0

I’m practicing a bit of reverse engineering right now, and I came across a problem. If I copy an address from Cheat Engine and then want to jump to the same place in Ghidra, I end up in a veerem place. For example, 0x00429D1F is sub [ebx+4],edi in Cheat Engine and jge LAB_00 429d2b in Ghidra. I have already heard that you can reset the base address in the Memory Map window and have tried it, but unfortunately it did not work. Besides, pattern scanning in Ghidra does not work for me. When I search a certain pattern of bytes from Cheat Engine in Ghidra, Ghidra doesn't find the pattern even though it exists. Thanks in advance for any help.

Hydrated Dragon
  • 58
  • 6

1 Answers1

1

Maybe you talking about several modules like this? CE disassembler->view->enumerate dll's and symbols If it so, then you need to import specific module (.dll, .exe, etc.) to your project and set the base address for him.

FirowMD
  • 13
  • 2
  • What exactly do you mean by importing? In the project manager? Are there certain ones that I have to import or are there some that I don’t need, because there are a lot of them. – Hydrated Dragon Dec 13 '20 at 07:23
  • @Christophy Launch your app, open CE, attach app, show CE disassembler, then "view"->"Enumerate dll's and symbols". Next you need to find module, which contents your instruction address. You can look at the picture above, which shows wow64cpu.dll (77A40000 base address) and ntdll.dll (base address 77A50000). There are wow64cpu.dll instructions between 77A40000 and 77A50000 that means you need to find wow64cpu.dll on your PC and import to your Ghidra project , yes in the project manager, File->Import file – FirowMD Dec 13 '20 at 14:30
  • And now? Could be that I'm being extremely stupid right now but I don't quite understand why I should import `wow64cpu.dll` since the region where the dll is loaded is completely different from the region of the instruction. `wow64cpu.dll` starts at address `77310000` and the instruction is `00429D1F`. And would I find the instruction now with the address from Cheat Engine? – Hydrated Dragon Dec 13 '20 at 15:27
  • @Christophy Have you seen your app modules as I said? – FirowMD Dec 13 '20 at 16:41
  • @Christophy If this module is the main you debug, then you just need to change your base address in Ghidra as it set in CE – FirowMD Dec 13 '20 at 16:43
  • [link](https://imgur.com/a/K0trhpE) Those are the Memory Regions of the Process and wow64cpu.dll and those from Cheat Engine. I have set the Memory Regions from Ghidra to the from Cheat Engine. Did i forgot something? – Hydrated Dragon Dec 13 '20 at 18:01
  • what address at CE you need? If it is `00429D1F` at CE, then it will be in Ghidra `ac_client.exe` on the same address – FirowMD Dec 13 '20 at 18:39
  • But the problem is, that it isnt the same address in Ghidra.That was the problem from the beginning. Could this be a mistake by Ghidra? – Hydrated Dragon Dec 13 '20 at 18:50
  • you sure that you took address from CE? – FirowMD Dec 13 '20 at 18:53
  • Yeah, I'm 100% sure. – Hydrated Dragon Dec 13 '20 at 19:44
  • idk, you something do wrong, because it should work. For your situation you need to set base address in Ghidra `00400000`. Copy instruction address from CE, press G in Ghidra disassembler and paste address – FirowMD Dec 13 '20 at 22:03
  • But I didn’t do anything wrong. I entered the base address in Ghidra and even re-imported it, but still not. Couldn’t it be Ghidra’s problem now? – Hydrated Dragon Dec 14 '20 at 13:33
  • @Christophy Try either IDA or objdump, maybe dumpbin or something else if you think so – FirowMD Dec 14 '20 at 14:05
  • Tested it in IDA Free and same problem, still land on the same instruction as in ghidra – Hydrated Dragon Dec 14 '20 at 15:14
  • @Christophy it may be due to self-modifying code – FirowMD Jan 15 '21 at 15:05