7 votes, 2 answers
Any way to fix misinterpreted case jump tables in Ida Pro?
I'm disassembling a function that seems to use a switch statement, resulting in an indexed indirect jump, in two different places (same function!):
0005FA58 mov al, [eax+112h]
0005FA5E cmp al, 4
0005FA60 …
Guntram Blohm
- 12,950
- 2
- 22
- 32
7 votes, 4 answers
System for reverse engineering RF signals
Lately I've been experimenting with software-defined radio (SDR) and have come up with some heuristics by which I can visually identify certain kinds of signals by looking at their representation on a waterfall diagram. Certain obvious…
Edward
- 2,521
- 18
- 25
7 votes, 3 answers
No dynamic symbol table but resolution of method from shared libraries is working
I want to find out how I can identify calls to shared libraries in GDB only. On a stripped binary, I cannot find the dynamic symbol table:
$> objdump -tT crackme-01
crackme-01: file format elf32-i386
objdump: crackme-01: not a dynamic…
Kartoch
- 173
- 1
- 5
7 votes, 2 answers
\??\C:\ Question Marks in Paths
I often come across paths similar to \??\C:\Windows when looking in memory. I have been unable to understand why the double '?' is appended to some paths. My google-fu is failing me with the ability to find a reason for the double '?'. Any…
user4089
- 73
- 1
- 4
7 votes, 1 answer
understanding the stack
I have disassembled an x86 application using IDA; it generates the following code:
.text:1084FF10 push ebp
.text:1084FF11 mov ebp, esp
.text:1084FF13 and esp, 0FFFFFFF8h
.text:1084FF16 …
upton
- 226
- 1
- 9
7 votes, 1 answer
How to get IDA Pro Free to automatically change segment on retf?
I have been unable to get IDA Pro to do a simple disassembly of a flat 16-bit binary (bootloader) file. I'm just getting started, and it seems to be harder than it should be.
There's a simple set of instructions that do
seg000:7C5D …
Milind R
- 203
- 1
- 8
7 votes, 2 answers
Retrieving encryption/encoding logic from dll
I am trying to retrieve the decrypting/decoding logic from a program. Unfortunately I have virtually no experience in reverse engineering.
I am building an alternative controller application for a multimedia device.
The original controller is…
leepfrog
- 171
- 1
- 3
7 votes, 2 answers
Extracting dynamically constructed strings in IDA
Sometimes strings are dynamically constructed in programs due to compiler optimization or simply to hide the strings (e.g. in malware). For example:
When displaying the bytes as chars we can see the string 'INVALID FILE SIZE'.
Does anyone know a…
ekse
- 2,208
- 13
- 19
7 votes, 4 answers
Is there any tool to quantitatively evaluate the difference of binary?
I know some binary diff tools like VBinDiff and others.
Currently I have a large number of binaries, around 500.
So I am looking for a binary tool to quantitatively evaluate the difference of binaries.
Like evaluate the difference of binary 10 and…
lllllllllllll
- 2,485
- 2
- 32
- 50
7 votes, 2 answers
Can a Windows process check if it has been injected by another process?
There are many tutorials which show how to detect code injected into process memory. However, this generally requires using a debugger.
Is it possible for a process to somehow detect if it has been injected by another process using winapi? If so,…
Benny
- 828
- 7
- 18
7 votes, 2 answers
How much Cryptography knowledge is important for reverse engineering?
Is understanding of Cryptography really important for a reverse engineer?
Thanks.
Pranit Kothari
- 927
- 1
- 10
- 13
7 votes, 1 answer
Why IDA Pro generated a "j_printf" function call?
Test platform is Windows 32-bit, IDA Pro 64.
So, basically I use IDA pro to disassemble a PE file, and do some transformation work on the asm code I get, to make it re-assemblable.
In the transformed code I generated, the system function call like…
lllllllllllll
- 2,485
- 2
- 32
- 50
7 votes, 2 answers
Decompiling Modem Firmware (firmware.bin) with unknown results on binwalk
I'm just new to this field, so bear with me.
This is the result when I run binwalk.
When I try to extract it using binwalk, it just gives endless archives and files to analyse.
Any ideas if it is a false positive?
I just want to access one web…
Thomson Bobby
- 71
- 1
- 1
- 2
7 votes, 1 answer
Can I evaluate operand values of an instruction currently at breakpoint (while debugging) in IDA using IDAPython?
Let's say I have lots of breakpoints at some push instructions.
I am trying to dereference the operand (if address) - get the actual relevant value for each one in a script, handling immediate, base + index, register, etc. Can I do this in any other…
algotroll
- 71
- 1
7 votes, 1 answer
Modules that exist in a process address space
Using Volatility to inspect a services.exe process in a memory dump, I built a list of DLLs that are loaded in the process space. (The modules are from the InLoadOrder module list.)
This is just an excerpt (full list:…
user3365
- 197
- 7