Since 9.2 got released, I experienced multiple times (more than I would like) bug with bookmarks not being rebased. After starting process with IDA and initial rebasing, IDA sometimes won’t update bookmarks address which renders all of them invalid. If “Show folders” is enabled in Jump Bookmark window these bookmarks are visible as empty slots, that means the bookmark entry is there, but has no text on it whatsoever.
It’s hard to pinpoint or catch it as sometimes it happens, sometimes not. I’ll post a reply here if I find out but I doubt I’ll do. It’s pretty random. Just wanted to mention it because It’s not some cosmetic little thing.
EDIT
I just reminded myself that it happens after the debugging is done and IDA is back to main view. Bookmarks are valid during debugging. They break after that.
I’m on macOS and use bundled remote intel debugger if it helps.
Thank you. Does it happen to bookmarks added before debugging, during, or both? Are the bookmarked addresses inside the main module from which the idb was created?
Does it happen to bookmarks added before debugging, during, or both?
This I’m not sure but I’m positive it happens to both.
Are the bookmarked addresses inside the main module from which the idb was created?
Bookmarks were in the address range of the dylib (the IDB is for that dylib) which was loaded by the application.
My hypothesis is that during initial rebasing after IDA detected that module has been loaded, it has to update bookmarks addresses to align with those in debugger memory. After debugging stops it doesn’t rebase them back. That’s just my wild take, but it does seem like something like that.
EDIT
After end of debugging, IDA does not rebase the binary back to the default imagebase in effort to speed up the subsequent debug runs
Well I never noticed that. Seems like my hypothesis doesn’t make sense anymore. I’ll keep an eye when the bug occurs.
Bookmarks that were set when not under debugger, after launching process and initial rebasing are broken. So it’s not after debugging ends like I said at first. So it might actually be the thing I said that bookmarks are not rebased during initial rebasing.
Im debugging a dylib for which IDB is for. I’ve option to Disable ASLR enabled, perhaps it doesn’t rebase bookmarks because of it.