Based/Rebased address computation menu

  1. #1 Dysphorie (Member)

    Based/Rebased address computation

    It seems that the concept of based/rebased addresses is not clear to everyone.

    Since Windows Vista/Seven, a new feature has been implemented in the OS.
    This feature (address space layout randomization) has the goal of making reverse engineering harder by randomizing the memory address at which a module (exe file or DLL) is loaded.
    To do this, the exe or DLL file has a flag set in its header.

    Because this feature is 'new', people running Windows XP don't have this problem and so always have wow.exe loaded at the standard address (0x00400000).

    But because it is a Windows security feature, if you run on Windows Vista/Seven, you can disable it.
    If you have Windows Vista, a registry key allows you to disable it (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages).
    If you have Windows Seven, you'll have to download a 5MB Microsoft tool (Enhanced Mitigation Experience Toolkit) downloadable at Download Details - Microsoft Download Center - EMET to configure or disable it.

    Once disabled (and after a reboot) your wow.exe will ALWAYS be loaded at 0x00400000.
    This means, for example, that IDA addresses can be used directly in any computation.

    So please, now, stop computing based/rebased/unbased/reunbased addresses and just go ahead !

    Edit by Cypher: Do NOT do this if you value the security of your machine! If you must disable ASLR for WoW, use jjaa's solution, but do not disable it globally.
    Last edited by Cypher; 08-14-2011 at 01:51 AM.

  2. #2 jjaa (Contributor)
    I really wouldn't recommend disabling it for the entire system. It's there for a reason. If you really must disable it, disable it for the binary. Just edit the PE header. Remove the 0x0040 flag in the DLL Flags field, in the Optional Header.

  3. #3 Cypher (Kynox's Sister's Pimp)
    Originally Posted by Dysphorie:
        It seems that the concept of based/rebased addresses is not clear to everyone.

        Since Windows Vista/Seven, a new feature has been implemented in the OS.
        This feature (address space layout randomization) has the goal of making reverse engineering harder by randomizing the memory address at which a module (exe file or DLL) is loaded.
        To do this, the exe or DLL file has a flag set in its header.

        Because this feature is 'new', people running Windows XP don't have this problem and so always have wow.exe loaded at the standard address (0x00400000).

        But because it is a Windows security feature, if you run on Windows Vista/Seven, you can disable it.
        If you have Windows Vista, a registry key allows you to disable it (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages).
        If you have Windows Seven, you'll have to download a 5MB Microsoft tool (Enhanced Mitigation Experience Toolkit) downloadable at Download Details - Microsoft Download Center - EMET to configure or disable it.

        Once disabled (and after a reboot) your wow.exe will ALWAYS be loaded at 0x00400000.
        This means, for example, that IDA addresses can be used directly in any computation.

        So please, now, stop computing based/rebased/unbased/reunbased addresses and just go ahead !
    You're globally disabling a security feature (a VERY important one which makes exploiting vulnerabilities far more difficult), just so you don't have to do a bit of pointer arithmetic?

    You're a genius. No, really, you're amazing. Thank you for your insight.

    It seems to me what's not "clear" to you is that this is NOT a feature designed to "make reverse engineering harder" (it doesn't make reverse engineering harder at all, unless of course you're an idiot), it's designed to stop code being loaded at a known location so that exploit writers can't easily do ret-to-libc style attacks.

    So please, now, stop talking until you've done your research.

    Originally Posted by jjaa:
        I really wouldn't recommend disabling it for the entire system. It's there for a reason. If you really must disable it, disable it for the binary. Just edit the PE header. Remove the 0x0040 flag in the DLL Flags field, in the Optional Header.
    Personally I wouldn't even recommend this, but it's definitely a far better solution than disabling a critical security feature on a system-wide scale.
    Last edited by Cypher; 08-14-2011 at 01:58 AM.

  4. #4 Azzie2k8 (Member)
    Okay, I am a noob here, but what is so terrible about doing a little math?

    I mean rebasing an offset isn't that hard and you don't have to do it manually so I don't see the reason why I should deactivate ASLR.
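    The two mechanics the thread argues about, the DLL Characteristics flag jjaa names (0x0040, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and the rebasing arithmetic Azzie2k8 refers to, as an added example that is not code from the thread or from any of its posters. It parses the PE optional header to report whether an image opts into ASLR and DEP (the check a defender runs on a binary before deploying it), and converts an address taken from a disassembly loaded at the preferred base into the address in a live process. The PE header bytes are constructed inline for the demo; field offsets follow the PE/COFF specification (PE32 ImageBase at optional-header offset 28, PE32+ at 24, DllCharacteristics at 70 in both). The sample addresses and load base are made up.

```python
import struct

# Optional-header DllCharacteristics bits (PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image is relocatable: ASLR applies
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DEFAULT_EXE_BASE = 0x00400000  # the preferred base the thread keeps referring to


def parse_pe_header(data: bytes) -> dict:
    """Read ImageBase and DllCharacteristics from a PE image (PE32 or PE32+).

    Only the headers are read, so the first few hundred bytes of a file are enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {
        "magic": magic,
        "image_base": image_base,
        "dll_characteristics": dll_chars,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def rebase(static_addr: int, actual_base: int, static_base: int = DEFAULT_EXE_BASE) -> int:
    """Translate an address from a disassembly loaded at static_base to a live process.

    The module-relative offset (RVA) is what stays constant across loads; only the base moves.
    """
    offset = static_addr - static_base
    if offset < 0:
        raise ValueError("address lies below the static image base")
    return actual_base + offset


def build_sample_pe(image_base: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header: DOS header, PE signature, COFF header, optional header.

    Test data only, not a real binary: it carries just the fields parse_pe_header reads.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit(data: bytes) -> str:
    """One-line mitigation summary for a binary's headers."""
    info = parse_pe_header(data)
    return (f"ImageBase=0x{info['image_base']:08X} "
            f"ASLR={'on' if info['aslr'] else 'OFF'} DEP={'on' if info['dep'] else 'OFF'}")


if __name__ == "__main__":
    hardened = build_sample_pe(DEFAULT_EXE_BASE, 0x0140)  # DYNAMIC_BASE | NX_COMPAT
    legacy = build_sample_pe(DEFAULT_EXE_BASE, 0x0000)    # no mitigation flags: always at 0x00400000
    print(audit(hardened))
    print(audit(legacy))
    # Made-up numbers: 0x00ABCDEF seen in a disassembly at 0x00400000, module actually at 0x01230000.
    print(hex(rebase(0x00ABCDEF, 0x01230000)))
```

    Run against a real file by passing open(path, "rb").read(512) to audit(); a missing DYNAMIC_BASE bit on a modern executable is a hardening finding worth raising, which is the opposite of what the opening post asks for.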

  5. #5 miceiken (Contributor, Authenticator enabled)
    Use patterns and you won't even see the base address.
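    What "use patterns" means in practice, as an added example that is not from the thread or any poster: locate a code sequence by a byte signature with wildcards instead of by an absolute address, the same wildcard byte matching that detection rules use. A match is reported as an offset from the start of the module image, which is stable no matter where the loader placed the module, and a signature is only useful if it is unique, so the scanner refuses ambiguous ones. The "module image" here is a constructed buffer of a few x86 bytes (mov eax, [imm32]; test eax, eax; ret) around filler, and the load base is made up.

```python
import re
import struct


def compile_pattern(pattern: str):
    """Compile an IDA-style signature ("A1 ?? ?? ?? ?? 85 C0") into a bytes regex.

    Each hex token matches one literal byte; "??" (or "?") matches any single byte.
    """
    parts = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    if not any(p != b"." for p in parts):
        raise ValueError("signature needs at least one fixed byte")
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(image: bytes, pattern: str) -> list:
    """Every offset (relative to the start of image) where the signature matches, overlaps included."""
    rx = compile_pattern(pattern)
    hits, pos = [], 0
    while True:
        m = rx.search(image, pos)
        if m is None:
            return hits
        hits.append(m.start())
        pos = m.start() + 1


def find_unique(image: bytes, pattern: str) -> int:
    """Offset of the single match; a signature that hits 0 or several times is unusable."""
    hits = find_all(image, pattern)
    if len(hits) != 1:
        raise LookupError(f"signature matched {len(hits)} times; it must match exactly once")
    return hits[0]


def operand_rva(image: bytes, match_off: int, operand_off: int, load_base: int) -> int:
    """Read the imm32 absolute address inside a matched instruction and convert it to a module-relative offset."""
    absolute = struct.unpack_from("<I", image, match_off + operand_off)[0]
    rva = absolute - load_base
    if not 0 <= rva < len(image):
        raise ValueError("operand points outside the module image")
    return rva


# Constructed sample: 16 NOPs, then mov eax,[load_base+0x20]; test eax,eax; ret, then 16 int3 bytes.
LOAD_BASE = 0x01230000  # made-up address the loader chose this run
SAMPLE_IMAGE = (b"\x90" * 16
                + b"\xA1" + struct.pack("<I", LOAD_BASE + 0x20) + b"\x85\xC0" + b"\xC3"
                + b"\xCC" * 16)
SIGNATURE = "A1 ?? ?? ?? ?? 85 C0 C3"  # the imm32 is wildcarded because it moves with the base


if __name__ == "__main__":
    off = find_unique(SAMPLE_IMAGE, SIGNATURE)
    print(f"signature at module offset 0x{off:X} (address 0x{LOAD_BASE + off:08X} this run)")
    print(f"instruction reads module offset 0x{operand_rva(SAMPLE_IMAGE, off, 1, LOAD_BASE):X}")
```

    The signature wildcards the four operand bytes precisely because they are the part that changes under relocation; everything the scanner returns is relative to the module, so nothing in the result depends on the base address the poster is told not to worry about.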

  6. #6 Cypher (Kynox's Sister's Pimp)
    Originally Posted by Azzie2k8:
        Okay, I am a noob here, but what is so terrible about doing a little math?

        I mean rebasing an offset isn't that hard and you don't have to do it manually so I don't see the reason why I should deactivate ASLR.
    Apparently addition is hard, so you should compromise your machine's security to compensate for your failure in kindergarten-level mathematics.

  7. #7 sitnspinlock (Elite User, CoreCoins Purchaser)
    Personally I don't find debuggers like IDA or GDB which rebase the debuggee to the default image base to be that great; there are plenty of other great ring 3 debuggers to use.

    and as everyone else said, I don't think anything good can come from disabling aslr, let alone globally. Though if you are still interested I put together a little command line tool back in the day to disable it in a target PE

    here

    the parameters are "aslr example.exe"; it will spit out a binary named patch.exe, which is of course a binary copy except with ASLR disabled. It also needs to be used in the target directory ;p

    but in all seriousness, this shouldn't need to be done to begin with

  8. #8 Cypher (Kynox's Sister's Pimp)
    Originally Posted by everdox:
        Personally I don't find debuggers like IDA or GDB which rebase the debuggee to the default image base to be that great; there are plenty of other great ring 3 debuggers to use.

        and as everyone else said, I don't think anything good can come from disabling aslr, let alone globally. Though if you are still interested I put together a little command line tool back in the day to disable it in a target PE

        here

        the parameters are "aslr example.exe"; it will spit out a binary named patch.exe, which is of course a binary copy except with ASLR disabled. It also needs to be used in the target directory ;p

        but in all seriousness, this shouldn't need to be done to begin with
    Just an alternative (includes sauce):
    setdllcharacteristics « Didier Stevens

  9. #9 jjaa (Contributor)
    IDA best debugger eva, no comparison... and I'm not waiting 5 mins every time I attach.....
