Most Popular (1500 questions)
10 votes, 2 answers

What impact does noninvasive debugging have?

What impact does noninvasive user mode debugging with WinDbg have on the process? Will it be detectable by the process? Of course I could imagine that if the threads are suspended, differences in execution time of a function could be detected by…
Thomas Weller
  • 970
  • 6
  • 19
10 votes, 1 answer

Mapping an external module's source code to assembly - extracting information from source code

The situation is the following: I'm reversing an application, in which I found a lot of functions that belong to the OpenSSL library. Since I have the source code for this module, I was wondering if it's possible to somehow "extract" the variable…
Dominik Antal
  • 2,038
  • 22
  • 39
10 votes, 3 answers

Converting a virtual table from .rdata into an IDA struct

Is there a way to convert a .rdata vtable entry to an IDA struct? An example of the vtable entry: And what the resulting struct should look like (but with all entries - this vtable specifically, should have 109 vfuncs): I would assume there's some…
Jarryd Le Breton
  • 101
  • 1
  • 1
  • 5
10 votes, 3 answers

Physically auditing the layout of transistors inside a processor made at 22mm process die

What is necessary to check that the layout of all the 35000 transistors on a given physical processor was not tampered with, assuming the normal layout and its dispositions on the die are extensively documented? Microscope? Specialized imaging…
user2987828
  • 201
  • 1
  • 5
10 votes, 1 answer

GDB via JTAG on ARM Hardware target without source code

Does anyone have other solutions for connecting to a remote ARM target without IDA? This is the question, and below I give examples of setups I have tried, should anyone be interested. Update: updated Codeworks test for remote gdb. Update: GDB setup…
cyphunk
  • 101
  • 4
10 votes, 1 answer

Where could one find a collection of mid-file binary signatures?

While reading an answer to another question, it was mentioned that "78 9C" was a well-known pattern for Zlib compressed data. Intrigued, I decided to search up the signature on the file signature database to see if there were any related numbers. It…
Archenoth
  • 1,475
  • 13
  • 17
10 votes, 1 answer

What does this memory pattern pointing from the thread-local storage mean?

An application I am currently looking at is using threads and accessing something via the thread-local storage. It is compiled with Visual C++ (probably 6.0). First question would be, where can I find more information on what the thread-local storage…
samuirai
  • 3,079
  • 4
  • 23
  • 37
10 votes, 2 answers

Moving from Windows to Linux for Malware analysis. What should I consider?

I currently use Windows 7 as my host machine and want to move to Fedora. I have IDA Pro + hexrays decompiler, VMWare Workstation, Hiew, Visual Studio, Olly, and several other smaller tools that should run just fine in wine. I know I can get the…
10 votes, 2 answers

Detecting an emulator using the windows api

I've been given a program that emulates the Windows API. I'm attempting to find flaws in this emulator where it either: Always returns a constant value, regardless of the host system (Useful for fingerprinting) For example, calls to get the…
drewb
  • 103
  • 5
10 votes, 2 answers

Connecting to jtag-openocd-gdb to arm11 device with IDA gets no control

I have a binary chunk from a piece of hardware I've been deciphering with IDA for a couple days now. Today I finally got a probe connected via JTAG and have openocd start up a GDB server. IDA is connecting to the GDB service but when I attach to…
frunk420
  • 151
  • 6
10 votes, 1 answer

Filling C++ interface method names in the disassembly in IDA

I have a C++ header with interfaces (classes with all methods pure virtual). I also have a binary which returns pointers to these interfaces. I debugged while running and received the virtual table addresses for these interfaces' implementation. Is…
Asaf
  • 201
  • 2
  • 3
10 votes, 2 answers

What is a correct disassembler?

A disassembler is supposed to produce a human-readable representation of the binary program. But the most well-known techniques, linear sweep and recursive traversal (see this comment for more), are known to be easily misled by specific tricks. Once…
perror
  • 19,083
  • 29
  • 87
  • 150
10 votes, 1 answer

Is there a list of Ghidra's variable prefixes?

In Ghidra, the decompiler prepends various prefixes to variable names. For instance, iVar1 is an integer. However, there are a lot of prefixes that aren't immediately obvious, find some below, but I'm looking for a complete dictionary if anyone…
Axel Persinger
  • 201
  • 2
  • 4
10 votes, 2 answers

Binary instrumentation with Python

I'm interested in performing (dynamic) binary instrumentation using Python to be able to analyze the binary by instructions during execution, for Windows and Linux. Can someone suggest such a tool/framework? Does it even exist, or is it possible?
PhoeniX
  • 3,052
  • 16
  • 30
10 votes, 2 answers

Android bytecode verifier

One of the things that makes Java bytecode (.class) so easy to reverse engineer is that the JVM's verifier ensures that bytecode can always be disassembled via linear sweep. Instructions have to be consecutive starting at offset 0, and you can't…
Antimony
  • 2,012
  • 11
  • 16