Highest Voted Questions - Reverse Engineering Stack Exchange

5

votes

1 answer

Need help identifying main processor for Roland synthesizer

I desperately need help figuring out the ic chips in this unit so I can view the firmware in ida pro. So the unit is a roland gr-55 guitar synthesizer and i'm trying to disassemble the firmware into assembly language, but I have no info on the…

asked Oct 02 '18 at 21:52

Dukes Mayonnaise

103
7

5

votes

0 answers

How do I perform concolic execution with Angr and collect constraints on input?

I have a program that takes a string (with some structure) as input. My aim is to collect information on what values each character in input is compared to as it gets parsed using concolic execution. What is the right way to go about it? My subject…

asked Sep 13 '18 at 13:01

Rahul Gopinath

151
2

5

votes

2 answers

Where can I find documentation for the name mangling scheme used by SunPro CC

I have a few SPARC binaries that have been compiled with what seems to be the SunPro CC compiler. The symbols in the binary are referring to a very early C++ implementation (pre-namespaces) and look like…

asked Sep 09 '18 at 11:44

John Källén

1,070
9
17

5

votes

1 answer

What kind of date stamp is this?

I'm looking at the OLK files created by Outlook for Mac, and these appear to be the date fields, but I cannot figure out what kind of binary dates they are. There are 2 values in one file (reversed from LE): DATE1: 41 C0 A0 72 E7 F5 F6 A9 DATE2: 41…

binary-format

asked Sep 07 '18 at 04:23

Matt Hovey

53
2

5

votes

0 answers

Instruction counting anti-debug

I recently came across this anti-debug technique being used in the wild. In The Ultimate Anti-Debugging Reference, the author wrote in the "Instruction Counting" section A debugger will interfere with the single-stepping, resulting in a…

asked Sep 03 '18 at 00:44

P. Private

180
3
14

5

votes

1 answer

How to avoid the load file dialog in IDA GUI

I would like IDA to remember my default load file settings instead of presenting the load file dialog on every start. The documentation says there is a -T command line switch that should take a 'file type prefix' argument and then not display the…

ida

asked Apr 24 '13 at 09:28

Ohajo Zanajo

103
2

5

votes

1 answer

How can you explore behavior in malware that is not being performed?

I have a malware sample that I know is acting as a bot and connects to a botnet. The problem is that it uses no known protocol that I am familiar with (it's IRC-like) and doesn't actually do anything until it is issued commands. How can I explore…

malware

asked Aug 12 '18 at 02:23

Jeremy

51
1

5

votes

1 answer

Passing a (string) argument via the return address?

I'm debugging an old PC BIOS and it has most of its constant strings interspersed directly with the code, like this: As the comment notes, the function putsc will take the string as its argument, finding it via the return address! After iterating…

asked Aug 05 '18 at 11:57

pesco

187
1
8

5

votes

1 answer

What is SCARE (Side-Channel Attacks Reverse-Engineering)?

When reversing smart-cards, the side-channel attacks are known to be quite effective on hardware. But, what is it, and can it be used in software reverse-engineering and how?

asked Apr 22 '13 at 19:24

perror

19,083
29
87
150

5

votes

1 answer

What's the meaning of dword_XXXX and offset dword_XXXX in IDA?

Consider the following code: In C++: SomeClass* globalPointer; // we don't know what it points to, but it's not null a pointer, it's initialized void someFunction() { globalPointer->someVirtualFunction(); } In IDA (inside someFunction): mov …

asked Jul 31 '18 at 14:41

anx199

175
10

5

votes

1 answer

Moving integer to xmm register

I was looking at a game code, and I saw the following: 0x171 mov [rbp-30],r12w .... 0x210 movups xmm0,[rbp-30] I am pretty sure that r12 is an integer here (equals 5). So, is it moving an integer to a float register at 0x171 using movups? I…

asked Jul 09 '18 at 15:53

sebastien finor

163
1
7

5

votes

1 answer

Is IDA pulling my leg - or can REX.W sometimes not be determined in static analysis?

NB: I normally dabble with disassembly (i.e. mnemonics) and only ever look at the raw opcodes when I can't avoid it. I have the following line of disassembly of a Windows x64 kernel mode driver, created by IDA Pro 7.1.180227: xor edx, edx Now I…

asked Jul 05 '18 at 14:16

0xC0000022L

10,908
9
41
79

5

votes

1 answer

Search strings in multiple files/processes/modules (x64dbg)

when you click String references in x64dbg, it only lists strings from current module/file. Is that possible to search strings in multiple (selected) files/modules?

x64dbg

asked Jun 29 '18 at 10:01

T.Todua

643
2
9
20

5

votes

1 answer

Import symbols containing strange characters

I am analyzing a macOS app with radare2, and the app depends on a number of Qt frameworks. When I printed out the import symbols of the app's main executable, the names of the frameworks' functions have strange characters in them. For example, if a…

asked Jun 29 '18 at 04:57

Thanh Bui

161
4

5

votes

2 answers

Why does an executable give an error when opened in $tool?

I have an executable that runs in the operating system, but when when I open it in $tool I get an error. What is going on?

asked Apr 18 '13 at 18:26

Vehm Stark

325
1
5

Most Popular