Most Popular

1500 questions
8 votes, 1 answer

How should I go about investigating an IC's functionality without destroying it?

I found a 14-pin integrated circuit with no visible markings. I have no information about its functioning. How should I go about trying to explore its functionality without destroying it? I have a lot of analog components such as resistors,…
asheeshr
  • 2,465
  • 8
  • 28
  • 41
8 votes, 3 answers

windows kernel debugging on Mac host (using VMware fusion)

On a Windows host we can use WinDBG and serial port communication to connect to the Windows kernel, and the easiest way is using VirtualKD. Now the question is: is there any possibility of doing the same thing (a VirtualKD/WinDBG alternative) using a…
n00b
  • 581
  • 5
  • 5
8 votes, 2 answers

Reassembling ELF binary files

I have been doing a number of CTF activities when I came across something I’m unfamiliar with. As I am somewhat new to exploitation and reverse engineering, this was unfamiliar to me. I have 7 pieces of an ELF binary file. I’ve been using readelf to…
8 votes, 2 answers

Tracking What Is Done With a Function's Return Value

I wrote a simple IDA plugin that, after a function call, looks for mov MEM_LOCATION eax and adds a name for the memory where the return value is stored. I limit my search to only a few instructions after the function call and bail out if I see…
user2142
  • 1,537
  • 2
  • 14
  • 17
8 votes, 2 answers

Do I need to have IDA Pro to use the BinDiff tool?

I'm trying to learn how to use the BinDiff tool, but I can't figure out how to open two binaries to do the comparison. While skimming through their manual, it seems like I need to have IDA Pro for that. Can I use BinDiff without IDA Pro (say, with just…
c00000fd
  • 1,659
  • 3
  • 25
  • 41
8 votes, 1 answer

How does services.exe trigger the start of a service?

I'm trying to work out the internals of how a Windows process starts and maintains communication with services.exe. This is on Windows 8 x64, but if you have tips for Windows 7 that is fine too. So far I have figured out that services.exe does something…
chentiangemalc
  • 1,235
  • 8
  • 16
8 votes, 2 answers

How can I make IDA see a string reference?

IDA has disassembled the following code:

seg019:C0292548 loc_C0292548 ; CODE XREF: sub_C0292414+11Cj
seg019:C0292548 02 00 54 E3 CMP R4, #2
seg019:C029254C 0F 00 00 1A BNE …
Brendan Dolan-Gavitt
  • 2,888
  • 2
  • 19
  • 37
8 votes, 1 answer

What is the integrity check used?

I have the following numbers. It is a 14-digit identification number. The first 13 digits (counting from the left) are the number itself; the 14th (the least significant) digit is an integrity check code. I tried many combinations but failed to get the…
Yousf
  • 189
  • 3
8 votes, 1 answer

How do I make a hex literal a decimal literal in Ghidra?

There are a few places where the decompiler displays a number as a hex literal when it's much clearer as a decimal literal. How do I change this?
0x777C
  • 183
  • 1
  • 7
8 votes, 1 answer

Ghidra rename variable below current line

I have been starting to use Ghidra and I find the decompiler view very useful. However, when I rename a variable, the name propagates through all uses of that register or stack pointer throughout the function. In most cases this is good, however…
genghiskhan
  • 378
  • 2
  • 10
8 votes, 3 answers

Buffer overflow exploits - why is the shellcode put before the return address?

The code I'm referring to is found here: Link to code I read that the buffer overflow exploit uses a buffer that looks something like this: | NOP SLED | SHELLCODE | REPEATED RETURN ADDRESS | From what I understand the exploit happens when the…
matanc1
  • 181
  • 1
  • 3
8 votes, 1 answer

Detecting protected processes and critical processes from windows driver

I've got a driver that tampers with user-space processes by sending APC calls upon process start, using the call PsSetCreateProcessNotifyRoutine. I wish to avoid tampering with any process that is critical for OS stability, since my APC also eventually…
Irad K
  • 205
  • 1
  • 4
8 votes, 1 answer

Canonical method to circumvent the ZwSetInformationThread antidebugging technique

I'm sure many of you are familiar with this classic antidebug trick accomplished by calling ZwSetInformationThread with ThreadInformationClass set to 0x11. Although many OllyDbg modules exist for the purposes of revealing the existence of threads…
zetavolt
  • 1,213
  • 11
  • 12
8 votes, 1 answer

Identifying a toner chip and its communication protocol to re-program it

I need help identifying a chip and how to reset it from a new Brother toner cartridge, TN227 and TN223. This comes from the new Brother HL-L3230CDW laser printer. There is currently no information on how to reverse engineer these chips to reset…
benjinne
  • 81
  • 1
  • 5
8 votes, 1 answer

How to view the instruction pipeline?

Instruction pipelining is used to execute instructions in a parallel fashion by dividing them into several steps. When I pause the execution in a debugger I am only able to see the location of the eip register but not the current pipeline state. Is…
viv
  • 784
  • 1
  • 4
  • 17