Most Popular
1500 questions
22
votes
3 answers
Anti-debug techniques on Unix platforms?
I am trying to scan all possible techniques to disrupt the usage of a debugger on a Unix platform (i.e. POSIX and a bit more).
I am thinking about techniques such as the PTRACE test at the beginning of a program (or at various points of its…

perror
- 19,083
- 29
- 87
- 150
22
votes
3 answers
What are the qualitative differences in reverse engineering x64/Win64 code versus x32/Win32 code?
Many professional reverse engineers spend their days looking at 32-bit code compiled for Windows, and familiarity breeds proficiency. What are the high-level differences between reverse engineering 64-bit Windows programs versus 32-bit ones?
I am…

Rolf Rolles
- 9,198
- 1
- 23
- 33
22
votes
1 answer
How to dump flash memory with SPI?
Often flash memory is connected via SPI (Serial Peripheral Interface Bus) to a processing unit like an ARM core or a micro controller.
How can one dump the memory?
Can there be protection mechanisms?
Are there pitfalls to avoid?

samuirai
- 3,079
- 4
- 23
- 37
22
votes
3 answers
Detecting tracing in Linux
Under Linux it's possible to trace exactly the kernel system calls with strace.
ltrace can be used also to trace library calls.
I wonder if it's possible to detect if my executable is running under strace or ltrace?
Here's an example of the output…

Mellowcandle
- 4,795
- 6
- 34
- 47
21
votes
4 answers
OllyDbg vs x64dbg - Does OllyDbg have any particular advantage over x64dbg?
OllyDbg was nice in the past, but its development stopped a decade ago and the x32dbg/x64dbg era came.
However, some people still use OllyDbg. Are there any reasons to still use the old OllyDbg? Doesn't x32dbg/x64dbg cover all needed things?

T.Todua
- 643
- 2
- 9
- 20
21
votes
1 answer
Windows Wiki : Books and Tutorials
This post is for collecting all the best books and tutorials that exist dealing with Windows-specific reverse engineering techniques and concepts. The content will be added to the Windows wiki. Any suggestions of books and tutorials should be added…

Mellowcandle
- 4,795
- 6
- 34
- 47
20
votes
4 answers
Set a breakpoint on GDB entry point for stripped PIE binaries without disabling ASLR
Given a position-independent, statically-linked, stripped binary, there does not appear to be a way in GDB to set a breakpoint at the entry point without disabling ASLR.
break start and similar functions do not work, because there is no symbolic…

Zach Riggle
- 2,337
- 1
- 16
- 28
20
votes
2 answers
Why are GOT and PLT still present in Linux static stripped binaries?
I am looking at a statically linked Linux x86 stripped binary. I noticed that there are .got and .plt sections.
I wonder what a statically linked binary needs .got and .plt sections for? Anyone?

daehee
- 603
- 1
- 6
- 7
20
votes
1 answer
How do you search for unicode strings?
In all versions of IDA, I can't seem to be able to search for unicode strings. When reversing programs, I constantly see unicode strings that could have really helped if I could see them in the strings window, but I can't. Anyone have a solution?
user24091
20
votes
10 answers
Determining if a file is managed code or not
How can I quickly tell if an EXE or DLL I have is managed code or not?
I spent some time recently trying to disassemble a file and then later learned through some traces in the code that I could have skipped all that work and just used ILspy. How can…

Jannu
- 373
- 2
- 6
20
votes
2 answers
What techniques are used in reverse engineering a serial protocol?
I'm working with a small public transit agency on a neat open-source project that will help us to offer realtime data to local developers. A key piece of data we need is the current bus route a given vehicle is on. Currently, there is only a single…

drewbug
- 419
- 4
- 7
20
votes
4 answers
How common are virtualized packers in the wild?
I'm just getting into the RE field, and I learned about virtualized packers (like VMProtect or Themida) in a class about a year ago. How often is malware in the wild really packed with virtualized packers, and what is the state of the art in…

Andrew
- 413
- 4
- 8
20
votes
1 answer
What is the state of art in LLVM IR decompilation?
LLVM IR is a fairly high-level, typed bitcode which can be directly executed by LLVM and compiled to JIT on the fly. It would not surprise me if a new executable format or programming language was designed directly on top of LLVM, to be executed as…

nneonneo
- 1,283
- 10
- 15
20
votes
2 answers
Managing inputs for payload injection?
I am looking for a complete list of the ways to inject a payload in a vulnerable program in a Unix (Linux) context depending on the inputs opened by the program.
I know that there are several tricks and tips but an exhaustive list would definitely…

perror
- 19,083
- 29
- 87
- 150
19
votes
2 answers
How to predict address space layout differences between real and gdb-controlled executions?
It's something that has puzzled me for a long time. I can observe that there is a difference between the real execution of a program and the gdb-controlled one.
But, here is an example:
First, here is the example code (we use an automatic variable to…

perror
- 19,083
- 29
- 87
- 150