary...
Regards,
Snatch
September 22nd, 2002, 12:19
We all have run into that annoyance of DLLs being based at a different memory address but a simple displacement and quick calculation (I hope you have a calculator that can do hex easily like a TI-34) can do the trick quite easily. At least I don't have trouble using the on the fly displacement method ehhe.
Snatch
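
The fix-up discussed in this thread, as an added example that is not part of any poster's message: Python code that walks a PE base relocation block and shifts each 32-bit absolute address from the preferred base 400000 to the observed load address C590000, which is the same displacement a loader or a rebasing tool applies. The image bytes and relocation block are constructed for illustration, `apply_relocs` and `build_sample` are hypothetical names, and only the 32-bit HIGHLOW relocation type is handled.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address: add the full delta

def apply_relocs(image, reloc, old_base, new_base):
    """Patch image (a bytearray indexed by RVA) in place; return the RVAs fixed."""
    delta = new_base - old_base
    patched, pos = [], 0
    while pos + 8 <= len(reloc):
        # Block header: page RVA, then block size in bytes (header included).
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or size % 2 or pos + size > len(reloc):
            raise ValueError("malformed relocation block at offset %#x" % pos)
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + size]):
            kind, offset = entry >> 12, entry & 0xFFF  # 4-bit type, 12-bit offset
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % kind)
            rva = page_rva + offset
            (value,) = struct.unpack_from("<I", image, rva)
            struct.pack_into("<I", image, rva, (value + delta) & 0xFFFFFFFF)
            patched.append(rva)
        pos += size
    return patched

def build_sample():
    """Constructed image fragment linked for base 0x400000, plus its reloc block."""
    image = bytearray(0x2000)
    image[0x1000:0x1005] = bytes.fromhex("A100304000")    # mov eax, [00403000]
    image[0x1005:0x100B] = bytes.fromhex("FF1510204000")  # call dword ptr [00402010]
    image[0x100C:0x1010] = struct.pack("<I", 0x00401000)  # pointer stored as data
    entries = [0x3001, 0x3007, 0x300C, 0x0000]            # 3 HIGHLOW + 1 padding
    reloc = struct.pack("<II4H", 0x1000, 8 + 2 * len(entries), *entries)
    return image, reloc

if __name__ == "__main__":
    image, reloc = build_sample()
    for rva in apply_relocs(image, reloc, 0x400000, 0xC590000):
        value = struct.unpack_from("<I", image, rva)[0]
        print("RVA %#06x now holds %#010x" % (rva, value))
```
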