IDA Export view weirdness

roocoon

New member
Still pretty quiet here but glad to see the forum is kept alive.

So, back with another problem that I can't figure out...

At the moment I'm on IDA 7.6 SP1. I'm not sure if the following problem occurred in the 6.x versions.

1. I decompile some PE file.
2. Exports view is fine. If I click on an export, it takes me to the entry point of its code.
3. After working with the program, debugging and what not, the exports usually work fine but sometimes, for an unknown reason, I find their entry points having being modified and they now point to the wrong piece of code.
All of them are offsetted by 0xC00 bytes which is the .text Virtual Address (0x1000) minus Raw Address.(0x400).
4. A fresh decompile of the same program comes out fine of course but it's not very convenient if I have to redo all the notes and breakpoints I had put in it.

The questions are now two (or three):

a) Why would IDA do that offset adjustment since I haven't changed any of the program's structure?

b) How can I force IDA to fix the Exports list? Rebasing the program, or reanalyzing it, doesn't touch the Exports.

c) Transferring my notes/breakpoints from the original decompile to a new one in some automated way, I can't imagine it being easily possible but what do I know? Maybe it can be done with some script so I'll keep this as a 3rd question.

Thanks in advance for any suggestions.
 

roocoon

New member
Thanks for the response.

In my case, the problem is not during execution (which behaves fine with no error messages).
Following one of the suggestions in the 1st link above, I tried rebasing it first with the rebase.exe of Visual Studio 2022. It didn't accept the original default of 180000000 (it claimed it has to be > than 200000000). When I tried 300000000 it told me the dll is not rebasable :)

It looks more like a bug in IDA.
The Export list starts up fine but after the program is rebased on execution, sometimes and for some unknown reason, IDA forgets to adjust the Exports list using whatever offset values it had used initially.

So far I couldn't find a way to transfer the Exports list from a proper decompile into the misadjusted one.
Even for breakpoints it's a hassle. You can export the breakpoints for an IDA decompile and import them into a fresh decompile, but it ignores any comments. Not very user-friendly for lazy typists :)

Your comments/pointers are always appreciated Rip Cord.
Thank you much.


.
 

Rip Cord

Administrator
Staff member
Developer
Could you perhaps have confused me with Storm Shadow?
I am the ferocious bear. :)
 

roocoon

New member
No, I haven't.
You assumed that because he replied to previous messages of mine I suppose :)

I just feel better if I offer appreciation for the time others spend trying to help.
 
Top