Most Popular

1500 questions
5
votes
1 answer

Decoding a time format

I'm reverse engineering a hardware device which stores time in a strange format: 32-bit word H:MM:SS…
Canis Lupus
5
votes
1 answer

Reverse engineering in pairs - is it possible?

I'm interested if anyone can share from his experience how to analyze complex binaries in pairs - 2 RE engineers. Are there any suitable methodologies, tools to help in such work? UPDATE This is indeed partly a duplicated question regarding tools,…
PhoeniX
5
votes
2 answers

Grouping functions based on their placement/order in the binary

Can I group functions based on their place in the binary? Can I assume functions next to each other belong to the same logical group, or at least they have similar functionality? I suspect that the ordering/layout of the functions are decided compile…
Dominik Antal
5
votes
0 answers

Reverse Engineering XORed string

I am trying to reverse engineer some data received over serial port. The hardware sending the data consists of a gps, compass and a power monitoring unit (which sends information about the battery). I received three types of messages of varying…
Majid Khan
5
votes
1 answer

Check if libc.so use tcache

I have an ARM libc.so (GLIBC). How can I check if that libc.so uses tcache, and what is the value of arena_max? Can I check that information offline?
Kokomelom
5
votes
1 answer

IDA: setting a register as a basepointer to struct

I read that question here (How do you set registers as structs within a function in IDA?) but this applies only to individual lines. Is it possible to set a register as a basepointer for a scope so that all usages of this register will be using the…
Devolus
5
votes
1 answer

How to use dnSpyEx or some other .NET debugger to attach to a .NET process started with a process-hollowing technique?

I have a .NET executable that is started using the process-hollowing technique. Here's how it looks from the Detect-It-Easy tool: I can open the image file for that process (from disk) with dnSpyEx, but when I try to attach to it with a debugger…
c00000fd
5
votes
1 answer

Why is a function in kernel32.dll jumping into an api-ms-win-core stub

I was trying to look into the implementation of GetVersion function in kernel32.dll. I was surprised to see that the GetVersion thunk is issuing a jump to API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL::GetVersion, and in turn…
caramel1995
5
votes
1 answer

How 10 IS HEX 5 bytes?

I am stuck in this video. Please solve this issue. This video is about Encryption and Decryption using Win32 API. https://www.youtube.com/watch?v=OQuRwpUTBpQ In this video 27:07 it's saying "10 IS HEX 5 bytes?" But how? Please watch this video to…
5
votes
1 answer

Zlib structure inside a GCC static library

I'm trying to analyze a GCC static library which is a part of a commercial software. First, I used IDA Pro to analyze entire Lib file, but it could find only object files and was unable to disassemble objects. So, I extracted all of the inside…
HamidReza
5
votes
0 answers

Cannot find references to functions in vtables

First time doing RE work and I am working on a rather large C++ binary. In Ghidra, there are many functions that do not appear to have any meaningful references to them (unlike some functions where there is a list of places where the function is…
micheal65536
5
votes
1 answer

Obfuscated JPEG

This might be a bit of a narrow question but I think it is interesting. HP Photo Creations has made a thumbnail file that seems to contain an obfuscated JPEG inside it. I'm not sure why they would bother to obfuscate it but each byte seems to be…
Luke Quinane
5
votes
1 answer

Disassembling a DOS game with dynamic code/overlays in IDA Pro

I'm working on a disassembly of an old DOS game. (Real old: 16-bit, real mode.) The bulk of the game is in a large resource file of mixed binary and data; the executable basically just loads a chunk of "resource manager" code from the binary, and…
5
votes
1 answer

Figuring out a (possibly 16-bit) CRC algorithm

So, I wanted to repurpose some old boarding gate scanners and I'm trying to make use of their commands. Now, I have a dump from an actual boarding gate PC and I've noticed that the commands only work if I send them as they are on the dump. If I change…
Gavouli
5
votes
1 answer

Cannot trace an MS-DOS COM file

When debugging the following com file in MS-DOS, I can successfully run the program with -g and it terminates normally, but when I trace it -t 1000, the program throws an illegal operation exception and terminates after +/- 800 instructions. I…