Different decompiler output after relocating image

[Wdestroier]

Describe the bug After relocating the image base to 0x00000000 the decompiler output changes. The files are different, because I thought the problem was because I updated Ghidra...

Screenshots Before relocation After relocation

Expected behavior Display the same output after relocating the image.

Environment (please complete the following information):

• OS: Windows 11
• Java Version: "11.0.10" 2021-01-19 LTS
• Ghidra Version: 10.1.1
• Ghidra Origin: GitHub

[emteere]

Did you re-import with a new image base, or did you just set the image base in memory?

It is best to re-import the binary with a new image base. Setting the image base, especially after analysis can cause issues. The movement can be too simplistic, especially if there are relocations, as the calculation of values can't be easily re-done. Try re-importing and setting the image base offset in the import options. Things should be equivalent.

[emteere]

Also, looking at the code closely, it isn't re-locatable as there are hard-coded addresses in the instructions, for example the PUSH of the address of a string location. Unless the code is relocatable at import with relocations, you can't simply move code without carefully changing all the values in memory/instructions. Setting the image base does not rifle through the code and memory and fix these issues.

[Wdestroier]

it isn't re-locatable as there are hard-coded addresses in the instructions

Ohh, I thought the instructions would point to the correct address. The only reason why I relocate the image base is to jump to an address by specifying only the offset. Example: 7B13 instead of 990000+7B13. Is it possible to replace 990000 by a special character or something shorter?

[emteere]

In the goto dialog and other dialogs you can type in an equation. So one way to do what you want is to put a label at the image base address say IB. Then you can use the following in the goto dialog IB+7b13.

[Wdestroier]

Nice, thanks. Would a check box labeled "Jump relative to base address" be a good feature? I can create a feature request or just close this issue otherwise...