Highest Voted Questions - Reverse Engineering Stack Exchange

6

votes

1 answer

In Ghidra what do I need to set so disassembler is in Thumb mode instead of ARM

In IDA I would press Alt+G and set the T register to 1 to first the code to be Thumb, but in Ghidra am not not sure how to force it. The context is I have some functions pointed to by a data structure, I have set those to have a data type of a new…

asked Apr 20 '19 at 04:41

Simeon Pilgrim

942
6
15

6

votes

2 answers

How the CMP instruction uses condition flags?

I am trying to figure out the behavior of conditional jumps (JE/JNE, JZ/JNZ) in the x86 instruction set familly. Which condition flags CMP instruction sets and how, if the result is equal and if it is not? For example: CMP eax, 0 (true) CMP eax, 0…

asked Mar 10 '19 at 08:09

PaHa

145
1
3
7

6

votes

1 answer

Returning to usermode shellcode from windows kernel (Win10)

I have written a kernel exploit (for the latest Win10 64bit) that executes (or returns to from the kernel) token stealing shellcode, which is placed in the VirtulAlloc'ed memory in the userland. The problem is, when the exploit is executed by admin…

asked Mar 04 '19 at 06:42

Jaewon Min

329
1
10

6

votes

2 answers

IDA [call $+5 / pop reg] cleaning

Can anyone tell me how to clean up the code which contains the following blocks: call $+5 pop reg add reg, 08BE96h [...] In other words I need to change all such blocks to: mov reg, offset Edit # 1 List all block EA's: ea = ScreenEA() for funcea…

asked May 22 '13 at 10:24

Ilya Matveychikov

169
4

6

votes

1 answer

Simplifying assembly

I'm analysing some binary trace, it's pretty much obfuscated. What I need to do is to understand work flow of its alghoritms. However I cannot find any reliable tool which would help me with that. I was trying to convert these functions to LLVM IR…

asked Dec 30 '18 at 21:57

kozera2137

103
4

6

votes

1 answer

What does %reg:value mean in ATT assembly?

When I disassemble a function, I encounter from time to time an expression of the form %reg:value. Typically, I encounter this syntax when I activate the canaries in GCC (-fstack-protector), as in the following example: (gdb) disas Dump of assembler…

asked May 03 '13 at 07:13

perror

19,083
29
87
150

6

votes

1 answer

Reverse-engineering a weird 24-bit possibly not CRC checksum

Yes, it's one of these! I have a 199mumble Brother integrated word processor, with a very weird non-PC floppy format. I've built a floppy controller and have successfully read the flux off the disk, decoded both kinds of GCR, and reassembled the…

crc

asked Oct 22 '18 at 13:14

David Given

255
1
5

6

votes

2 answers

How to break on an Android JNI function with IDA Pro Debugger

I have an android application that uses a shared library which I would like to step through with a debugger. I've had success using IDA 6.3 to debug executables with the android_server debug server included with IDA but haven't gotten it to work…

asked Apr 29 '13 at 18:57

amccormack

1,326
2
13
29

6

votes

1 answer

Strange GDB behavior in OSX

I'm reversing some malware on an OSX VM when I noticed something peculiar. While stepping through the instructions, the instruction just after a int 0x80 gets skipped i.e. gets executed without me stepping through this. Example: int 0x80 inc eax ;…

asked Apr 29 '13 at 16:28

user1743

6

votes

2 answers

Disassemble ELF - PC is set to 0?

I tried to disassemble a ELF file which is a shared object file executed on armv7a (Android). I saw a strange block. It seems that the PC, program counter register, is set to 0. Did I miss something or do something wrong? The process goes into…

asked Sep 18 '18 at 05:49

IvanaGyro

195
7

6

votes

2 answers

How can my plugin get notified of anterior or posterior comments (and more) changes to an IDA database?

IDA Pro allows plugins to receive notifications for a number of events. These are defined in the hook_type_t enumeration inside loader.hpp in the SDK from what I saw. If I subscribe to HT_IDB events, I have a host of options for notifications I can…

asked Apr 22 '13 at 23:19

0xC0000022L

10,908
9
41
79

6

votes

3 answers

What does ds mean in mov instruction?

I am reversing a 32-bits ELF executable. I see something like: mov al, byte ptr ds:xxxxx xxxxx is an absolute address. What is the meaning of ds here?

assembly

asked Aug 05 '18 at 14:54

Bob5421

797
1
9
20

6

votes

1 answer

Radare2 - How to save/restore metadata in debug session (BPs, flag, comments..)?

How can i save/reuse/preserve Radare2 metadata (BPs, comments, flags..) of a debug session for a new debug session? I restart the debugger alot and preserving environment would be very helpful. I start with r2 -d binary -r myenv.rr2 -i myscript.r2s,…

asked Jul 19 '18 at 18:39

Maniaxx

173
1
7

6

votes

1 answer

How to make type libraries from Windows 10 SDK and DDK?

I want to make type libraries from Windows 10 SDK and DDK version 16299 and/or 17134. I saw this tutorial TILIB - utility to create type libraries for IDA. Then I downloaded it from IDA Support: Download Center and placed it in IDA installation…

asked Jul 02 '18 at 19:25

Biswapriyo

1,569
1
16
34

6

votes

1 answer

Printing Unicode strings in Gdb in OSX

Are there any useful snippets or Gdb functions that you guys normally use to print out Unicode strings? I'm trying to debug Mach-O binaries and x/s seems to be printing out junk. I believe the default encoding for Objective C strings is UTF-16.

asked Apr 19 '13 at 04:02

user1743

Most Popular