I'm reversing a target with Olly & SoftIce. Olly saysbut everything runs ok.

However, when I try to load it into Ida 4.1.5, it saysIf I say no or cancel, Ida quits. If I say yes, it says
Any idea what's going on or how to fix it?

IDA can't find the file offset for virtual address FFD39470.

Inspect the PE header carefully, especially the section table. One of the entries is probably corrupt.

Another cause is that your file is packed.

as far as i have seen msvcrt.dlls always complained about ep not on code section in ollydbg i havent loaded msvcrt in ida so i dont know

thats because entry point is in .text section

Memory map, item 12
Address=7FC31000
Size=0002D000 (184320.)
Owner=MSVCRT20 7FC30000
Section=.text
Type=Priv 00021002
Access=R
Initial access=



7FC300A8 D9100000 DD 000010D9 ; AddressOfEntryPoint = 10D9
7FC300AC 00E00200 DD 0002E000 ; BaseOfCode = 2E000
7FC300B0 00D00200 DD 0002D000 ; BaseOfData = 2D000
7FC300B4 0000C37F DD 7FC30000 ; ImageBase = 7FC30000

ollydbg never had any problems loading it

i have used the msvcrt dlls to implement those ,merge,fnsplit,atoi,strtool,wcstombcs functions in asm programs via loadlib,getproc

nope they are not packed

yup,



i can confirm - ida always pops this up, when the EP is ie in a non .text section.
this happens on ELF, too, but doesnt really disturb if u know th EP.

the other msgs i never saw to be honest, but have the feeling there could be a manipulated PE header?

regards, 0xf001

This makes me tend to agree that something really wierd is going on in the PE Header - assuming you don't have any hardware problems.

SiGiNT



Just an added note, I disassembled an unpacked .exe earlier today using IDA 4.9XX and got the same error, I haven't been using this latest version as it takes longer and can create huge files, and I don't really see anything new that compels me to use it, try disassembling your target using IDA 3.6 or an earlier version of the non-free version. I think that error will probably disappear.

x

It just occurred to me (duh) that -2911120 is FFD39470. So I'll get rid of the second error if I get rid of the first. Is there some way to tell Ida not to bother with the dll or to tell her to load MSVCRT20.dll at that address?

There must be a section entry in the PE header with a virtual address of FFD39470 and a physical address of the same... check the PE header carefully again. IDA is attempting to load the section, and attempts to seek to file offset -2911120 to get the data for that section. That is obviously out of the file (the use of signed file pointers surprises me - even so, I doubt your PE is more than 4.2Gb in size) so IDA complains.

Yes, I'm aware of that. Is there some way to tell IDA to ignore that, or to edit the PE header so IDA won't crash & burn?

This wasn't a rhetorical question! Do get IDA to load this, what should I do to that entry in the PE table? Remove it? Change it to some other value? Edit: Also, what tool should I use to do it?

So IDA is a woman when it's bitching errors at you? Hahaha...

Hi mike, what does the section header look like in a PE editor such as LordPE DLX or CFF Explorer? If a virtual or raw address entry is confusing the disassembler you could try changing it to something more 'normal'.

Oh yes she is!
A tender lover and a Bitch she can be.

See:

http://www.woodmann.com/forum/showthread.php?t=5972&highlight=lovelace

"A tender lover and a Bitch she can be."

A capacity built into many models of the female species.

Regards,

I like IDA, but I don't like-like her.