Highest Voted Questions - Reverse Engineering Stack Exchange

5

votes

3 answers

Finding a malware object inside PE file

Today my AV found an antique piece of malware called Win9X.CIH.dam. Instead of just removing it I would like to make a little research for fun. What does "data0513" exactly mean? I can't understand what the 0513 is. I suppose it's some kind of…

asked Jun 10 '18 at 23:28

Ian Smuga

51
1

5

votes

1 answer

How to simplify C++ standard template library in IDA?

I've a X64 DLL file which uses C++ standard library heavily. I've loaded the PDB symbol file in IDA and all the subroutines names sub_xxyz changes to std::xyz, which is as expected. But there are many subroutines, for example one name is like…

asked Jun 05 '18 at 19:19

Biswapriyo

1,569
1
16
34

5

votes

1 answer

Is there a way to explicitly connect r2pipe to an existing radare2 session that I have open?

I understand that I can execute my script within a session using [0x401000]> . server.py and the pipe will be connected to it when I call r2pipe.open() with no arguments. Ideally I would like to spawn a simple tcp server in python which waits for…

asked May 23 '18 at 17:18

Nux

133
6

5

votes

1 answer

How to specify stack-based return values in IDA Pro (GoLang)

tl;dr: I am reversing a GoLang 1.10 executable, compiled for Windows. I am trying to make IDA correctly recognize the calling convention. Details: I am looking at an x86 executable where the following (nonstandard) calling convention is used.…

asked May 17 '18 at 21:05

james

61
5

5

votes

2 answers

How can i add plugins in x64dbg?

I am trying to add 'xAnalyzer' plugin into it but after copying the files, I can't see it in debugger. Its installation instructions are not working.

asked May 12 '18 at 12:17

crotonain

51
1
1
2

5

votes

2 answers

IDA Pro: "File is apple protected"

I'm trying to disassemble Dock.app on macOS Sierra, and IDA is giving me this error message: What does this mean?

asked May 09 '18 at 21:32

tbodt

223
1
7

5

votes

1 answer

Why do many imported functions jump to addresses that do not contain instructions?

I am learning to analyze binaries using radare2 and have been confused about what occurs within imported functions. In the binary below, titled Lab2B, I statically disassembled the binary and then disassembled one of the imported library functions,…

asked May 08 '18 at 04:18

Darien Springer

225
2
7

5

votes

2 answers

What does XREF mean?

I have been learning about the x86 assembly language by analyzing a binary using radare2 that is stored on a Intel 80386 machine. When I have been analyzing functions on the binary, I noticed that "XREF" is repeatedly called from various addresses…

asked Apr 24 '18 at 04:55

Darien Springer

225
2
7

5

votes

2 answers

Game cheating: Pointers vs Static memory editing

Why do most hackers/modders use pointers instead of editing the static region of the game executable? For example I downloaded so many trainers and I can see most of them are using pointers. I prefer to set a break point on the value and track the…

pointer

asked Apr 20 '18 at 16:42

Cyb3r

157
9

5

votes

2 answers

Tracing function calls in x64dbg

I'm new with x64dbg and want to know if there is any way to get the trace of a functions inside a module? I've used trace over option, but basically it just traces all the insturctions but doesn't "step in" into a call statement. Here I found a way…

asked Mar 19 '18 at 19:29

Ojs

203
3
10

5

votes

2 answers

IDA 7.0 not recognizing plugins (Eg. ScyllaHide, IDAStealth)

The problem I'm facing with the latest version of IDA (as of now) which is 7.0 is that it doesn't recognizes plugins, not even adding them in its Edit > Plugins menu tho this was not happening in IDA 6.x versions for me. As an example, my good old…

ida

asked Mar 15 '18 at 19:43

Gas Can

51
1
1
6

5

votes

1 answer

How to identify SWD (Serial Wire Debug) pinout?

When trying to access firmware, JTAG and SWD can be really helpful to the reverse engineer. When looking at an unknown board/device tools such as JTAGEnum or JTAGulator are really helpful in identifying JTAG pinouts or pads. What techniques exist…

asked Feb 19 '18 at 18:25

pzirkind

437
1
5
9

5

votes

1 answer

How does this EB F2 x86 instruction work?

In the following code snippet, the EB F2 instruction is causing execution to jump back up to the line indicated by the arrow. How is this the case given that there is no address supplied to EB and the jmp is less than F2 away in terms of address…

asked Feb 15 '18 at 04:16

the_endian

1,860
17
39

5

votes

1 answer

Difference between 'readelf' and 'radare2' addresses

I have an MIPS binary file that I want to analyze. I am having a little trouble understanding the way elfread and r2 interpret the adressing scheme from a binary. For example, r2 finds a function named bcmVlan_setDefaultAction at the location…

asked Jan 17 '18 at 17:24

Fulcrum

53
3

5

votes

2 answers

Flare-ON#3: Problem understanding some parts in the program

I was trying the flare on challenge. When trying the challenge#3 I got into some trouble and could not solve it. After looking into solutions wrote by other I now do know how the program works, but i have confusion in the following line. mov …

asked Dec 31 '17 at 04:49

Nishan Maharjan

53
3

Most Popular