Most Popular (1500 questions)
4 votes, 1 answer

How to format data exported from BinDiff?

I am using BinDiff 4.0 as a plug-in for IDA Pro 6.5. I know that it is possible to save the results as a .BinDiff file; however, is there a way I can format this into a more easily accessible file type? I have been searching for a solution for…
asked by user3119546
4 votes, 0 answers

funcap not capturing information in IDA debugger

I'm looking for ways to quickly triage applications when I'm reverse engineering, and I've been looking at solutions that have already been written before I write my own. I saw funcap (https://github.com/deresz/funcap/) mentioned in another question…
asked by Fewmitz
4 votes, 1 answer

PatchDiff2 Outputting results to a Text File

I have attempted working with BinDiff to compare files and save the output, but unfortunately I am unable to save it to anything other than a .BinDiff or .BinExport file type. To try and counter this problem I attempted using another IDA plug-in,…
asked by user3119546
4 votes, 1 answer

How do I extract this firmware file?

I need to extract this firmware file. I tried firmwaremodkit and binwalk. It finds two TRX headers, but I cannot open it (deleting the start in a hex editor and running untrx throws a segfault; fmk found nothing)... Interesting is the constant repetition of the sequence:…
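A scanner for the situation the question describes (several "HDR0" magics in one image, not all of them real headers) as an added example; this is not code from the question, from binwalk or from firmware-mod-kit. It assumes the classic 28-byte TRX v1 layout (magic, length, CRC-32, flags, version, three partition offsets) and that the stored CRC-32 is computed from the flags field to the end of the image with initial value 0xFFFFFFFF and no final inversion, as OpenWrt's trx tool does; both the layout and the CRC convention are assumptions here, and the sample image is constructed inline rather than taken from any real firmware. The point is that a magic match alone is not a header: verifying the CRC over the declared length separates real headers from a byte sequence that merely repeats inside a partition.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
# Assumed TRX v1 header: magic, len, crc32, flags, version, offsets[3] (little-endian, 28 bytes)
TRX_V1_HEADER = struct.Struct("<4sIIHH3I")


def trx_crc32(data: bytes) -> int:
    """CRC-32 as the TRX tools compute it (assumption from OpenWrt's trx.c):
    IEEE polynomial, init 0xFFFFFFFF, no final inversion.
    zlib.crc32 applies the final XOR, so it is undone here."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def find_trx_headers(image: bytes) -> list:
    """Report every 'HDR0' occurrence and whether it is a plausible header:
    declared length fits in the image and the CRC over [flags .. len) matches."""
    results = []
    pos = image.find(TRX_MAGIC)
    while pos != -1:
        if pos + TRX_V1_HEADER.size <= len(image):
            _, length, crc, flags, version, o0, o1, o2 = TRX_V1_HEADER.unpack_from(image, pos)
            fits = TRX_V1_HEADER.size <= length and pos + length <= len(image)
            # CRC covers everything after the crc32 field (header offset 12) up to len
            crc_ok = fits and trx_crc32(image[pos + 12:pos + length]) == crc
            results.append({
                "offset": pos,
                "length": length,
                "flags": flags,
                "version": version,
                "crc_ok": crc_ok,
                "partitions": [o for o in (o0, o1, o2) if o],  # offsets relative to header
            })
        pos = image.find(TRX_MAGIC, pos + 1)
    return results


def build_trx(partitions: list) -> bytes:
    """Constructed TRX v1 image from up to three partition payloads (test data only)."""
    assert 1 <= len(partitions) <= 3
    offsets, body = [], b""
    for payload in partitions:
        offsets.append(TRX_V1_HEADER.size + len(body))
        body += payload
    while len(offsets) < 3:
        offsets.append(0)
    flags, version = 0, 1
    total = TRX_V1_HEADER.size + len(body)
    covered = struct.pack("<HH3I", flags, version, *offsets) + body  # bytes the CRC protects
    return TRX_V1_HEADER.pack(TRX_MAGIC, total, trx_crc32(covered), flags, version, *offsets) + body


def demo_scan() -> list:
    """Constructed sample: two valid TRX images separated by 0xFF padding; the
    second one's partition happens to contain the bytes 'HDR0' as data."""
    trx_a = build_trx([b"LZMA-kernel" * 4, b"squashfs" * 8])
    trx_b = build_trx([b"HDR0 inside data, not a header" + b"\x00" * 40])
    return find_trx_headers(trx_a + b"\xff" * 16 + trx_b)


if __name__ == "__main__":
    for h in demo_scan():
        status = "valid" if h["crc_ok"] else "NOT a header (CRC/length mismatch)"
        print(f"HDR0 at 0x{h['offset']:x}: len={h['length']} partitions={h['partitions']} -> {status}")
```

On a real image, run find_trx_headers over the whole file and carve from each entry whose crc_ok is true; the partition offsets are relative to that header, which is why cutting the file at an arbitrary "HDR0" in a hex editor and feeding the remainder to untrx is fragile.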
4 votes, 1 answer

IDA debugging API's security

I recently saw funcap, a plugin that captures function calls made by a binary using IDA's debugging API. I have setup IDA on my host machine. My VMs aren't fast enough to run IDA in them. How do you run a plugin like this without having the risk of…
4 votes, 2 answers

Find the kernel structure that contains device name

I'm using WinDbg to try to enumerate drivers and their associated devices. Getting the driver name is very easy. It is found in the _DRIVER_OBJECT structure. Unfortunately, the _DEVICE_OBJECT does not contain the name of the device. Using the !devobj…
asked by ben_re
4 votes, 2 answers

Recompile the asm file IDA pro created

Currently I am trying to use IDA Pro to generate assembly code from a PE file and recompile it. Firstly, basically, I know this way: File -> Produce File -> Create ASM File, and it seems the asm file it generated cannot be directly recompiled. Second, use…
asked by lllllllllllll
4 votes, 0 answers

Finding the correlation of imported dll's and executable vad's of a process

The memory dumps I work with are from a Windows XP SP2 run inside a VirtualBox VM. I acquire the memory dumps with vboxmanage debugvm dumpguestcore --filename dump.vmem. Windows paging is disabled. My idea is to identify executable VADs that were…
asked by user3365
4 votes, 1 answer

What is 'standard' CRC-16?

The Linux source code has a routine for calculating CRC-16s. It's described as 'standard CRC-16', but doesn't have a formal name. It seems to be using a polynomial of 8005 but is otherwise…
asked by David Given
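The polynomial alone does not name a CRC: 0x8005 is shared by several catalogued variants that differ in bit order, initial value and final XOR. The added example below (not code from the question or from the kernel) implements the polynomial both ways so the two conventions can be compared on the same input. It assumes, from the kernel's lib/crc16.c table (which begins 0x0000, 0xC0C1, 0xC1C0, 0x0180), that the kernel routine is the reflected, LSB-first form with initial value 0 and no final XOR, the variant commonly catalogued as CRC-16/ARC; the MSB-first form with the same parameters is catalogued as CRC-16/UMTS (also called BUYPASS). The check string "123456789" is the conventional catalogue test vector.

```python
# Added example: CRC-16 with generator polynomial 0x8005 in both bit orders.
# Assumption: Linux lib/crc16.c corresponds to crc16_reflected (CRC-16/ARC).

POLY = 0x8005
POLY_REFLECTED = 0xA001   # 0x8005 with its 16 bits reversed


def crc16_reflected(data: bytes, init: int = 0) -> int:
    """LSB-first, init 0, no final XOR: CRC-16/ARC (assumed to match the kernel)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def crc16_msb_first(data: bytes, init: int = 0) -> int:
    """Same polynomial, MSB-first, init 0, no final XOR: CRC-16/UMTS (BUYPASS)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def make_table_reflected() -> list:
    """Byte-at-a-time table for the reflected form; entry 1 is 0xC0C1,
    which is what identifies the kernel's crc16_table as this variant."""
    table = []
    for n in range(256):
        crc = n
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
        table.append(crc)
    return table


def crc16_table_driven(data: bytes, init: int = 0) -> int:
    """Table-driven equivalent of crc16_reflected (the kernel's inner loop shape)."""
    table = make_table_reflected()
    crc = init
    for byte in data:
        crc = (crc >> 8) ^ table[(crc ^ byte) & 0xFF]
    return crc


if __name__ == "__main__":
    check = b"123456789"
    print(f"reflected  (ARC):   0x{crc16_reflected(check):04X}")
    print(f"table-driven:       0x{crc16_table_driven(check):04X}")
    print(f"msb-first (UMTS):   0x{crc16_msb_first(check):04X}")
    # With init 0, leading zero bytes do not change the CRC in either form.
    print(f"reflected of 3 zero bytes: 0x{crc16_reflected(bytes(3)):04X}")
```

Two things worth noticing when identifying an unknown CRC: a single byte 0x80 fed to the reflected form yields 0xA001 and a single byte 0x01 fed to the MSB-first form yields 0x8005, so one byte is enough to tell the bit order apart; and with an initial value of 0, any number of leading zero bytes leaves the CRC unchanged, which is why variants with init 0xFFFF exist and why "polynomial 8005" on its own is not a complete specification.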
4 votes, 1 answer

PE ImageBase presence in PDB

Is ImageBase of a PE binary present in its PDB or can it only be retrieved from the binary? I have studied both Microsoft's PDB sources and LLVM docs without much luck finding it. In the DBI stream there exist section headers with section RVAs, but…
asked by mimak
4 votes, 1 answer

Unexpected value present in IMAGE_THUNK_DATA array

I am attempting to understand the PE File Format and I have come across an unexpected value in the IMAGE_THUNK_DATA Array. Here are the file details: MD5: d82d3e003eb5c728d584e22ce7f36fbf File Name: ChromeSetup.exe Link:…
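The excerpt does not say which value was unexpected, so nothing below claims to explain that file. As an added example (not code from the question), here is a decoder for an IMAGE_THUNK_DATA array that handles the two things the format allows an entry to be: an RVA to an IMAGE_IMPORT_BY_NAME (hint + NUL-terminated name) when the top bit is clear, or an ordinal in the low 16 bits when the top bit (IMAGE_ORDINAL_FLAG, bit 31 for PE32 and bit 63 for PE32+) is set. For PE32+ the bits between the flag and the 31-bit RVA must be zero, and the decoder rejects anything else instead of silently misreading it; that is the check to apply before concluding a value is malformed, because the same array used as the IAT (FirstThunk) holds resolved virtual addresses once the loader or a bound import has overwritten it. The buffer is constructed inline with an identity RVA-to-offset mapping, which is an assumption standing in for a real section table.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 0x8000000000000000
RVA_MASK = 0x7FFFFFFF                # bits 30..0 carry the hint/name RVA
RESERVED_MASK64 = 0x7FFFFFFF80000000  # bits 62..31 must be zero in IMAGE_THUNK_DATA64


def decode_thunks(image: bytes, thunk_rva: int, is_pe32plus: bool) -> list:
    """Walk a zero-terminated IMAGE_THUNK_DATA array.
    Assumption: `image` is a flat buffer where RVA == offset (constructed data).
    Returns ("ordinal", n) or ("name", hint, "Func") per entry; raises on
    values that cannot be an unloaded import thunk."""
    if is_pe32plus:
        size, fmt, flag = 8, "<Q", IMAGE_ORDINAL_FLAG64
    else:
        size, fmt, flag = 4, "<I", IMAGE_ORDINAL_FLAG32
    entries = []
    off = thunk_rva
    while True:
        (value,) = struct.unpack_from(fmt, image, off)
        if value == 0:
            break  # terminator
        if value & flag:
            entries.append(("ordinal", value & 0xFFFF))  # bits 15..0 are the ordinal
        else:
            if is_pe32plus and value & RESERVED_MASK64:
                raise ValueError(f"reserved bits set in thunk at RVA 0x{off:x}: 0x{value:x}"
                                 " (already-resolved IAT slot or corrupt entry?)")
            name_rva = value & RVA_MASK
            (hint,) = struct.unpack_from("<H", image, name_rva)  # IMAGE_IMPORT_BY_NAME.Hint
            end = image.index(b"\x00", name_rva + 2)
            entries.append(("name", hint, image[name_rva + 2:end].decode("ascii")))
        off += size
    return entries


def build_sample_image(is_pe32plus: bool) -> tuple:
    """Constructed buffer: a hint/name table at RVA 0x100 and a thunk array at
    RVA 0x200 importing CreateFileW by name and ordinal 17, then a terminator."""
    image = bytearray(0x300)
    name_rva, thunk_rva = 0x100, 0x200
    struct.pack_into("<H", image, name_rva, 0x0123)            # hint
    image[name_rva + 2:name_rva + 14] = b"CreateFileW\x00"     # name
    if is_pe32plus:
        fmt, size, flag = "<Q", 8, IMAGE_ORDINAL_FLAG64
    else:
        fmt, size, flag = "<I", 4, IMAGE_ORDINAL_FLAG32
    struct.pack_into(fmt, image, thunk_rva, name_rva)           # import by name
    struct.pack_into(fmt, image, thunk_rva + size, flag | 17)   # import by ordinal
    return bytes(image), thunk_rva                              # zero terminator already present


def demo(is_pe32plus: bool) -> list:
    image, thunk_rva = build_sample_image(is_pe32plus)
    return decode_thunks(image, thunk_rva, is_pe32plus)


def demo_resolved_slot() -> str:
    """What an IAT slot looks like after the loader wrote a 64-bit address into it:
    the decoder refuses it rather than treating it as a name RVA."""
    image, thunk_rva = build_sample_image(True)
    patched = bytearray(image)
    struct.pack_into("<Q", patched, thunk_rva, 0x00007FFC12345678)  # constructed address
    try:
        decode_thunks(bytes(patched), thunk_rva, True)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("PE32 :", demo(False))
    print("PE32+:", demo(True))
    print("resolved slot:", demo_resolved_slot())
```

When reading from a real file rather than this flat buffer, map each RVA through the section table to a file offset first; reading the raw file at the RVA is a common source of "unexpected" values that are really just bytes from the wrong place.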
4 votes, 1 answer

Replacing a function in a 1995 Windows 32-bit binary using Frida causes crash

I am working with a 1995 Windows 32-bit binary compiled with Watcom, which uses the Watcom calling convention. I am trying to replace a simple string length calculation function in the binary using Frida. The decompiled version of the function…
4 votes, 2 answers

Malware analysis - Debugger hangs at HttpSendRequestA

I'm reverse engineering a malware that at some point tries to connect to http://api.ipify.org in order to get the IP address of the infected PC. I was able to replicate this behaviour with a small Python script, but for some reason, I can't get the…
asked by Luca D'Amico
4 votes, 0 answers

idapython: variable instruction references (def-use) for data flow analysis

Let's consider a code snippet: I can get disassembler variables:

    def get_function_vars(function) -> list:
        frameId = idc.get_frame_id(function)
        if frameId:
            varStruct = ida_struct.get_struc(frameId)
            if varStruct:
                …

asked by R4444
4 votes, 0 answers

How can I generate the function call graph (with API calls) of a .NET executable?

For native executables, I can use IDA to generate the function call graph (FCG) of that executable (which includes API calls as well; for example, function sub_xxx has an arrow to CreateFile, which means it calls that API). But FCG generation of IDA…
asked by OneAndOnly