#773: bug in IDA-Pro [fails to debug zero-based PE]
IDA-Pro embedded debugger doesn’t support PE files with zero image base.
the debugger says (I quote):
“IDA Pro couldn’t automatically determine if the program should be rebased in the database because the database format is too old and doesn’t contain enough information. Create a new database if you want automated rebasing to work properly. Notice you can always manually rebase the program by using the Edit, Segments, Rebase program command”.
I have checked 4.7 (standard) and 5.2 (advanced) versions – they are both buggy.
after pressing F9 debugger loses the control, ignores breakpoints (!!!) allowing to the process running on its own, breaking through the debugger!!! really bad news for malware researchers!
to know your enemy – write a simple “hello, world” application and build it as follows:
# ida-bug-773.c
main()
{
ExitProcess (MessageBox (0, “after one bad thing another follows”, “sudah jatuh, ditimpa tangga”, 0));
}
# building ida-bug-773
cl.exe /c /Ox ida-bug-773.c
link.exe ida-bug-773.obj /FIXED:NO /BASE:0 USER32.LIB
ignore linker warning! (after all, it’s just a warning). the file has zero image base, but works fine, coz windows automatically rebases it to the appropriately place. IDA-Pro does rebases files by default, since she doesn’t reserve lowest part of address space like windows does.
to debug the file with IDA-Pro debugger we have to rebase it before debugging: /Edit/Segments/Rebase program/Target, where Target is 0×40000 or something like that. we can use ms editbin.exe tool (if IDA-Pro is unable to rebase the program, however, if the program checks PE-header, it definitely find out that the file was rebased).
