On the image you posted, the directory is a Qt build directory, not a source directory. The folder you showed contains some source files automatically generated by Qt, some compiled .o files and a linked binary, but not the original source code. If the authors didn't publish the original C++...
windows,security,reverse-engineering,exploit,aslr
You are correct, ASLR is little defense against a local attacker. It is primarily designed to thwart hard-coded addresses in remote exploits. Edit: Some details in my previous answer were incorrect, though the point above still stands. An ASLR-enabled DLL's base address is actually a function of both: (1) a...
assembly,reverse-engineering,x86-64,att
Unfortunately you seem to be missing crucial knowledge. You should revisit any material you might have; otherwise you won't have much luck with the rest of the assignment, which will actually involve some less trivial code. That said, the block you have quoted so far only does the following: int...
python,security,python-2.7,encoding,reverse-engineering
This line of C: unsigned long entropy = *((unsigned long *)buf + 2); should translate to entropy = unpack('I', buf[8:12]) because buf is cast to an unsigned long first before adding 2 to the address, which adds the size of 2 unsigned longs to it, not 2 bytes (assuming an...
debugging,assembly,executable,reverse-engineering,x86-64
You want to replace MOV [0x000000044AB9DA15],AL which is encoded as 88042515DAB94A (7 bytes) with MOV BYTE PTR [0x000000044AB9DA15],1 which is encoded as C6042515DAB94A01 (one byte longer). Try to use RIP-relative encoding. First calculate the difference between the target pointer and the offset of following instruction ($+instruction_size). If it is less...
c,assembly,x86,parameter-passing,reverse-engineering
You have correctly identified the critical region around 80485db. Let's work backwards from the strcmp call. It takes two operands to compare, they are put on the stack in the preceding two lines from the registers %eax and %edx. We can see %eax is the return value from fgets, which...
memory,assembly,reverse-engineering,intel,xor
The numbers displayed are all in hex and you have forgotten to use proper endianness. If the user input was ascii 1234 that means the memory contains the bytes 31 32 33 34. Since x86 is little endian, the operand 1234567 is byte sequence 67 45 23 01. Performing the...
I got a similar task to do for a couple of days, you just need to extend the FOSUserBundle User Entity with your UserEntity where you're going to add all the Columns you need that the BaseUser doesn't provide. use FOS\UserBundle\Model\User as BaseUser; /** * user * * @ORM\Table(name="user") *...
ios,objective-c,reverse-engineering,jailbreak,dylib
You're right about Entitlements.plist. Problem is very simple - MobileCal.app is using custom sandbox profile. There are actually many sandbox profiles in iOS, not just for AppStore apps. Many iOS system components use them. To know which one you need to look at the app's entitlements. More specifically, seatbelt-profiles key....
linux,format,executable,reverse-engineering,elf
Maybe you could get the position of the section header table and times it by the amount of entries and the entry size? Not entirely sure but that's my best bet.
variables,actionscript,reverse-engineering
Your attempt to solve the puzzle seems to have off-by-one errors. I defined a JavaScript function that should be semantically equivalent to ActionScript's substring function (I based it on the documentation I found here): var substring = function(str, a, b) { var len = Math.abs(b - a); return str.substring(Math.min(a, len),...
c,assembly,reverse-engineering,x86-64,conditional-statements
Don't overthink it. Just gradually replace the assembly with C. Here is a possible sequence of transformations. .LFBO pushq %rbp movq %rsp,%rbp movl %edi,-4(%rbp) movl %esi,-8(%rbp) movl -4(%rbp),%eax cmpl -8(%rbp),%eax jg .L2 movl -8(%rbp),%eax jmp .L3 .L2: movl -4(%rbp),%eax .L3: popq %rbp ret ---- int LFBO (int edi, int esi)...
assembly,64bit,reverse-engineering,nasm,yasm
I'm not sure what "enhance" is supposed to mean, but assuming the upper half of rax is zero, it sign-extends eax into rax. First, observe that adding 0x80000000 and then xoring with 0x80000000 would do exactly nothing to eax. They both invert the highest bit, and an even number of...
c#,.net,reverse-engineering,decompiling,dotpeek
Firstly you're breaking the licence agreement by trying to reverse engineer their code. f. Disassembly. You may not reverse engineer, decompile, disassemble or in any other way try to gain access to information regarding the construction of THE PRODUCT. This is because .NET allows for a whole lot more than...
