How to break in x64dbg from ghidra's corresponding instructions?


I have x64dbg and ghidra synchronized via ret-sync. I found an interesting point in ghidra:

1800382b1   4d 8b e0      MOV              R12,rebitData
1800382b4   48 63 f2      MOVSXD           packetSize_,packetSize

in the listing view; the file my.dll starts at 180000000. So, then in x64dbg I add a dll break for my.dll, and when I'm in, I go to the file offset with ctrl+shift+g and enter 328b4, but I end up at (first line):

00007FF8B2FB32B4 | 06                       | ???             
00007FF8B2FB32B5 | E9 80000000              | jmp my.7FF8B2FB333A    
00007FF8B2FB32BA | 45:8BC6                  | mov r8d,r14d        
00007FF8B2FB32BD | EB 7B                    | jmp my.7FF8B2FB333A   
00007FF8B2FB32BF | 3BFB                     | cmp edi,ebx 
00007FF8B2FB32C1 | 73 22                    | jae my.7FF8B2FB32E5 
00007FF8B2FB32C3 | 41:3BDB                  | cmp ebx,r11d 
00007FF8B2FB32C6 | 76 18                    | jbe my.7FF8B2FB32E0 

where in x64dbg, the file starts at: 00007FF8B2F81000 (CPU tab, module my.dll, main thread X, PID Y).

Obviously the instructions are not the same. (I believe I did the rebase correctly.)

How can I make the correspondence ghidra -> x64dbg and break in x64dbg at the "same place", i.e., the same instructions?

2


0
BEST ANSWER

However, this does not work with ret-sync built in release, only in the debug version. This is a bug.

  • For manual rebase+jump, from x64dbg it is possible to enter the offset (current offset - base offset) as an expression in the x64dbg calculator, and ask to follow in disassembler to jump directly to the offset. One can calculate an expression that does a rebase or a more complex function (e.g., offset + sizeof X * Ntimes).

  • If the final offset is known, another way to jump to the desired offset in x64dbg is ctrl+shift+g (go to file offset), if the desired module is in the CPU disassembly. If not, one needs to go to symbols, follow the module of interest in the CPU disassembly and then go to file offset.

4

You said you wanted to go to 328b4 but your second snippet is at ...32B4 and looks like you ended up in the middle of an instruction. I would expect the correct address to be 0x00007FF8B2F81000 + 0x328b4 = 0x7ff8b2fb38b4.

I am not aware of ret-sync supporting setting breakpoints, but you can do the address translation more easily by either getting the relative offset by hovering [screenshot]

Source: https://twitter.com/dev747368/status/1347360276476293125

and then adding the x64dbg offset of 00007FF8B2F81000 to the offset (2008h in the screenshot, in your case 328b4h).

Or you can script this by running currentAddress.subtract(currentProgram.imageBase) in the shell to get the relative offset for the current address (again 328b4h in your example) and then adding the x64dbg offset. So the complete command would be: currentAddress.subtract(currentProgram.imageBase).add(0x00007FF8B2F81000). Run this in the Python REPL and the correct x64dbg address for the current address should result.