Most Popular

1500 questions
6
votes
2 answers

Trying to decode the Ontario Driver's License #

**The Ontario Driver's License follows the below format:** LXxxx-FFFMY-YMMDD Where: L is the first letter of your last name, X is a numeric encoding of the last name (see Chart 1 below), xxx is a numeric coding of the last name. It appears no one…
DTS
  • 61
  • 1
  • 1
  • 2
6
votes
1 answer

Why does PE ImageBase address change in memory?

I'm reversing a malicious 32-bit x86 Windows executable. Statically reviewing PE headers in Ghidra, I see that ImageBase is set to 0x400000 as expected. However, when the binary is loaded into memory, the initial RVA does not match the ImageBase…
j5bb
  • 61
  • 3
6
votes
2 answers

Embedding URL call into an image / movie

Is there a way to embed a URL call in the raw data of an image or movie file, such that when the image or movie is opened, it makes a call to a webserver? I want to be able to obtain someone's external IP by sending an image to them, and then having…
6
votes
2 answers

How to unpack files packed with multiple packers?

As I am just getting started in RE, I've mostly faced files packed with a single layer of packing, such as UPX, ASPack, etc. Unpacking these protections is fully documented online. The problem begins when I deal with multiple layers of packing,…
Higet
  • 437
  • 4
  • 8
6
votes
1 answer

Where are program resources stored in a CIL assembly?

In a CIL assembly, where are resources stored? I am trying to reverse engineer a sample that appears to be protected by a .NET crypter. The CIL assembly for the sample does a SHA256 decryption on a blob that is retrieved using…
6
votes
2 answers

Is there any tool which parses ollydbg run trace?

I'm currently working on a tool to automate several actions which relate to unpacking software. I would like to use the run trace of Ollydbg (1.10 preferred since it has many antidebug/usage/etc plugins). However, I do not seem to know any library…
parser
  • 61
  • 2
6
votes
1 answer

How is Hopper on Windows or Linux?

Hopper seems to be focused on Mac, but how do its capabilities on Windows or Linux compare with the free version of IDA for reversing x86/x64 executables? Hopper seems to have all the major features IDA has: a graph view, the ability to rename…
zer
  • 157
  • 2
  • 6
6
votes
2 answers

Tool for checking for in-memory code modifications of loaded DLLs

A common anti-debugging practice is to overwrite functions such as DbgUiRemoteBreakin within ntdll.dll. Since in-memory representation of common libraries is always the same on each platform, it should be possible for an external tool to connect to…
Robert
  • 1,042
  • 6
  • 12
6
votes
0 answers

How to find the symbol table in a TI DSP (TMS320C5510)

That's it, just want to know how to find the symbol table in a binary I pulled from a DSP chip. I know it could be stripped, just don't know how to tell.
gigawatt
  • 401
  • 4
  • 11
6
votes
4 answers

Way to get basic blocks of a binary using Ghidra

I am using Ghidra to do some reverse engineering of an ARM binary. I am wondering whether there is a way to get the basic blocks related to all the listing. Is there a function through the IDE or a script through the script manager that I could use…
hEShaN
  • 281
  • 4
  • 11
6
votes
3 answers

Reverse engineer Listen to this device on Windows - Reverse engineer Windows when there's no API

I'm writing an AutoHotkey script to toggle "Listen to this device" for my microphone, without interacting with a GUI. I thought it would be a simple registry key being modified, so I used RegShot to find the…
Shayan
  • 111
  • 7
6
votes
3 answers

How to design opaque predicates?

Opaque predicates are used to disrupt automatic analysis of binary code by reaching the limits of what an analyzer can do. Can somebody give an example (or a few examples) of an opaque predicate found in a real-life case? And, what are the…
perror
  • 19,083
  • 29
  • 87
  • 150
6
votes
1 answer

What can you find out about an unknown CPLD?

Sometimes you can find a CPLD (Complex Programmable Logic Device) on a circuit board. What can you do to find out what it is for? What are the limits and capabilities? What are common applications for a CPLD?
samuirai
  • 3,079
  • 4
  • 23
  • 37
6
votes
2 answers

Radare2 Debugging: How do I pipe a program's output to another's input?

I wrote a C program that constructs a ROP payload and sends it to stdout. Using Radare2's debug mode, how would I pipe this output to a binary I am trying to exploit that accepts input on stdin? For example, if my compiled C program is exp and the…
peachykeen
  • 155
  • 1
  • 9
6
votes
2 answers

Call to variable address

I have come across the following instructions: `mov ecx, [ebp + var_4]` `imul ecx, 4` `call dword_1423d4[ecx]` Can someone explain to me what it possibly means or point me in the right direction? Why is the call made to a variable?
Cream Cracker
  • 145
  • 1
  • 6