All Questions
36 questions
0 votes, 0 answers, 45 views
How do I force IDA to reload PE Header and/or segments?
Introduction
I started analyzing an exe, added many comments, structs, byte patches, etc.
After 2 months of working on this file I used CFF Explorer to add a new section at the end of it called "....
3 votes, 2 answers, 297 views
Inspect executable binary similarity
I've found a company in China selling software that is clearly a copy of my own work. For context, this is actually a physical product that comes with an Ubuntu computer and the software pre-...
0 votes, 1 answer, 151 views
How to convert variable to struct member in IDA?
I'm working on a Windows program which is walking the PEB Ldr list. The related types are as follows:
struct LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks; // offset = 0, size = 0x10
...
2 votes, 1 answer, 153 views
What are latest research in reverse engineering?
I am searching for research papers related to reverse engineering between 2020 and 2022 but did not find good papers with the latest research in the direction of reverse engineering.
So, what are the latest ...
1 vote, 0 answers, 20 views
How to use IDA Pro to convert a batch of binary PE files into assembly code? [duplicate]
I have a batch of binary PE files, and I want to convert them into assembly code using IDA Pro. Do you know an IDA command/plugin to automatically convert all of them?
1 vote, 0 answers, 114 views
In IDA is there a way to load the PE headers after the initial loading?
This question is loosely related to this one. So I know of manual loading and how to achieve loading the PE headers using it.
But suppose I have already worked on an IDB for a while and realize that ...
0 votes, 0 answers, 272 views
How can I reconstruct a full PE from a memory injected PE that only has IAT + sections content?
I have an injected PE (kernel mode rootkit to be exact) that only has the IAT table, which basically only stores the addresses of some kernel functions in an array which is referenced inside its code, ...
1 vote, 2 answers, 468 views
How do I find where in the code a particular Windows Resource is used?
I'm trying to reverse engineer a Windows program. Using PE Editor, I find that the string in question - which I'm interested in - has got id 2820. The string is in this format: "Some text, some ...
-1 votes, 2 answers, 977 views
Parse offset to PE struct
I'm trying to make my idb prettier. I want to parse the offset to PE structure. Here is some example:
I want to parse (module + 60) to (module_base->e_lfanew) but when I change the type of module_base ...
0 votes, 1 answer, 104 views
Expanding .data section at particular area
I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to ...
0 votes, 1 answer, 2k views
idb file and IDA
I've just received from a friend a *.idb file concerning the PE file I'd like to disassemble in IDA. What is the file and how can I load/use it with the exe linked with it in IDA?
0 votes, 2 answers, 719 views
PE file code starting address
When I load an exe in IDA the assembled code always starts at 00401000 address. Does it mean that in PE files the code always starts at that specific address?
2 votes, 2 answers, 3k views
Hex-Rays not properly showing strings
Here's the difference between Hex-Rays and the debugger:
Note that I've synchronized the views, so they are showing the same operations in both the debugger and the decompiler. I've tried Edit -> ...
4 votes, 2 answers, 2k views
How can I get xrefs to class member variables in IDA?
I'm working on a decompilation of a Windows PE (with its full debug symbols in a PDB) and I'm using IDA to help with it.
I want to know how I can get a list of all references to a given class member ...
2 votes, 0 answers, 265 views
What is the meaning of call ds:ApiName[registry*constant] in IDA .asm files?
I have a dataset of .ASM files generated by IDA (don't have the corresponding file)
And there are a lot of calls like this:
.text:00637114 5F pop edi
.text:...