Most Popular (1500 questions)
8 votes, 1 answer
Reverse engineering the PluginKit MacOS framework
I've been tasked with an assignment requiring a thorough reverse engineering effort on the PluginKit framework in the modern Mac operating system, and I'm looking for information to start from, instead of starting from scratch.
More specifically, I need…
NirIzr (11,765 rep; badges: 1 gold, 37 silver, 87 bronze)
8 votes, 1 answer
How tools like PEiD find out the compiler and its version.
How tools like PEiD and CFF Explorer find out the compiler and its version.
I am analyzing an executable file, which shows: Borland Delphi 3.0
But the section names are .text and .rsrc, which are usually not generated by the Borland Delphi compiler.
I…
Dinesh D (81 rep; badges: 1 silver, 3 bronze)
8 votes, 2 answers
idapython - Get Xrefs to a stack variable
I am trying to write an IDAPython script that returns a list of references to a local stack-frame variable. However, I couldn't find any API that does so.
What I am trying to achieve is code like:
xrefs = get_variable_references('arg_4') that…
Aviv (337 rep; badges: 4 silver, 12 bronze)
8 votes, 2 answers
What compression algorithm is this?
I've reversed the following decompression algorithm from a game. It appears to be some variant of LZ77; however, none of the descriptions of variants seem quite close enough to what I've got. Is this a specific flavor of LZ77, and if not, how would I go…
kirby (83 rep; badges: 4 bronze)
8 votes, 3 answers
Is there any tool to visually see program stack in linux while debugging?
By stack I mean the location where local variables, return addresses, etc. are stored, which is pointed to by esp and ebp.
pizzaEatingGuy (181 rep; badges: 1 silver, 3 bronze)
8 votes, 2 answers
How to document a reverse engineering operation?
Sometimes I have to reverse engineer / disassemble some software/firmware/application. How can I keep track of the findings, the application flow I discovered and, generally, the details I need when I return to work on that project after some time…
Rocco Mancin (178 rep; badges: 2 silver, 8 bronze)
8 votes, 1 answer
radare2 ascii graph to image?
After analysing a function and pressing VV to go into graph mode, is it somehow possible to export/render the whole graph to an image?
I have some huge main functions and it would be nice to have it all in an image.
Paul G. (183 rep; badges: 1 silver, 4 bronze)
8 votes, 2 answers
Automated Static Unpacking Binaries
I am reading the paper Automatic Static Unpacking of Malware Binaries (Kevin Coogan et al.) with the goal of trying to reproduce the given experimental results (with Hybris-C, MyDoom.q, tElock, etc), and studying how it can be expanded for other…
Ta Thanh Dinh (1,410 rep; badges: 8 silver, 12 bronze)
8 votes, 2 answers
basic reversing question about local variable
I do not understand the following:
in a very simple dummy C function:
void vulnerable_function(char* string) {
char buffer[100];
}
When I use gdb to disassemble it, I obtain:
0x08048464 <+0>: push %ebp
0x08048465 <+1>: mov …
David Labay (103 rep; badges: 6 bronze)
8 votes, 1 answer
Using IDA Python Iterate Through All Functions and Their Instructions
I'm new to IDAPython. Basically I want to iterate through all functions in an IDB file and their instructions using an IDAPython script. The final goal is to export the functions and their instructions from IDA Pro in a certain format.
from idautils…
Dev.K. (215 rep; badges: 1 gold, 2 silver, 5 bronze)
8 votes, 1 answer
How can I work out which PCB layer a via goes to, without destroying the board?
I'm trying to reverse engineer some boards that have multiple layers, but can't figure out any way of discovering which layer certain vias go to. Unfortunately I can't destroy the board with corrosives, since it's my only one. How can I find out how…
Polynomial (1,272 rep; badges: 2 gold, 12 silver, 21 bronze)
8 votes, 1 answer
How is IDAPython API structured?
In IDA's documentation, there are references to modules named ida_*, as well as idc, idaapi and idautils. The former modules seem to be the lower-level ones. Almost always it says that IDA Plugin SDK API wrapper: .
I have a few…
sherlock (1,381 rep; badges: 3 gold, 23 silver, 40 bronze)
8 votes, 2 answers
Register Calling Convention: written in stone, or in mud?
When disassembling an old Delphi 3 executable, I find some routines that pass arguments in registers EAX, EDX, and on the stack – but not in ECX!
For those routines, ECX never gets set to a 'reasonable' value. This can be seen inside the code of…
Jongware (2,364 rep; badges: 2 gold, 16 silver, 30 bronze)
8 votes, 1 answer
IDA: View stack frame variables
In IDA, how can you view the stack frame for a local function when IDA does not recognize any locals? Normally this would be done by double clicking on a local, but there is no local to start with. It's also absent from the 'Open Subviews' menu.
Gdogg (191 rep; badges: 1 gold, 1 silver, 6 bronze)
8 votes, 2 answers
What happens when a DLL is added to AppInit_DLL
I have a malware sample that adds a DLL to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. There is malicious functionality in the DLL referenced by the registry key but this malware sample does not load or…
amccormack (1,326 rep; badges: 2 gold, 13 silver, 29 bronze)