Most Popular
1500 questions
8
votes
4 answers
Modify code with ILSpy
I want to modify an exe a little bit.
With ILSpy I see all the code that I need but I don't know how to modify the code.
I tried "save code" on ILSpy that exports a .cs file, but when I open the .cs file in Visual Studio and change the code I can't…
sivlab
8
votes
2 answers
IL for decompiler to human-readable format
After writing my own disassembler, I am now looking to make its assembly listing more human readable, e.g. from an (artificial) example
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword ptr [55431824h]
imul eax, dword ptr…
Jongware
8
votes
1 answer
Reverse Engineering of a packet encryption function of a game
I am trying to make a game server emulator for a specific MMORPG (Perfect World). I know the basics of how the network of the game works and the structure for some packets, but they all are encrypted, except for the username in the login packet.
I…
Renan Moura
8
votes
1 answer
How was the Zero Flag implemented on Z80 ALU?
Z80 was a popular 8-bit processor with a 4-bit ALU.
Implementing a zero flag for a register should be straightforward; it would be a logical NOR of all the bits on the register.
Something like that would work for a small number of inputs. As for…
GabrielOshiro
8
votes
1 answer
How to map a variable to multiple names in Hex-Rays decompiler
Compilers often optimize variable usage, so multiple variables in the source code can be mapped to the same register (or stack variable) in the resulting assembly.
I know that registers can be renamed within start and end addresses in the…
mbrt
8
votes
3 answers
Writeup of reverse engineering VM based obfuscation
I've seen quite a few crackmes on reverse engineering VMs. I've also come across "Unpacking Virtualization Obfuscators". Are there any other writeups that you could point me to that discuss the RE'ing of a VM based obfuscation from scratch?
Also,…
user1743
8
votes
3 answers
Reverse Engineering Quebec Canada PDF417 restaurant bills
Let me explain what I'm trying to do, and then where I am at...
As you can see in this image:
There is a PDF417 at the end containing a string that, at my best guess, is some base64 string.
Here it is…
user66792
8
votes
1 answer
Why are those instructions generated?
After disassembling a program, I see the following asm code generated:
.text:004D5911 mov [ebp+var_4], ecx
.text:004D5914 mov ecx, [ebp+var_4]
.text:004D5917 test ecx, ecx
.text:004D5919 jnz short loc_4D591F
I don't get why…
Eric
8
votes
2 answers
Hopper on Linux -- how to use GDBserver
I'm looking for a good front-end to GDB and it looks like Hopper is a good alternative. Unfortunately, I wasted several hours but still couldn't make it work with gdbserver. Here are the steps I'm following:
Note that I actually need to attach the…
sinan
8
votes
2 answers
Hooking Java APIs
In native code on Windows, functions can be hooked by replacing their prologue with a JMP instruction.
Is there a way to do something similar with an application written in Java? In the end I want to record all data sent to/from a…
Avery3R
8
votes
1 answer
Why are values passed through useless copies?
So, say that I have the following code, which gives three examples of what I believe to be unnecessary copies of values.
mov QWORD PTR [rbp-0x18],rdi
mov rdx,QWORD PTR [rbp-0x18]
lea rax,[rbp-0x10]
mov rsi,rdx
mov rdi,rax
call …
David
8
votes
1 answer
Reversing .Net CLR exceptions handlers chain
I am investigating .NET Framework JITter compilation results and I want to programmatically get the exception handlers chain. Maybe somebody can help me with this investigation?
To make the task easier, I debug the following code:
class Program
{
static…
Alexus
8
votes
1 answer
Why two virtual destructors?
The beginning of the virtual function table (VFT, also virtual method table, VMT) disassembled by IDA goes as:
_ZTV13QSystemLocale DCD 0, _ZTI13QSystemLocale, _ZN13QSystemLocaleD2Ev+1, _ZN13QSystemLocaleD0Ev+1
and c++filt decodes it as
vtable for…
18446744073709551615
8
votes
2 answers
How to deal with Static Memory Allocation while modifying an executable?
I'm not new to StackExchange, but I'm quite new to reverse engineering, so please be patient with me! :P
At present I'm dealing with an executable that I would like to modify a little bit, for personal use; the source code of the application is not…
Zarathos
8
votes
1 answer
Understanding __PAIR__ macro from IDA PRO Pseudo Decompiler to look better
When I decompile using IDA PRO I get code which could look like both of these
Understanding the __PAIR__ macro.
Macro itself.
// The following definition is not quite correct because it always returns
// uint64. The above C++ functions are good,…
user3435580