Most Popular

14 votes, 4 answers

Creating IDA Pro debugger plugins - API documentation and examples?

Are there any good resources for developing debugger plugins in IDA Pro using the SDK that describe the IDA debugger API? An example of this is the IDA Pro ARM debugger plugin on Sourceforge. There seem to be few projects that have accomplished…
dingo_kinznerhook
14 votes, 5 answers

How to capture an "in-memory" malware in MS-Windows?

I have an infected MS-Windows 7 machine with in-memory malware; shutting it down will probably make it disappear, and I would like to get the malware in a more convenient format to perform some analysis on it. What are the different in-memory…
perror
14 votes, 2 answers

What causes the need for NOP sleds?

So when taking a simple scenario and exploiting a stack buffer overflow in which I can execute code on the stack, my payload simply is: NOP Sled -> Shellcode -> Padding -> New RET Address (Pointing to the NOP Sled) What I get is that we need to…
L. Heldt
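The layout the question describes (NOP sled, then shellcode, then padding, then a new return address pointing into the sled), as an added example that is not part of the question or any answer to it. The shellcode bytes, the overflow distance of 200 and the return-address value are placeholders chosen for the demonstration, not taken from any real target. The point it shows is the one the question asks about: with a sled, any landing offset inside the sled slides into the shellcode, so the attacker only needs the return address to be roughly right; without one, the guess must be exact.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90
/* Hypothetical guessed stack address for the sled (assumption, not a real target). */
#define RET_ADDR_GUESS 0xbffff5a0u

/* Constructed stand-in for real shellcode: xor eax,eax ; int3.
 * The only property the demo needs is that it contains no 0x90 byte. */
static const uint8_t shellcode[] = { 0x31, 0xc0, 0xcc };

/* Lay out [NOP sled][shellcode][padding][new RET] in buf.
 * overflow_len is the distance from the start of the overflowed buffer to the
 * saved return address; four more bytes overwrite it (x86, little-endian).
 * Returns the payload length, or 0 if the pieces do not fit. */
size_t build_payload(uint8_t *buf, size_t buf_len, size_t sled_len,
                     size_t overflow_len, uint32_t ret_addr)
{
    size_t sc_len = sizeof shellcode;
    if (sled_len + sc_len > overflow_len || overflow_len + 4 > buf_len)
        return 0;
    memset(buf, NOP, sled_len);
    memcpy(buf + sled_len, shellcode, sc_len);
    memset(buf + sled_len + sc_len, 'A', overflow_len - sled_len - sc_len);
    buf[overflow_len + 0] = (uint8_t)(ret_addr);
    buf[overflow_len + 1] = (uint8_t)(ret_addr >> 8);
    buf[overflow_len + 2] = (uint8_t)(ret_addr >> 16);
    buf[overflow_len + 3] = (uint8_t)(ret_addr >> 24);
    return overflow_len + 4;
}

/* Model the CPU after RET transfers control to byte offset `land` of the
 * payload: each 0x90 is a one-byte NOP, so execution slides forward until a
 * non-NOP byte.  Returns 1 if that byte is the first shellcode byte. */
int sled_reaches_shellcode(const uint8_t *buf, size_t payload_len,
                           size_t sled_len, size_t land)
{
    size_t pc = land;
    while (pc < payload_len && buf[pc] == NOP) pc++;
    return pc == sled_len;
}

/* Build a payload with the given sled and check one landing offset.
 * Returns 1 (shellcode runs), 0 (it does not), or -1 (payload did not fit). */
int landing_works(size_t sled_len, size_t land)
{
    uint8_t buf[256];
    size_t n = build_payload(buf, sizeof buf, sled_len, 200, RET_ADDR_GUESS);
    if (n == 0) return -1;
    return sled_reaches_shellcode(buf, n, sled_len, land);
}

/* How many landing offsets succeed: sled_len + 1 (every sled byte plus the
 * shellcode's first byte).  With no sled, the guess must be exact. */
size_t count_good_landings(size_t sled_len)
{
    uint8_t buf[256];
    size_t n = build_payload(buf, sizeof buf, sled_len, 200, RET_ADDR_GUESS);
    size_t good = 0;
    for (size_t off = 0; off < n; off++)
        good += (size_t)sled_reaches_shellcode(buf, n, sled_len, off);
    return good;
}

int main(void)
{
    printf("landing offsets that reach the shellcode: no sled=%zu, 100-byte sled=%zu\n",
           count_good_landings(0), count_good_landings(100));
    return 0;
}
```

Landing in the padding or on the overwritten return address itself fails in the model, as it would on a real CPU where those bytes decode as something other than NOP; the sled only helps with error in the direction of the sled's start.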
14 votes, 1 answer

What does the `TEST` instruction do

I'm having trouble understanding the TEST instruction and its use. I'm looking at the following code at the end of a loop 0040A3D1 A9 00010181 TEST EAX,81010100 0040A3D6 74 E8 JE SHORT JinKu_ke.0040A3C0 I understand…
Marek
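The semantics of TEST followed by JE, as an added example that is not part of the question or any answer. It models the flag computation TEST performs (AND the operands, discard the result, set ZF/SF/PF from it, clear CF and OF) and applies it to the exact pair in the question, TEST EAX, 81010100h and a backward JE. The immediate has bits 31, 24, 16 and 8 set, so the conditional branch simply asks whether any of those four bits is set in EAX. The loop label name is a placeholder.

```c
#include <stdint.h>
#include <stdio.h>

/* The flags TEST sets.  TEST computes dst AND src, throws the result away and
 * sets ZF, SF and PF from it; CF and OF are always cleared (AF is undefined). */
typedef struct { int zf, sf, pf, cf, of; } eflags_t;

/* PF = 1 when the low byte of the result has an even number of set bits. */
static int parity_even(uint32_t r)
{
    unsigned ones = 0;
    for (uint32_t b = r & 0xffu; b; b >>= 1) ones += b & 1u;
    return (ones & 1u) == 0;
}

eflags_t x86_test32(uint32_t dst, uint32_t src)
{
    uint32_t r = dst & src;
    eflags_t f = { r == 0, (int)(r >> 31), parity_even(r), 0, 0 };
    return f;
}

/* JE is an alias of JZ: taken when ZF == 1. */
int je_taken(eflags_t f) { return f.zf; }

/* The pair from the question:
 *     TEST EAX, 81010100h
 *     JE   SHORT loc_40A3C0       ; backward jump = loop continues
 * The immediate has bits 31, 24, 16 and 8 set, so the loop runs again while
 * none of those four bits is set in EAX, and falls through as soon as one is. */
#define TEST_MASK 0x81010100u

int loop_continues(uint32_t eax)
{
    return je_taken(x86_test32(eax, TEST_MASK));
}

/* The same condition written the way a compiler's C source would read. */
int loop_continues_c(uint32_t eax)
{
    return (eax & TEST_MASK) == 0;
}

int main(void)
{
    uint32_t samples[] = { 0, 0x000000ffu, 0x00000100u, 0x80000000u, 0x7efefeffu };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("EAX=%08x -> JE %s\n", samples[i],
               loop_continues(samples[i]) ? "taken" : "not taken");
    return 0;
}
```

Note that TEST never writes its operands, which is why it shows up where a compiler wants a cheap bit check without clobbering EAX; the value is still live for the next iteration.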
14 votes, 2 answers

How do I know the bytes corresponding to an instruction in Hex view in IDA?

When I select an assembly instruction in IDA graph view, I want to see the exact bytes corresponding to the selected instruction when I switch to Hex view in IDA. How do I do that?
sherlock
14 votes, 2 answers

Find reference to string in radare2

In this crackme solution, first the strings are found: $ rabin2 -z crackserial_linux addr=0x00000aa0 off=0x00000aa0 ordinal=000 sz=7 len=7 section=.rodata type=A string=User: addr=0x00000aa7 off=0x00000aa7 ordinal=001 sz=11 len=11 section=.rodata…
robert
13 votes, 2 answers

How can I find the source of a string in an old DOS game?

I am attempting to amend some strings in an old DOS game (FIFA International Soccer), specifically the names of players. In the past it hasn't been too hard to pull off such a task on post-DOS games as either the strings are easy to track down in…
user11826
13 votes, 4 answers

Recovering .NET sources into full blown project

I wonder if total decompilation of an arbitrary non-packed .NET project is possible? If not, what are the conditions that should be met to make it possible? If yes, are there tools that can automate this? I'm wondering not about basic decompilers, but…
see ya
13 votes, 2 answers

How do the internals of a Windows update security patch work?

Wasn't sure where to ask this on stack exchange, so vote to close if you think it is in the wrong place. I am analyzing a Windows security patch. Having never examined a windows security patch, and being unaware of their structure I am trying to…
MrSynAckSter
13 votes, 2 answers

Should I switch from WinDbg to OllyDbg?

I am fairly familiar with WinDbg and didn't know about OllyDbg before. From the statistics in this forum, it seems that OllyDbg is twice as popular as WinDbg. Sometimes WinDbg can be frustrating, so I wonder whether I should switch. To make this…
Thomas Weller
13 votes, 4 answers

Inverting functions HOWTO

I just read some code that applies a series of transformations to a 4-byte integer. I'm curious to know if the following function is invertible. f(y) = y^(y>>11) A general doubt I have is the thought process involved when trying to find the…
user1743
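The inversion carried through for the function in the question, as an added example that is not part of the question or any answer. f(y) = y ^ (y >> 11) on 32-bit words is invertible: the shift cannot touch the top 11 bits, so those bits of the output equal those of the input, and feeding the partially known value back through y ^ (x >> 11) recovers the next 11 bits on each pass. The code below implements that for any shift amount and, going a little beyond the question, also handles the masked left-shift form x ^ ((x << s) & m) by the same argument run from the low bits upward. Nothing here is taken from the code the poster read.

```c
#include <stdint.h>
#include <stdio.h>

/* The function from the question, on 32-bit words. */
uint32_t f(uint32_t y) { return y ^ (y >> 11); }

/* Inverse of x -> x ^ (x >> s), 0 < s < 32.  The shift cannot touch the top
 * s bits, so they are already correct in y.  Each pass x = y ^ (x >> s) then
 * fixes the next s bits below the ones already known, because it only reads
 * bits of x that are already right.  ceil(32/s) - 1 passes recover all 32. */
uint32_t unxorshift_right(uint32_t y, unsigned s)
{
    uint32_t x = y;
    for (unsigned known = s; known < 32; known += s)
        x = y ^ (x >> s);
    return x;
}

/* Same idea for the left-shift form x ^ ((x << s) & m) (the shape used by the
 * MT19937 tempering step): the low s bits are untouched, so recovery runs
 * upward.  m = 0xFFFFFFFF gives the plain x ^ (x << s). */
uint32_t unxorshift_left(uint32_t y, unsigned s, uint32_t m)
{
    uint32_t x = y;
    for (unsigned known = s; known < 32; known += s)
        x = y ^ ((x << s) & m);
    return x;
}

uint32_t inverse_f(uint32_t y) { return unxorshift_right(y, 11); }

/* 1 if the inverse round-trips x through x ^ (x >> s) for this s. */
int roundtrip_right_ok(uint32_t x, unsigned s)
{
    return unxorshift_right(x ^ (x >> s), s) == x;
}

int roundtrip_left_ok(uint32_t x, unsigned s, uint32_t m)
{
    return unxorshift_left(x ^ ((x << s) & m), s, m) == x;
}

int main(void)
{
    uint32_t x = 0xdeadbeefu, y = f(x);
    printf("f(%08x) = %08x, inverse -> %08x\n", x, y, inverse_f(y));
    return 0;
}
```

The general thought process behind it: over GF(2) the map is linear, and its matrix is the identity plus a strictly triangular part (the shifted bits only ever depend on bits on one side), so it is unit-triangular and therefore always invertible; the loop above is back-substitution on that triangular system, s bits at a time.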
13 votes, 2 answers

How to prevent "upx -d" on an UPX packed executable?

I recently read a tweet from Ange about a technique to fool UPX when the option -d (decompress) is called. I would like to know how this works and what the techniques are to prevent a UPX-packed executable from being decompressed through upx -d (if…
perror
13 votes, 3 answers

How should I determine the format of this audio file?

I have an audio file in an unknown format. How should I try to determine its format? Also, is it possible to do this by manual observation and not using any automated tool?
asheeshr
13 votes, 2 answers

How are vulnerabilities (especially buffer overruns) found in the wild?

I hope this question is not OT for RE, but I'm rather curious as to how vulnerabilities are usually found. Of course I'm aware that companies are doing code audits to identify security problems but I doubt that the results of such audits are…
Devolus
13 votes, 3 answers

Totally unknown file analysis approaches

I guess this is the worst case. I have a file which was initially base64 encoded. This step was easy. But now all I can see is a bunch of rubbish. No structure, nearly a maximum of entropy, no periods, nothing. I have no more information…
Andre
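A first-pass triage routine serving both the audio-format question above and this unknown-file question, as an added example that is not part of either question or any answer. It does what a person would do by hand with a hex dump: check the first bytes against the signatures of the common audio containers, and when nothing matches, measure the byte-value entropy to tell uncompressed structured data from compressed or encrypted data (the "nearly maximum entropy" the poster observed). The sample buffers are constructed for the demonstration, not real files, and the entropy thresholds (7.5 and 2.0 bits per byte) are rules of thumb, not standards.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LN2 0.6931471805599453

/* Signature check for the audio containers one meets most often: the bytes a
 * hex dump shows at offset 0 (offset 4 for ftyp).  Returns NULL when none
 * matches.  The MPEG frame sync is tested last: 0xFF 0xFx also occurs inside
 * unrelated data, so it is the weakest evidence here. */
const char *sniff_audio_format(const uint8_t *b, size_t n)
{
    if (n >= 12 && !memcmp(b, "RIFF", 4) && !memcmp(b + 8, "WAVE", 4)) return "WAV";
    if (n >= 12 && !memcmp(b, "FORM", 4) && !memcmp(b + 8, "AIFF", 4)) return "AIFF";
    if (n >= 4  && !memcmp(b, "OggS", 4)) return "Ogg";
    if (n >= 4  && !memcmp(b, "fLaC", 4)) return "FLAC";
    if (n >= 3  && !memcmp(b, "ID3", 3))  return "MP3/ID3v2";
    if (n >= 8  && !memcmp(b + 4, "ftyp", 4)) return "ISO-BMFF (M4A/MP4)";
    if (n >= 2  && b[0] == 0xFF && (b[1] & 0xE0) == 0xE0) return "MPEG audio frame";
    return NULL;
}

/* ln(p) for 0 < p <= 1 without libm: scale p into [0.5, 1] by doubling, then
 * ln p = 2 * (u + u^3/3 + u^5/5 + ...) with u = (p-1)/(p+1), |u| <= 1/3. */
static double ln_unit(double p)
{
    int doublings = 0;
    while (p < 0.5) { p *= 2.0; doublings++; }
    double u = (p - 1.0) / (p + 1.0), term = u, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= u * u; }
    return 2.0 * sum - doublings * LN2;
}

/* Shannon entropy in bits per byte: 0 for a constant buffer, 8 for a uniform
 * one.  A buffer of n bytes cannot score above log2(n), so judge short
 * samples accordingly. */
double byte_entropy(const uint8_t *b, size_t n)
{
    if (n == 0) return 0.0;
    size_t hist[256] = {0};
    for (size_t i = 0; i < n; i++) hist[b[i]]++;
    double h = 0.0;
    for (int v = 0; v < 256; v++) {
        if (hist[v] == 0) continue;
        double p = (double)hist[v] / (double)n;
        h -= p * (ln_unit(p) / LN2);       /* p * log2(p) */
    }
    return h;
}

/* First-pass verdict: a known signature wins; otherwise the entropy class
 * says whether to expect plaintext structure or compression/encryption. */
const char *triage(const uint8_t *b, size_t n)
{
    const char *fmt = sniff_audio_format(b, n);
    if (fmt) return fmt;
    double h = byte_entropy(b, n);
    if (h > 7.5) return "no signature; near-maximal entropy (compressed or encrypted)";
    if (h < 2.0) return "no signature; low entropy (constant or padding)";
    return "no signature; moderate entropy (uncompressed structured data)";
}

/* Constructed samples (not real files). */
enum { SAMPLE_WAV, SAMPLE_FLAC, SAMPLE_MP3_SYNC, SAMPLE_ZEROS, SAMPLE_UNIFORM };
static const uint8_t sample_wav[]  = { 'R','I','F','F', 0x24,0x08,0,0, 'W','A','V','E', 'f','m','t',' ' };
static const uint8_t sample_flac[] = { 'f','L','a','C', 0,0,0,0x22 };
static const uint8_t sample_mp3[]  = { 0xFF, 0xFB, 0x90, 0x00 };
static const uint8_t sample_zeros[64];
static uint8_t sample_uniform[256];   /* each byte value exactly once */

static const uint8_t *sample_ptr(int id, size_t *n)
{
    switch (id) {
    case SAMPLE_WAV:      *n = sizeof sample_wav;   return sample_wav;
    case SAMPLE_FLAC:     *n = sizeof sample_flac;  return sample_flac;
    case SAMPLE_MP3_SYNC: *n = sizeof sample_mp3;   return sample_mp3;
    case SAMPLE_ZEROS:    *n = sizeof sample_zeros; return sample_zeros;
    case SAMPLE_UNIFORM:
        for (int i = 0; i < 256; i++) sample_uniform[i] = (uint8_t)i;
        *n = sizeof sample_uniform; return sample_uniform;
    default: *n = 0; return NULL;
    }
}

const char *triage_sample(int id) { size_t n; const uint8_t *b = sample_ptr(id, &n); return b ? triage(b, n) : NULL; }
double entropy_sample(int id)     { size_t n; const uint8_t *b = sample_ptr(id, &n); return b ? byte_entropy(b, n) : -1.0; }

int main(void)
{
    for (int id = SAMPLE_WAV; id <= SAMPLE_UNIFORM; id++)
        printf("sample %d: %s (entropy %.2f bits/byte)\n", id, triage_sample(id), entropy_sample(id));
    return 0;
}
```

Two caveats a practitioner applies: a matching signature is only a hint until the rest of the header parses (the four bytes are trivially forged), and high entropy on its own does not separate encryption from compression; for that, look for a decompressible stream or a known container around the blob rather than at the byte statistics.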