Most Popular (1500 questions)
4 votes, 2 answers
adding instructions in IDA
I noticed that you can't simply add an instruction in IDA. Yes, you can modify one, but not add one (maybe there is such a feature? Can't find it, though). So I used HxD to forcibly increase the PE binary where I wanted with nops to then change the nops…

asked by savram

4 votes, 1 answer
Some help with sprite graphics
I am trying to get the sprites from a game from 1997 called Swing (US: Marble Master). The file is called NORMAL.SET and contains a set of sprites. There is an executable named SHOWSET.EXE that displays the entire set after printing a number on each…

asked by Daniel

4 votes, 2 answers
finding an RC4 encryption function in obfuscated assembly code with no symbols
RC4 encryption is quite basic and its pseudo-random generation algorithm is given on Wikipedia.
When looking for a hashing algorithm like MD5 or SHAx it is pretty simple to look for the hashing constants in the code; for example, to find the MD5 code…

asked by 0xAK

4 votes, 2 answers
Looking for specific text in an EXE file
I want to find a specific string in the EXE file, but when I open the EXE file with OllyDbg and search for All Referenced Strings I get a bunch of texts in the comment area which look like this:
ASCII…

asked by FreeMind

4 votes, 5 answers
Making an application load a DLL at start
I've added some functionality to an existing application which works through DLL injection: my DLL loads and patches some stuff.
I would like it to be added to this application permanently so I don't have to inject it manually every time. I know…

asked by larw

4 votes, 2 answers
Purpose of NOP immediately after CALL instruction
There are a lot of
... code ...
call sub_...
nop
... code ...
patterns in an executable dump I am working on. They appear in the middle of subroutines and I believe they don't serve alignment purposes. I am curious about the origins of this…

asked by uranix

4 votes, 1 answer
Unload plugin without closing the .IDB?
IDC has a RunPlugin() function, but there seems to be no way to unload a plugin explicitly. I searched high and wide, including the Hex-Rays forums, but found no answers. And judging by this post I'm not the only one.
At the moment I'm trying to…

asked by DarthGizka

4 votes, 1 answer
What is the benefit or reason of using a static disassembler over a dynamic disassembler in terms of malware analysis?
I know that
Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.
while
Static program analysis is the analysis of computer software that is performed without…

asked by MalwareTeachHead

4 votes, 0 answers
Well-known JSON obfuscator that puts the string "Salted12" in front of obfuscated files?
I have an application that pulls some JSON definition files from the internet. In former versions of the application, these files were genuine JSON files; now, in a later version, they seem to be encrypted/obfuscated. The files that get downloaded…

asked by Guntram Blohm

4 votes, 2 answers
IDA segmentation problem
In the program I'm trying to reverse engineer, originally IDA only created three segments: CODE, DATA and .idata.
Using the information from the compiler source code (http://pastebin.com/ParJ3683 lines 30-78), I determined that in fact DATA was…

asked by Skynet

4 votes, 2 answers
Real PE32(+) entry point - is it documented anywhere?
Microsoft documentation gives WinMain() as the entry point for a Windows program, but unlike DllMain() it seems to be a pure fiction arranged by the compiler-provided startup code.
I've looked at the output of a few Win32 compilers (32-bit and…

asked by DarthGizka

4 votes, 1 answer
How to rebase IDA to match GDB
I would like to debug my ELF file on Linux using GDB and follow the disassembly in IDA. Is this possible? And if it is, how would I rebase IDA to match GDB?
Thanks!

asked by Hugo Kiiski

4 votes, 1 answer
Protect a key from being recovered by decompilation
I work at a game editor that develops an online game. In our endless struggle against bots (which have negative impacts on server performance, the game economy, the game experience, ...), one of our weapons for detecting bots is to send a signed AS3 bytecode…

asked by Kriss

4 votes, 2 answers
Hints for reverse engineering Qt software
I am facing a bit of a problem reversing a Qt application with OllyDbg or IDA.
This software uses a protection scheme to identify the number of clicks made on a QList. After a random number of clicks on list rows it replaces the content of the…

asked by itseeder

4 votes, 2 answers
How to extract N150R firmware from a .img file
I'm trying to mount an img file for my wireless router firmware but I can't seem to do it successfully.
When I run the file command on that .img it returns the following:
$ file file.img
file.img: data
When I try to use mount on it I get the…

asked by RNikoopour