Most Popular
1500 questions
10 votes, 2 answers
Mixed 16/32-bit code reversing using IDA
I am trying to reverse engineer a binary blob I expect to transition from 16-bit real mode into 32-bit protected mode (it is boot time code), so I expect the code to contain code of both sorts.
When I launch IDA, I am given the option of 16 or…
user1797
10 votes, 2 answers
Attaching GDB to a specific fork
I am trying to reverse engineer a Linux binary that makes several fork() calls. I am using GDB 7.5 on Ubuntu. What I am trying to do with GDB is attach to a certain fork() (say the second call). Is the only way to do this to set follow-fork-mode to…
Compster
10 votes, 0 answers
Ghidra loading Linux kernel function signatures
TL;DR
I want to load Linux kernel headers vs. 4.19 to Ghidra so that it recognizes kernel structures and function signatures.
Full description
I'm trying to reverse engineer a Linux kernel module (kernel version 4.19).
Ghidra does recognize correctly…
Rob D
10 votes, 1 answer
How to handle exceptions in a debugger when reversing malware?
I came across some malware that raised an exception while I was single stepping through it. IDA gives me the option to pass the exception to the application or not. What exactly is going on here? When would I not want to pass the exception to the…
user2142
10 votes, 3 answers
Why does the function pointer get overwritten even though it is declared before the vulnerable buffer?
I am working on io-wargames for fun right now, level3:
I do understand why there is a stack-overflow in this code (strlen(argv[1])), but what I don't understand is why it overflows the function pointer functionpointer.
functionpointer is declared…
0x90
10 votes, 1 answer
How to identify function calls in IDA Pro's disassembly?
I am reverse engineering some code from which IDA has generated the following disassembly. These specific lines of code are just for illustrative purposes. Notice that the third line does not call a specific function by its name but rather by its…
clark
10 votes, 1 answer
Can I define custom enum-type to be used in Ghidra as a data type?
I'm trying to learn Ghidra. Say, if it generated the following code for loading functions from an array of function names from gpfnCommCtrlAPI:
I was able to retype gpfnCommCtrlAPI into char*[14] which made it quite readable:
But then is it…
c00000fd
10 votes, 2 answers
How to load symbols from a symbol server in Ghidra?
I've been trying to learn Ghidra by attempting to reverse the comctl32.dll system library, which has many of its functions documented. I started the decompilation analysis in it, and after a while it showed this error message:
(I don't know how…
c00000fd
10 votes, 1 answer
Common Lisp bytecode or machine code decompiler
Does anyone know of a decompiler for Common Lisp?
I know most lisp environments include a disassembler. But I don't know of any decompilers.
I would think it should be possible to make a decompiler using the output of the various lisp environment…
cb88
10 votes, 3 answers
Academic journals for latest RE/Malware/Exploitation research?
I am looking for journals to keep track of the latest advances in reverse engineering, binary analysis, malware, binary exploitation, etc.
Chase Kanipe
10 votes, 3 answers
How to reverse engineer an ATM?
This question is using ATMs as an example, but it could apply to any number of 'secure' devices such as poker machines, E-voting machines, payphones etc.
Given that ATMs are relatively hardened (in comparison to say, most consumer electronics for…
NULLZ
10 votes, 3 answers
Unable to set breakpoints in keygen
I like security as a hobby, and not so often I read and play with a few simple KeyGen games, and I enjoy it.
Reversing and KeyGen is very interesting but I'm a beginner and my questions are probably very dumb but I will be very thankful if you could…
Araujo
10 votes, 2 answers
What does the text in angle brackets refer to? (From objdump)
I constantly see the text () as seen in the snippet below, but I am not sure if it's making a call to perror or if the disassembler was having issues. Since it would be odd if the first thing the main function did was to call the…
RC1140
10 votes, 2 answers
How can I analyze a program that uses a JIT compiled code?
A lot of code I encounter today has a considerable amount of code generated at runtime, making analysis extremely laborious and time consuming.
Is there any way I can create symbolic names for the various functions introduced by the JIT compiler…
zetavolt
10 votes, 3 answers
Trying to reverse engineer C code that is 64-bit assembly
This is the code I am looking at
0x0000000000401048 <+70>: mov 0x401ba0(,%rax,4),%eax
This is an array of 15 integers. Just wondering how I can access indices 0 to 15 in gdb
Thanks
user2303586