java,linux,postgresql,tomcat,reverse-engineering
Use a decompiler like JD and send the .class or the .jar file you want/need to decompile. But note that you probably won't get the real exact code that generated those files, only a very similar representation of them.
python,datetime,struct,reverse-engineering
If you take the 8 bytes immediately before one of the doubles, and consider it as an integer (low-endian, like the double), then you get the following numbers: 635040567715583464 635040567741183464 635040567766783464 If you divide these numbers by 10**7, then you get the date as a number of seconds (and fractional...
ios,sockets,networking,bluetooth,reverse-engineering
The best way to get started analyzing the data is finding out where the actual data starts and where it ends. Disclaimer: I have zero experience with Bluetooth but let's give it a try. You have two types of captured packets: Empty PDU (some form of signaling?) and ATT. Searching...
assembly,x86,reverse-engineering,machine-code,ollydbg
Jump (or any instruction) is executed after the instruction is read and IP is incremented by the instruction's size (2 bytes) so the jump is relative to 2005FE38.
java,eclipse,eclipse-plugin,uml,reverse-engineering
StarUML is a good open source tool, I think it has what you desire.
windows,winapi,assembly,x86,reverse-engineering
Hmm, I can't see what exactly is wrong in your code. The fact you get a JMP instead of the code of your function is probably due to incremental linking. You shouldn't need to call VirtualProtect since you already have the right page protection flags. A possible way to get...
Set your headers without any quotes around the keys value: curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'Authorization:Token someToken', 'deviceId:someID', // ... all the other headers )); Instead of: curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'Authorization:"Token someToken"', 'deviceId:"someID"', // ... all the other headers )); If you use POSTFIELDS with a string body, you need to urlencode...
android,reverse-engineering,dalvik
There's no way to tell how many times an API call is made by just parsing the code. For example, how many times is foo() called?: public static void bar(int x) { for ( int i = 0; i < x; i++ ) { foo(); } } If you just...
c++,assembly,reverse-engineering,detours
I was able to reproduce the problem (only with detours 1.5 though), so I did some digging. It seems the problem is just that your detour function is empty. When you end your call by returning from another call, the compiler does a specific optimization: it doesn't call the...
php,xmpp,reverse-engineering,openfire,smack
Openfire stores the sessions only in memory and doesn't save them in the DB. You could create an openfire plugin, which provides the user sessions (e.g. over REST). Guide on how to create a plugin: http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/plugin-dev-guide.html SessionManager class you need: https://www.igniterealtime.org/builds/openfire/docs/latest/documentation/javadoc/org/jivesoftware/openfire/SessionManager.html ...
c,assembly,struct,reverse-engineering
In 32-bit mode, a pointer is 4 bytes, and typically aligned on a 4-byte boundary. So n + 12 is actually loading & n.next to %eax. e.g., if y is an unsigned short, there are 2 bytes of padding in the structure before next. movl 16(%eax),%eax is dereferencing with a...
reverse-engineering,windbg,disassembling,ida
You have disassembled the 32-bit Notepad in IDA. Did you open notepad.exe from system32? In that case IDA got the 32-bit version (since it's a 32-bit executable and so is subject to WoW64 filesystem redirection). The easiest way to "fix" this is to copy the file out of the system32...
c++,binary,64bit,reverse-engineering,hexdump
Our final workaround reads as follows: x=`hexdump -n 8 -e '2/4 "%08X " "\n"' {FILENAME} | awk 'BEGIN{printf "0x"}{print $2$1}'` echo $(($x)) Explanation for each part: Extract the eight bytes of the 64-bit integer value from file {FILENAME} as two four byte chunks printed as hexadecimal encoded values. hexdump -n...
dos,reverse-engineering,pascal,ida,disassembler
As far as I can recognize, this function encodes the file content by XORing it with the constant 0CDh, and then writes it to a buffer in memory.
I found out it works. I really had to create a context object for my application. For everyone who is looking for that, here is the code with which you can do this: Context context = (Context) XposedHelpers.getObjectField(object, "mContext"); context = context.createPackageContext(packageName, Context.CONTEXT_IGNORE_SECURITY); ...
c++,reverse-engineering,ollydbg
Well, I tried and it worked for me: I compiled the code with onlinecompiler.net, which uses mingw as far as I know. Here is the link to the executable. It may be a problem with your compiler, but neither gcc/mingw nor cl.exe are modifying hardcoded strings at compile time. Also,...
