8 votes, 1 answer

GAS/x86 disassembled a bare gs register as an instruction, is it a bug?

I encountered a strange x86-32 instruction (opcode 0x65) decoded by objdump as gs (not %gs but gs). I found it while doing a full linear sweep of a binary (objdump -D), so the decoding was surely incorrect. But, still, objdump didn't decode it as a (bad)…
perror
8 votes, 1 answer

Parsing IDA Pro .asm files

Does anyone know of projects that parse the disassembly from IDA Pro using a lexer and/or parser generator library? But I would also totally be fine with JSON or XML format. So far, I have been able to produce HTML from the GUI, but I am looking for…
turnersr
8 votes, 2 answers

Structure Definitions for PEB in IDA

When reversing shellcode, we see the PEB walk fairly often at various stages. I am curious however, if there is any pre-defined standard structure for this in IDA? If so, what is it called? After looking and googling around I haven't been able to…
Elias51
8 votes, 2 answers

Trace assisted code identification?

I'm working on an RE project and had an idea for a tool that would help me greatly and wanted to see if it already exists. I'd like to find a specific part of code in the binary. Searching for strings, etc., is not helping much. So, I had the thought,…
mikeazo
8 votes, 1 answer

Unpack Billion 5102 firmware

I'm trying to unpack this firmware image but I'm getting some issues understanding the structure. First of all I have one image which I called firmware.bin, and the file command shows me that it's a LIF file: firmware.bin: lif file After that I…
Nucklear
8 votes, 3 answers

How to force the loading of a DLL in Windows XP at a particular address

I need to run a debugger on an application and analyze its startup, however the main DLL gets loaded at different addresses every time, which makes my job much harder. How can I disable ASLR completely, or at least force one DLL to be loaded at a…
f428329
8 votes, 1 answer

What are general guidelines for reversing COM objects

I'm interested in reverse engineering COM objects. How can I find the interfaces that a particular object implements if I know what interface it is? Please tell me if I need to change or rephrase the question.
PhoeniX
8 votes, 1 answer

Reversing Patches (Binary Diffing)

Do any of you know of a recent tool to bindiff using ImmunityDebugger? I know about BinDiff by Zynamics and PatchDiff for IDA. But I really want a tool like this in ImmDBG. I also know about Radare's bindiffer and the feature in mona.py (but this…
Stolas
8 votes, 2 answers

IDA Pro List of Functions with Instruction

I have a DLL with a large number of functions in IDA Pro. I would like to make a script that can scan the instructions within each of the functions looking for a specific instruction. For my specific case right now, I am looking for functions that…
WMIF
8 votes, 1 answer

Where and how is variable entanglement obfuscation used?

I don't know the exact name of this obfuscation, so I call it variable entanglement for now. I already saw this principle in a few binaries but I never found a complete description of what was possible and what was not. The idea is to confuse the…
perror
8 votes, 3 answers

Where can I get reliable tools for RE?

I am looking for a reliable source to download RE tools such as LordPE, ImpREC and PEiD, but it seems all the links in Google are not safe. Where can I buy or download them from a reliable, non-malwared source? Can I trust http://www.woodmann.com/ ?
0x90
8 votes, 2 answers

IDA Pro: How to export data to C style array?

While disassembling a malware binary, I came across several arrays of shorts. The size of each array is 1024 members. I would like to export them to C style arrays, as: short array1[1024] = { 2, 5, 8, ... , 4}; /* This is just an example */ I…
PSS
8 votes, 1 answer

Set up an IDA (python) callback when an instruction is selected

I am using the IDA python features, and I am trying to set up a callback. When a user selects an instruction in the hex or graph view, I want my callback to be triggered. I have browsed the docs, but I could not find anything to accomplish it. Does…
b3nj1
8 votes, 1 answer

How do you optimise ASTs or convert them to a real language

I have been interested in automatic vulnerability assessment and decompilation of code for a while now. And as a result I have been building parsers in Python that read a bin, disassemble it instruction by instruction while tracing the execution…
Stolas
8 votes, 2 answers

NOP instruction

I have recently learned that the nop instruction is actually xchg eax, eax... what it does is basically exchange eax with itself. As far as the CPU goes, does the exchange actually happen?
Cream Cracker