Most Popular

1500 questions
9 votes, 2 answers

Why do `ldd` and `(gdb) info sharedlibrary` show a different library base address?

I see three different outputs for where libc should be loaded. ldd shows the loading address of libc at 0xf7e9e000 $ ldd ~/my_tool linux-gate.so.1 => (0xf7ffe000) libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7e9e000) …
samuirai
9 votes, 1 answer

Red Alert 2 Windows 8 DirectDraw compatibility

The game Red Alert 2 runs on Windows 8, but as soon as I inject a DLL (via ddraw.dll or an extra DLL) it stops drawing buttons on the main menu. With the DLL it still works fine in windowed mode and it still works fine on Windows 7. The DLL is…
XTF
9 votes, 1 answer

How to find the location of the vtable?

Actually, I am trying to learn a little about vtable overflows. So, my learning documents state the following: The main point to realize is that whenever we declare a C++ class with virtual methods, the pool of memory where it exists (the…
Dirk
9 votes, 1 answer

Understanding segment prefixes in assembly for Linux

In looking at some assembly, I have come across a few instructions using segment prefixes. For example: .... mov eax,DWORD PTR gs:0x20 I understand the basics of memory segments, but how could I get the 'absolute' memory address…
HenryC
9 votes, 2 answers

Setting up a USB Emulation and Fuzzing Platform?

I would like to analyze (and fuzz) a USB device and I need a bit of guidance to set up a full platform to communicate with the device. First, I would like to know what the most used hardware cards are to emulate and perform fuzzing on USB devices. I've…
perror
9 votes, 2 answers

Where is ntdll.dll?

I am trying to get the base address of ntdll.dll over the PEB. So, what I did was to dump the PEB (d fs:[30]). Then, I tried to get to PEB_LDR_DATA over the offset 0xC. Over the offset 0x1C of PEB_LDR_DATA I found the pointer of…
Dirk
9 votes, 3 answers

Guessing CRC checksum algorithm

I am trying to reverse engineer a 16-bit checksum algorithm of one relatively old (10 years) LAN game that is no longer supported nor has source code available. As it seems, data packets don't have a standard structure when it comes to placing…
astralmaster
9 votes, 1 answer

How to find main() in binary?

Given a binary and only using a tool like ndisasm, how can I find main()? I don't want to use smart tools like IDA Pro because I'm doing this exercise to learn.
drum
9 votes, 2 answers

Importing list of functions and addresses into WinDbg

When I have a kernel module without symbols, I'd typically first open it in IDA and give names to some of the subroutines (those I'm interested in). Since I prefer my kernel debugging with plain WinDbg (and not the IDA-integrated WinDbg), I'd like…
Ilya
9 votes, 3 answers

Did somebody start to reverse engineer the proprietary Linux Brother Cups drivers?

I'm not very experienced with graphic or printer formats. My first (and only try yet) was to print a Tux.png with 265 x 314 pixels via the Chromium browser and see what Wireshark shows as USB transfer. It turns out that the image became a 1.540.598…
Sven
9 votes, 3 answers

Get jar back from wrapped (into exe) jar

Is there any way to get a jar file from a jar wrapped using an exe wrapper? I have an exe file and I know that it was wrapped using an exe wrapper (launch4j to be precise). How do I unwrap this jar to get back the jar? I have seen that I can unwrap it…
meain
9 votes, 1 answer

How to convert this one-liner asm to C

I want to convert this to C: SHR CL,1. rECX is the name of the (32-bit unsigned int) register variable. It should be simple, but I can't figure out the proper pointer magic :/
user3590
9 votes, 3 answers

Reversing Apple Airport Express firmware updates

Apple provides firmware updates for their Airport products through 'Airport Utility'. Firmware files can be downloaded with the help of ~/Library/Application\ Support/Apple/AirPort/Firmware/version.xml which contains all products and their available…
kaazoo
9 votes, 1 answer

How can I find the Thread Local Storage (TLS) of a Windows Process Thread?

The Thread Local Storage (TLS) contains static or global values for a thread. Those values can be very important to find reliable references to memory structures when the memory locations are not static. I would like to get the Thread Local Storage…
samuirai
9 votes, 1 answer

Loading Windows executable - unexpected data appended at the beginning of sections after loading in memory

A few days after asking the question I realised I misinterpreted my original findings. It seems the .rdata section on file is copied directly to memory, but then the first 36 bytes are overwritten by the loader with the IAT RVA. The erroneous question about the added 96…
ruby_object