reverse-engineering,deobfuscation
I want to prevent client from reverse engineering my program, You can't prevent this fully when software runs on hardware that is not yours. To run the software, the CPU must see all instructions of the program, and they will be stored in the computer memory. http://programmers.stackexchange.com/questions/46434/how-can-software-be-protected-from-piracy Code is data. When the...
java,arrays,algorithm,sorting,reverse-engineering
This is a Radix Sort, limited to the least significant eight bits. It does not complete the sort unless you change the loop to go 32 times instead of 8. Each iteration processes a single bit b. It prepares a mask called p by shifting 1 left b times. This...
arm,reverse-engineering,embedded-linux,u-boot,buildroot
First of all, you do not want to replace U-Boot as this may render your device unbootable. On the U-Boot console, check if you can boot from the SD card mmc rescan 0; fatload mmc 0 ${loadaddr} uImage or from the network dhcp ${loadaddr} ${serverip}:uImage. You'll need to look for...
debugging,reverse-engineering,ollydbg
OllyDbg currently does not support debugging 64 bit apps, however the developer stated to start the development of a 64 bit version as soon as his free time allows him. For a 64 bit debugger, take a look at WinDBG.
c,binary,reverse-engineering,x86-64,elf
They are stripped in the output. Use -W [[email protected] osboxes]# readelf -sW /usr/sbin/httpd | grep get_open 540: 000000000027bfc8 8 OBJECT GLOBAL DEFAULT 24 ap_hack_ap_hook_get_open_htaccess 1039: 000000000027c040 8 OBJECT GLOBAL DEFAULT 24 ap_hack_ap_hook_get_open_logs 1072: 000000000003ffb0 8 FUNC GLOBAL DEFAULT 13 ap_hook_get_open_logs 1451: 00000000000404d0 8 FUNC GLOBAL DEFAULT 13 ap_hook_get_open_htaccess ...
sql-server,views,reverse-engineering,visio
You are probably using "wrong" data provider to reverse engineer the database, and that is the reason why views are disabled. There are some issues with Visio not being updated to support newer SQL server versions. Try the following: Start "reverse engineer" wizard Select Generic OleDb data provider (not the...
maven,reverse-engineering,hibernate-tools
I have tried hibernate3-maven-plugin version 3.0 <groupId>org.codehaus.mojo</groupId> <artifactId>hibernate3-maven-plugin</artifactId> <version>3.0</version> Unfortunately I had errors and I didn't succeed in making it work (the exception messages didn't help me much either). So I tried version 2.2 and it works perfectly, here is my pom.xml <build> <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> <artifactId>hibernate3-maven-plugin</artifactId>...
assembly,x86,gdb,reverse-engineering
That's basically doing: int array[6]; // at ebp-0x20 int *ebx = &array[2]; // lea -0x18(%ebp),%ebx int *esi = &array[6]; // lea -0x8(%ebp),%esi do { int eax = *(ebx - 1); // mov -0x4(%ebx),%eax eax += *(ebx - 2); // add -0x8(%ebx),%eax if (eax != *ebx) // cmp %eax,(%ebx) explode_bomb(); ebx++;...
java,sql-server,hibernate,netbeans,reverse-engineering
I finally found the way to solve this problem. It looks like the hibernate data types should be forced in some cases (I'm not sure what it depends on...), and in my case all string and/or text columns coming from SQL Server should be forced to java.lang.String, by...
memory,reverse-engineering,lldb
Thanks to @MarkPlotnick this works, mem read '*(int **)$r1' If you need to read a mem address at a certain offset, the following can be done, mem read '*(int **)($r1+4)' Tried and tested against Xcode debugging against ARMv7 and ARM64...
php,xmpp,reverse-engineering,openfire,smack
Change the system properties to store plain password in openfire server and encrypt the password (as per your need) before sending the password. To change the system property: Go to Server->Server Manager->System Properties Edit the property user.usePlainPassword and give the property value as true. ...
linux,kernel,reverse-engineering,x86-64,disassembling
decoding issue Then you have to look at the Intel Development Manuals ff is JMP opcode (Jump near, absolute indirect) [1] 24 is a ModR/M byte [2] which means that SIB byte goes after it (JMP opcode has only one operand, so register field is ignored) d5 is a SIB...
c,assembly,reverse-engineering,ollydbg
how do I follow the pointers in memory to see the data in memory? I think you should be able to just right-click on the pointer and choose "Follow in Dump". Then you can choose 4-byte layout in the dump and again follow the buf pointer via the same...
