Most Popular (1500 questions)

6 votes, 1 answer

Returning value from faux DLL

A bit of background; I'm trying to inject my own code into the old game SimTower with the ultimate goal of reverse engineering it in the same way that OpenRCT2 was created. Since SimTower is distributed as a 16-bit NE executable I'm having a bit of…

6 votes, 1 answer

Decoding LZSS buffer lookup indices

I'm working on unpacking a camera firmware file which consists of various sections that I am able to correctly split and validate. One section within this file is additionally compressed with a form of LZSS as described here, of which I cannot…

Asked by Mario Gu

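The excerpt does not show which LZSS variant the firmware uses, so the following is an added example (not code from the question or from the firmware) of the classic Okumura token layout that most firmware packers derive from: a flag byte precedes each group of 8 items, a set bit means a literal, and a back-reference is two bytes whose 12-bit ring-buffer index is lo | ((hi & 0xF0) << 4) and whose low nibble is length - 3. The ring-buffer size (4096), maximum match (18), threshold (2), the space-filled initial buffer and the initial write position N - F are all assumptions to verify against a known-plaintext section; a decoder that overlaps a copy with the write position must copy byte by byte, which is where hand-rolled decoders usually go wrong. A reference encoder that mirrors the decoder's buffer state is included so the round trip can be checked on constructed input.

```python
# Added example: Okumura-style LZSS decoder/encoder.  ASSUMPTIONS (not taken
# from the question): N=4096, F=18, THRESHOLD=2, ring buffer pre-filled with
# spaces, writes start at N-F, flag bit set = literal, pair = (lo, hi) with
# index = lo | (hi & 0xF0) << 4 and length = (hi & 0x0F) + THRESHOLD + 1.
N = 4096
F = 18
THRESHOLD = 2
MASK = N - 1


def decode_pair(lo: int, hi: int) -> tuple[int, int]:
    """Turn the two token bytes into (ring-buffer index, copy length)."""
    index = lo | ((hi & 0xF0) << 4)       # 12-bit index into the ring buffer
    length = (hi & 0x0F) + THRESHOLD + 1  # 3..18 bytes
    return index, length


def lzss_decode(data: bytes) -> bytes:
    buf = bytearray(b" " * N)  # ring buffer, pre-filled with spaces
    r = N - F                  # next write position in the ring buffer
    out = bytearray()
    pos = 0
    flags = 0
    while pos < len(data):
        flags >>= 1
        if not (flags & 0x100):  # group of 8 exhausted: read next flag byte
            flags = data[pos] | 0xFF00
            pos += 1
            if pos >= len(data):
                break
        if flags & 1:            # literal byte
            c = data[pos]
            pos += 1
            out.append(c)
            buf[r] = c
            r = (r + 1) & MASK
        else:                    # back-reference into the ring buffer
            if pos + 1 >= len(data):
                break            # truncated token
            index, length = decode_pair(data[pos], data[pos + 1])
            pos += 2
            for k in range(length):
                # Byte-by-byte so a copy overlapping the write position
                # reproduces bytes written earlier in this same token.
                c = buf[(index + k) & MASK]
                out.append(c)
                buf[r] = c
                r = (r + 1) & MASK
    return bytes(out)


def lzss_encode(data: bytes) -> bytes:
    """Greedy reference encoder that mirrors lzss_decode's buffer state."""
    buf = bytearray(b" " * N)
    r = N - F
    out = bytearray()
    p = 0
    while p < len(data):
        flags = 0
        group = bytearray()
        for bit in range(8):
            if p >= len(data):
                break
            max_len = min(F, len(data) - p)
            best_len, best_pos = 0, 0
            for s in range(N):
                m = 0
                while m < max_len:
                    idx = (s + m) & MASK
                    d = (idx - r) & MASK
                    # Positions the decoder overwrites during this token
                    # (d < m) hold data[p + d], not the stale buffer byte.
                    expected = data[p + d] if d < m else buf[idx]
                    if expected != data[p + m]:
                        break
                    m += 1
                if m > best_len:
                    best_len, best_pos = m, s
                if m == max_len:
                    break
            if best_len <= THRESHOLD:
                flags |= 1 << bit
                group.append(data[p])
                n = 1
            else:
                group.append(best_pos & 0xFF)
                group.append(((best_pos >> 4) & 0xF0) | (best_len - THRESHOLD - 1))
                n = best_len
            for k in range(n):
                buf[r] = data[p + k]
                r = (r + 1) & MASK
            p += n
        out.append(flags)
        out += group
    return bytes(out)


# Constructed stream: literals 'a','b','c', then a pair pointing at index
# 4078 (0xFEE, where the first literal landed) that copies 6 bytes.
SAMPLE_STREAM = bytes([0x07, 0x61, 0x62, 0x63, 0xEE, 0xF3])
```

When the decoded output looks right for the first few kilobytes and then drifts, the usual culprits are the initial write position and the buffer fill byte, since both only matter once a token references buffer space the stream has not yet written.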
6 votes, 3 answers

Reverse engineering USB peripheral driver

I'm looking to reverse engineer a Windows driver for a printer I have here. I found out a bit about USB sniffing but I don't think Snoopy runs on Windows 7. I know the driver is on my computer somewhere but its location is not obvious. Can someone…

Asked by Jasong

6 votes, 3 answers

Help reversing end-of-life'd Logitech Link. How to get Flash Contents

See Update below. I got an email from Logitech that they are end-of-lifing their Harmony Link product (see https://community.logitech.com/s/question/0D55A0000745EkCSAU/harmony-link-eos-or-eol). So I took it upon myself to start taking it apart.…

Asked by justin

6 votes, 1 answer

Debugging a deadlock when the mutex owner thread is dead?

Intro I'm facing a peculiar deadlock scenario I have never seen before. I've been trying to debug this deadlock for 3 days and couldn't find how to fix it in a proper way. Hopefully someone can help me out. We don't have the application's source code so this…

6 votes, 2 answers

How to find all subroutine calls using Hopper?

How can one find all subroutine calls once an iOS app has been loaded into Hopper? If I understand correctly, a subroutine is identified by a unique address. So in the binary, all calls to this subroutine should point to this address. Thus, it should…

Asked by Hector

6 votes, 1 answer

Reconstructing Assembly Truth Map

So I recently read [1] which evaluates several disassemblers. The truth/test binaries are generated by the SPEC CPU 2006 Benchmark suite. The authors provide detailed build instructions for the ELF set inside a VirtualBox. However, reconstructing…

Asked by fxorf

6 votes, 1 answer

How to Make .text Section in Assembly Writeable for Win7-64 EXE

I have a basic XOR decoder that functions perfectly in Linux, but when I try to move it over to an exe in Windows, it fails. I am leaving this question open for historical reference since the issue persists. here It has been suggested that in the…

Asked by hexhatchet

6 votes, 1 answer

How can I get the shared libraries' function calls using angr

I am trying to get all the library function calls that a binary performs in a preorder-DFT traversal of the CFG. I'm able to get the CFG like: import sys, angr import networkx as nx proj = angr.Project(sys.argv[1],auto_load_libs=False) cfg =…

Asked by anon

6 votes, 2 answers

IDA Proximity viewer not finding obvious paths?

Using IDA 6.2 (and also with IDA 6.4), I'm trying out the Proximity viewer to find the path between 2 functions as described at the hexblog post here. Using the Xrefs From/To (old option) it shows the clear path: AllocateVolume -> VolumeSortCmp ->…

Asked by ixje

6 votes, 1 answer

Changing strings in Hopper Disassembler

I am currently learning and I wanted to ask, how can I change a text (string) from inside an app I am reversing? For example "To begin, please login". I have found the XREF to the string location but I don't know how to change it. I am using Hopper…

Asked by szoszu

6 votes, 3 answers

Is it possible for a .exe PE file to do something without any imports at all?

All Portable Executable files that I've found with zero imports in the Import Address Table have not functioned. I also know that while .NET files often do not have the typical OS imports, they must still import either _CorExeMain or…

Asked by the_endian

6 votes, 2 answers

What PE anomalies can crash the Windows Loader or cause a file to not load?

I do malware analysis on Windows. I run hundreds of Windows PEs per day and it is actually relatively common for a file to not run (or sometimes not run on just one specific version of Windows) and I get an error message such as "This is not a valid…

Asked by the_endian

6 votes, 1 answer

getting function address by reading ADRP and ADD instruction values

Hello reverse engineers, I'm analysing a fat Mach-O binary, and it has an ADRP and an ADD instruction in it. I'm talking about these instructions: __text:00000001002E050C ADRP X8,…

Asked by exploiter

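The excerpt cuts off before the immediates, so here is an added example (not from the question or the binary) of how the ADRP+ADD pair resolves, decoded from the raw A64 instruction words rather than from disassembler text. ADRP adds a signed 21-bit page count, scaled by 4 KiB, to the page of the ADRP's own address (the PC with its low 12 bits cleared, not the PC itself), and the ADD supplies the offset within that page, optionally shifted left by 12. The address 0x1002E050C is the ADRP's PC as quoted in the question; the two instruction words are constructed for the example, and the resulting target is a hypothetical address.

```python
# Added example: resolve an ADRP+ADD pair from little-endian A64 words.
# The PC 0x1002E050C is the one quoted in the question; the instruction
# words and the resulting target are constructed for this example.
import struct

ADRP_MASK, ADRP_BITS = 0x9F000000, 0x90000000  # op=1, bits 28:24 = 10000
ADD_MASK, ADD_BITS = 0xFF800000, 0x91000000    # 64-bit ADD (immediate), no flags


def sign_extend(value: int, bits: int) -> int:
    if value & (1 << (bits - 1)):
        value -= 1 << bits
    return value


def decode_adrp(word: int, pc: int) -> tuple[int, int]:
    """Return (Rd, page address) for an ADRP located at address pc."""
    if (word & ADRP_MASK) != ADRP_BITS:
        raise ValueError(f"not an ADRP: {word:#010x}")
    rd = word & 0x1F
    immlo = (word >> 29) & 0x3
    immhi = (word >> 5) & 0x7FFFF
    # Signed 21-bit page count scaled by 4 KiB; the base is the PC's page.
    imm = sign_extend((immhi << 2) | immlo, 21) << 12
    return rd, ((pc & ~0xFFF) + imm) & 0xFFFFFFFFFFFFFFFF


def decode_add_imm(word: int) -> tuple[int, int, int]:
    """Return (Rd, Rn, immediate) for ADD Xd, Xn, #imm12{, LSL #12}."""
    if (word & ADD_MASK) != ADD_BITS:
        raise ValueError(f"not a 64-bit ADD (immediate): {word:#010x}")
    sh = (word >> 22) & 1
    imm12 = (word >> 10) & 0xFFF
    rn = (word >> 5) & 0x1F
    rd = word & 0x1F
    return rd, rn, imm12 << (12 if sh else 0)


def resolve_adrp_add(adrp_word: int, adrp_pc: int, add_word: int) -> int:
    """Address produced by ADRP Xn, page ; ADD Xm, Xn, #imm."""
    rd, page = decode_adrp(adrp_word, adrp_pc)
    _, rn, imm = decode_add_imm(add_word)
    if rn != rd:
        # A compiler may schedule other instructions between the two; make
        # sure the ADD really consumes the ADRP's destination register.
        raise ValueError(f"ADD reads X{rn} but ADRP wrote X{rd}")
    return (page + imm) & 0xFFFFFFFFFFFFFFFF


def resolve_from_bytes(code: bytes, pc: int) -> int:
    """Decode two consecutive little-endian words, the first located at pc."""
    adrp_word, add_word = struct.unpack_from("<II", code, 0)
    return resolve_adrp_add(adrp_word, pc, add_word)


# Constructed bytes for: ADRP X8, #0x20000 ; ADD X8, X8, #0x5B8 at 0x1002E050C
SAMPLE_PC = 0x1002E050C
SAMPLE_CODE = struct.pack("<II", 0x90000108, 0x9116E108)
```

The PC used must be the virtual address of the ADRP, so when working from a slice of a fat Mach-O, convert the file offset of the instruction to its VA via the containing segment before calling this; using a file offset produces a wrong page whenever the two differ.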
6 votes, 3 answers

Running a binary identified as an ARM executable by binwalk --disasm

I have a Philips 10FF2 picture frame I'm trying to reverse engineer. In the firmware download from the Philips website (http://download.p4c.philips.com/files/1/10ff2cme_00/10ff2cme_00_fus_aen.zip) I can find a file called UBLDM350.bin which when…

Asked by Walter Heck