Still pretty quiet here but glad to see the forum is kept alive.
So, back with another problem that I can't figure out...
At the moment I'm on IDA 7.6 SP1. I'm not sure if the following problem occurred in the 6.x versions.
1. I decompile some PE file.
2. Exports view is fine. If I click on an export, it takes me to the entry point of its code.
3. After working with the program, debugging and what not, the exports usually work fine but sometimes, for an unknown reason, I find their entry points having being modified and they now point to the wrong piece of code.
All of them are offsetted by 0xC00 bytes which is the .text Virtual Address (0x1000) minus Raw Address.(0x400).
4. A fresh decompile of the same program comes out fine of course but it's not very convenient if I have to redo all the notes and breakpoints I had put in it.
The questions are now two (or three):
a) Why would IDA do that offset adjustment since I haven't changed any of the program's structure?
b) How can I force IDA to fix the Exports list? Rebasing the program, or reanalyzing it, doesn't touch the Exports.
c) Transferring my notes/breakpoints from the original decompile to a new one in some automated way, I can't imagine it being easily possible but what do I know? Maybe it can be done with some script so I'll keep this as a 3rd question.
Thanks in advance for any suggestions.
So, back with another problem that I can't figure out...
At the moment I'm on IDA 7.6 SP1. I'm not sure if the following problem occurred in the 6.x versions.
1. I decompile some PE file.
2. Exports view is fine. If I click on an export, it takes me to the entry point of its code.
3. After working with the program, debugging and what not, the exports usually work fine but sometimes, for an unknown reason, I find their entry points having being modified and they now point to the wrong piece of code.
All of them are offsetted by 0xC00 bytes which is the .text Virtual Address (0x1000) minus Raw Address.(0x400).
4. A fresh decompile of the same program comes out fine of course but it's not very convenient if I have to redo all the notes and breakpoints I had put in it.
The questions are now two (or three):
a) Why would IDA do that offset adjustment since I haven't changed any of the program's structure?
b) How can I force IDA to fix the Exports list? Rebasing the program, or reanalyzing it, doesn't touch the Exports.
c) Transferring my notes/breakpoints from the original decompile to a new one in some automated way, I can't imagine it being easily possible but what do I know? Maybe it can be done with some script so I'll keep this as a 3rd question.
Thanks in advance for any suggestions.