unix,reverse-engineering,code-injection,ram,dylib
Before you get started with reverse engineering you'll need more than a theoretical knowledge of the C language. Forget C++ for now, C is simpler and it's so low level that once you master it you'll understand how programs work under the hood. Get yourself a copy of The C...
c++,assembly,g++,obfuscation,reverse-engineering
Obfuscation will only help for the source code. The executable, with no debugging information, does not contain variable names or function names. The process of reverse engineering would involve: Converting the executable to assembly language code. Converting the assembly code to a high level language code. Making sense of the...
debugging,reverse-engineering,disassembling,ida
If you want to "watch for the value 'Error when trying to download (...)'" - then you'd probably find out that it is very complicated, resource heavy, although possible. You'd have to "trace" into every opcode that the processor executes and check wherever you need (e.g - the stack)...
reverse-engineering,checksum,crc,crc16
Here you go, in C: #include <stddef.h> unsigned crc16old(unsigned crc, unsigned char *buf, size_t len) { int k; if (buf == NULL) return 0xffff; while (len--) { crc ^= *buf++; for (k = 0; k < 8; k++) crc = crc & 1 ? (crc >> 1) ^ 0x8408 :...
windows,reverse-engineering,ida
IDA PRO is used mostly as a disassembler, for static analysis purposes. I'd suggest you use Ollydbg (or some other debugger, if you want to) because it is better suited to debugging purposes. I don't know if you can set a breakpoint on an API like that. But you can...
.net,vb.net,clr,reverse-engineering,cil
Because your original code is incorrect. It should be If ErrorCode = ProcessErrors.NONE OrElse ErrorCode = ProcessErrors.SUBSCRIBER_BUSY_FOR_MT_SMS Then ^^^^^^^^^^^^ You can't use OrElse to test if some value (ErrorCode) is one of two other values....
reverse-engineering,url-encoding
A java.lang.ArrayOutOfBoundsException caused by the Java backend of the page. This exception occurs when a java application is trying to access an element in a Java Array that does not exist. How and why exactly this occurs or how the url parameters are processed is impossible to say without having...
java,reverse-engineering,code-signing,keytool,jarsigner
Generally speaking signing includes the following steps: Create a hash value over the data to be signed Do a private key operation on the hash value The result ("the signature") can then be verified by anyone who has the public key. Usually the signature is packaged in a data...
generics,jpa,entity,reverse-engineering,generic-programming
I found that: AuditReader.getAuditReader().createQuery().forRevisionsOfEntity(EntityClass.class, false, true).getResultList(); to get All data of an Entity X in the Audit Table...
java,reverse-engineering,bit-shift
You can reverse it with : X = (config >> 6) & 0b11 Y = config & 0b11111; & 0b11 and & 0b11111 are bitwise operations. They respectively give you the last 2 bits and the last 5 bits of the number they are applied on. What about arbitrary lengths...
debugging,firefox,reverse-engineering,jit,disassembling
or something else is wrong with my understanding Yes: something else is wrong with your understanding. Sections (such as .text and .data) only make sense at static link time (the static linker groups .text from multiple .o files together into a single .text in the final executable). They are...
objective-c,c,static-libraries,reverse-engineering
First of all: Why do you need that? Obviously the author of that framework did not see any need for this and things can break, if a method is executed directly. However: Write a category on the receiver with that method and just do it. Objective-C binds dynamically, so this...
android,cordova,apk,proguard,reverse-engineering
You need to uncomment below lines from your project.properties file To enable ProGuard to shrink and obfuscate your code, uncomment this (available properties: sdk.dir, user.home): proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt Also, if you are using Webview with JS, uncomment following lines in proguard-project.txt and specify the fully qualified class name to the JavaScript interface...
assembly,x86,gdb,reverse-engineering
The $1 there is an immediate value, it's just the number 1. It's not an address. It's checking the return value of sscanf, that is the number of items processed. The converted values are of course placed in memory at the pointers that have been passed to sscanf as arguments....
