Bl@ck Virus Posted March 16, 2016 Share Posted March 16, 2016 hello all how can I convert Some DLL Offset address to VA ? Quote i want to convert this address to VA i attach DLL file too can i do it directly by x64dbg ? tnx in advance am.dll Link to comment
crystalboy Posted March 16, 2016 Share Posted March 16, 2016 To convert file offset to VA you should take a look at PE section table and find what of the section contain the raw offset that you need. When you find the section there is a formula to calculate it: your_offset - raw_offset_of_section_that_contain_your_offset + virtual_address_of_section_that_contain_your_offset + IMAGE_BASE = VA Hope it helps regards Link to comment
Bl@ck Virus Posted March 16, 2016 Author Share Posted March 16, 2016 2 minutes ago, crystalboy said: To convert file offset to VA you should take a look at PE section table and find what of the section contain the raw offset that you need. When you find the section there is a formula to calculate it: your_offset - raw_offset_of_section_that_contain_your_offset + virtual_address_of_section_that_contain_your_offset + IMAGE_BASE = VA Hope it helps regards tnx for you answer but is it any application to do it automatically ? Link to comment
crystalboy Posted March 16, 2016 Share Posted March 16, 2016 Yes there is: PETools (Tools -> PE Editor (select your dll) -> FLC -> Select File offset -> insert your value and press Calculate) CFF Explorer (Drag and drop your DLL on it and press on Address Converter) Hope it helps Regards 4 Link to comment
Bl@ck Virus Posted March 16, 2016 Author Share Posted March 16, 2016 Just now, crystalboy said: Yes there is: PETools (Tools -> PE Editor (select your dll) -> FLC -> Select File offset -> insert your value and press Calculate) CFF Explorer (Drag and drop your DLL on it and press on Address Converter) Hope it helps Regards thanks again mate Link to comment
mrexodia Posted March 16, 2016 Share Posted March 16, 2016 x64dbg supports it directly. Use: kernel32.dll:#1234 To go to kernel32.dll at offset 0x1234. You can also go to a relative address like this: x64dbg.exe:$1234 Greetings 2 Link to comment
Bl@ck Virus Posted March 18, 2016 Author Share Posted March 18, 2016 On 3/16/2016 at 11:43 PM, Mr. eXoDia said: x64dbg supports it directly. Use: kernel32.dll:#1234 To go to kernel32.dll at offset 0x1234. You can also go to a relative address like this: x64dbg.exe:$1234 Greetings thanks for your answer Sir but i`m newbie with x64dbg and i don`t know how I can use this " kernel32.dll:#1234 " do you have any video that can help me more ? tnx agian Link to comment
mrexodia Posted March 19, 2016 Share Posted March 19, 2016 Use Ctrl + G (goto) and type it there 1 Link to comment
Bl@ck Virus Posted March 19, 2016 Author Share Posted March 19, 2016 2 hours ago, Mr. eXoDia said: Use Ctrl + G (goto) and type it there tnx very very much I love your Debugger....! 1 Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now