6 votes, 2 answers

Determining CRC algorithm (16 bit?) over RS-232

I give up... I've tried for two years to determine which CRC algorithm is being used over an RS-232 serial connection between two pieces of equipment. The equipment dates from about 2002. I'm only assuming that it's CRC protected but I might be…
6 votes, 1 answer

Segmentation on x86 for stack canaries

I just compiled some C code that reads in input using gets and disassembled the code. The platform is Ubuntu 32-bit. There are these 3 lines that check if the canary value has been tampered with. 0x08048455 <+33>: mov edx,DWORD PTR…
user1743
6 votes, 2 answers

When was the MOVABS instruction introduced?

When trying to write an instruction set analysis tool for disassembled code (https://superuser.com/a/832440/384221) I have found opcode MOVABS which was not included in my opcode source database (Shirk's gas.vim file) and I am not sure in which…
Kyselejsyreček
6 votes, 2 answers

(linux) How to debug a "debugger"?

I'm trying to understand a program. This program implements an antidebug technique. From what I've understood so far, the father ptraces a forked process. And the child does something like that: some code Int 3 some code Int 3 some code Int 3 and so…
Reverse
6 votes, 2 answers

Decompiling .NET marshaled code

There's a .NET malware sample I'm trying to analyze, which goes more or less like this: internal static class Class1 { public static byte[] Code = new byte[] { 9, 249, 131, 225, ..., } private…
6 votes, 1 answer

Idapython - undefining an instruction

I have instructions defined from address+1 onward and a byte at address. I'd like to undefine the instructions from address+1 onward and redefine them from address using MakeCode or something similar. So far I have not found any functions to…
user1743
6 votes, 1 answer

Handling INT 2D anti-debugger technique in IDA Pro

I'm analyzing a PE file using IDA Pro that uses the int 2Dh technique as anti-debugging: CODE:00455050 push ebp CODE:00455051 mov ebp, esp CODE:00455053 push ecx CODE:00455054 push ebx CODE:00455055 push esi CODE:00455056 push …
Ariyan
6 votes, 1 answer

Can I send gdb command from IDA Debugger to gdbserver?

I want to send gdb commands (like "backtrace", "b *0xAAAAAAA", "i b", ...) from the IDA debugger to gdbserver over gdb remote debugging and receive the result and print it to the output view of IDA. Can I do it? Has anyone tried it before? I found that…
user3746442
6 votes, 1 answer

Get section's names and headers for a file using C++

I'm implementing software for performing some PE classification. Among the feature values I'm gathering from each PE are the number of sections, the names of sections, and image section headers. I have been reading about ImageHlp Structures. But…
Raydel Miranda
6 votes, 3 answers

Segments in IDA. How to overcome NONAME problem

I'm disassembling a packed 16 bit DOS MZ EXE. To deobfuscate it, I've set a breakpoint in DOSbox at the end of the unpacking routine, let it run, and made a memory dump. This way I essentially got the deobfuscated EXE image. Problems started when I…
ScumCoder
6 votes, 2 answers

What time structure is this?

I have an existing piece of software, with no source and no possibility of editing. It contains a grid (looks like an old DevExpress one; the software itself is created in Delphi 7). Grid content is stored in memory, which I have to read and modify…
AlexeiD
6 votes, 1 answer

Immunity Debugger PyPlugin

Immunity Debugger offers a feature called PyPlugin. However, there is not enough documentation on it. The help for immdbg says this: PyPlugins are python scripts located at PyPlugins\ directory, PyPlugins are called when F4 or the PyPlugin icon…
0xec
6 votes, 3 answers

Python library for assembling x86, x64 and ARM exploits

It would be very useful to have a pure Python library that could assemble x86, x64, and ARM instructions. Do you have a recommendation? I don't mind if they are not pure Python, but that'd be preferred.
user1743
6 votes, 1 answer

Relocation table patching

I'm now working on binary analysis of PE files and stuck on a tricky (for me), ungoogleable question. For instance, I have a binary that needs to be patched. After doing that, it would be awesome if there were a way to insert the address of my function into the relocation table.…
see ya
6 votes, 1 answer

Ollydbg 2: Breaking after attaching to a suspended process

When analyzing malware, I come across packers that inject the actual malware code into a newly spawned process and execute it that way. For that, they create a process in suspended state, inject the code and resume it using ntdll.NtResumeThread on…
j0ker