Most Popular
1500 questions
19
votes
7 answers
Are there ready-to-go reverse engineering VMs?
In computer forensics & pentesting, there are live CDs that have a bunch of tools installed. This makes it easy to boot a machine and have a variety of tools for examining the HDD (for example).
Are there VMs or live CDs with a bunch of RE tools…

EfForEffort
- 638
- 7
- 12
19
votes
3 answers
In IDA, is there a way to add a reference to a dynamically imported function into the Imports tab?
The title says most of it. Say I have a Windows PE (x86, 32bit) binary (just so we have a case to discuss), the imports list will usually only show the imports found in the import directory. The attributes it shows are address of the function, name…

0xC0000022L
- 10,908
- 9
- 41
- 79
19
votes
3 answers
Is it possible to access the higher part of the 32-bit and 64-bit registers? If so, which ones?
I don't know whether this is a silly question, but I couldn't find any answer.
With the evolution of CPU architecture, register size was extended, from 8, to 16, 32, and eventually 64-bit. I was wondering whether there was any way to access the…

Yuriko
- 295
- 1
- 2
- 7
19
votes
8 answers
How to detect a virtualized environment?
What are the different ways for a program to detect that it executes inside a virtualized environment? And, would it be possible to detect what kind of virtualization is used?

perror
- 19,083
- 29
- 87
- 150
19
votes
4 answers
What is an "opaque predicate"?
I saw the term opaque predicates several times in obfuscation papers. As far as I understand it, it refers to predicates that are hard to evaluate in an automated manner. Placing it at strategic points of the program (jmp, test, ...) can…

perror
- 19,083
- 29
- 87
- 150
19
votes
3 answers
Are there any tools or scripts for identifying compression algorithms in executables?
I know there are tools for identifying common ciphers and hash algorithms in code, but are there any similar scripts / tools / plugins for common compression algorithms such as gzip, deflate, etc? Primarily aimed at x86 and Windows, but answers for…

Polynomial
- 1,272
- 2
- 12
- 21
19
votes
4 answers
Determine Encryption Algorithm
I'm analyzing some software that appears to encrypt its communications over the network, but it does not appear to be SSL. How can I easily determine what encryption algorithm it's using, and maybe find the key?

omghai2u
- 758
- 1
- 6
- 11
19
votes
1 answer
What is the protocol for x87 floating point emulation in MS-DOS?
I'm trying to get useful results using the Reko decompiler on a dusty old MS-DOS binary compiled with Borland C++ that appears to be performing a lot of floating point arithmetic. I'm seeing code sequences like
mov ax,0x4D8C ; segment…

John Källén
- 1,070
- 9
- 17
18
votes
4 answers
Converting assembly code to C
I have the following assembly code on a Linux distro:
# using the .data section for write permission
# instead of .text section
.section .data
.globl _start
_start:
# displaying some characters for watermarking :-)
xor %eax,%eax #…

MLSC
- 331
- 1
- 2
- 7
18
votes
4 answers
Checking if an .exe is actually a .jar wrapped in an .exe
Let's say I have a .jar file and wrap it into a .exe using any number of free utilities out there, like JSmooth.
Would it be possible to tell, given just the .exe, if it was generated using one such utility from a .jar file?

APerson
- 917
- 2
- 9
- 25
18
votes
3 answers
Which IDA Pro Signature should be used for Borland Delphi 6.0-7.0 binaries as reported in PEiD?
I am currently reverse engineering a binary written in Borland Delphi 6.0-7.0 as reported by PEiD. Is there a recommended signature to use when looking at this binary in IDA Pro? I am currently using the bds signature. Thanks!

b_r0g
- 191
- 1
- 1
- 5
18
votes
1 answer
What does the assembly instruction 'REPNE SCAS BYTE PTR ES:[EDI]' do?
I disassembled a file with OllyDbg and it had the following instruction:
REPNE SCAS BYTE PTR ES:[EDI]
What exactly does that mean?

aclowkay
- 413
- 2
- 4
- 7
18
votes
3 answers
What are nullsub_ functions in IDA?
In nearly every disassembly created by IDA, there are several functions that are marked nullsub_ which, according to IDA, return nothing (just a ret instruction).
So, what are those and why are they in the database?

PhoeniX
- 3,052
- 16
- 30
18
votes
1 answer
How to re-analyse a function in IDA Pro?
I am working on an obfuscated binary. IDA did a pretty good job distinguishing code from junk. However, I had started messing around with a function, changing from code to data and vice versa, and completely messed the function up and destroyed the way…

PSS
- 3,088
- 1
- 21
- 35
18
votes
2 answers
Is it possible to get python bytecode without using co_code?
I posted this a while back on stackoverflow (too old to migrate though).
Say I am in the python interpreter and define a function as follows:
def h(a):
    return a
If I want to look at the bytecode (not a disassembly using dis), I can typically use…

mikeazo
- 1,072
- 8
- 16