6 votes, 2 answers

How to add a function symbol to a stripped executable with radare2?

I am struggling with a stripped binary, and I would like to visualize the main() function with the VVV command (ASCII-art CFG representation). Usually, the steps are the following: #> r2 ./crackme (run radare2 on the crackme). [0x00005430]> aaa…

asked by perror
6 votes, 1 answer

Should I keep parenthesis information while source modeling?

I'm developing an AST model for a source code reverse engineering platform. My question is, should I keep parenthesis data in my AST? Because I have everything in a tree, I already know which operation will be executed first.

asked by Uko
6 votes, 1 answer

Why are symbols with local binding present in the symbol table of my ELF files?

I found out that there are symbols with binding=LOCAL and visibility=HIDDEN in the symbol table (.symtab) of ELF executables/libraries. What are they needed for? They are not involved in the relocation process, nor can they be invoked externally. Are they…

asked by user19496
6 votes, 3 answers

How to SUCCESSFULLY add a code section to an executable file in Linux?

I am on Linux, and I have seen this question a few times, but nobody has ever answered how to really make this work. I need to add a section to an already compiled binary. Let's say for a moment it is an ELF file. I'm using objcopy, so this should be…

asked by 0xfede7c8
6 votes, 1 answer

xor eax, eax in x64

I have the following code:

    sub rsp, 40 ; 00000028H
    lea rcx, OFFSET FLAT:$SG4237
    call printf
    xor eax, eax
    add rsp, 40 ; 00000028H
    ret 0

Why is there xor eax, eax instead of xor rax, rax?

asked by J. Doe
6 votes, 1 answer

How to distinguish different compiler codes in ASM?

While reversing an executable with Olly, there's compiler code and user code. So how do I recognise the compiler code? Let's say the executable is Visual Basic: it has a jmp and a call in the first 2 instructions, and the WinMain comes later.

asked by Lian
6 votes, 1 answer

How to know which module I am currently in? (EIP/RIP pointer)

I'm currently learning IDA Pro, which is set up with the WinDbg debugger. So, say, I triggered a breakpoint and began stepping in and out of functions. I prefer to work in the "Graph view" mode: What is the easiest way to see the module name that…

asked by c00000fd
6 votes, 1 answer

How to switch to "Graph View" in IDA Pro while debugging with WinDbg inside a system DLL?

While debugging inside a loaded exe process (using IDA Pro as a disassembler, and WinDbg as a debugger) I can right click the code view and select Graph view: That will switch it to this nice code-flow view that is much easier to read: But if I…

asked by c00000fd
6 votes, 1 answer

How can I extract the structure of an operand with displacement in IDAPython?

Consider the following instruction: 8D 8C 4E B0 2F FF FF LEA ECX, [ESI+ECX*2-0xD050] Using IDAPython, how can I extract the structure of the second operand? I'd like to know things like: ESI is the base register, ECX is the index register, 2 is…

asked by Willi Ballenthin
6 votes, 1 answer

Is there something like DVWA (Damn Vulnerable Web Application) for reverse engineering?

I am learning reverse engineering, and would like a way to try out methods I'm learning. In web security, the way to try out and learn methods is a thing called DVWA. It is an insecure web app made for web security people to exploit. Is there…

asked by anonmous
6 votes, 1 answer

What does arg_0 = dword ptr 4 mean?

I'm trying to use the IDA disassembler and I don't really understand the following text appearing at the head of functions: arg_0 = dword ptr 4. Can anyone explain its meaning?

asked by QChí Nguyễn
6 votes, 1 answer

Is reverse engineering legal?

A few weeks ago, I started reverse engineering libraries and binaries from a commercial copyrighted product (a game). And, I would like to post the code on an open source platform like GitHub. I've searched a lot on the Internet, and found that in…

asked by Avo18
6 votes, 1 answer

What is the scalability of state of the art static binary analysis techniques?

What is the largest program that has been analyzed by a semantics-based static binary analysis? By semantics-based, I mean an analysis that examines the meaning of the program, and does not simply perform a computation on the syntax of the program,…

asked by Ed McMan
6 votes, 1 answer

Reversing a 3D file format from 2001

This is a Korean MMORPG released back in 2001. The game and the company no longer exist. I've been analyzing the file formats as a personal project for a while now. I have already decoded the textures and script files. I only have 2 more files left…

asked by majidarif
6 votes, 1 answer

How to make old IDA understand wrap-around mapped 68k RAM?

UPDATE 3: I learned that one way to do it is to simply make a new processor definition; it should be fairly straightforward to port already existing 68k disassemblers to the IDA SDK. Still too cumbersome in my case because I only have a single 68k…