All Questions

0 votes
0 answers
54 views

Executable Opcodes of Windows Image File Seem Offset from My Calculations

Background: I'm trying to manually disassemble a practice executable file for practice. https://github.com/stryker2k2/dbg-demo/blob/master/assem/assem_0x00.asm Issue: When I take a look at what I ...
Liam Hanrahan
2 votes
0 answers
58 views

How to obtain import name from disassembled assembly

I'm trying to create my own tools for reverse engineering PE. I have some assembly code that I fetched from a clone of objdump for a program. Sometimes I see call instructions such as: callq *...
onerom (21)
1 vote
1 answer
820 views

Disassembly call function offset from RIP

I am writing a program where I map an .exe PE file in memory and I "dissect" it. I am disassembling the .text section of the target executable, using the distorm disassembler. CALL ...
servo (31)
0 votes
1 answer
104 views

Expanding .data section at particular area

I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to ...
daedsidog
2 votes
1 answer
266 views

Garbage Assembly Code Generation at random offsets

Recently I've been working on a project. The main purpose of the project is to generate statically undetectable PE samples. Where each time one generates a PE sample, each generated sample is going ...
rustam Shirinov
1 vote
1 answer
597 views

What is physical address in a PE reader?

What is the physical address in a PE file? I have searched the Microsoft website articles about PE files and haven't found anything.
Loliconaoquadrado
-1 votes
1 answer
1k views

Best way to find the entropy of an EXE file?

I want to write a script to extract the entropy of each section of an EXE file. What is the best tool that I can use to do this? I tried Ghidra but it doesn't have an entropy API which I can use.
Sajjad Zulphekari
1 vote
1 answer
439 views

How to find DOS Header and PE Header with an entry point in Radare2?

I am currently doing byte extraction from PE files using Radare2. I know how to find the byte sequence for DOS Header and PE Header when there is no entry point and the start is defaulted to 0x0. But ...
Gavin Wong
0 votes
0 answers
29 views

Understanding obscure function names [duplicate]

I have seen functions like this before in disassembly but don't have a clue what they are. Their names are extremely confusing. Would someone be able to explain what these are?
Chase Opsahl
1 vote
1 answer
407 views

Adding a static variable to Windows DLL

I'm trying to patch a function in a Windows x86 DLL, however it turned out that I need a static variable to store some state that wasn't correctly preserved by the original executable across calls. I ...
Hai Zhang (111)
1 vote
1 answer
195 views

Static Offset in PE

I am making a crackme that gets hexadecimal values and converts them to ASCII to get the password. The problem is I use a part of code in the main function to search the opcodes from the .text section ...
jame (111)
3 votes
2 answers
2k views

Disassembling at a memory address

I started to use radare2 to debug a PE file because it stops working as soon as I run it. When I attach my debugger and continue execution to the point where the exception is thrown I get a memory ...
Hooga (33)
3 votes
3 answers
2k views

Exports that redirect to another library

I'm writing an analog of the GetProcAddress function. When looking inside the export table I see exports like this in advapi32.dll, for example: .text:4C362BAA aEventregister db 'EventRegister',0 ;...
CrispyCrunchyStuff
6 votes
1 answer
5k views

(bad) opcodes of objdump

I'm trying to write my own disassembler for PE, PE+ and ELF executables but I'm stuck with a big problem on PE and PE+ executables. I'm checking my work by comparing my output with objdump, and I ...
Efe Can (85)
1 vote
1 answer
876 views

Suppress IDA welcome dialog in batch mode

I try to disassemble a bunch of PE files with the free version of IDA. However, I can't figure out how to suppress the initial welcome message. My batch command looks like this: "C:\Program Files (...
knx (1,257)