radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Cannot set breakpoints #12811

Closed pcopissa closed 5 years ago

pcopissa commented 5 years ago

This template is meant for bug reports, if you have a feature request, please be as descriptive as possible and delete the template

Make sure you are testing using the latest git version of radare2 before submitting any issue.

If you would like to report a bug, please fill the template below

Work environment

| Questions | Answers |
| --- | --- |
| OS/arch/bits (mandatory) | Win10 |
| File format of the file you reverse (mandatory) | PE |
| Architecture/bits of the file (mandatory) | x86/64 bits |
| r2 -v full output, not truncated (mandatory) | radare2 3.2.1 1 @ windows-x86-64 git. commit: 25913f4745cb3b635d52f1aafc4d8ff2aad3988a build: Tue 01/08/2019__16:15:53.21 |

Expected behavior

Setting a breakpoint

Actual behavior

w32_dbg_maps/w32_OpenProcess: The parameter is incorrect
Cannot place a breakpoint on 0x14001af68 unmapped memory.See e? dbg.bpinmaps

Steps to reproduce the behavior

>radare2 c:\Windows\System32\notepad.exe
 -- EXPLICIT CONTENT

[0x140019180]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019bd6
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140016a32
Invalid instruction of 16377 bytes at 0x14003be3b
Invalid instruction of 16384 bytes at 0x14003be43
Invalid instruction of 16383 bytes at 0x14003be45
Invalid instruction of 16384 bytes at 0x14003be54
Invalid instruction of 16365 bytes at 0x14003bdf5
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019bd0
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019bdc
[anal.jmptbl] Missing cjmp bb in predecessor at 0x14001976b
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019879
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019a25
[anal.jmptbl] Missing cjmp bb in predecessor at 0x14001943d
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019a33
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019a3f
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019a39
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019abb
[anal.jmptbl] Missing cjmp bb in predecessor at 0x140019ab5
[anal.jmptbl] Missing cjmp bb in predecessor at 0x1400197d8
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.

[0x140019180]> s fcn.1400014d8

[0x1400014d8]> db fcn.1400014d8
w32_dbg_maps/w32_OpenProcess: Parameter is not correct.
Cannot place a breakpoint on 0x1400014d8 unmapped memory.See e? dbg.bpinmaps
[0x1400014d8]>

Also tried to ood first and then aaa then db but this does not create the fcn.* symbols/functions. Any symbol inside the program that was calculated by radare cannot be used in db (eg. db sub.msvcrt.dll_memset_140019bd6, db sym.imp.msvcrt.dll_memset,...)

FWIW: Other simpler commands fail with the same error message, like dm, but ood fixes it. Issue #10025 reports the same error message in another situation (older radare 2.6, 32 bits, a game DLL ...). I also got the same behavior when trying to debug a 32-bit exe (which is actually what I need to do). I tried both with radare2.exe 32-bit in a 32-bit cmd shell and radare2.exe 64-bit in a 64-bit cmd shell. Both fail.

Additional Logs, screenshots, source-code, configuration dump, ...

Drag and drop zip archives containing the Additional info here, don't use external services or link.

radare commented 5 years ago

You must be debugging in order to set a breakpoint

On 16 Jan 2019, at 15:05, pcopissa notifications@github.com wrote:


pcopissa commented 5 years ago

??? Isn't ood supposed to enter the debugging mode ?

ood?
Usage: ood [args]   # reopen in debugger mode (with args)

If I do that, that still does not work. Specifically:

>radare2 -AA c:\Windows\SysWOW64\notepad.exe
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Enable constraint types analysis for variables
 -- If you want to open the file in read-write mode, invoke r2 with '-w'

#### Find something I am likely to hit
[0x0041b2b0]> s sym.imp.USER32.dll_CreateDialogParamW
[0x0041f2b8]> axt
sub.USER32.dll_SetCursor_415761 0x415ae2 [CALL] call dword sym.imp.USER32.dll_CreateDialogParamW

#### I am not debugging so this will fail...
[0x0041f2b8]> db 0x415ae2 
w32_dbg_maps/w32_OpenProcess: Parameter is incorrect.

Cannot place a breakpoint on 0x00415ae2 unmapped memory.See e? dbg.bpinmaps

#### Enter debugging (presumably)
[0x0041f2b8]>ood
Spawned new process with pid 9408, tid = 7652
File dbg://c:\\Windows\\SysWOW64\\notepad.exe  reopened in read-write mode
= attach 9408 7652
9408
#### Try again to set the breakpoint
[0x7723ce30]>db 0x415ae2
Cannot place a breakpoint on 0x00415ae2 unmapped memory.See e? dbg.bpinmaps

### Maybe the program must be running too ?
[0x7723ce30]> dc
(9408) loading library at 771D0000 (C:\Windows\SysWOW64\ntdll.dll) ntdll.dll
(9408) unloading library at 03220000 (not cached) not cached
[...]
(9408) loading library at 726F0000 (C:\Windows\SysWOW64\bcrypt.dll) bcrypt.dll
(9408) loading library at 6D090000 (C:\Windows\SysWOW64\iertutil.dll) iertutil.dll

[0x77277d3a]> db 0x415ae2
Cannot place a breakpoint on 0x00415ae2 unmapped memory.See e? dbg.bpinmaps

radare commented 5 years ago

The process is probably relocatable and it's mapped somewhere else. Check the output of dm or dmm.

On 16 Jan 2019, at 20:55, pcopissa notifications@github.com wrote:


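The relocation described in the reply above, as an added example (not part of the original thread and not radare2's own code): a Python helper that parses `dm` output, finds the runtime base of a module, and translates an address taken from static analysis into the address to pass to `db`. The static image base 0x00400000 is an assumption (the thread never prints it); the sample map lines follow the `dm` output posted later in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few lines of `dm` output in the format posted later in this thread
# (32-bit notepad.exe after `ood` and `dcu entry0`).
SAMPLE_DM = r"""
0x001e0000 - 0x001e1000 - usr     4K s r-- IMAGE    notepad.exe ?
0x001e1000 - 0x001fc000 - usr   108K s r-x IMAGE    notepad.exe | .text ?
0x001fc000 - 0x001fd000 - usr     4K s rw- IMAGE    notepad.exe | .data ?
0x00c30000 - 0x00c31000 - usr     4K u r-- PRIVATE   ?
0x03190000 - 0x03255000 - usr   788K s r-- MAPPED   \Device\HarddiskVolume3\Windows\System32\locale.nls ?
0x73b40000 - 0x73b41000 - usr     4K s r-- IMAGE    USER32.dll ?
0x73b41000 - 0x73bd9000 - usr   608K s r-x IMAGE    USER32.dll | .text ?
0x771d1000 - 0x772e5000 * usr   1.1M s r-x IMAGE     ? ; map.IMAGE____.r_x
"""

# Assumption: the preferred ImageBase in the PE header is 0x00400000. The
# static addresses in the thread (entry0 = 0x0041b2b0) are consistent with it.
STATIC_BASE = 0x00400000

DM_LINE = re.compile(
    r"^(0x[0-9a-fA-F]+) - (0x[0-9a-fA-F]+) [-*] usr\s+\S+ [us] "
    r"([-rwx]{3}) (\w+)\s+(.*)$"
)


@dataclass(frozen=True)
class Map:
    start: int
    end: int       # exclusive upper bound
    perms: str     # e.g. "r-x"
    kind: str      # IMAGE, MAPPED or PRIVATE
    module: str    # "" when the debugger printed no name
    section: str   # "" when no section is shown


def parse_dm(text: str) -> List[Map]:
    """Parse the text printed by `dm` into Map records; skip other lines."""
    maps = []
    for line in text.splitlines():
        m = DM_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group(5).split(";")[0].strip()   # drop the "; map.xxx" flag
        if rest.endswith("?"):                     # trailing "?" column
            rest = rest[:-1].strip()
        module, _, section = (p.strip() for p in rest.partition("|"))
        maps.append(Map(int(m.group(1), 16), int(m.group(2), 16),
                        m.group(3), m.group(4), module, section))
    return maps


def find_map(maps: List[Map], addr: int) -> Optional[Map]:
    """Return the region containing addr, or None if it is unmapped."""
    for mp in maps:
        if mp.start <= addr < mp.end:
            return mp
    return None


def runtime_base(maps: List[Map], module: str) -> int:
    """Lowest IMAGE mapping of the module, i.e. where the loader placed it."""
    starts = [mp.start for mp in maps
              if mp.kind == "IMAGE" and mp.module.lower() == module.lower()]
    if not starts:
        raise ValueError(f"{module} is not in the map list; is it loaded yet?")
    return min(starts)


def rebase(static_addr: int, static_base: int,
           maps: List[Map], module: str) -> Tuple[int, Map]:
    """Translate a static-analysis address into the live process."""
    addr = static_addr - static_base + runtime_base(maps, module)
    mp = find_map(maps, addr)
    if mp is None or mp.module.lower() != module.lower():
        raise ValueError(f"0x{addr:08x} is outside the mapped image of {module}")
    return addr, mp


if __name__ == "__main__":
    maps = parse_dm(SAMPLE_DM)
    static = 0x415ae2   # call site reported by `axt` in this thread
    print("static address mapped:", find_map(maps, static) is not None)
    addr, mp = rebase(static, STATIC_BASE, maps, "notepad.exe")
    print(f"db 0x{addr:08x}   # {mp.module} {mp.section} {mp.perms}")
```

With the maps from this thread, the call site 0x415ae2 is not inside any region, while its rebased form 0x001f5ae2 falls in the r-x `.text` region of notepad.exe.
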
pcopissa commented 5 years ago

>radare2  c:\Windows\SysWOW64\notepad.exe
 -- Set 'e bin.dbginfo=true' to load debug information at startup.

[0x0041b2b0]> dm
w32_dbg_maps/w32_OpenProcess: Parameter is not correct.

[0x0041b2b0]> dmm
w32_dbg_maps/w32_OpenProcess: Parameter is not correct.

pcopissa commented 5 years ago

If I also run ood, I have:

radare2  c:\Windows\SysWOW64\notepad.exe
 -- Remember that word: C H A I R
[0x0041b2b0]> ood
Spawned new process with pid 11204, tid = 7596
File dbg://c:\\Windows\\SysWOW64\\notepad.exe  reopened in read-write mode
= attach 11204 7596
11204
[0x7723ce30]> dm
0x00120000 - 0x00121000 - usr     4K u r-- PRIVATE   ?
0x00130000 - 0x00150000 - usr   128K u rw- PRIVATE   ?
0x00150000 - 0x00152000 - usr     8K u rw- PRIVATE   ?
0x00160000 - 0x00179000 - usr   100K s r-- MAPPED    ?
0x00180000 - 0x001b5000 - usr   212K u --- PRIVATE   ?
0x001b5000 - 0x001b8000 - usr    12K u --- PRIVATE   ?
0x001b8000 - 0x001c0000 - usr    32K u rw- PRIVATE   ?
0x001c0000 - 0x001c1000 - usr     4K u --x PRIVATE   ? ; map.PRIVATE__.__x
0x001d0000 - 0x001d1000 - usr     4K u rw- PRIVATE   ?
0x001e0000 - 0x001e1000 - usr     4K s r-- IMAGE     ?
0x001e1000 - 0x001fc000 - usr   108K s r-x IMAGE     ?
0x001fc000 - 0x001ff000 - usr    12K s -w- IMAGE     ?
0x001ff000 - 0x0021e000 - usr   124K s r-- IMAGE     ?
0x00220000 - 0x00227000 - usr    28K s --- MAPPED    ?
0x00227000 - 0x00229000 - usr     8K s r-- MAPPED    ?
0x00229000 - 0x017ac000 - usr  21.5M s --- MAPPED    ?
0x017ac000 - 0x01fe4000 - usr   8.2M s --- MAPPED    ?
0x01fe4000 - 0x01fe7000 - usr    12K s --- MAPPED    ?
0x01fe7000 - 0x01fee000 - usr    28K s r-- MAPPED    ?
0x01fee000 - 0x02220000 - usr   2.2M s --- MAPPED    ? ; map.MAPPED___.
0x02220000 - 0x0224d000 - usr   180K u --- PRIVATE   ?
0x0224d000 - 0x0224f000 - usr     8K u --- PRIVATE   ?
0x0224f000 - 0x02260000 - usr    68K u rw- PRIVATE   ?
0x02260000 - 0x02264000 - usr    16K s r-- MAPPED    ?
0x02270000 - 0x02273000 - usr    12K s r-- MAPPED    ?
0x02280000 - 0x02281000 - usr     4K u rw- PRIVATE   ?
0x02400000 - 0x02409000 - usr    36K u --- PRIVATE   ?
0x02409000 - 0x0240e000 - usr    20K u rw- PRIVATE   ? ; map.PRIVATE__.rw
0x0240e000 - 0x02600000 - usr   1.9M u --- PRIVATE   ? ; map.PRIVATE__.
0x771d0000 - 0x771d1000 - usr     4K s r-- IMAGE     ?
0x771d1000 - 0x772e5000 * usr   1.1M s r-x IMAGE     ? ; map.IMAGE____.r_x
0x772e5000 - 0x772e7000 - usr     8K s -w- IMAGE     ?
0x772e7000 - 0x772e8000 - usr     4K s rw- IMAGE     ?
0x772e8000 - 0x772eb000 - usr    12K s -w- IMAGE     ?
0x772eb000 - 0x772ec000 - usr     4K s rw- IMAGE     ? ; map.IMAGE____.rw
0x772ec000 - 0x772ee000 - usr     8K s -w- IMAGE     ? ; map.IMAGE____._w
0x772ee000 - 0x77360000 - usr   456K s r-- IMAGE     ? ; map.IMAGE____.r
0x7f010000 - 0x7f033000 - usr   140K s r-- MAPPED    ? ; map.MAPPED___.r
0x7ffe0000 - 0x7ffe1000 - usr     4K u r-- PRIVATE   ? ; map.PRIVATE__.r
[0x7723ce30]> dmm
[0x7723ce30]>

pcopissa commented 5 years ago

Here is the largish output I get if I use ood and dcu entry0 (attached as file failed for whatever reason)

radare2  c:\Windows\SysWOW64\notepad.exe
 -- You can redefine descriptive commands in the hud file and using the 'V_' command.
[0x0041b2b0]> ood
Spawned new process with pid 12520, tid = 9564
File dbg://c:\\Windows\\SysWOW64\\notepad.exe  reopened in read-write mode
= attach 12520 9564
12520
[0x7723ce30]> dcu entry0
Continue until 0x0041b2b0 using 1 bpsize
(12520) loading library at 771D0000 (C:\Windows\SysWOW64\ntdll.dll) ntdll.dll
(12520) unloading library at 03000000 (not cached) not cached
(12520) unloading library at 757D0000 (not cached) not cached
(12520) unloading library at 03000000 (not cached) not cached
(12520) loading library at 757D0000 (C:\Windows\SysWOW64\kernel32.dll) kernel32.dll
(12520) loading library at 769D0000 (C:\Windows\SysWOW64\KernelBase.dll) KernelBase.dll
(12520) loading library at 758B0000 (C:\Windows\SysWOW64\advapi32.dll) advapi32.dll
(12520) loading library at 73E10000 (C:\Windows\SysWOW64\msvcrt.dll) msvcrt.dll
(12520) Created thread 6364 (start @ 77221440)
(12520) loading library at 73DB0000 (C:\Windows\SysWOW64\sechost.dll) sechost.dll
(12520) loading library at 76BC0000 (C:\Windows\SysWOW64\rpcrt4.dll) rpcrt4.dll
(12520) loading library at 73A90000 (C:\Windows\SysWOW64\sspicli.dll) sspicli.dll
(12520) loading library at 73A80000 (C:\Windows\SysWOW64\cryptbase.dll) cryptbase.dll
(12520) loading library at 73F20000 (C:\Windows\SysWOW64\bcryptprimitives.dll) bcryptprimitives.dll
(12520) Created thread 10180 (start @ 77221440)
(12520) Created thread 9312 (start @ 77221440)
(12520) loading library at 76D80000 (C:\Windows\SysWOW64\gdi32.dll) gdi32.dll
(12520) loading library at 75560000 (C:\Windows\SysWOW64\gdi32full.dll) gdi32full.dll
(12520) loading library at 760D0000 (C:\Windows\SysWOW64\msvcp_win.dll) msvcp_win.dll
(12520) loading library at 76DB0000 (C:\Windows\SysWOW64\ucrtbase.dll) ucrtbase.dll
(12520) loading library at 73B40000 (C:\Windows\SysWOW64\user32.dll) user32.dll
(12520) loading library at 75450000 (C:\Windows\SysWOW64\win32u.dll) win32u.dll
(12520) loading library at 761B0000 (C:\Windows\SysWOW64\combase.dll) combase.dll
(12520) loading library at 73CD0000 (C:\Windows\SysWOW64\comdlg32.dll) comdlg32.dll
(12520) loading library at 6B770000 (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.523_none_42edd4b044e3535c\comctl32.dll) comctl32.dll
(12520) loading library at 73AB0000 (C:\Windows\SysWOW64\SHCore.dll) SHCore.dll
(12520) loading library at 76C80000 (C:\Windows\SysWOW64\shlwapi.dll) shlwapi.dll
(12520) loading library at 74010000 (C:\Windows\SysWOW64\shell32.dll) shell32.dll
(12520) loading library at 73EE0000 (C:\Windows\SysWOW64\cfgmgr32.dll) cfgmgr32.dll
(12520) loading library at 76410000 (C:\Windows\SysWOW64\windows.storage.dll) windows.storage.dll
(12520) loading library at 770D0000 (C:\Windows\SysWOW64\kernel.appcore.dll) kernel.appcore.dll
(12520) loading library at 76F40000 (C:\Windows\SysWOW64\profapi.dll) profapi.dll
(12520) loading library at 75950000 (C:\Windows\SysWOW64\powrprof.dll) powrprof.dll
(12520) loading library at 759A0000 (C:\Windows\SysWOW64\fltLib.dll) fltLib.dll
(12520) loading library at 71F40000 (C:\Windows\SysWOW64\propsys.dll) propsys.dll
(12520) loading library at 6D2C0000 (C:\Windows\SysWOW64\urlmon.dll) urlmon.dll
(12520) loading library at 6EFD0000 (C:\Windows\SysWOW64\winspool.drv) winspool.drv
(12520) loading library at 75470000 (C:\Windows\SysWOW64\oleaut32.dll) oleaut32.dll
(12520) loading library at 724C0000 (C:\Windows\SysWOW64\IPHLPAPI.DLL) IPHLPAPI.DLL
(12520) loading library at 6D090000 (C:\Windows\SysWOW64\iertutil.dll) iertutil.dll
(12520) loading library at 726F0000 (C:\Windows\SysWOW64\bcrypt.dll) bcrypt.dll
[0x77277d3a]> dm
0x001e0000 - 0x001e1000 - usr     4K s r-- IMAGE    notepad.exe ?
0x001e1000 - 0x001fc000 - usr   108K s r-x IMAGE    notepad.exe | .text ?
0x001fc000 - 0x001fd000 - usr     4K s rw- IMAGE    notepad.exe | .data ?
0x001fd000 - 0x001ff000 - usr     8K s -w- IMAGE    notepad.exe | .data ?
0x001ff000 - 0x00202000 - usr    12K s r-- IMAGE    notepad.exe | .idata ?
0x00202000 - 0x0021c000 - usr   104K s r-- IMAGE    notepad.exe | .rsrc ?
0x0021c000 - 0x0021e000 - usr     8K s r-- IMAGE    notepad.exe | .reloc ?
0x00c30000 - 0x00c31000 - usr     4K u r-- PRIVATE   ?
0x00c40000 - 0x00c41000 - usr     4K u rw- PRIVATE   ?
0x00c50000 - 0x00c57000 - usr    28K s --- MAPPED    ?
0x00c57000 - 0x00c59000 - usr     8K s r-- MAPPED    ?
0x00c59000 - 0x00d10000 - usr   732K s --- MAPPED    ?
0x00d10000 - 0x00d17000 - usr    28K s r-- MAPPED    ?
0x00d17000 - 0x00d4f000 - usr   224K s --- MAPPED    ?
0x00d4f000 - 0x00d50000 - usr     4K s r-- MAPPED    ?
0x00d50000 - 0x021dc000 - usr  20.5M s --- MAPPED    ?
0x021dc000 - 0x0272d000 - usr   5.3M s --- MAPPED    ?
0x0272d000 - 0x02736000 - usr    36K s r-- MAPPED    ?
0x02736000 - 0x02792000 - usr   368K s --- MAPPED    ?
0x02792000 - 0x027a2000 - usr    64K s r-- MAPPED    ?
0x027a2000 - 0x0280f000 - usr   436K s --- MAPPED    ?
0x0280f000 - 0x02811000 - usr     8K s r-- MAPPED    ?
0x02811000 - 0x028cd000 - usr   752K s --- MAPPED    ?
0x028cd000 - 0x028d3000 - usr    24K s r-- MAPPED    ?
0x028d3000 - 0x028e3000 - usr    64K s --- MAPPED    ?
0x028e3000 - 0x028e4000 - usr     4K s r-- MAPPED    ?
0x028e4000 - 0x028eb000 - usr    28K s --- MAPPED    ?
0x028eb000 - 0x028ed000 - usr     8K s r-- MAPPED    ?
0x028ed000 - 0x0293a000 - usr   308K s --- MAPPED    ?
0x0293a000 - 0x0294e000 - usr    80K s r-- MAPPED    ?
0x0294e000 - 0x02950000 - usr     8K s --- MAPPED    ?
0x02950000 - 0x0299e000 - usr   312K s r-- MAPPED    ?
0x0299e000 - 0x029a1000 - usr    12K s --- MAPPED    ?
0x029a1000 - 0x029ac000 - usr    44K s r-- MAPPED    ?
0x029ac000 - 0x029af000 - usr    12K s --- MAPPED    ?
0x029af000 - 0x029b7000 - usr    32K s r-- MAPPED    ?
0x029b7000 - 0x029d3000 - usr   112K s --- MAPPED    ?
0x029d3000 - 0x02a04000 - usr   196K s r-- MAPPED    ?
0x02a04000 - 0x02a06000 - usr     8K s --- MAPPED    ?
0x02a06000 - 0x02a0c000 - usr    24K s r-- MAPPED    ?
0x02a0c000 - 0x02a0d000 - usr     4K s --- MAPPED    ?
0x02a0d000 - 0x02a0e000 - usr     4K s r-- MAPPED    ?
0x02a0e000 - 0x02a13000 - usr    20K s --- MAPPED    ?
0x02a13000 - 0x02a1e000 - usr    44K s r-- MAPPED    ?
0x02a1e000 - 0x02c50000 - usr   2.2M s --- MAPPED    ? ; map.MAPPED___.
0x02c50000 - 0x02c60000 - usr    64K s rw- MAPPED    ?
0x02c80000 - 0x02c99000 - usr   100K s r-- MAPPED    ?
0x02ca0000 - 0x02cd5000 - usr   212K u --- PRIVATE   ?
0x02cd5000 - 0x02cd8000 - usr    12K u --- PRIVATE   ?
0x02cd8000 - 0x02ce0000 - usr    32K u rw- PRIVATE   ?
0x02ce0000 - 0x02d0d000 - usr   180K u --- PRIVATE   ?
0x02d0d000 - 0x02d0f000 - usr     8K u --- PRIVATE   ?
0x02d0f000 - 0x02d20000 - usr    68K u rw- PRIVATE   ?
0x02d20000 - 0x02d24000 - usr    16K s r-- MAPPED    ?
0x02d30000 - 0x02d33000 - usr    12K s r-- MAPPED    ?
0x02d40000 - 0x02d41000 - usr     4K u rw- PRIVATE   ?
0x02d50000 - 0x02d85000 - usr   212K u --- PRIVATE   ?
0x02d85000 - 0x02d88000 - usr    12K u --- PRIVATE   ?
0x02d88000 - 0x02d90000 - usr    32K u rw- PRIVATE   ?
0x02da0000 - 0x02da7000 - usr    28K u rw- PRIVATE   ?
0x02da7000 - 0x02db0000 - usr    36K u --- PRIVATE   ?
0x02db0000 - 0x02ddd000 - usr   180K u --- PRIVATE   ?
0x02ddd000 - 0x02ddf000 - usr     8K u --- PRIVATE   ?
0x02ddf000 - 0x02df0000 - usr    68K u rw- PRIVATE   ?
0x02e00000 - 0x02f1e000 - usr   1.1M u --- PRIVATE   ?
0x02f1e000 - 0x02f2c000 - usr    56K u rw- PRIVATE   ? ; map.PRIVATE__.rw
0x02f2c000 - 0x03000000 - usr   848K u --- PRIVATE   ?
0x03000000 - 0x03035000 - usr   212K u --- PRIVATE   ?
0x03035000 - 0x03038000 - usr    12K u --- PRIVATE   ?
0x03038000 - 0x03040000 - usr    32K u rw- PRIVATE   ?
0x03040000 - 0x0306d000 - usr   180K u --- PRIVATE   ?
0x0306d000 - 0x0306f000 - usr     8K u --- PRIVATE   ?
0x0306f000 - 0x03080000 - usr    68K u rw- PRIVATE   ?
0x03090000 - 0x0309d000 - usr    52K u rw- PRIVATE   ?
0x0309d000 - 0x03190000 - usr   972K u --- PRIVATE   ?
0x03190000 - 0x03255000 - usr   788K s r-- MAPPED   \Device\HarddiskVolume3\Windows\System32\locale.nls ?
0x03260000 - 0x03295000 - usr   212K u --- PRIVATE   ?
0x03295000 - 0x03298000 - usr    12K u --- PRIVATE   ?
0x03298000 - 0x032a0000 - usr    32K u rw- PRIVATE   ?
0x032a0000 - 0x032cd000 - usr   180K u --- PRIVATE   ?
0x032cd000 - 0x032cf000 - usr     8K u --- PRIVATE   ?
0x032cf000 - 0x032e0000 - usr    68K u rw- PRIVATE   ?
0x03ff0000 - 0x03ff1000 - usr     4K u --x PRIVATE   ? ; map.PRIVATE__.__x
0x6b770000 - 0x6b771000 - usr     4K s r-- IMAGE    COMCTL32.dll ?
0x6b771000 - 0x6b90c000 - usr   1.6M s r-x IMAGE    COMCTL32.dll | .text ?
0x6b90c000 - 0x6b90d000 - usr     4K s rw- IMAGE    COMCTL32.dll | .data ?
0x6b90d000 - 0x6b90f000 - usr     8K s -w- IMAGE    COMCTL32.dll | .data ?
0x6b90f000 - 0x6b914000 - usr    20K s r-- IMAGE    COMCTL32.dll | .idata ?
0x6b914000 - 0x6b915000 - usr     4K s r-- IMAGE    COMCTL32.dll | .didat ?
0x6b915000 - 0x6b95e000 - usr   292K s r-- IMAGE    COMCTL32.dll | .rsrc ?
0x6b95e000 - 0x6b974000 - usr    88K s r-- IMAGE    COMCTL32.dll | .reloc ?
0x6d090000 - 0x6d091000 - usr     4K s r-- IMAGE    iertutil.dll ?
0x6d091000 - 0x6d28d000 - usr   2.0M s r-x IMAGE    iertutil.dll | .text ?
0x6d28d000 - 0x6d290000 - usr    12K s -w- IMAGE    iertutil.dll | .data ?
0x6d290000 - 0x6d291000 - usr     4K s rw- IMAGE    iertutil.dll | .data ?
0x6d291000 - 0x6d295000 - usr    16K s -w- IMAGE    iertutil.dll | .data ?
0x6d295000 - 0x6d298000 - usr    12K s r-- IMAGE    iertutil.dll | .idata ?
0x6d298000 - 0x6d299000 - usr     4K s r-- IMAGE    iertutil.dll | .didat ?
0x6d299000 - 0x6d29a000 - usr     4K s -w- IMAGE    iertutil.dll | .isoapis¿ ?
0x6d29a000 - 0x6d29b000 - usr     4K s r-- IMAGE    iertutil.dll | .rsrc ?
0x6d29b000 - 0x6d2b8000 - usr   116K s r-- IMAGE    iertutil.dll | .reloc ?
0x6d2c0000 - 0x6d2c1000 - usr     4K s r-- IMAGE    urlmon.dll ?
0x6d2c1000 - 0x6d3e8000 - usr   1.2M s r-x IMAGE    urlmon.dll | .text ?
0x6d3e8000 - 0x6d3ea000 - usr     8K s rw- IMAGE    urlmon.dll | .data ?
0x6d3ea000 - 0x6d3f3000 - usr    36K s -w- IMAGE    urlmon.dll | .data ?
0x6d3f3000 - 0x6d3f8000 - usr    20K s r-- IMAGE    urlmon.dll | .idata ?
0x6d3f8000 - 0x6d3f9000 - usr     4K s r-- IMAGE    urlmon.dll | .didat ?
0x6d3f9000 - 0x6d3fa000 - usr     4K s -w- IMAGE    urlmon.dll | .isoapis¿ ?
0x6d3fa000 - 0x6d44c000 - usr   328K s r-- IMAGE    urlmon.dll | .rsrc ?
0x6d44c000 - 0x6d45d000 - usr    68K s r-- IMAGE    urlmon.dll | .reloc ?
0x6efd0000 - 0x6efd1000 - usr     4K s r-- IMAGE    WINSPOOL.DRV ?
0x6efd1000 - 0x6f01c000 - usr   300K s r-x IMAGE    WINSPOOL.DRV | .text ?
0x6f01c000 - 0x6f01d000 - usr     4K s rw- IMAGE    WINSPOOL.DRV | .data ?
0x6f01d000 - 0x6f01e000 - usr     4K s -w- IMAGE    WINSPOOL.DRV | .data ?
0x6f01e000 - 0x6f021000 - usr    12K s r-- IMAGE    WINSPOOL.DRV | .idata ?
0x6f021000 - 0x6f022000 - usr     4K s r-- IMAGE    WINSPOOL.DRV | .didat ?
0x6f022000 - 0x6f038000 - usr    88K s r-- IMAGE    WINSPOOL.DRV | .rsrc ?
0x6f038000 - 0x6f03d000 - usr    20K s r-- IMAGE    WINSPOOL.DRV | .reloc ?
0x71f40000 - 0x71f41000 - usr     4K s r-- IMAGE    PROPSYS.dll ?
0x71f41000 - 0x71ff3000 - usr   712K s r-x IMAGE    PROPSYS.dll | .text ?
0x71ff3000 - 0x71ff4000 - usr     4K s rw- IMAGE    PROPSYS.dll | .data ?
0x71ff4000 - 0x71ff7000 - usr    12K s r-- IMAGE    PROPSYS.dll | .idata ?
0x71ff7000 - 0x71ff8000 - usr     4K s r-- IMAGE    PROPSYS.dll | .didat ?
0x71ff8000 - 0x720b4000 - usr   752K s r-- IMAGE    PROPSYS.dll | .rsrc ?
0x720b4000 - 0x720c0000 - usr    48K s r-- IMAGE    PROPSYS.dll | .reloc ?
0x724c0000 - 0x724c1000 - usr     4K s r-- IMAGE    IPHLPAPI.DLL ?
0x724c1000 - 0x724ea000 - usr   164K s r-x IMAGE    IPHLPAPI.DLL | .text ?
0x724ea000 - 0x724eb000 - usr     4K s rw- IMAGE    IPHLPAPI.DLL | .data ?
0x724eb000 - 0x724ec000 - usr     4K s r-- IMAGE    IPHLPAPI.DLL | .idata ?
0x724ec000 - 0x724ed000 - usr     4K s r-- IMAGE    IPHLPAPI.DLL | .didat ?
0x724ed000 - 0x724ee000 - usr     4K s r-- IMAGE    IPHLPAPI.DLL | .rsrc ?
0x724ee000 - 0x724f0000 - usr     8K s r-- IMAGE    IPHLPAPI.DLL | .reloc ?
0x726f0000 - 0x726f1000 - usr     4K s r-- IMAGE    bcrypt.dll ?
0x726f1000 - 0x72704000 - usr    76K s r-x IMAGE    bcrypt.dll | .text ?
0x72704000 - 0x72705000 - usr     4K s rw- IMAGE    bcrypt.dll | .data ?
0x72705000 - 0x72706000 - usr     4K s r-- IMAGE    bcrypt.dll | .idata ?
0x72706000 - 0x72707000 - usr     4K s r-- IMAGE    bcrypt.dll | .didat ?
0x72707000 - 0x72708000 - usr     4K s r-- IMAGE    bcrypt.dll | .rsrc ?
0x72708000 - 0x72709000 - usr     4K s r-- IMAGE    bcrypt.dll | .reloc ?
0x73a80000 - 0x73a81000 - usr     4K s r-- IMAGE    CRYPTBASE.dll ?
0x73a81000 - 0x73a85000 - usr    16K s r-x IMAGE    CRYPTBASE.dll | .text ?
0x73a85000 - 0x73a86000 - usr     4K s rw- IMAGE    CRYPTBASE.dll | .data ?
0x73a86000 - 0x73a87000 - usr     4K s r-- IMAGE    CRYPTBASE.dll | .idata ?
0x73a87000 - 0x73a88000 - usr     4K s r-- IMAGE    CRYPTBASE.dll | .didat ?
0x73a88000 - 0x73a89000 - usr     4K s r-- IMAGE    CRYPTBASE.dll | .rsrc ?
0x73a89000 - 0x73a8a000 - usr     4K s r-- IMAGE    CRYPTBASE.dll | .reloc ?
0x73a90000 - 0x73a91000 - usr     4K s r-- IMAGE    SspiCli.dll ?
0x73a91000 - 0x73aaa000 - usr   100K s r-x IMAGE    SspiCli.dll | .text ?
0x73aaa000 - 0x73aab000 - usr     4K s rw- IMAGE    SspiCli.dll | .data ?
0x73aab000 - 0x73aad000 - usr     8K s r-- IMAGE    SspiCli.dll | .idata ?
0x73aad000 - 0x73aae000 - usr     4K s r-- IMAGE    SspiCli.dll | .rsrc ?
0x73aae000 - 0x73ab0000 - usr     8K s r-- IMAGE    SspiCli.dll | .reloc ?
0x73ab0000 - 0x73ab1000 - usr     4K s r-- IMAGE    SspiCli.dll ?
0x73ab1000 - 0x73b29000 - usr   480K s r-x IMAGE    shcore.dll | .text ?
0x73b29000 - 0x73b2a000 - usr     4K s rw- IMAGE    shcore.dll | .data ?
0x73b2a000 - 0x73b2d000 - usr    12K s r-- IMAGE    shcore.dll | .idata ?
0x73b2d000 - 0x73b2e000 - usr     4K s r-- IMAGE    shcore.dll | .didat ?
0x73b2e000 - 0x73b2f000 - usr     4K s r-- IMAGE    shcore.dll | .rsrc ?
0x73b2f000 - 0x73b38000 - usr    36K s r-- IMAGE    shcore.dll | .reloc ?
0x73b40000 - 0x73b41000 - usr     4K s r-- IMAGE    USER32.dll ?
0x73b41000 - 0x73bd9000 - usr   608K s r-x IMAGE    USER32.dll | .text ?
0x73bd9000 - 0x73bda000 - usr     4K s rw- IMAGE    USER32.dll | .data ?
0x73bda000 - 0x73bdb000 - usr     4K s -w- IMAGE    USER32.dll | .data ?
0x73bdb000 - 0x73be4000 - usr    36K s r-- IMAGE    USER32.dll | .idata ?
0x73be4000 - 0x73be5000 - usr     4K s r-- IMAGE    USER32.dll | .didat ?
0x73be5000 - 0x73cc7000 - usr   904K s r-- IMAGE    USER32.dll | .rsrc ?
0x73cc7000 - 0x73ccd000 - usr    24K s r-- IMAGE    USER32.dll | .reloc ?
0x73cd0000 - 0x73cd1000 - usr     4K s r-- IMAGE    COMDLG32.dll ?
0x73cd1000 - 0x73d53000 - usr   520K s r-x IMAGE    COMDLG32.dll | .text ?
0x73d53000 - 0x73d54000 - usr     4K s rw- IMAGE    COMDLG32.dll | .data ?
0x73d54000 - 0x73d57000 - usr    12K s -w- IMAGE    COMDLG32.dll | .data ?
0x73d57000 - 0x73d5c000 - usr    20K s r-- IMAGE    COMDLG32.dll | .idata ?
0x73d5c000 - 0x73d5d000 - usr     4K s r-- IMAGE    COMDLG32.dll | .didat ?
0x73d5d000 - 0x73d9e000 - usr   260K s r-- IMAGE    COMDLG32.dll | .rsrc ?
0x73d9e000 - 0x73da6000 - usr    32K s r-- IMAGE    COMDLG32.dll | .reloc ?
0x73db0000 - 0x73db1000 - usr     4K s r-- IMAGE    sechost.dll ?
0x73db1000 - 0x73de9000 - usr   224K s r-x IMAGE    sechost.dll | .text ?
0x73de9000 - 0x73dea000 - usr     4K s rw- IMAGE    sechost.dll | .data ?
0x73dea000 - 0x73dec000 - usr     8K s -w- IMAGE    sechost.dll | .data ?
0x73dec000 - 0x73def000 - usr    12K s r-- IMAGE    sechost.dll | .idata ?
0x73def000 - 0x73df0000 - usr     4K s r-- IMAGE    sechost.dll | .didat ?
0x73df0000 - 0x73df1000 - usr     4K s r-- IMAGE    sechost.dll | .rsrc ?
0x73df1000 - 0x73df4000 - usr    12K s r-- IMAGE    sechost.dll | .reloc ?
0x73e10000 - 0x73e11000 - usr     4K s r-- IMAGE    msvcrt.dll ?
0x73e11000 - 0x73ec2000 - usr   708K s r-x IMAGE    msvcrt.dll | .text ?
0x73ec2000 - 0x73ec5000 - usr    12K s -w- IMAGE    msvcrt.dll | .data ?
0x73ec5000 - 0x73ec7000 - usr     8K s rw- IMAGE    msvcrt.dll | .data ?
0x73ec7000 - 0x73ec8000 - usr     4K s -w- IMAGE    msvcrt.dll | .data ?
0x73ec8000 - 0x73eca000 - usr     8K s r-- IMAGE    msvcrt.dll | .idata ?
0x73eca000 - 0x73ecb000 - usr     4K s r-- IMAGE    msvcrt.dll | .rsrc ?
0x73ecb000 - 0x73ecf000 - usr    16K s r-- IMAGE    msvcrt.dll | .reloc ?
0x73ee0000 - 0x73ee1000 - usr     4K s r-- IMAGE    cfgmgr32.dll ?
0x73ee1000 - 0x73f12000 - usr   196K s r-x IMAGE    cfgmgr32.dll | .text ?
0x73f12000 - 0x73f13000 - usr     4K s rw- IMAGE    cfgmgr32.dll | .data ?
0x73f13000 - 0x73f15000 - usr     8K s r-- IMAGE    cfgmgr32.dll | .idata ?
0x73f15000 - 0x73f16000 - usr     4K s r-- IMAGE    cfgmgr32.dll | .didat ?
0x73f16000 - 0x73f17000 - usr     4K s r-- IMAGE    cfgmgr32.dll | .rsrc ?
0x73f17000 - 0x73f19000 - usr     8K s r-- IMAGE    cfgmgr32.dll | .reloc ?
0x73f20000 - 0x73f21000 - usr     4K s r-- IMAGE    bcryptPrimitives.dll ?
0x73f21000 - 0x73f72000 - usr   324K s r-x IMAGE    bcryptPrimitives.dll | .text ?
0x73f72000 - 0x73f73000 - usr     4K s rw- IMAGE    bcryptPrimitives.dll | .data ?
0x73f73000 - 0x73f74000 - usr     4K s r-- IMAGE    bcryptPrimitives.dll | .idata ?
0x73f74000 - 0x73f75000 - usr     4K s r-- IMAGE    bcryptPrimitives.dll | .rsrc ?
0x73f75000 - 0x73f78000 - usr    12K s r-- IMAGE    bcryptPrimitives.dll | .reloc ?
0x74010000 - 0x74011000 - usr     4K s r-- IMAGE    SHELL32.dll ?
0x74011000 - 0x74509000 - usr   5.0M s r-x IMAGE    SHELL32.dll | .text ?
0x74509000 - 0x7450a000 - usr     4K s -w- IMAGE    SHELL32.dll | .data ?
0x7450a000 - 0x7450c000 - usr     8K s rw- IMAGE    SHELL32.dll | .data ?
0x7450c000 - 0x74510000 - usr    16K s -w- IMAGE    SHELL32.dll | .data ?
0x74510000 - 0x7451a000 - usr    40K s r-- IMAGE    SHELL32.dll | .idata ?
0x7451a000 - 0x7451c000 - usr     8K s r-- IMAGE    SHELL32.dll | .didat ?
0x7451c000 - 0x75308000 - usr  13.9M s r-- IMAGE    SHELL32.dll | .rsrc ?
0x75308000 - 0x7535a000 - usr   328K s r-- IMAGE    SHELL32.dll | .reloc ?
0x75450000 - 0x75451000 - usr     4K s r-- IMAGE    win32u.dll ?
0x75451000 - 0x75463000 - usr    72K s r-x IMAGE    win32u.dll | .text ?
0x75463000 - 0x75464000 - usr     4K s rw- IMAGE    win32u.dll | .data ?
0x75464000 - 0x75465000 - usr     4K s r-- IMAGE    win32u.dll | .idata ?
0x75465000 - 0x75466000 - usr     4K s r-- IMAGE    win32u.dll | .rsrc ?
0x75466000 - 0x75467000 - usr     4K s r-- IMAGE    win32u.dll | .reloc ?
0x75470000 - 0x75471000 - usr     4K s r-- IMAGE    OLEAUT32.dll ?
0x75471000 - 0x754f8000 - usr   540K s r-x IMAGE    OLEAUT32.dll | .text ?
0x754f8000 - 0x754f9000 - usr     4K s rw- IMAGE    OLEAUT32.dll | .data ?
0x754f9000 - 0x754fa000 - usr     4K s -w- IMAGE    OLEAUT32.dll | .data ?
0x754fa000 - 0x754fd000 - usr    12K s r-- IMAGE    OLEAUT32.dll | .idata ?
0x754fd000 - 0x754fe000 - usr     4K s r-- IMAGE    OLEAUT32.dll | .didat ?
0x754fe000 - 0x754ff000 - usr     4K s r-- IMAGE    OLEAUT32.dll | .rsrc ?
0x754ff000 - 0x75506000 - usr    28K s r-- IMAGE    OLEAUT32.dll | .reloc ?
0x75560000 - 0x75561000 - usr     4K s r-- IMAGE    gdi32full.dll ?
0x75561000 - 0x7569e000 - usr   1.2M s r-x IMAGE    gdi32full.dll | .text ?
0x7569e000 - 0x7569f000 - usr     4K s rw- IMAGE    gdi32full.dll | .data ?
0x7569f000 - 0x756a1000 - usr     8K s -w- IMAGE    gdi32full.dll | .data ?
0x756a1000 - 0x756a9000 - usr    32K s r-- IMAGE    gdi32full.dll | .idata ?
0x756a9000 - 0x756aa000 - usr     4K s r-- IMAGE    gdi32full.dll | .didat ?
0x756aa000 - 0x756bc000 - usr    72K s r-- IMAGE    gdi32full.dll | .rsrc ?
0x756bc000 - 0x756c4000 - usr    32K s r-- IMAGE    gdi32full.dll | .reloc ?
0x757d0000 - 0x757d1000 - usr     4K s r-- IMAGE    KERNEL32.DLL ?
0x757d1000 - 0x757e0000 - usr    60K s --- IMAGE    KERNEL32.DLL ?
0x757e0000 - 0x75841000 - usr   388K s r-x IMAGE    KERNEL32.DLL | .text ?
0x75841000 - 0x75850000 - usr    60K s --- IMAGE    KERNEL32.DLL ?
0x75850000 - 0x75878000 - usr   160K s r-- IMAGE    KERNEL32.DLL | .rdata ?
0x75878000 - 0x75880000 - usr    32K s --- IMAGE    KERNEL32.DLL ?
0x75880000 - 0x75881000 - usr     4K s rw- IMAGE    KERNEL32.DLL | .data ?
0x75881000 - 0x75890000 - usr    60K s --- IMAGE    KERNEL32.DLL ?
0x75890000 - 0x75891000 - usr     4K s r-- IMAGE    KERNEL32.DLL | .rsrc ?
0x75891000 - 0x758a0000 - usr    60K s --- IMAGE    KERNEL32.DLL ?
0x758a0000 - 0x758a5000 - usr    20K s r-- IMAGE    KERNEL32.DLL | .reloc ?
0x758a5000 - 0x758b0000 - usr    44K s --- IMAGE    KERNEL32.DLL ?
0x758b0000 - 0x758b1000 - usr     4K s r-- IMAGE    KERNEL32.DLL ?
0x758b1000 - 0x75917000 - usr   408K s r-x IMAGE    ADVAPI32.dll | .text ?
0x75917000 - 0x75918000 - usr     4K s rw- IMAGE    ADVAPI32.dll | .data ?
0x75918000 - 0x7591b000 - usr    12K s -w- IMAGE    ADVAPI32.dll | .data ?
0x7591b000 - 0x75921000 - usr    24K s r-- IMAGE    ADVAPI32.dll | .idata ?
0x75921000 - 0x75922000 - usr     4K s r-- IMAGE    ADVAPI32.dll | .didat ?
0x75922000 - 0x75923000 - usr     4K s r-- IMAGE    ADVAPI32.dll | .rsrc ?
0x75923000 - 0x75928000 - usr    20K s r-- IMAGE    ADVAPI32.dll | .reloc ?
0x75950000 - 0x75951000 - usr     4K s r-- IMAGE    powrprof.dll ?
0x75951000 - 0x75966000 - usr    84K s r-x IMAGE    powrprof.dll | .text ?
0x75966000 - 0x75967000 - usr     4K s rw- IMAGE    powrprof.dll | .data ?
0x75967000 - 0x75969000 - usr     8K s r-- IMAGE    powrprof.dll | .idata ?
0x75969000 - 0x7596a000 - usr     4K s r-- IMAGE    powrprof.dll | .didat ?
0x7596a000 - 0x75993000 - usr   164K s r-- IMAGE    powrprof.dll | .rsrc ?
0x75993000 - 0x75995000 - usr     8K s r-- IMAGE    powrprof.dll | .reloc ?
0x759a0000 - 0x759a1000 - usr     4K s r-- IMAGE    FLTLIB.DLL ?
0x759a1000 - 0x759a4000 - usr    12K s r-x IMAGE    FLTLIB.DLL | .text ?
0x759a4000 - 0x759a5000 - usr     4K s rw- IMAGE    FLTLIB.DLL | .data ?
0x759a5000 - 0x759a6000 - usr     4K s r-- IMAGE    FLTLIB.DLL | .idata ?
0x759a6000 - 0x759a7000 - usr     4K s r-- IMAGE    FLTLIB.DLL | .rsrc ?
0x759a7000 - 0x759a8000 - usr     4K s r-- IMAGE    FLTLIB.DLL | .reloc ?
0x760d0000 - 0x760d1000 - usr     4K s r-- IMAGE    msvcp_win.dll ?
0x760d1000 - 0x76141000 - usr   448K s r-x IMAGE    msvcp_win.dll | .text ?
0x76141000 - 0x76142000 - usr     4K s -w- IMAGE    msvcp_win.dll | .data ?
0x76142000 - 0x76143000 - usr     4K s rw- IMAGE    msvcp_win.dll | .data ?
0x76143000 - 0x76144000 - usr     4K s -w- IMAGE    msvcp_win.dll | .data ?
0x76144000 - 0x76146000 - usr     8K s r-- IMAGE    msvcp_win.dll | .idata ?
0x76146000 - 0x76147000 - usr     4K s r-- IMAGE    msvcp_win.dll | .didat ?
0x76147000 - 0x76148000 - usr     4K s r-- IMAGE    msvcp_win.dll | .rsrc ?
0x76148000 - 0x7614d000 - usr    20K s r-- IMAGE    msvcp_win.dll | .reloc ?
0x761b0000 - 0x761b1000 - usr     4K s r-- IMAGE    combase.dll ?
0x761b1000 - 0x763c5000 - usr   2.1M s r-x IMAGE    combase.dll | .text ?
0x763c5000 - 0x763ca000 - usr    20K s r-x IMAGE    combase.dll | .proxy ?
0x763ca000 - 0x763cb000 - usr     4K s -w- IMAGE    combase.dll | .data ?
0x763cb000 - 0x763cc000 - usr     4K s rw- IMAGE    combase.dll | .data ?
0x763cc000 - 0x763ce000 - usr     8K s -w- IMAGE    combase.dll | .data ?
0x763ce000 - 0x763d3000 - usr    20K s r-- IMAGE    combase.dll | .idata ?
0x763d3000 - 0x763d4000 - usr     4K s r-- IMAGE    combase.dll | .didat ?
0x763d4000 - 0x763e8000 - usr    80K s r-- IMAGE    combase.dll | .rsrc ?
0x763e8000 - 0x7640c000 - usr   144K s r-- IMAGE    combase.dll | .reloc ?
0x76410000 - 0x76411000 - usr     4K s r-- IMAGE    windows.storage.dll ?
0x76411000 - 0x76959000 - usr   5.3M s r-x IMAGE    windows.storage.dll | .text ?
0x76959000 - 0x7695a000 - usr     4K s -w- IMAGE    windows.storage.dll | .data ?
0x7695a000 - 0x7695b000 - usr     4K s rw- IMAGE    windows.storage.dll | .data ?
0x7695b000 - 0x7695c000 - usr     4K s -w- IMAGE    windows.storage.dll | .data ?
0x7695c000 - 0x7695d000 - usr     4K s rw- IMAGE    windows.storage.dll | .data ?
0x7695d000 - 0x7695f000 - usr     8K s -w- IMAGE    windows.storage.dll | .data ?
0x7695f000 - 0x76965000 - usr    24K s r-- IMAGE    windows.storage.dll | .idata ?
0x76965000 - 0x76966000 - usr     4K s r-- IMAGE    windows.storage.dll | .didat ?
0x76966000 - 0x7696a000 - usr    16K s r-- IMAGE    windows.storage.dll | .rsrc ?
0x7696a000 - 0x769ca000 - usr   384K s r-- IMAGE    windows.storage.dll | .reloc ?
0x769d0000 - 0x769d1000 - usr     4K s r-- IMAGE    KERNELBASE.dll ?
0x769d1000 - 0x76b7f000 - usr   1.7M s r-x IMAGE    KERNELBASE.dll | .text ?
0x76b7f000 - 0x76b82000 - usr    12K s rw- IMAGE    KERNELBASE.dll | .data ?
0x76b82000 - 0x76b83000 - usr     4K s -w- IMAGE    KERNELBASE.dll | .data ?
0x76b83000 - 0x76b89000 - usr    24K s r-- IMAGE    KERNELBASE.dll | .idata ?
0x76b89000 - 0x76b8a000 - usr     4K s r-- IMAGE    KERNELBASE.dll | .didat ?
0x76b8a000 - 0x76b8b000 - usr     4K s r-- IMAGE    KERNELBASE.dll | .rsrc ?
0x76b8b000 - 0x76bb4000 - usr   164K s r-- IMAGE    KERNELBASE.dll | .reloc ?
0x76bc0000 - 0x76bc1000 - usr     4K s r-- IMAGE    RPCRT4.dll ?
0x76bc1000 - 0x76c6f000 - usr   696K s r-x IMAGE    RPCRT4.dll | .text ?
0x76c6f000 - 0x76c70000 - usr     4K s rw- IMAGE    RPCRT4.dll | .data ?
0x76c70000 - 0x76c73000 - usr    12K s r-- IMAGE    RPCRT4.dll | .idata ?
0x76c73000 - 0x76c74000 - usr     4K s r-- IMAGE    RPCRT4.dll | .didat ?
0x76c74000 - 0x76c79000 - usr    20K s r-- IMAGE    RPCRT4.dll | .rsrc ?
0x76c79000 - 0x76c80000 - usr    28K s r-- IMAGE    RPCRT4.dll | .reloc ?
0x76c80000 - 0x76c81000 - usr     4K s r-- IMAGE    RPCRT4.dll ?
0x76c81000 - 0x76cbb000 - usr   232K s r-x IMAGE    SHLWAPI.dll | .text ?
0x76cbb000 - 0x76cbc000 - usr     4K s rw- IMAGE    SHLWAPI.dll | .data ?
0x76cbc000 - 0x76cc0000 - usr    16K s r-- IMAGE    SHLWAPI.dll | .idata ?
0x76cc0000 - 0x76cc1000 - usr     4K s r-- IMAGE    SHLWAPI.dll | .didat ?
0x76cc1000 - 0x76cc2000 - usr     4K s r-- IMAGE    SHLWAPI.dll | .rsrc ?
0x76cc2000 - 0x76cc5000 - usr    12K s r-- IMAGE    SHLWAPI.dll | .reloc ?
0x76d80000 - 0x76d81000 - usr     4K s r-- IMAGE    GDI32.dll ?
0x76d81000 - 0x76d9a000 - usr   100K s r-x IMAGE    GDI32.dll | .text ?
0x76d9a000 - 0x76d9b000 - usr     4K s rw- IMAGE    GDI32.dll | .data ?
0x76d9b000 - 0x76d9e000 - usr    12K s r-- IMAGE    GDI32.dll | .idata ?
0x76d9e000 - 0x76d9f000 - usr     4K s r-- IMAGE    GDI32.dll | .didat ?
0x76d9f000 - 0x76da0000 - usr     4K s r-- IMAGE    GDI32.dll | .rsrc ?
0x76da0000 - 0x76da2000 - usr     8K s r-- IMAGE    GDI32.dll | .reloc ?
0x76db0000 - 0x76db1000 - usr     4K s r-- IMAGE    ucrtbase.dll ?
0x76db1000 - 0x76ebe000 - usr   1.1M s r-x IMAGE    ucrtbase.dll | .text ?
0x76ebe000 - 0x76ebf000 - usr     4K s rw- IMAGE    ucrtbase.dll | .data ?
0x76ebf000 - 0x76ec0000 - usr     4K s -w- IMAGE    ucrtbase.dll | .data ?
0x76ec0000 - 0x76ec2000 - usr     8K s r-- IMAGE    ucrtbase.dll | .idata ?
0x76ec2000 - 0x76ec3000 - usr     4K s r-- IMAGE    ucrtbase.dll | .rsrc ?
0x76ec3000 - 0x76ece000 - usr    44K s r-- IMAGE    ucrtbase.dll | .reloc ?
0x76f40000 - 0x76f41000 - usr     4K s r-- IMAGE    profapi.dll ?
0x76f41000 - 0x76f52000 - usr    68K s r-x IMAGE    profapi.dll | .text ?
0x76f52000 - 0x76f53000 - usr     4K s rw- IMAGE    profapi.dll | .data ?
0x76f53000 - 0x76f55000 - usr     8K s r-- IMAGE    profapi.dll | .idata ?
0x76f55000 - 0x76f56000 - usr     4K s r-- IMAGE    profapi.dll | .didat ?
0x76f56000 - 0x76f57000 - usr     4K s r-- IMAGE    profapi.dll | .rsrc ?
0x76f57000 - 0x76f58000 - usr     4K s r-- IMAGE    profapi.dll | .reloc ?
0x770d0000 - 0x770d1000 - usr     4K s r-- IMAGE    kernel.appcore.dll ?
0x770d1000 - 0x770d8000 - usr    28K s r-x IMAGE    kernel.appcore.dll | .text ?
0x770d8000 - 0x770d9000 - usr     4K s rw- IMAGE    kernel.appcore.dll | .data ?
0x770d9000 - 0x770dc000 - usr    12K s r-- IMAGE    kernel.appcore.dll | .idata ?
0x770dc000 - 0x770dd000 - usr     4K s r-- IMAGE    kernel.appcore.dll | .didat ?
0x770dd000 - 0x770de000 - usr     4K s r-- IMAGE    kernel.appcore.dll | .rsrc ?
0x770de000 - 0x770df000 - usr     4K s r-- IMAGE    kernel.appcore.dll | .reloc ?
0x770e0000 - 0x770e1000 - usr     4K s r-- IMAGE     ?
0x770e1000 - 0x770e4000 - usr    12K s r-x IMAGE     ?
0x770e4000 - 0x770e5000 - usr     4K s r-- IMAGE     ?
0x770e5000 - 0x770e6000 - usr     4K s rw- IMAGE     ?
0x770e6000 - 0x770e7000 - usr     4K s r-- IMAGE     ?
0x770e7000 - 0x770e8000 - usr     4K s r-x IMAGE     ?
0x770e8000 - 0x770ea000 - usr     8K s r-- IMAGE     ?
0x770f0000 - 0x770f1000 - usr     4K s r-- IMAGE     ?
0x770f1000 - 0x77125000 - usr   208K s r-x IMAGE     ?
0x77125000 - 0x77139000 - usr    80K s r-- IMAGE     ?
0x77139000 - 0x7713a000 - usr     4K s rw- IMAGE     ?
0x7713a000 - 0x77142000 - usr    32K s r-- IMAGE     ?
0x77150000 - 0x77151000 - usr     4K s r-- IMAGE     ?
0x77151000 - 0x7718e000 - usr   244K s r-x IMAGE     ?
0x7718e000 - 0x771b6000 - usr   160K s r-- IMAGE     ?
0x771b6000 - 0x771b7000 - usr     4K s rw- IMAGE     ?
0x771b7000 - 0x771b9000 - usr     8K s -w- IMAGE     ?
0x771b9000 - 0x771c8000 - usr    60K s r-- IMAGE     ?
0x771d0000 - 0x771d1000 - usr     4K s r-- IMAGE    ntdll.dll ?
0x771d1000 - 0x772e4000 * usr   1.1M s r-x IMAGE    ntdll.dll | .text ? ; map.IMAGE____.r_x
0x772e4000 - 0x772e5000 - usr     4K s r-x IMAGE    ntdll.dll | RT ?
0x772e5000 - 0x772eb000 - usr    24K s rw- IMAGE    ntdll.dll | .data ?
0x772eb000 - 0x772ee000 - usr    12K s r-- IMAGE    ntdll.dll | .mrdata ? ; map.IMAGE____.rw
0x772ee000 - 0x772ef000 - usr     4K s r-- IMAGE    ntdll.dll | .00cfg ? ; map.IMAGE____.r
0x772ef000 - 0x7735b000 - usr   432K s r-- IMAGE    ntdll.dll | .rsrc ?
0x7735b000 - 0x77360000 - usr    20K s r-- IMAGE    ntdll.dll | .reloc ?
0x7fd20000 - 0x7fd25000 - usr    20K s r-- MAPPED    ?
0x7fd25000 - 0x7fe20000 - usr  1004K s --- MAPPED    ?
0x7fe20000 - 0x7fe28000 - usr    32K u --- PRIVATE   ?
0x7fe28000 - 0x7fe29000 - usr     4K u rw- PRIVATE   ?
0x7fe30000 - 0x7fe31000 - usr     4K u --- PRIVATE   ?
0x7fe31000 - 0x7fe32000 - usr     4K u rw- PRIVATE   ?
0x7fe40000 - 0x7fe50000 - usr    64K u --- PRIVATE   ?
0x7fe50000 - 0x7fe51000 - usr     4K u rw- PRIVATE   ?
0x7fe60000 - 0x7fe61000 - usr     4K u --- PRIVATE   ?
0x7fe61000 - 0x7fe62000 - usr     4K u rw- PRIVATE   ?
0x7fe70000 - 0x7fe93000 - usr   140K s r-- MAPPED    ? ; map.MAPPED___.r
0x7ffe0000 - 0x7ffe1000 - usr     4K u r-- PRIVATE   ? ; map.PRIVATE__.r
[0x77277d3a]> dmm
0x001e0000 c:\Windows\SysWOW64\notepad.exe
0x771d0000 C:\WINDOWS\SYSTEM32\ntdll.dll
0x757d0000 C:\WINDOWS\System32\KERNEL32.DLL
0x769d0000 C:\WINDOWS\System32\KERNELBASE.dll
0x758b0000 C:\WINDOWS\System32\ADVAPI32.dll
0x73e10000 C:\WINDOWS\System32\msvcrt.dll
0x73db0000 C:\WINDOWS\System32\sechost.dll
0x76bc0000 C:\WINDOWS\System32\RPCRT4.dll
0x73a90000 C:\WINDOWS\System32\SspiCli.dll
0x73a80000 C:\WINDOWS\System32\CRYPTBASE.dll
0x73f20000 C:\WINDOWS\System32\bcryptPrimitives.dll
0x76d80000 C:\WINDOWS\System32\GDI32.dll
0x75560000 C:\WINDOWS\System32\gdi32full.dll
0x760d0000 C:\WINDOWS\System32\msvcp_win.dll
0x76db0000 C:\WINDOWS\System32\ucrtbase.dll
0x73b40000 C:\WINDOWS\System32\USER32.dll
0x75450000 C:\WINDOWS\System32\win32u.dll
0x761b0000 C:\WINDOWS\System32\combase.dll
0x73cd0000 C:\WINDOWS\System32\COMDLG32.dll
0x6b770000 C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.523_none_42edd4b044e3535c\COMCTL32.dll
0x73ab0000 C:\WINDOWS\System32\shcore.dll
0x76c80000 C:\WINDOWS\System32\SHLWAPI.dll
0x74010000 C:\WINDOWS\System32\SHELL32.dll
0x73ee0000 C:\WINDOWS\System32\cfgmgr32.dll
0x76410000 C:\WINDOWS\System32\windows.storage.dll
0x770d0000 C:\WINDOWS\System32\kernel.appcore.dll
0x76f40000 C:\WINDOWS\System32\profapi.dll
0x75950000 C:\WINDOWS\System32\powrprof.dll
0x759a0000 C:\WINDOWS\System32\FLTLIB.DLL
0x71f40000 c:\Windows\System32\PROPSYS.dll
0x6efd0000 c:\Windows\System32\WINSPOOL.DRV
0x6d2c0000 c:\Windows\System32\urlmon.dll
0x75470000 C:\WINDOWS\System32\OLEAUT32.dll
0x724c0000 c:\Windows\System32\IPHLPAPI.DLL
0x6d090000 c:\Windows\System32\iertutil.dll
0x726f0000 c:\Windows\System32\bcrypt.dll
[0x77277d3a]>
radare commented 5 years ago

That's pretty boring to read.

Try with r2 -d ... instead of doing the ood and see if the bug is in ood or not.

On 17 Jan 2019, at 00:50, pcopissa notifications@github.com wrote:

Here is the largish output I get if I use ood and dcu entry0 (attached as file failed for whatever reason)

0x763e8000 - 0x7640c000 - usr 144K s r-- IMAGE combase.dll | .reloc ? 0x76410000 - 0x76411000 - usr 4K s r-- IMAGE windows.storage.dll ? 0x76411000 - 0x76959000 - usr 5.3M s r-x IMAGE windows.storage.dll | .text ? 0x76959000 - 0x7695a000 - usr 4K s -w- IMAGE windows.storage.dll | .data ? 0x7695a000 - 0x7695b000 - usr 4K s rw- IMAGE windows.storage.dll | .data ? 0x7695b000 - 0x7695c000 - usr 4K s -w- IMAGE windows.storage.dll | .data ? 0x7695c000 - 0x7695d000 - usr 4K s rw- IMAGE windows.storage.dll | .data ? 0x7695d000 - 0x7695f000 - usr 8K s -w- IMAGE windows.storage.dll | .data ? 0x7695f000 - 0x76965000 - usr 24K s r-- IMAGE windows.storage.dll | .idata ? 0x76965000 - 0x76966000 - usr 4K s r-- IMAGE windows.storage.dll | .didat ? 0x76966000 - 0x7696a000 - usr 16K s r-- IMAGE windows.storage.dll | .rsrc ? 0x7696a000 - 0x769ca000 - usr 384K s r-- IMAGE windows.storage.dll | .reloc ? 0x769d0000 - 0x769d1000 - usr 4K s r-- IMAGE KERNELBASE.dll ? 0x769d1000 - 0x76b7f000 - usr 1.7M s r-x IMAGE KERNELBASE.dll | .text ? 0x76b7f000 - 0x76b82000 - usr 12K s rw- IMAGE KERNELBASE.dll | .data ? 0x76b82000 - 0x76b83000 - usr 4K s -w- IMAGE KERNELBASE.dll | .data ? 0x76b83000 - 0x76b89000 - usr 24K s r-- IMAGE KERNELBASE.dll | .idata ? 0x76b89000 - 0x76b8a000 - usr 4K s r-- IMAGE KERNELBASE.dll | .didat ? 0x76b8a000 - 0x76b8b000 - usr 4K s r-- IMAGE KERNELBASE.dll | .rsrc ? 0x76b8b000 - 0x76bb4000 - usr 164K s r-- IMAGE KERNELBASE.dll | .reloc ? 0x76bc0000 - 0x76bc1000 - usr 4K s r-- IMAGE RPCRT4.dll ? 0x76bc1000 - 0x76c6f000 - usr 696K s r-x IMAGE RPCRT4.dll | .text ? 0x76c6f000 - 0x76c70000 - usr 4K s rw- IMAGE RPCRT4.dll | .data ? 0x76c70000 - 0x76c73000 - usr 12K s r-- IMAGE RPCRT4.dll | .idata ? 0x76c73000 - 0x76c74000 - usr 4K s r-- IMAGE RPCRT4.dll | .didat ? 0x76c74000 - 0x76c79000 - usr 20K s r-- IMAGE RPCRT4.dll | .rsrc ? 0x76c79000 - 0x76c80000 - usr 28K s r-- IMAGE RPCRT4.dll | .reloc ? 0x76c80000 - 0x76c81000 - usr 4K s r-- IMAGE RPCRT4.dll ? 
0x76c81000 - 0x76cbb000 - usr 232K s r-x IMAGE SHLWAPI.dll | .text ? 0x76cbb000 - 0x76cbc000 - usr 4K s rw- IMAGE SHLWAPI.dll | .data ? 0x76cbc000 - 0x76cc0000 - usr 16K s r-- IMAGE SHLWAPI.dll | .idata ? 0x76cc0000 - 0x76cc1000 - usr 4K s r-- IMAGE SHLWAPI.dll | .didat ? 0x76cc1000 - 0x76cc2000 - usr 4K s r-- IMAGE SHLWAPI.dll | .rsrc ? 0x76cc2000 - 0x76cc5000 - usr 12K s r-- IMAGE SHLWAPI.dll | .reloc ? 0x76d80000 - 0x76d81000 - usr 4K s r-- IMAGE GDI32.dll ? 0x76d81000 - 0x76d9a000 - usr 100K s r-x IMAGE GDI32.dll | .text ? 0x76d9a000 - 0x76d9b000 - usr 4K s rw- IMAGE GDI32.dll | .data ? 0x76d9b000 - 0x76d9e000 - usr 12K s r-- IMAGE GDI32.dll | .idata ? 0x76d9e000 - 0x76d9f000 - usr 4K s r-- IMAGE GDI32.dll | .didat ? 0x76d9f000 - 0x76da0000 - usr 4K s r-- IMAGE GDI32.dll | .rsrc ? 0x76da0000 - 0x76da2000 - usr 8K s r-- IMAGE GDI32.dll | .reloc ? 0x76db0000 - 0x76db1000 - usr 4K s r-- IMAGE ucrtbase.dll ? 0x76db1000 - 0x76ebe000 - usr 1.1M s r-x IMAGE ucrtbase.dll | .text ? 0x76ebe000 - 0x76ebf000 - usr 4K s rw- IMAGE ucrtbase.dll | .data ? 0x76ebf000 - 0x76ec0000 - usr 4K s -w- IMAGE ucrtbase.dll | .data ? 0x76ec0000 - 0x76ec2000 - usr 8K s r-- IMAGE ucrtbase.dll | .idata ? 0x76ec2000 - 0x76ec3000 - usr 4K s r-- IMAGE ucrtbase.dll | .rsrc ? 0x76ec3000 - 0x76ece000 - usr 44K s r-- IMAGE ucrtbase.dll | .reloc ? 0x76f40000 - 0x76f41000 - usr 4K s r-- IMAGE profapi.dll ? 0x76f41000 - 0x76f52000 - usr 68K s r-x IMAGE profapi.dll | .text ? 0x76f52000 - 0x76f53000 - usr 4K s rw- IMAGE profapi.dll | .data ? 0x76f53000 - 0x76f55000 - usr 8K s r-- IMAGE profapi.dll | .idata ? 0x76f55000 - 0x76f56000 - usr 4K s r-- IMAGE profapi.dll | .didat ? 0x76f56000 - 0x76f57000 - usr 4K s r-- IMAGE profapi.dll | .rsrc ? 0x76f57000 - 0x76f58000 - usr 4K s r-- IMAGE profapi.dll | .reloc ? 0x770d0000 - 0x770d1000 - usr 4K s r-- IMAGE kernel.appcore.dll ? 0x770d1000 - 0x770d8000 - usr 28K s r-x IMAGE kernel.appcore.dll | .text ? 
0x770d8000 - 0x770d9000 - usr 4K s rw- IMAGE kernel.appcore.dll | .data ? 0x770d9000 - 0x770dc000 - usr 12K s r-- IMAGE kernel.appcore.dll | .idata ? 0x770dc000 - 0x770dd000 - usr 4K s r-- IMAGE kernel.appcore.dll | .didat ? 0x770dd000 - 0x770de000 - usr 4K s r-- IMAGE kernel.appcore.dll | .rsrc ? 0x770de000 - 0x770df000 - usr 4K s r-- IMAGE kernel.appcore.dll | .reloc ? 0x770e0000 - 0x770e1000 - usr 4K s r-- IMAGE ? 0x770e1000 - 0x770e4000 - usr 12K s r-x IMAGE ? 0x770e4000 - 0x770e5000 - usr 4K s r-- IMAGE ? 0x770e5000 - 0x770e6000 - usr 4K s rw- IMAGE ? 0x770e6000 - 0x770e7000 - usr 4K s r-- IMAGE ? 0x770e7000 - 0x770e8000 - usr 4K s r-x IMAGE ? 0x770e8000 - 0x770ea000 - usr 8K s r-- IMAGE ? 0x770f0000 - 0x770f1000 - usr 4K s r-- IMAGE ? 0x770f1000 - 0x77125000 - usr 208K s r-x IMAGE ? 0x77125000 - 0x77139000 - usr 80K s r-- IMAGE ? 0x77139000 - 0x7713a000 - usr 4K s rw- IMAGE ? 0x7713a000 - 0x77142000 - usr 32K s r-- IMAGE ? 0x77150000 - 0x77151000 - usr 4K s r-- IMAGE ? 0x77151000 - 0x7718e000 - usr 244K s r-x IMAGE ? 0x7718e000 - 0x771b6000 - usr 160K s r-- IMAGE ? 0x771b6000 - 0x771b7000 - usr 4K s rw- IMAGE ? 0x771b7000 - 0x771b9000 - usr 8K s -w- IMAGE ? 0x771b9000 - 0x771c8000 - usr 60K s r-- IMAGE ? 0x771d0000 - 0x771d1000 - usr 4K s r-- IMAGE ntdll.dll ? 0x771d1000 - 0x772e4000 * usr 1.1M s r-x IMAGE ntdll.dll | .text ? ; map.IMAGE__.r_x 0x772e4000 - 0x772e5000 - usr 4K s r-x IMAGE ntdll.dll | RT ? 0x772e5000 - 0x772eb000 - usr 24K s rw- IMAGE ntdll.dll | .data ? 0x772eb000 - 0x772ee000 - usr 12K s r-- IMAGE ntdll.dll | .mrdata ? ; map.IMAGE.rw 0x772ee000 - 0x772ef000 - usr 4K s r-- IMAGE ntdll.dll | .00cfg ? ; map.IMAGE.r 0x772ef000 - 0x7735b000 - usr 432K s r-- IMAGE ntdll.dll | .rsrc ? 0x7735b000 - 0x77360000 - usr 20K s r-- IMAGE ntdll.dll | .reloc ? 0x7fd20000 - 0x7fd25000 - usr 20K s r-- MAPPED ? 0x7fd25000 - 0x7fe20000 - usr 1004K s --- MAPPED ? 0x7fe20000 - 0x7fe28000 - usr 32K u --- PRIVATE ? 0x7fe28000 - 0x7fe29000 - usr 4K u rw- PRIVATE ? 
0x7fe30000 - 0x7fe31000 - usr 4K u --- PRIVATE ? 0x7fe31000 - 0x7fe32000 - usr 4K u rw- PRIVATE ? 0x7fe40000 - 0x7fe50000 - usr 64K u --- PRIVATE ? 0x7fe50000 - 0x7fe51000 - usr 4K u rw- PRIVATE ? 0x7fe60000 - 0x7fe61000 - usr 4K u --- PRIVATE ? 0x7fe61000 - 0x7fe62000 - usr 4K u rw- PRIVATE ? 0x7fe70000 - 0x7fe93000 - usr 140K s r-- MAPPED ? ; map.MAPPED_.r 0x7ffe0000 - 0x7ffe1000 - usr 4K u r-- PRIVATE ? ; map.PRIVATE.r [0x77277d3a]> dmm 0x001e0000 c:\Windows\SysWOW64\notepad.exe 0x771d0000 C:\WINDOWS\SYSTEM32\ntdll.dll 0x757d0000 C:\WINDOWS\System32\KERNEL32.DLL 0x769d0000 C:\WINDOWS\System32\KERNELBASE.dll 0x758b0000 C:\WINDOWS\System32\ADVAPI32.dll 0x73e10000 C:\WINDOWS\System32\msvcrt.dll 0x73db0000 C:\WINDOWS\System32\sechost.dll 0x76bc0000 C:\WINDOWS\System32\RPCRT4.dll 0x73a90000 C:\WINDOWS\System32\SspiCli.dll 0x73a80000 C:\WINDOWS\System32\CRYPTBASE.dll 0x73f20000 C:\WINDOWS\System32\bcryptPrimitives.dll 0x76d80000 C:\WINDOWS\System32\GDI32.dll 0x75560000 C:\WINDOWS\System32\gdi32full.dll 0x760d0000 C:\WINDOWS\System32\msvcp_win.dll 0x76db0000 C:\WINDOWS\System32\ucrtbase.dll 0x73b40000 C:\WINDOWS\System32\USER32.dll 0x75450000 C:\WINDOWS\System32\win32u.dll 0x761b0000 C:\WINDOWS\System32\combase.dll 0x73cd0000 C:\WINDOWS\System32\COMDLG32.dll 0x6b770000 C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.523_none_42edd4b044e3535c\COMCTL32.dll 0x73ab0000 C:\WINDOWS\System32\shcore.dll 0x76c80000 C:\WINDOWS\System32\SHLWAPI.dll 0x74010000 C:\WINDOWS\System32\SHELL32.dll 0x73ee0000 C:\WINDOWS\System32\cfgmgr32.dll 0x76410000 C:\WINDOWS\System32\windows.storage.dll 0x770d0000 C:\WINDOWS\System32\kernel.appcore.dll 0x76f40000 C:\WINDOWS\System32\profapi.dll 0x75950000 C:\WINDOWS\System32\powrprof.dll 0x759a0000 C:\WINDOWS\System32\FLTLIB.DLL 0x71f40000 c:\Windows\System32\PROPSYS.dll 0x6efd0000 c:\Windows\System32\WINSPOOL.DRV 0x6d2c0000 c:\Windows\System32\urlmon.dll 0x75470000 C:\WINDOWS\System32\OLEAUT32.dll 0x724c0000 
c:\Windows\System32\IPHLPAPI.DLL 0x6d090000 c:\Windows\System32\iertutil.dll 0x726f0000 c:\Windows\System32\bcrypt.dll [0x77277d3a]> — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

pcopissa commented 5 years ago

> That's pretty boring to read.

Well... you asked for it.

> Try with r2 -d ... instead of doing the ood and see if the bug is in ood or not

If I do that, I am unable to get the fcn.* symbols, which makes the whole exercise mostly meaningless. That would force me to have one session started with -d and another one started with -A ... Not even sure I can apply what I see in one session to the other.

At any rate, here is the result:

radare2 -A -d c:\Windows\SysWOW64\notepad.exe
Spawned new process with pid 1604, tid = 5228
= attach 1604 5228
bin.baddr 0x00c60000
Using 0xc60000
asm.bits 32
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[TOFIX: aaft can't run in debugger mode.tions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- I nodejs so hard my exams. What a nodejs!
[0x7723ce30]> db 0x415ae2
Cannot place a breakpoint on 0x00415ae2 unmapped memory.See e? dbg.bpinmaps
[0x7723ce30]>

Now, if I omit the -A, I get the same result. If I run radare2 -d, then issue aaa, same again. Note that at the very first startup this morning, it did work. Namely db caused no error. All subsequent attempts caused the error above. It did this precisely once. I started Windows 10 and tried again, but db ended again with an error.

Now, it occurred to me that I also have Kaspersky Endpoint Security thing running. Disabled most of it but result is the same. Uninstalling it is not an option at the moment.

I think you are right in one respect: The image seems to get remapped elsewhere (I get current location above 0x77d00000 when started with -d or after ood), but all the symbols that were gathered during the analysis phase remain unchanged and below 0x77d00000. Plus, as I said already, the fcn.* and sub.* symbols are gone.

radare commented 5 years ago

you are trying to set a breakpoint in the wrong place, just see the list of maps you shared before

also i think bin.baddr is wrongly computed on windows. because it says 0xc60000 but it should be 0x1e0000.. but again if that's aslr one just one list of maps i can't see that. but you should be able to determine if this baddr is correct or not

pcopissa commented 5 years ago

> you are trying to set a breakpoint in the wrong place

So how do I determine the right place to set the breakpoint then ? Because if I run aaa, I do get 0x415ae2 as the call site for the indirect address I am interested in:

...
|           0x00415ada      6a0b           push 0xb                    ; 11
|           0x00415adc      ff35d8df4100   push dword [0x41dfd8]
|           0x00415ae2      ff15b8f24100   call dword [sym.imp.USER32.dll_CreateDialogParamW] ;[1] ; 0x41f2b8
|           0x00415ae8      a3acd54100     mov dword [0x41d5ac], eax    ; [0x41d5ac:4]=0
|           0x00415aed      85c0           test eax, eax
|       ,=< 0x00415aef      0f8439020000   je 0x415d2e                 ;[2]
...

radare commented 5 years ago

did you verify if the value in bin.baddr is the same as the one displayed in maps in the same run? sorry i don't have windows. last windows i had was the windows 98, so i can't test much stuff, probably someone else could test better, but telegram/irc is probably a better place to discuss this than github.

pcopissa commented 5 years ago

Unfortunately I have to do something more urgent (read: work-related...) ATM. Be back ASAP, maybe tomorrow...

radare commented 5 years ago

at any time, irc/tg works 24/7

jorgeventura commented 5 years ago

I am having the same issue and here is what I observed under Windows 7, if I enter the command without debug mode, everything works as expected when 'aaft' works properly for all functions.

[x] Type matching analysis for all functions (aaft)

When I start in debug mode, 'aaft' fails and many commands don't present information like iM, ie and so on. It seems that this is something known because the message says TOFIX.

[TOFIX: aaft can't run in debugger mode.ions (aaft)

I did the same test using the 'hello' program compiled to run on Linux and the problem is similar but not exactly the same. Commands like iM and ie work but the important 'axt' doesn't.

Here is what happens:

[0x00001110]> fs strings
[0x00001110]> f
0x00002008 13 str.Hello_World
0x00002015 9 str.08i:s
[0x00001110]> axt str.08i:s
main 0x10bc [DATA] lea rsi, str.08i:__s <==== I get the address but I can't set the break because not in debug mode.

In debug mode, I don't have any response from 'axt str.08i:__s'.

Is there any workaround for that?

radare commented 5 years ago

it's not about workarounds. check the value of the anal.in variable, run the program until the entrypoint is hit at least, because r2 starts debugging way before the main executable is loaded in memory, i don't have any windows to test, but all that stuff is generic and may affect that stuff

jorgeventura commented 5 years ago

Maybe I am not understanding the idea behind radare2, especially between non-debug and debug mode. Here is what I did to get the best results:

[1] Start in non-debug mode and do every analysis required including aaft. Get the entry point using iM (won't be available in debug mode).
[2] Switch to ood when the program is reloaded and assign break point to 'main' from [1]. At this point the fs command includes 'strings'. You don't have that if you don't do [1] first.

Does it make any sense for you?

radare commented 5 years ago

On 24 Jan 2019, at 20:22, Jorge Ventura notifications@github.com wrote:

> Maybe I am not understanding the idea behind radare2, especially between non-debug and debug mode. Here is what I did to get the best results:
>
> [1] Start in non-debug mode and do every analysis required including aaft. Get the entry point using iM (won't be available in debug mode).

you don't need to analyze anything to get the address of main, entrypoint or symbols, this info comes in the bin headers.

the entrypoint is shown with ie. the iM is the main and should work in debug and non-debug, otherwise it's a bug.

> [2] Switch to ood when the program is reloaded and assign break point to 'main' from [1]. At this point the fs command includes 'strings'. You don't have that if you don't do [1] first.

you can just open with -d and do everything directly in there, all the flags, analysis info and such is not always rebased when in aslr situations, so it's better to do the analysis in debug mode directly or disable aslr.

you can also use anal.strings=true and take the strings from the analysis instead of carving the binary

> Does it make any sense for you?

at the moment of starting the debugger the program counter is in the linker, not in the program itself. so depending on the system and the binary it is necessary to run 'dcu entry0' to continue until the entrypoint. This way you are sure the binary is loaded.

at this point check 'e anal.in=?' and set the value that makes sense to you. this is, which code do you want to analyze? probably dbg.map should be the right value to use here because you want to analyze the code mapped in the current offset.

r2 should probably set this value by default when cfg.debug is set
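
The rebasing problem discussed in this thread, as an added example that is not part of the original comments and is not radare2's own code: it translates an address taken from static analysis onto the ASLR-relocated image and checks that the result lands in a mapped, executable region, which is the condition the `db` error message refers to. The static image base of 0x400000 is an assumption (the thread never states it), the `dm`-style rows are constructed sample data in the format shown in the thread, and the function names are hypothetical.

```python
import re

# One row of `dm` output in the format shown in this thread, e.g.
# "0x73db1000 - 0x73de9000 - usr 224K s r-x IMAGE sechost.dll | .text"
DM_ROW = re.compile(
    r"^\s*(0x[0-9a-fA-F]+)\s+-\s+(0x[0-9a-fA-F]+)\s+[-*]\s+\S+\s+\S+\s+\S+\s+"
    r"([rwx-]{3})\s+(.*)$"
)


def parse_maps(dm_text):
    """Parse dm-style rows into (start, end, perms, label) tuples."""
    maps = []
    for row in dm_text.splitlines():
        m = DM_ROW.match(row)
        if m:
            maps.append((int(m.group(1), 16), int(m.group(2), 16),
                         m.group(3), m.group(4).strip()))
    return maps


def find_map(addr, maps):
    """Return the map that contains addr, or None if addr is unmapped."""
    for entry in maps:
        if entry[0] <= addr < entry[1]:
            return entry
    return None


def rebase(static_addr, static_base, runtime_base):
    """Translate an address from the on-disk layout to the loaded image."""
    if static_addr < static_base:
        raise ValueError("address lies below the static image base")
    return runtime_base + (static_addr - static_base)


def breakpoint_address(static_addr, static_base, runtime_base, maps):
    """Rebase static_addr and insist it lands in mapped, executable memory."""
    addr = rebase(static_addr, static_base, runtime_base)
    entry = find_map(addr, maps)
    if entry is None:
        raise LookupError(f"{addr:#x} is not inside any map")
    if "x" not in entry[2]:
        raise LookupError(f"{addr:#x} is in a non-executable map ({entry[3]})")
    return addr


# Constructed sample rows: a notepad.exe image loaded at the bin.baddr value
# reported in the thread (0xc60000). Section sizes are made up.
SAMPLE_DM = """\
0x00c60000 - 0x00c61000 - usr 4K s r-- IMAGE notepad.exe
0x00c61000 - 0x00c80000 - usr 124K s r-x IMAGE notepad.exe | .text
0x00c80000 - 0x00c83000 - usr 12K s rw- IMAGE notepad.exe | .data
0x771d1000 - 0x772e4000 * usr 1.1M s r-x IMAGE ntdll.dll | .text
"""

STATIC_BASE = 0x400000    # assumption: base used by the non-debug analysis
RUNTIME_BASE = 0xC60000   # bin.baddr printed by the -d session in the thread
CALL_SITE = 0x415AE2      # call site found by static analysis in the thread

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_DM)
    # The static address is not in any map, which is why db refuses it.
    print("static address mapped:", find_map(CALL_SITE, maps) is not None)
    target = breakpoint_address(CALL_SITE, STATIC_BASE, RUNTIME_BASE, maps)
    print("rebased breakpoint address:", hex(target))
```

The base passed as `runtime_base` has to come from the same run as the map listing, since the image can be loaded at a different address on every start.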

jorgeventura commented 5 years ago

Understood. I am not the original author of this ticket but for my side it's closed. Thank you for your time.

Maijin commented 5 years ago

Next time @jorgeventura open another issue.

radare commented 5 years ago

Cool. So it works as expected I guess. Thanks

Maijin commented 5 years ago

@pcopissa Can you please confirm it works?

jorgeventura commented 5 years ago

The original statement from the tkt is working for me. I can load as non-debug mode and using ood to reload in debug mode and insert breakpoints. I have other issues but as you suggested, I'll open in a new tkt.

XVilka commented 5 years ago

So? Can this one be closed?

radare commented 5 years ago

Yeah