You are going wrong with your initial assumption: As I cannot access the archive, my idea was to import the module and have it decompiled with uncompyle2. Uncompiling an already loaded module is unfortunately not possible. A loaded Python module is not a mirror of the on-disk representation of a...
linux,reverse-engineering,ar.drone
I don't know the answer to the first part of your question, but I can address the second part. Yes, the AR.Drone uses TCP and UDP for all communications between the drone and the controller app, including commands, telemetry and video. You can use a standard network sniffer, like tcpdump...
javascript,methods,reverse-engineering
That is a label, which is used as a target for break and continue statements. It is unrelated to the function argument with the same name. ...
c++,assembly,x86,reverse-engineering
Not sure where the data_ prefix comes from, but the ? is the standard marker of decorated (mangled) names and you can use the undname tool to decipher them: >undname [email protected]@@[email protected] Microsoft (R) C++ Name Undecorator Copyright (C) Microsoft Corporation. All rights reserved. Undecoration of :- "[email protected]@@[email protected]" is :- "const...
assembly,reverse-engineering,instrumentation,intel-pin
I was able to achieve my goal by using frida (http://www.frida.re). Very cool and powerful tool!
windows,security,reverse-engineering,pe,malware-detection
There are no fields or metadata within the PE/COFF format which give away any indication of a program's country of origin. The PE specification is available here: http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx - it does contain a timestamp field which should be set by the compiler, but this is easily forged. I understand (though...
security,pdf,reverse-engineering,acrobat,exploit
First of all, these objects look completely innocent. Secondly, the difference between direct and indirect objects is exactly what you would expect. If you look at the line: <</XFA 1 0 R >> That's the use of an indirect object. The object is defined elsewhere and in this dictionary it's...
pdf,adobe,reverse-engineering,malware,exploit
"Two xref tables and two %%EOF"? This alone is not an indication of a malicious PDF file. There can be two or even more instances of each, if the file was generated via the "incremental update" feature. (Each digitally signed PDF file is like that, and each file which...
As a reverse engineer, I wouldn't trust any "build date" type literal strings that you would find in the disassembly. What you want is the TimeDateStamp from EXE header (PE Header). If you go to http://msdn.microsoft.com/en-us/library/ms809762.aspx you can see a good guide on what information is located in this header....
Not very complicated and quite malicious if you ask me... the principle is to eval() that base64 encoded string, it doesn't look like something a user would like to happen. Just reverse the string and base64 decode it, here you go: if(function_exists('get_url_999')===false){function get_url_999($url){$content="";[email protected]_999($url);if($content!==false)return $content;[email protected]_999($url);if($content!==false)return $content;[email protected]_999($url);if($content!==false)return...
debugging,heap,reverse-engineering,windbg,heap-memory
Summary: heap entries are now encoded, the key is in the heap itself. Let's say I have a heap at 0x00d60000: 0:000> !heap -a 00d60000 Index Address Name Debugging options enabled 2: 00d60000 Segment at 00d60000 to 00d70000 (00001000 bytes committed) Flags: 40000061 ForceFlags: 40000061 Granularity: 8 bytes Segment Reserve:...
c,for-loop,assembly,reverse-engineering
In pseudo-code, this is: // ecx <- int *a; edx <- int val; eax <- int n; n = n - 1; if (n < 0) goto end; loop: if (a[n] != val) goto end; n = n - 1; if (n >= 0) goto loop; end: return; // return...
assembly,reverse-engineering,ida,ollydbg
IDA should have declared STRING to be a LOCAL variable with a value of -60h; look at the start of the function / procedure. ( 68 + STRING ) == ( 68 + (-60) ) == (68-60) == 8. It is the same as what OllyDbg shows. IDA's disassembly...
If the user has root, or he is able to use his custom kernel (or even kernel modules), he can do anything - dump memory, stop the process, attach a debugger - to start reverse engineering. If the user has access to the hardware, he also can get root or a custom kernel. The only way to...
encryption,reverse-engineering,ollydbg
You should open the file in a disassembler, find where it makes the call to IsDebuggerPresent and then ultimately closes the application (or shows an error or whatever); this piece of code you can NOP in order to disable the check. You can read the ASM code with disassemblers...
.net,cryptography,reverse-engineering,tripledes
Sorry, not fluent with VB. In C# encryption code could look like this: byte[] serial = { 2, 0x4e, 160, 0xc5, 0xfd, 0xe0, 0x99, 0xf6, 0x9d, 0xad, 0x7a, 0x2f, 0x16, 11, 0xa2, 0xa7, 220, 0x23, 0x9f, 0x3f, 230, 40, 0xc4, 0x5d, 0x36, 0x76, 0x88, 0xc3, 0x86, 230, 0x72, 0xd7, 0x5e,...
file,structure,padding,reverse-engineering
It seems to me that the number of 00 padding bytes should be calculated as follows: padding(num_bytes)=ceil(num_bytes/32)*32-num_bytes then we get for the first case padding(2*36) = 24 24 additional padding bytes (and 96 in total) and for the second case padding(36) = 28 28 additional padding bytes (and 64 in total)....