Most Popular

1500 questions
5 votes, 1 answer

How to create a virus signature from decompiled source

I have a problem where I have to create a virus signature for the Stoned Virus (although this could apply to any virus/file). Let's assume I have a copy of the compiled and decompiled program. I then proceed to identify the most important parts of…

MysteryMan
5 votes, 2 answers

What is stored in typeinfo (GNU C++, Android NDK, ARM)

IDA annotates some items as: typeinfo for _classname_. What is that typeinfo, is it the same as type_info? What information may be extracted from it? (e.g. I'd like to know the object size or virtual function table size). I am particularly…
5 votes, 2 answers

What are the sections of an x86 Linux binary?

I want to learn reverse engineering, so I was starting to try compiling simple (to start with) C programs and then reading the disassembly. The following file int main(void) { return 0; } compiled with gcc then disassembled with objdump -d ends up…

emberfang
5 votes, 2 answers

How can we determine that malware are related?

I am curious to know how researchers can know when different malware are related. For example: Stuxnet, Flame or Duqu are said to be written by the same group. Does anyone know how they figure that out? I read some articles but they weren't…

user4387
5 votes, 1 answer

Why are there so many padding/leading nop instructions in my binary code?

The test platform is Linux 32-bit, x86. So basically I wrote a simple C program like this: void main() { double a = 10.0; printf("hello world %f\n", a); } I use gcc to compile it into an ELF binary, and use objdump to disassemble…

lllllllllllll
5 votes, 2 answers

Assembly Code - GCC optimized vs not

I want to learn more about how GCC optimizes C programs. I have done a disassembly of a random function, both optimized and unoptimized, and I want to look at some of the differences. Off the top of my head, the optimized assembly has fewer jumps, and seems…
5 votes, 3 answers

How to break on not-yet-loaded kernel driver

I've been reversing a sample of the Uroborus trojan for my own learning joy. I'm having a hard time following it once it loads a Windows kernel driver that implements the rootkit. I've set up my environment for kernel debugging (using IDA's windbg…

Andrew
5 votes, 2 answers

Can IDA Pro automatically deal with VM obfuscated binaries?

VM packers like Code Virtualizer and VMProtect seem challenging to existing reverse engineering work, especially static approaches like IDA Pro. According to these slides www.hex-rays.com/products/ida/support/ppt/caro_obfuscation.ppt from Hex-Rays, IDA…

lllllllllllll
5 votes, 2 answers

How to reverse DeviceIoControl?

I have started reversing this piece of malware. At some point it creates a service and starts it, then immediately it calls the function DeviceIoControl and the malware went from "paused" to "running" under OllyDbg. I've searched a little bit, and I…

user4170
5 votes, 1 answer

Using a VMM/hypervisor to monitor guest OS execution?

I would like to set up a virtual machine monitor using Microsoft Hyper-V, VMware vSphere/ESX, Xen, or any other alternative hypervisor solution that is able to monitor the execution of a guest OS (a VM within the VMM). In particular, I'd like to be…

KeBugCheck
5 votes, 1 answer

OllyDbg FPU anti-debug

While playing around with FPU instructions I discovered an anti-debugging trick for OllyDbg. I haven't found it in popular references so far. First of all, here it is. fnsave [esp-100h] cmp word ptr [esp-0EEh], 07FFh ; 07FFh (all bits set) in…
5 votes, 1 answer

Find the C++ STL functions in a binary

I have a binary file (actually, an operating system for an ARM embedded device which also contains some high-level apps (hard coded in the user interface)). I know some parts of the operating system are from C++ code, so it is likely the binary…

m4524t
5 votes, 2 answers

Decoding the wire protocol (over RS232) for custom hardware <-> Windows application?

Background

I have a hardware device with an RS232 port, and a Windows (XP) application that it talks to. No OS-level drivers beyond basic serial, so all the decoding is done in the app. I have the ability to capture bidirectional wire traffic and…

Shabble
5 votes, 2 answers

GCC Loop optimization

I have been looking at some simple C code and the different output from GCC using different optimization levels. C code: #include int main() { int i = 0; while(i<10) { printf("Hello\n"); i++; } i =…
5 votes, 1 answer

IDA can't load symbols: "DIA: No such interface supported"

I'm trying to load symbols for a DLL with IDA Pro. My _NT_SYMBOL_PATH is SRV*c:\symbols*http://msdl.microsoft.com/download/symbols . I put DBGTOOLS = "C:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\x86\\" in my ida.cfg. I modified IDA's…

MPX