EXETOOLS FORUM  
#31 - 05-27-2015, 22:55 - cyberbob (VIP, joined Aug 2004)
v.1.1.0 released - www.arkdasm.com

+ added debugger memory snapshot feature
+ added debugger exception handling settings
+ added new command: bpdll
+ improvements, bug fixes
#32 - 10-11-2015, 00:33 - giv (VIP, Romania, joined Jan 2011)
Hi.
I see that the debugger does an analysis like IDA does before it starts debugging the target.
That analysis is done each time the executable is loaded, even if it is the same file and not modified. Can you make a file that keeps the analysis and, if the CRC changes, analyses again? Otherwise it is a waste of time to wait for the analysis to complete each time.
Or am I wrong?
#33 - 10-11-2015, 17:04 - cyberbob (VIP, joined Aug 2004)
Hi giv, you're wrong, because it's not analysis. It's mostly rebasing the hash maps (comments, labels, xrefs, etc.) to the new image base, creating a new debugger database and stashing the current one, because it will be restored when the debugger exits (assuming you don't use the memory snapshot feature). Full analysis is done only at the beginning, that is, when you load a new file into the disassembly.
#34 - 10-11-2015, 19:15 - giv (VIP, Romania, joined Jan 2011)
Oh, I see.
I have made a quick test.
Load a file twice.
But it seems that ASLR is at fault, which makes the program rebase the hash maps every time.
Are the hash maps stored relative to the VA or the RVA of the file, or is it another pointer?
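Whether ASLR is what forces the rebase can be read straight from the PE optional header: the loader may only move an image away from its preferred ImageBase if IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set in DllCharacteristics. The following Python check is an added example for this thread, not ArkDasm's code; the two headers it parses are constructed inline with only the fields the check reads, and the load address passed to rebase_needed() is an assumed value standing in for whatever the loader picked.

```python
"""Added example (not ArkDasm's code): decide from a PE header whether the
image opts into ASLR, i.e. whether its load address may differ from the
preferred ImageBase and force a VA-keyed debugger database to be rebased.

The sample headers built by make_header() are constructed here, not taken
from any real binary.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_base_info(data: bytes) -> dict:
    """Parse MZ -> e_lfanew -> PE signature -> optional header fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip signature (4) and COFF file header (20)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # 8-byte ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]  # 4-byte ImageBase after BaseOfData
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "magic": magic,
        "preferred_image_base": image_base,
        "dll_characteristics": dll_chars,
        "aslr": aslr,
        # HIGH_ENTROPY_VA only matters when DYNAMIC_BASE is set as well
        "high_entropy_va": aslr and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def rebase_needed(info: dict, actual_base: int) -> bool:
    """A VA-keyed database must be rebased whenever the loader did not honour the preferred base."""
    return actual_base != info["preferred_image_base"]


def make_header(magic: int, image_base: int, dll_chars: int) -> bytes:
    """Build a minimal, constructed PE header containing just what pe_base_info reads."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if magic == PE32PLUS_MAGIC:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a typical ASLR-enabled x64 image (0x8160 = TERMINAL_SERVER_AWARE |
# NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA) and the same image with ASLR opted out.
ASLR_SAMPLE = make_header(PE32PLUS_MAGIC, 0x140000000, 0x8160)
NOASLR_SAMPLE = make_header(PE32PLUS_MAGIC, 0x140000000, 0x8100)
ASSUMED_LOAD_BASE = 0x7FF6A1230000  # assumed ASLR load address, not a measured one

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ASLR_SAMPLE
    info = pe_base_info(data)
    print(f"preferred base {info['preferred_image_base']:#x}, ASLR={info['aslr']}, "
          f"high entropy={info['high_entropy_va']}")
    print("rebase needed at", hex(ASSUMED_LOAD_BASE), "->", rebase_needed(info, ASSUMED_LOAD_BASE))
```

Run it with a path to any EXE or DLL to see the real flags; without arguments it parses the constructed samples. An image without DYNAMIC_BASE will normally load at its preferred base, so a VA-keyed database needs no rebase for it, while an ASLR image lands at a different base on practically every run.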
#35 - 10-11-2015, 20:50 - cyberbob (VIP, joined Aug 2004)
Quote:
Originally Posted by giv
Are the hash maps stored relative to the VA or the RVA of the file, or is it another pointer?
VA, but if your file is big and it takes too much time to rebase, I'd suggest using another debugger.
#36 - 10-12-2015, 00:37 - giv (VIP, Romania, joined Jan 2011)
VA is a bad option considering ASLR.
I have made a simple test.
Load the Total Commander 64-bit executable.
It is a few MB, as you may know.
The process takes about one minute on a Core 2 Quad Q6666 at 2.4x4 MHz with 6 GB RAM under Win 8.1.
The rebasing is done every time I load the file, even if it is small.
Referencing the RVA as the pointer would avoid this issue, IMHO.
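The rebasing cyberbob describes in #33 and the RVA keying giv proposes in #36, side by side as an added example that is not part of the original thread or of ArkDasm: a VA-keyed annotation store that has to rewrite every key and every stored address when the image base changes, next to an RVA-keyed store that is resolved against the live base at lookup time. The annotations, addresses and the two image bases are constructed for the demonstration; ArkDasm's actual database layout is not described on this page.

```python
"""Added example (not ArkDasm's code): what "rebasing hash maps" costs when
annotations are keyed by absolute VA, next to the RVA-keyed alternative.

Everything here is constructed for the demonstration: the addresses, the
sample annotations and the two image bases. 0x140000000 is the usual
preferred base of an x64 EXE; the second base stands for an ASLR load.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PREFERRED_BASE = 0x140000000
ASLR_BASE = 0x7FF6A1230000  # assumed ASLR load address


@dataclass
class VaDatabase:
    """Annotations keyed by absolute VA: every load at a new base needs rebase()."""
    image_base: int
    comments: dict[int, str] = field(default_factory=dict)
    labels: dict[int, str] = field(default_factory=dict)
    xrefs: dict[int, list[int]] = field(default_factory=dict)  # from VA -> list of to VAs

    def rebase(self, new_base: int) -> int:
        """Move every key and every stored VA to new_base.

        Returns the number of addresses rewritten, which is the work done on
        each debugger start; it grows with the amount of annotation.
        """
        delta = new_base - self.image_base
        if delta == 0:
            return 0
        self.comments = {va + delta: text for va, text in self.comments.items()}
        self.labels = {va + delta: name for va, name in self.labels.items()}
        self.xrefs = {src + delta: [dst + delta for dst in dsts]
                      for src, dsts in self.xrefs.items()}
        self.image_base = new_base
        return (len(self.comments) + len(self.labels)
                + sum(1 + len(dsts) for dsts in self.xrefs.values()))


@dataclass
class RvaDatabase:
    """Annotations keyed by RVA: valid for any load base of the same image.

    Caveat: an RVA only identifies an address inside one module; xrefs into
    other DLLs would need a (module, RVA) key instead.
    """
    comments: dict[int, str] = field(default_factory=dict)
    labels: dict[int, str] = field(default_factory=dict)
    xrefs: dict[int, list[int]] = field(default_factory=dict)

    @classmethod
    def from_va(cls, db: VaDatabase) -> "RvaDatabase":
        """One-time conversion: strip the base the VA database was built at."""
        b = db.image_base
        return cls(
            comments={va - b: t for va, t in db.comments.items()},
            labels={va - b: n for va, n in db.labels.items()},
            xrefs={src - b: [dst - b for dst in dsts] for src, dsts in db.xrefs.items()},
        )

    def lookup_label(self, va: int, image_base: int) -> str | None:
        """Resolve a live VA against the current base; no per-load rewrite."""
        return self.labels.get(va - image_base)

    def xrefs_from(self, va: int, image_base: int) -> list[int]:
        """Return xref targets as live VAs for the current base."""
        return [image_base + rva for rva in self.xrefs.get(va - image_base, [])]


def build_sample_va_db(image_base: int) -> VaDatabase:
    """Constructed annotations, as a disassembly pass might have produced them."""
    db = VaDatabase(image_base)
    db.labels[image_base + 0x1000] = "start"
    db.labels[image_base + 0x1500] = "sub_parse_args"
    db.comments[image_base + 0x1010] = "call parser"
    db.xrefs[image_base + 0x1010] = [image_base + 0x1500]
    return db


if __name__ == "__main__":
    va_db = build_sample_va_db(PREFERRED_BASE)
    touched = va_db.rebase(ASLR_BASE)
    print(f"VA database: rewrote {touched} addresses for base {ASLR_BASE:#x}")
    rva_db = RvaDatabase.from_va(build_sample_va_db(PREFERRED_BASE))
    print("RVA database:", rva_db.lookup_label(ASLR_BASE + 0x1500, ASLR_BASE), "with no rebase")
```

The rebase count is proportional to the number of comments, labels and xref endpoints, which is why the cost scales with how much of the image was annotated rather than with the file size alone. The RVA store pays a subtraction per lookup instead, and the caveat in its docstring matters for a debugger: anything that refers into another module (imports, xrefs to a DLL) still needs that module's base recorded alongside the RVA.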
#37 - 10-12-2015, 01:06 - cyberbob (VIP, joined Aug 2004)
Well, it all depends on your hardware. I just checked totalcmd64.exe on my 4-year-old laptop (i7-2620M @ 2.70 GHz, 8 GB RAM, Win7) and it takes about 3-4 seconds.
#38 - 10-12-2015, 17:58 - giv (VIP, Romania, joined Jan 2011)
Ah.
I have an i7 3.3 GHz quad laptop with Win 8.1 x64, 12 GB DDR3 and a 256 GB SSD, but I did not test on it because it is only for Tom & Jerry kids' games.
I thought it is not suitable to reverse on a laptop.
And my 2.4 GHz Q6660 Quad is suitable for reversing a 3 MB program....
I will test on the laptop when it is free and I will tell you the result.
#39 - 08-15-2018, 19:11 - MarcElBichon (VIP, joined Jan 2002)
Even though nothing has changed, it was re-uploaded on 2018-08-04.
Never forget this tool!
All times are GMT +8.