MapConv fails to apply IDA .MAP labels or comments

[5Alive]

Hello,
I'm experiencing a rather strange problem when using the MapConv v1.4 plugin for OllyDbg.

I have produced a MAP file using IDA which includes Autogenerated names and Demangled names. From IDAs Options\Demangled names... menu and selecting Setup shortnames, I checked the option "Inhibit everything except the main name".

I have sucessfully applied this MAP to an attached EXE process and confirmed that either Labels or Comments are present by right clicking in the CPU window and selecting either search for/user-defined label or search for/user-defined comment

When I try to do the same for a DLL, no labels or comments can be seen.
Any ideas what can be wrong? In Olly, I selected from the menu Optiions\Debugging options and selecting the Events tab I checked the Break on new module (DLL) option.

Once the attached process loads, I would expect Olly to break when the DLLs are loaded, this doesn't appear to happen though.
Next, I press Alt+E to view the executable modules of the attached process.
I highlight the desired DLL and right click and select Follow entry.
I then apply the .MAP file only to find no comments or labels present.
NOTE: I can succesfully convert this .MAP file to a .NMS and view all the labels and comments in softICE. I would prefer to work on this app using Olly thats all.

I hope someone can help me solve this interesting problem. Thanks for all your help.
Thankyou,
5aLIVE

[_Servil_]

Quote:

Originally Posted by 5Alive

When I try to do the same for a DLL, no labels or comments can be seen.
Any ideas what can be wrong? In Olly, I selected from the menu Optiions\Debugging options and selecting the Events tab I checked the Break on new module (DLL) option.

The plugin by godfather/TBD should works for relocated modules just make sure you stay within the imported module code in CPU window, If it wont work try mapgen (its only mapconv modified to handle relocated modules imagebase correctly).

[5Alive]

Hi Servil_, I don't pretend to have a great deal of knowledge on the subject of relocation, though I can say with some certainty that the DLL is relocated with respect to the attached applications image base.

I know I am in the code area of the imported module as I can recognise some of the code compared with that of the IDA dissasembly listing.
How do I translate from dissambler addresses to degugger addresses? I have tried reading tutorials on this but just get confused by the examples.

I did a Google search for "mapgen", but I cannot seem to find anything related to .MAP files. Is this an OllyDbg plugin?

Thanks for the reply?

[_Servil_]

If the module is relocated it means that its loaded at address different from base given in its header (usual for dlls).
If mapconv still dont work, export symbols with mapgen and import by modified mapconv plugin, it may works.
both at sharemation.com/servil/idaplugs/

[5Alive]

I've changed the image base of the DLL file to that of the relocated DLL, now the addresses in my IDA listing are the same as the attached DLL in Olly.

I am still unable to view comments or labels using a Map file produced from IDA directly or with your plugin. Nice looking tool BTW.

This is driving me to distraction. What else could possibly be wrong?
Thanks again,
5aLIVE

[5Alive]

UPDATE:
Up until now I've been using Olly 1.09d, I thought I try using Olly 1.10 since it supports the loading of DLLs.
Using this tool still didn't give the expected results.


I changed the image base of the DLL using LordPE to make dissassembled addresses match those of the relocated DLL.

As soon as I try and apply a label or comment MAP, I gey the application error 'The instruction at "0x2c6172b" referenced memory at "0x0000000c". The memory could not be "read".

This suggests to me that there is a problem with the new image base of the DLL(loading the original DLL with the original map, doesn't produce this error, neither does it produce labels or comments ).

Another "clue" that tells me the rebased DLL structure is in error is that previous string references shown in IDA like:

.text:10002E6F 68+ push offset aMyString ; "MyString"
.data:1000924C 41+aMyString db 'MyString',0 ; DATA XREF: .text:10002E6F

Now become:
.text:02042E6F 68+ push 1000924Ch
.data:0204924C 41+aMyString db 'MyString'

So the new code section appears to be addressing the old data section.
As I've said before, tinkering with PE section is new to me. Do I need to change the start and end adresses of the .data section to fix this?

I hope someone can help me reach a solution.
Many Thanks.
5aLIVE