Most Popular

1500 questions
8
votes
0 answers

Identifying a USB device for a forensics CTF challenge (with no GET DESCRIPTOR)

I'm currently enjoying a forensics CTF challenge. We were provided a PCAPNG file. When opened in Wireshark, the file contains a sequence of URB_INTERRUPT packets from two devices - but no GET_DESCRIPTOR info that identifies either device. The first…
BronzeOtter
  • 363
  • 1
  • 4
  • 11
8
votes
3 answers

Working with DOS .COM files

What can I do to reverse engineer a DOS .COM file? As far as debugging goes, I've looked at DEBUG and DEBUGX from the creators of FreeDOS, as well as the default DEBUG command that comes with Windows. Sure, I can probably work with them and eventually…
JMcAfreak
  • 862
  • 7
  • 25
8
votes
2 answers

Split variable in Hexrays decompiler?

With Microsoft Visual C++ executables, I often run into decompilations like this: void __cdecl Pbdf::ReadString(char *dst, Pbdf *pbdfOrLength) { Pbdf *pbdf; // esi pbdf = pbdfOrLength; Pbdf::ReadBytes(&pbdfOrLength, 1, pbdfOrLength); …
Ray
  • 1,083
  • 9
  • 25
8
votes
3 answers

How does the ldr instruction work on ARM?

ldr r0, #0x28 What is the ldr instruction? Does it load a string from some offset? How can I find the string/value that is actually loaded?
ldr
  • 89
  • 1
  • 1
  • 2
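As an added worked example (not code from the question or from any answer on the page), the decoder below shows what the disassembler is abbreviating when it prints `ldr r0, #0x28`: in ARM state the operand is PC-relative, the PC reads as the instruction's address + 8, and the word found at that address in the literal pool is what lands in r0, very often a pointer to the string of interest. The code image, its base address 0x10000, the pool entry and the "Hello" string are constructed here for the demonstration; the Thumb variant is included because the PC base is computed differently there.

```python
import struct


def decode_arm_ldr_literal(word, instr_addr):
    """Decode an A32 'LDR Rt, [PC, #+/-imm12]' (offset addressing) and return
    (rt, target_addr). In ARM state the PC operand reads as instr_addr + 8."""
    if (word >> 26) & 0b11 != 0b01 or (word >> 25) & 1:
        raise ValueError("not an LDR/STR immediate-offset instruction")
    p, u, b, w, l = ((word >> s) & 1 for s in (24, 23, 22, 21, 20))
    rn, rt, imm12 = (word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xFFF
    if not (l == 1 and b == 0 and p == 1 and w == 0 and rn == 15):
        raise ValueError("not a PC-relative word LDR")
    pc = instr_addr + 8
    return rt, (pc + imm12 if u else pc - imm12)


def decode_thumb_ldr_literal(halfword, instr_addr):
    """Decode a 16-bit Thumb T1 'LDR Rt, [PC, #imm8*4]'. Here the PC base is
    Align(instr_addr + 4, 4), not instr_addr + 8 as in ARM state."""
    if halfword >> 11 != 0b01001:
        raise ValueError("not a Thumb LDR (literal)")
    rt, imm8 = (halfword >> 8) & 0x7, halfword & 0xFF
    return rt, ((instr_addr + 4) & ~3) + imm8 * 4


def read_u32(image, image_base, addr):
    off = addr - image_base
    if not 0 <= off <= len(image) - 4:
        raise ValueError(f"address {addr:#x} outside the image")
    return struct.unpack_from("<I", image, off)[0]


def read_cstring(image, image_base, addr):
    off = addr - image_base
    if not 0 <= off < len(image):
        raise ValueError(f"address {addr:#x} outside the image")
    end = image.find(b"\x00", off)
    return bytes(image[off:end if end != -1 else len(image)])


def resolve_ldr(image, image_base, word, instr_addr):
    """Follow 'ldr rN, [pc, #off]' to its literal pool word and, if that word
    points back into the image, on to the C string it references."""
    rt, pool_addr = decode_arm_ldr_literal(word, instr_addr)
    value = read_u32(image, image_base, pool_addr)
    string = None
    if image_base <= value < image_base + len(image):
        string = read_cstring(image, image_base, value)
    return {"rt": rt, "pool_addr": pool_addr, "value": value, "string": string}


# Constructed image (assumption, not from the question): base 0x10000,
# 'ldr r0, [pc, #0x28]' at 0x10000, literal pool entry at 0x10000+8+0x28 =
# 0x10030 holding a pointer to the string "Hello" placed at 0x10040.
IMAGE_BASE = 0x10000
IMAGE = bytearray(0x50)
struct.pack_into("<I", IMAGE, 0x00, 0xE59F0028)  # ldr r0, [pc, #0x28]
struct.pack_into("<I", IMAGE, 0x30, 0x10040)     # literal pool word
IMAGE[0x40:0x46] = b"Hello\x00"

if __name__ == "__main__":
    print(resolve_ldr(IMAGE, IMAGE_BASE, 0xE59F0028, 0x10000))
```

In a disassembler the same lookup is what turns `ldr r0, [pc, #0x28]` into `ldr r0, =aHello`: jump to the pool address, take the word there as a pointer, and the string lives at that pointer. The U bit (bit 23) is honoured, so negative offsets back into an earlier pool decode correctly too.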
8
votes
3 answers

Reverse Engineering 8051 firmware

I am looking to reverse engineer an 8051 firmware binary file and am not certain where to start. The firmware is for the Real RTL8188EE wireless card. It is located here: https://github.com/lwfinger/rtlwifi_new/tree/master/firmware/rtlwifi I know…
Farhan Yusufzai
  • 271
  • 2
  • 5
8
votes
1 answer

Upgrading IDA Free 5 Database to IDA 7 Freeware

With the release of IDA 7.0 Freeware, I've been wanting to open some of my academic projects I've been doing with IDA 5 in the new version. However, the database format has changed. I have a set of .idb files which will not be opened by IDA 7. What…
Kupiakos
  • 181
  • 5
8
votes
1 answer

Radare2: inspecting renamed variables

I'm practicing with Radare2, latest commit. radare2 2.3.0-git 16814 @ linux-x86-64 git.2.2.0-5-g61a903315 During my sessions, I need to rename local variables to a more understandable name, e.g. var int local_110h @ rbp-0x110 :> afvn local_110h…
Kartone
  • 439
  • 4
  • 14
8
votes
5 answers

Is it possible to hide the details of which compiler was used?

The compiler adds system information to the output/object file that is created on compilation. Is there any compiler option that can prevent this information from being added? Can the compiler signature be completely removed so as to make…
asheeshr
  • 2,465
  • 8
  • 28
  • 41
8
votes
3 answers

Batch disassembling DLL and EXE files?

In %SYSTEMROOT%, there are about 2000 DLL and EXE files. I am looking into reverse engineering some of them which are dependencies of other applications. However, what I would preferably want is disassembling all of them and get the assembly files…
bytecode77
  • 203
  • 3
  • 6
8
votes
4 answers

How to check if an ELF file is UPX packed?

I have an ELF file and want to know if it is UPX packed. How can I detect UPX compression in GNU/Linux?
qbi
  • 527
  • 1
  • 4
  • 16
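One way to answer this offline, as an added example rather than code from the question or its answers: parse the ELF header, look for the stock UPX markers (`UPX!` and the `$Info:` banner), and also record the structural fingerprint UPX leaves behind, namely no section header table and only a couple of program headers. The three sample files are constructed here as bare ELF64 headers with filler bytes; they are not real binaries.

```python
import struct

UPX_MAGIC = b"UPX!"
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"

_HDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")


def parse_elf_header(data):
    """Return the ELF32/ELF64 header fields (either endianness) as a dict."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("bad EI_DATA")
    if ei_class == 2:
        fmt, size = end + "HHIQQQIHHHHHH", 64
    elif ei_class == 1:
        fmt, size = end + "HHIIIIIHHHHHH", 52
    else:
        raise ValueError("bad EI_CLASS")
    if len(data) < size:
        raise ValueError("truncated ELF header")
    return dict(zip(_HDR_FIELDS, struct.unpack_from(fmt, data, 16)))


def upx_indicators(data):
    hdr = parse_elf_header(data)
    return {
        "upx_magic": UPX_MAGIC in data,
        "upx_banner": UPX_BANNER in data,
        "no_section_headers": hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0,
        "few_program_headers": hdr["e_phnum"] <= 3,
    }


def classify_elf(data):
    """'upx' when stock markers are present; 'suspicious' when only the
    structural fingerprint matches (UPX with its markers patched out, or a
    section-stripped binary); 'clean' otherwise."""
    ind = upx_indicators(data)
    if ind["upx_magic"] or ind["upx_banner"]:
        return "upx", ind
    if ind["no_section_headers"] and ind["few_program_headers"]:
        return "suspicious", ind
    return "clean", ind


def _elf64_header(e_phnum, e_shnum):
    """Build a minimal little-endian x86-64 ELF header (constructed sample)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    e_shoff = 0 if e_shnum == 0 else 0x1000
    e_shstrndx = 0 if e_shnum == 0 else e_shnum - 1
    return e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64,
                                 e_shoff, 0, 64, 56, e_phnum, 64, e_shnum,
                                 e_shstrndx)


# Constructed samples, not real files: a UPX-style layout (no section
# headers, two program headers, markers present), a normal binary, and a
# section-stripped binary that carries no UPX markers at all.
PACKED_SAMPLE = (_elf64_header(2, 0) + b"\x00" * 112 + UPX_MAGIC
                 + b"\x00" * 28 + UPX_BANNER + b"\x00" * 40 + UPX_MAGIC)
CLEAN_SAMPLE = _elf64_header(9, 30) + b"\x00" * 256
SSTRIPPED_SAMPLE = _elf64_header(2, 0) + b"\x00" * 256

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE),
                       ("sstripped", SSTRIPPED_SAMPLE)):
        print(name, classify_elf(blob))
```

With the real tool, `upx -l file` lists the compression info and `upx -t file` tests the packed file; both refuse a binary whose `UPX!` markers have been patched out, which is exactly why the structural indicators are worth keeping. A file with no section header table and only two or three program headers is either packed or was run through a section-stripper such as sstrip, and the "suspicious" verdict is deliberately kept separate from "upx" to reflect that ambiguity; high byte entropy in the loadable segments is the other usual hint that something is compressed rather than merely stripped.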
8
votes
2 answers

Are there any project based books that teach reverse engineering?

I want to learn to reverse engineer hardware/firmware as well as software (eventually, I want to focus on hardware/firmware now). I have some experience programming STM32 microcontrollers as well as a decent understanding of C. I understand verilog…
8
votes
1 answer

Detecting hardware breakpoints

Since software breakpoints, unlike hardware breakpoints, do change the code, it's relatively easy to write a program that performs a checksum on itself as an anti-debugger technique. Is it possible to do something similar with hardware breakpoints?
Trey
  • 417
  • 3
  • 7
  • 20
8
votes
2 answers

Getting the current process in Windows

While reading Practical Reverse Engineering by Bruce Dang, I came across the following. Am I correct in my assumption that the procedures return a pointer to the current thread and current process respectively? In PsCurrentProcess, the offset into…
Aswin P J
  • 183
  • 5
8
votes
1 answer

Where ES/GS/FS are pointing to?

As far as I know those segments are extra or general. But at which part of program memory are they actually pointing? If I understand it correctly, DS is pointing at the entry point of the dump, SS stands for Stack, what is happening with those leftovers from…
erexo
  • 263
  • 3
  • 8
8
votes
1 answer

How to investigate Windows 32/64bit (WOW64) transition

There is surprisingly little information about Windows WOW64 mechanism. I'm trying to investigate it. So when we have system call in 32-land, it calls an address that is stored in FS, which leads us to a weird jmp with 033: prefix. If I understand…
Shmuel Fomberg
  • 263
  • 2
  • 8