My x64 tool bag continues to grow with this new import reconstructing tool created by TiGa (Sébastien Doucet) and demo’d at the RECon 2008 event. You can read more about this new tool and grab yourself a copy at the Collaborative RCE Tool Library. Also you can download the video of TiGa’s RECon session on x64 unpacking here and see the tool in use.
Monthly Archives: June 2008
Reflector + Deblector + x64 = 0x80131C30
I was trying to debug a problem the other day and I set out using Lutz Roeder’s excellent Reflector for .NET tool, along with Deblector, an addin for debugging within Reflector. I loaded my target into Reflector and started the debugging addin and up popped the following dialog.
Now this dialog contains a lot of information, but to be honest it kind of overwhelmed me and didn’t really give me any good feeling about what had actually gone wrong. Obviously it was related in some way to MDbg, the managed debugger used by Reflector. So I pulled down the Managed Debugger Sample and the Deblector source and set about trying to figure out what had really gone wrong. Anyway, I tracked this dialog down to the following piece of code:
    private void DebuggerErrorEventHandler(Object sender, CorDebuggerErrorEventArgs e)
    {
        Trace.WriteLine("ManagedCallback::DebuggerError");
        if (InternalHandleRawMode(ManagedCallbackType.OnDebuggerError, e))
            return;
        e.Continue = false;
        InternalSignalRuntimeIsStopped(null, new DebuggerErrorStopReason());
        Debug.Assert(false, "Critical failures -- received DebuggerError callback.");
    }
And examining the CorDebuggerErrorEventArgs object allowed me to actually find the error code 0x80131C30. This wasn’t a number I was familiar with, so I had to Google it, which led me to the fact that ICorPublish does not cross the 32/64 bit boundary. Ah, now we’re getting somewhere, I thought; the .NET flags in the header of the target I was trying to debug were set as follows:
But for some (presumably good) reason, Reflector’s binary is set to ‘32bit required’. As I was running on Vista x64 my target was being run as a 64 bit image, but Reflector + Deblector + the ICorPublish interface they created were running as 32 bit.
The solution to my problem? Well, I simply ticked the ‘32bit required’ tick box in the flags section of the .NET header for the target I wished to debug and everything started working.
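To check this before attaching a debugger, the flag can be read straight from the file. The following is an added example, not code from the post, Reflector or Deblector: it parses the CLR header of a PE image and reports whether the image would get a 32-bit or a 64-bit process on x64 Windows, going slightly beyond the post by also considering the IL-only flag and PE32+ images. The function names and the sample image are constructed for illustration; the flag names and values are those of corhdr.h.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1          # flag names and values as in corhdr.h
COMIMAGE_FLAGS_32BITREQUIRED = 0x2   # the '32bit required' tick box

def process_bitness_on_x64(pe: bytes) -> int:
    """Return 32 or 64: the process a managed image gets on 64-bit Windows."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24                                          # optional header
    if struct.unpack_from("<H", pe, opt)[0] == 0x20B:      # PE32+: 64-bit only
        return 64
    # Data directory 14 is the CLR header; directories start at +96 in PE32.
    clr_rva = struct.unpack_from("<I", pe, opt + 96 + 14 * 8)[0]
    if clr_rva == 0:
        raise ValueError("no CLR header: not a managed image")
    for i in range(nsect):                                 # map RVA to file offset
        vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + i * 40 + 8)
        if vaddr <= clr_rva < vaddr + max(vsize, rsize):
            # Flags sit at offset 16 of IMAGE_COR20_HEADER.
            flags = struct.unpack_from("<I", pe, clr_rva - vaddr + rptr + 16)[0]
            break
    else:
        raise ValueError("CLR header RVA is outside every section")
    il_only = bool(flags & COMIMAGE_FLAGS_ILONLY)
    need32 = bool(flags & COMIMAGE_FLAGS_32BITREQUIRED)
    return 64 if il_only and not need32 else 32            # AnyCPU goes 64-bit

def sample_image(flags: int) -> bytes:
    """Constructed minimal PE32 holding only the fields read above."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", img, 0x98, 0x10B)                       # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)   # CLR directory
    struct.pack_into("<8sIIII", img, 0x98 + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHIII", img, 0x200, 72, 2, 5, 0, 0, flags) # COR20 header
    return bytes(img)

if __name__ == "__main__":
    debugger_bits = 32   # Reflector is marked 32-bit required, per the post
    for flags in (0x1, 0x3):
        bits = process_bitness_on_x64(sample_image(flags))
        print(f"flags={flags:#x}: {bits}-bit target,",
              "ok" if bits == debugger_bits else "mismatch with 32-bit debugger")
```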
iHomeServer
And it even looks like Apple are getting in on all the Home Server goodness coming out of Microsoft at the moment 🙂
Take a look at this link to find out how to turn your Mac Mini into a Windows Home Server (and put it to a good use 😉 )
Windows Home Server Power Pack 1 Release Candidate
Well, I’ve been away on vacation for a week and I’ve come back to find that the release candidate of Power Pack 1 is now available. So I’ve just finished upgrading my server and performing the first backup of my Vista x64 laptop 🙂 using the new x64 WHS Connector software, needless to say, this took a long time as a first backup (of a 250GB drive over wifi) but at least it all worked.