Most Popular

1500 questions
7 votes, 1 answer

How to compile Hex-Rays decompiler generated code?

I need help to compile Pseudo-C code generated with IDA Pro and the Hex-Rays decompiler plugin. It shows an error on this line: int (__thiscall *off_401F14)(void *, char); // weak Error: error C2143: syntax error : missing ')' before '*' I don't…
user1898
7 votes, 2 answers

Understanding branch delay slots for reversing MIPS

I am statically reversing some software compiled for an Atheros AR7161 using radare2. This processor implements MIPS, and I do recall that MIPS has a branch delay slot. This is indeed noticeable in the disassembly because I can see instructions that…
user25972
7 votes, 1 answer

WHY and WHEN do we need SEH for buffer overflowing

In our course at university, we recently moved on from standard buffer overflows to SEH-based ones. My exploit is already ready and working thanks to some nice tutorials, although I am still not sure I completely understand when and why we need the…
SuperSpitter
7 votes, 2 answers

Why do obfuscators remove line numbers, and can I safely leave them in?

Application security engineer here. When we compile our Java code, we obfuscate it using KlassMaster and have it remove line numbers (see the KlassMaster docs) because of the handwavy explanation that "it makes reverse engineering harder". I'd like to…
7 votes, 2 answers

Why is it "safe" to write to ModuleBase.exe+0x100, and possibly other header offsets after PE is mapped to memory?

Typically when I write a game-hacking executable after reversing a game, I go about code-caving to find where I can inject my code as need be. Well, while reversing a few such executables from someone else, I've noticed they choose to always inject…
dsasmblr
7 votes, 3 answers

Debugging NewExecutable binaries

I'm trying to debug a 16-bit Windows executable (format: New Executable). The problem is that all the standard tools (W32DASM, IDA, Olly) don't seem to support 16-bit debugging. Can you suggest any win16-debuggers?
heinrich5991
7 votes, 4 answers

Can AI be used to write better decompilers/disassemblers?

In the past, for years, I used some disassembler and tried some decompiler; nowadays there's so much talk about deep learning and AI that I wonder if some of it can be used for those tasks (given some human training) and if there's some tool using…
Alex
7 votes, 2 answers

How can I access an internal DLL function or piece of data externally?

I'm writing in C++ and doing an exercise to familiarize myself with DLLs and shared objects (.so). How can I access internals without exporting them? GetProcAddress returns null on a call of an unexported function. I wrote the DLL so I know all of…
theTheodidact
7 votes, 1 answer

What is the info displayed by radare2's afl?

I can't figure out what afl actually outputs. The docs are surprisingly uninformative. So, I've got an address in the first column and a symbol in the last. What is in the 2nd, 3rd and 4th columns? Example: :> afl 0x08048000 29 988 -> 937 …
rgcalsaverini
7 votes, 1 answer

Determine if an ELF file is signed or not

I need some help determining whether an ELF file is signed, or has a valid signature, or not. I have used the readelf tool with the -S option in order to view the section headers and, more specifically, the sig section header. This is the result I got: [30]…
7 votes, 1 answer

Shellcode challenge - shellcode works in test program, segfaults in actual binary

Currently working through an introductory shellcoding challenge, and having trouble getting the shellcode to work consistently. I'm working on a 32-bit Linux binary. I found this shellcode: http://shell-storm.org/shellcode/files/shellcode-827.php xor…
BronzeOtter
7 votes, 3 answers

Can't access process memory when dumping

I'm trying to analyse a piece of malware, and after finding the OEP I'm having trouble dumping the process. Using LordPE (and IDA) I get an error saying "Couldn't grab process memory". I searched for this and resolved it by using the intellidump…
James
7 votes, 3 answers

What exactly is binary disassembly and what does it produce?

The first time I heard about binary disassembly I thought that it is something that can be called a perfect decompilation tool to assembly code, and I still don't understand why it is not. I thought that assembly opcodes can be translated directly…
Daro
7 votes, 2 answers

Best Way to Identify Statically Linked Functions in Firmware

I have a piece of firmware that I pulled off an NXP LPC17XX series chip. Through reviewing the processor manual, I was able to identify the entry point of the code and disassemble the code without any issue in IDA Pro. After a short bit of reversing…
7 votes, 2 answers

Radare2 Find command line arguments and location in stack

This might have a simple solution but I can't find it anywhere. $> ./be1 11 AAAAA With gdb, finding argv[] and argc is simple: (gdb) print argv[0]@argc $7 = {0xbffff872 "be1", 0xbffff89a "11", 0xbffff89d "AAAAA"} But, how can we do this with…
Corey