Highest Voted Questions - Reverse Engineering Stack Exchange

5

votes

1 answer

How to reverse command line arguments?

I am working on a console windows executable. So far what I figured out is that the executable checks number of command line arguments. Afterwards, it branches out depending on the number of arguments passed (argv). The jumps are looked up using…

asked Jun 20 '13 at 04:16

PSS

3,088
1
21
35

5

votes

1 answer

Ghidra what's the meaning of _0_4_

What does _0_4_ mean in ghidra?

ghidra

asked Jan 13 '20 at 14:43

bon

53
1
3

5

votes

2 answers

Is there a way to confirm and decompress files that I suspect are compressed with a very early format of PKZIP?

I have a very large number of files (tens of thousands) who's binary all begins with 0x00 0x06. They do not open with 7-ZIP. I notice also that all Office files seem to share the same next 32…

asked Jan 07 '20 at 02:16

youcantexplainthat

161
5

5

votes

3 answers

Tool for checking if there is any patch in the loaded module

I'm looking for a tool that is able to check loaded module for any placed patches even on not exported functions. I'm aware of Gmer, RKU and Co. and frankly I don't really trust their results.

asked Jun 17 '13 at 08:23

PhoeniX

3,052
16
30

5

votes

1 answer

Prevent malware from deleting itself during installation on Windows x64

Can anyone suggest a tool to prevent a malware from deleting itself on Windows x64? The purpose is to collect all the components of the whole process of infection. I've looked at CaptureBat, but its drivers are only 32-bit. I also thought about…

asked Jun 16 '13 at 20:24

PhoeniX

3,052
16
30

5

votes

1 answer

Are there existing automated approaches to reverse engineering the data types in a binary data stream?

Consider a stream of data packets of a known and consistent size, i.e., N bytes per packet. Are there existing tools that automatically detect (or estimate) the various data types present and their arrangement in the packet? My goal is to convert…

asked Dec 02 '19 at 15:45

J. Tylka

151
3

5

votes

1 answer

Get FPGA Part Number from bitstream

I've downloaded the .pof bitstream from an Altera Cyclone device. Is there any information I can get from it like, even just the FPGA P/N it is being used to configure?

fpga

asked Jun 13 '13 at 19:02

gigawatt

401
4
11

5

votes

1 answer

Why is fastcall used for replacing thiscall functions in memory instead of cdecl?

Assume I were to be reversing some game which processes all of it's movement client side and have determined some function to be of the type: bool __thiscall Player::CanJump(Player *this) that I have determined to be a member of the Player object's…

asked Nov 09 '19 at 00:13

ahoward

53
3

5

votes

0 answers

Radare2 8051 code bank switching

Some of 8051 chips use bank switching to extend accessible code memory. Good example is Silabs C8051F12x. Another example is here. Code area in range 0x0000..0x7ffff is common always accessible code bank. Upper side of code memory 0x8000..0xffff is…

asked Nov 05 '19 at 17:21

kimstik

159
6

5

votes

2 answers

Trace Method Calls in .NET/C# Binary

I have a heavily obfuscated Windows service binary. Fields, types and methods are renamed. While it is possible to decompile the binary using dnSpy, it is still very cumbersome to identify important/interesting locations statically. Is it possible…

asked Oct 22 '19 at 15:48

DucatiNerd

151
3

5

votes

1 answer

Undocumented Model-Specific Register on Broadwell Microarchitecture

I'm trying to reverse the BIOS of a machine to learn something. The bigger problem I'm facing is that during early initialization, the code is making heavy usage of MSRs, and most of the time, I found those not documented. In a specific point of…

asked Oct 04 '19 at 10:51

Alessandro

335
1
8

5

votes

1 answer

Can a debug-apk be reverse engineered to make it a release-apk?

I am making a system in which the users can create Android applications. I want them to give an option to download a debug apk so that they can try it out first. After that, they have to pay for it to get the apk in release mode, so that it can be…

asked Jun 10 '13 at 16:04

user187

5

votes

1 answer

Is it possible to view and modify process memory without attaching the debugger in x64dbg?

This functionality is available in Cheat Engine where the debugger won't be attached until you set a breakpoint or explicitly ask for the debugger to be attached. I've looked everywhere and couldn't find anything similar for x64dbg. It's very useful…

x64dbg

asked Sep 27 '19 at 20:47

l3240120

53
3

5

votes

1 answer

Simple C program disassembled with Ghidra

I am trying to figure out what is going on with my simple example programs, when I disassemble them with Ghidra. I am not sure whether this is some strange Ghidra behaviour or something that is set by default during compile time which produce a lot…

asked Sep 24 '19 at 13:09

Rebegin

87
2
6

5

votes

1 answer

__security_cookie for function pointers in Windows 10

I'm curious about this __security_cookie that I keep seeing all over the msvcp140.dll from my Windows 10 x64 (insider build.) Here's an example: Note that the address for indirect function call (or qword_18009FBD0) is taken somewhere from the…

asked Sep 24 '19 at 10:38

c00000fd

1,659
3
25
41

Most Popular