IDC Generator - access violation #63

Open
nmz787 opened this issue Nov 29, 2020 · 11 comments

@nmz787

nmz787 commented Nov 29, 2020

Loading this EXE fails autodetection of version, tried using 2 or 4 or 6... loads progress without complaint:
http://diyhpl.us/~nmz787/pdf/smi3200/software/Exec/Smi50.exe

Then clicking Tools, IDC Generator, then clicking "Open" (though this should probably really read "Save") I get a message like:
Access violation at address 00673529 in module 'Idr.exe'. Read of address 00CD3540.

Running inside VirtualBox VM with uXP (micro/slimmed Windows XP) OS, using latest EXE in this github bin dir.

Not sure how to help myself with this one, since I don't have the Borland C++ compiler to even attempt to compile IDR with debugging symbols, etc...

@nmz787
Author

nmz787 commented Nov 29, 2020

Trying it on Windows 7, autodetection also fails, using version 2 yields EAccessViolation immediately after saying "yes" to use native knowledge database. Using version 4 loads the file, but using IDC generator produces:
Access violation at address 0067A0AC in module 'Idr.exe'. Write of address 001F6B1C.

@nmz787
Author

nmz787 commented Nov 30, 2020

hmm, actually my last attempt on Win7 was using this build https://github.com/huettenhain/dhrake/releases/download/INITIAL/IDR.7z

Using the latest build in this repo, on Win7, and using Delphi version 4 with the KB files you posted to Dropbox in the README... I get this message when trying to dump the IDC:
Access violation at address 77258DA9 in module 'ntdll.dll'. Write of address 00000014.

@nmz787
Author

nmz787 commented Nov 30, 2020

running in admin mode doesn't solve, though the addresses change, the message is otherwise the same

@crypto2011
Owner

My IDR version (I don't know about private builds you mentioned: ...huettenhain...). I had no exceptions, ids-file created normally, but IDA (version 7.0) couldn't run it - I have message "Bad macro usage" at the end of file. I cannot find any information about this error.
I have changed OpenDialog to SaveDialog (my fault).

@nmz787
Author

nmz787 commented Dec 1, 2020

Can you post the IDC somewhere I can download? What OS did you run on? I think I only need the IDC file at this point, as I'm following a tutorial that uses it inside of Ghidra.

@crypto2011
Owner

Windows 7. Last binary version of IDR (here). Delphi 7. Do you want multipart idc-file or solid one?

@nmz787
Author

nmz787 commented Dec 2, 2020

Is that the binary in the top-level of the repo, or the one in the bin dir? (edit, the commit history shows it's the one in the top-level... is the bin dir meant to be removed from the repo?)

I'm following this blog post, and it doesn't mention anything about multi-part IDC file, so I guess the full one is what I'm after.
https://blag.nullteilerfrei.de/2019/12/23/reverse-engineering-delphi-binaries-in-ghidra-with-dhrake/

Strange you don't get the exception like I do on Win 7. Did you download and run IDR on just the EXE I linked to, or did you download that whole directory and then run IDR on the EXE? (such that IDR would have access to any shared library files in that directory with the EXE)

@nmz787
Author

nmz787 commented Dec 2, 2020

When I ask did you run the EXE, I mean the Smi50.exe I posted in my original post. Is that what you are able to generate the IDC file with?

No I don't trust any private builds :) that is why I run in isolated VMs.

@crypto2011
Owner

Just the file Smi50.exe.
Here is a link to idc (archive with password: 0123456789ABCDEF).
https://drive.google.com/file/d/1EAD2l-5b5cJXtVKgansDNp4xs64Azeei/view?usp=sharing

@nmz787
Author

nmz787 commented Jan 6, 2021

Thanks for the file, it helped with my debugging!

@nmz787
Author

nmz787 commented Jan 6, 2021

> Windows 7. Last binary version of IDR (here). Delphi 7. Do you want multipart idc-file or solid one?

What did you mean by Delphi 7? I don't have Delphi installed, do you think that has anything to do with the access violation? I was able to export IDC file for another EXE... oh but that might not have been on the same Windows XP virtual machine. Hmm. I will have to try the original EXE I posted with the newer Windows VM (I think it was Win 8 or 10, I can't remember right now).
