5 votes, 1 answer

How can I get the inferred register value for an instruction in Ghidra scripting?

I'd like to get the inferred value of a register at a particular point in the disassembly listing in a Ghidra script. In my case the target instruction is a rdmsr or wrmsr instruction, which reads or writes the MSR at ecx. While I could walk back…
Polynomial
5 votes, 1 answer

IDA stack depth differences when branching

I'm decompiling some Direct3D code that makes a lot of indirect calls to __stdcall functions. For example: call dword ptr [edx+0xC8h] which is really: pD3DDevice->SetRenderState(); IDA doesn't correctly guess the stack pointer change of these…
quitegiddy
5 votes, 2 answers

Unable to unsquash from a FW dump

After trying to unsquash a firmware dump from a router without success, I am asking for help. I have a router with a BCM68380 CPU. After desoldering the TOSHIBA NAND chip I dumped the firmware (link to the FW) and proceeded to extract it. Binwalk…
Ismael
5 votes, 3 answers

Modern tools for reversing binary network protocols

What are some modern tools or techniques for attempting to reverse a binary protocol sent over UDP? I've been trying to do research on this, and it seems like almost everything is obsolete. Previous answers on this site and other resources mention a…
5 votes, 1 answer

Pydasm: Disassembling limited length executable shellcode

How do I disassemble the first 200 bytes of an executable code using the pydasm library in Python? I want to know how to set the size of the buffer to disassemble.
in3o
5 votes, 1 answer

How to reverse CGI file for MIPS?

I'm trying to load a CGI file into IDA in order to disassemble it and understand its behaviour, but I can't do it. According to the strings command I can see some interesting words like system, sprintf, etc. And I know it's a MIPS file, but I'm not…
Nucklear
5 votes, 2 answers

Difference between Main and Entry

Sometimes, while disassembling a binary, I see that there is a main function, but sometimes, instead of main, there is an entry function. I want to know what the difference is between entry and main.
5 votes, 0 answers

Deobfuscating Unknown C# obfuscator?

Hello, I have an exe file that I am trying to deobfuscate and debug using dnspy. The exe file was written in C# and obfuscated with an unknown obfuscator according to de4dot! I tried all my known methods to proceed but still I was not able to…
mo5br
5 votes, 2 answers

What kind of function creates this code pattern?

Apologies if this is a duplicate. Don't know what words to search for as that's what the question is about. I'm relatively new to reverse engineering binaries and while using Ghidra I've noticed that it frequently decompiles the binary to produce…
That Guy
5 votes, 1 answer

What does the code keyword in Ghidra mean?

I'm reversing a binary and I found this strange keyword I haven't seen before called 'code'. I looked up the C++ keywords and there doesn't seem to be one. Could anyone provide me with more information about this keyword? if (*(int *)(param_1…
DohnJoe
5 votes, 1 answer

ARM bx instruction branches to address not specified as argument

I'm debugging an ARM Cortex-M4 (STM32F4) running FreeRTOS. Inside the assembly FreeRTOS function vPortSVCHandler, there's a branch instruction bx r14. Using GDB, I step through instruction by instruction and find that r14 (lr) contains the value…
5 votes, 2 answers

What is replay debugging?

I've read some info here but it looks like the site concerned itself only with vmware and moreover it has abandoned the idea. How can this concept be used with existing debugging environments like IDA and gdb? If it has already been implemented, I would…
viv
5 votes, 1 answer

How to improve Ghidra decompilation of SSE instructions?

In practicing Ghidra on a few standard library functions in some executable, I have generally had trouble getting good decompilation output where SSE registers are used as an optimization. I've tried searching for a variety of keyword combinations…
NurTuring
5 votes, 1 answer

How to use fastloghook in immunity debugger

How does fastloghook work in the immunity debugger pycommand section? I can't figure it out. Everything I try does not work and I know this code is a mess. I seriously don't understand fastloghook, which makes me crazy when bphook worked so nicely. I need…
user2464
5 votes, 2 answers

How to obtain decrypted virus body of Bolzano virus using Ollydbg 1.10 debugging on windows OS

I installed Windows NT 4.0 Service Pack 6 on VMware Player. Then I added Ollydbg 2 from the VMware shared folder into Windows NT. I extracted the Ollydbg zip and ran ollydbg.exe. I am getting this error: PSAPI.DLL is not found. This library contains…
user1744108