Most Popular

1500 questions
5 votes, 1 answer

How do I fine-tune Hex-Rays decompiler for 16-bit?

It is mentioned on the IDA Pro Hex-Rays site under decompiler error messages: "16-bit functions are not supported". It goes on to say: "The decompiler itself CAN be fine tuned to decompile 16-bit code, however this is not a priority for now." Does…
user4069
5 votes, 1 answer

Why is true emulation not possible?

Antiviruses and similar analysis engines often face the problem of identifying whether a file is harmful. They often do so with the use of (partial) emulation and as a result often fall prey to the tricks (anti-emulation) used by the binary. Is it…
viv
5 votes, 3 answers

What ways are there for an application to detect that it has been modified?

I am using OllyDbg and a hex editor. I confirmed that once the application is edited in any way it behaves differently than normal. My first thought was that the file is checking the checksum value, so I looked at the intermodular calls in Olly and did…
GuYY
5 votes, 1 answer

Ollydbg 'Copy all modifications to executable' doesn't copy all modifications

I'm editing executables on a(n) (almost) daily basis in OllyDbg and it is very annoying that the 'Copy all modifications to executable' doesn't work properly. All the code I edit in the .text section is copied to the new executable, but all the…
5 votes, 1 answer

Do you have tips for analyzing reported PoC (exploit) files?

My daily job is analyzing reported proof-of-concept files that exploit document viewers. People who report vulnerabilities in document viewers just give me the PoC and the vulnerable version number. They usually fuzz stuff and find an offset that leads to…
Jaewon Min
5 votes, 1 answer

Formatting BinDiff results to a .txt

I have been using BinDiff as a plug-in for IDA Pro. I understand it is not possible to run this plug-in via terminal/batch mode. Is there a way I can export the results to a more readable format such as a .pdf or a .txt? I need a more readable…
user3119546
5 votes, 2 answers

Decoding the UPX ELF header file

Still on my way to understanding how to prevent the usage of the -d (decompress) option of UPX (see this question), I try to identify the header file of UPX in ELF executable files. Looking at the code, all the sources seem to be in the files lx_elf.h…
perror
5 votes, 2 answers

IDA PRO Structures Defining negative offset -4 -8 offset repair asm Hex-Rays

How do I fix structures in IDA PRO so they show up properly in the Hex-Rays plugin (C decompiler)? Similar question to (but the solution doesn't work for me): Struct with negative offset in IDA possible. Pretty much what happened is I compiled a very…
SSpoke
5 votes, 1 answer

Merging elf shared-objects

Let's say I have libA.so and libB.so. Is there any way for me to combine them into a single shared library libC.so that contains all exported symbols of both libA.so and libB.so?
Krypton
5 votes, 3 answers

Is learning assembly enough to become a malware analyst?

I am a C/C++ developer and I have started learning assembly language programming with the goal to become a malware analyst. I know it is not enough to just know how to read assembly to become a malware analyst. But won't it help a lot and make the…
Pranit Kothari
5 votes, 1 answer

How to unpack a TFTP file with Firmware

I have 2 files but I have no idea how to unpack them: 239113254011.ldr and 239113254012.krn. Inside is firmware for the ADB (iCan) 3800TW used in Italy. We need to unpack it and delete the root password. Can somebody help please?
joseff
5 votes, 3 answers

With a hex editor, can you really examine/modify every piece of code/data encoding in a "file"?

Say I open a 1x1 BMP file with a hex editor. Will the values therein link directly to the specification used to encode the image, and to what the decoding image program will also see? If I dig into Sonic The Hedgehog's bin file, can I really change…
tim mokesy
5 votes, 1 answer

Replace a function in a Windows 32-bit binary with a custom C function

I am reverse engineering a Windows game from 1995 using Ghidra, and I'm currently documenting all the decompiled functions. My goal is to replace a function in the original binary with a custom C function, test the game, and proceed incrementally,…
5 votes, 2 answers

How can I disassemble/decompile an immediate value to multiplication/summation of two values with IDA Pro?

Is it possible to force IDA to show "5 * 20" instead of "100" in the below disassembled and decompiled lines?
MOV R1, #100   ->  MOV R1, #(5 * 20)
LDR R8, =var    |  LDR R8, =var
STR R1, [R8]    |  STR R1, [R8]
Corresponding…
E.A
5 votes, 3 answers

How to call non-exported functions from dll?

I'm doing some reverse engineering of a C++ dll. What I have achieved so far is a list of all functions inside and even source code (in pseudo-C or so) for most of them. Reading the source code of most of the functions doesn't make sense, because…
user3095293