
Finding function in IDA from x64dbg

Reverse Engineering Asked by Lubbi on July 21, 2021

I’ve found a function I want to call in x64dbg, and wanted to see its prototype and what it looks like in IDA. However, I was expecting to see a function in IDA but land in the middle of one.

The function I want to call in x64dbg: [screenshot]

I was expecting I could find the static address in IDA doing like so:

RVA: 881C0000

Finding this statically in IDA: 0000000140000000 (base) + 1C88 (RVA) yielding: 140001C88

When searching for address 140001C88 in IDA I land in the middle of a function, sub_140001B80. I was expecting to land at something like sub_140001C88. Can someone see what I’m doing wrong?


(FYI: I’m trying to call a function that presses a button)

2 Answers

Calls on x86/x64 are encoded based on how far the target is from the source, not as an RVA into the image. I.e., the number 0x1C88 is a distance, not an RVA. To find the RVA, follow the call to its destination, and then subtract the module imagebase from that address. Then, in IDA, press G and enter 0x140000000+[RVA HERE].

Correct answer by Rolf Rolles on July 21, 2021
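The arithmetic Rolf describes, worked through as an added example that is not part of either answer: decode an E8 rel32 call, resolve its target from the address of the following instruction, subtract the runtime module base to get the RVA, and rebase that onto IDA's default 0x140000000. The module base and the call's location are constructed values, not taken from the question's binary.

```python
# Added example: resolve an x64 near CALL (opcode E8 + rel32) to an RVA and an IDA address.
import struct

IDA_DEFAULT_BASE = 0x140000000  # IDA's default image base for a 64-bit PE, as in the question


def call_target(instr_va: int, instr_bytes: bytes) -> int:
    """Return the absolute target of an E8 rel32 call located at instr_va.

    rel32 is a signed displacement measured from the address of the *next*
    instruction (instr_va + 5); it is a distance, not an RVA into the image.
    """
    if len(instr_bytes) != 5 or instr_bytes[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 rel32 near call")
    rel32 = struct.unpack("<i", instr_bytes[1:5])[0]
    return (instr_va + 5 + rel32) & 0xFFFFFFFFFFFFFFFF


def rva(va: int, module_base: int) -> int:
    """Relative virtual address: distance of va from the module's load base."""
    return va - module_base


def ida_address(va: int, module_base: int, ida_base: int = IDA_DEFAULT_BASE) -> int:
    """Rebase a runtime (ASLR'd) address onto IDA's static image base."""
    return ida_base + rva(va, module_base)


if __name__ == "__main__":
    # Constructed sample: module loaded at a hypothetical ASLR base, with a call
    # at RVA 0x1F00 whose bytes carry the displacement 0x1C88 (88 1C 00 00).
    base = 0x7FF612340000
    call_va = base + 0x1F00
    call_bytes = bytes([0xE8]) + struct.pack("<i", 0x1C88)
    target = call_target(call_va, call_bytes)
    print(f"call @ {call_va:#x} -> target {target:#x}")
    print(f"target RVA : {rva(target, base):#x}")          # 0x3b8d, not 0x1c88
    print(f"IDA address: {ida_address(target, base):#x}")  # press G and enter this
```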

If you want to use x64dbg for debugging and at the same time IDA Pro for static analysis, I recommend one of my favourite plugins: https://github.com/bootleg/ret-sync

You can for example run your binary program in a VM with x64dbg and synchronize it to highlight the current instruction in IDA Pro and much more like auto rebase, controlling/BP from IDA, Windbg...

Answered by Tony on July 21, 2021
