6
votes
1 answer

I need quick correction on this x86 opcode conundrum

I am trying to figure out how to encode the instruction MOV DS, AX, but I am confused from the opcode table as follows: Is MOV DS all one byte, or is MOV one byte, DS the second, and the AX the third? Is the table implying that the binary value of…
6
votes
2 answers

OllyDbg: Automatically extract string when breakpoint is hit

Given a breakpoint at an expression MOV EDI, EAX, how can you automatically log/write to file the referenced string whenever the breakpoint is hit?
Martin Vogel
  • 63
  • 1
  • 3
6
votes
1 answer

Turning Technologies RF receiver

At my university we're required to purchase these RF clickers with an LCD screen so professors who choose to take attendance can do so in an automated fashion, and occasionally administer simple quizzes without having to take time to grade them. The…
Cyclone
  • 161
  • 4
6
votes
0 answers

Shortcuts in Immunity Debugger

Recently I started using Immunity Debugger instead of Olly, where I really got used to my custom keybindings. I could not seem to find an option to configure shortcuts/keybindings in Immunity Debugger. Do you know how to use custom keybinds in…
Dominik Antal
  • 2,038
  • 22
  • 39
6
votes
1 answer

How to efficiently simplify obfuscated formula in QF_BV logic with Z3?

I would like to know if there are efficient ways to simplify arithmetic formula expressions over bit-vectors with Microsoft Z3. But, first, I would like to explain the problem a bit. Let's start with an example: x + y == (x ^ y) + 2 * (x & y) Both x…
perror
  • 19,083
  • 29
  • 87
  • 150
6
votes
3 answers

RE Compressed backup file, router Linux based, so is it compressed with zlib?

So I have a backup from my router, it's a zte zxv10h201l and it's Linux based, but I cannot identify the type of compression of this file. Here are a couple of the first "lines" of it 00000000 99 99 99 99 44 44 44 44 55 55 55 55 aa aa aa aa …
Vido
  • 515
  • 8
  • 22
6
votes
2 answers

Static Analysis - Scope Changes

I am looking for an algorithm or some tips on how to find scope changes when doing static analysis of a decompiled ASM source. I need to know the scope changes for tracking stack usage and reaching definitions for variables. If I have a program…
6
votes
1 answer

ARM debugging interesting behavior

I was just disassembling and debugging an ARM binary for fun and I noticed something unusual. Consider the following set of instructions: 0x00008058 <+4>: mov r1, pc 0x0000805c <+8>: add r1, r1, #24 0x00008060 <+12>: mov r0, #1 I tried…
user1743
6
votes
3 answers

Does code injected into process memory always belong to a page with RWX access?

I've seen a few memory forensics tutorials, which start by looking for injected code in the "victim's" process memory. They always seem to find the injected code in pages which have RWX access (i.e. PAGE_EXECUTE_READWRITE). Does this assumption…
Benny
  • 828
  • 7
  • 18
6
votes
2 answers

What is the difference between static disassembly and dynamic disassembly?

I am told that tools like IDA Pro are static disassembly tools, and tools like OllyDbg are dynamic disassembly tools. But from my experience using these tools, I don't think there is any difference between the tools in disassembly…
lllllllllllll
  • 2,485
  • 2
  • 32
  • 50
6
votes
3 answers

Is it possible to convert MIPS ASM to code?

IDA can disassemble to assembly. But reading large assembly blocks with byte shifts, etc., is tedious work. I would rather read pseudo-code. Are there any documents, tutorials or tools for this work targeting the MIPS platform? What methods are you…
user3155036
  • 145
  • 1
  • 2
  • 8
6
votes
1 answer

Unsquashfs fails

I'm trying to unsquash a file I retrieved with binwalk. DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------------------- 43892 0xAB74 U-Boot boot…
Lucas Kauffman
  • 231
  • 2
  • 6
6
votes
2 answers

Break on returning to a specific module

I'm debugging an application in OllyDbg, and I pause the program at a specific place. Now I am deep inside ntdll and other GUI related module calls, judging from the stack. I'd like to break as soon as the application returns to any function within a…
Dominik Antal
  • 2,038
  • 22
  • 39
6
votes
4 answers

How antiviruses name malware

While analyzing a binary online through the VirusTotal service, I found out that different AVs named the binaries differently. For instance, for that same binary Norman named it Obfuscated_A, Symantec named it WS.Reputation.1 and another AV named…
viv
  • 784
  • 1
  • 4
  • 17
6
votes
2 answers

IDA Pro/IDAPython automation through IDAPython

I have been trying to use IDA Pro (with bindiff) via IDAPython to automate the analysis process of a bios.dump file while outputting the results to a .txt / .asm file. From here I want to use the bindiff functions to compare this database with…
user3119546
  • 495
  • 4
  • 14