
Questions tagged [static-analysis]

Static analysis is the analysis of code without actually executing it. This is in contrast to dynamic analysis, which executes the code.

1 vote
0 answers
53 views

So I am targeting an arm64 Mach-O dynamic library (.dylib), and I want to patch a specific objc method using nops. Here’s the view from binary-ninja: As you can see, the name of the method is ...
Rage Kill's user avatar
1 vote
0 answers
67 views

I am developing a static analysis automation tool to help me on CTFs. It would be nice for me to discover from where a certain argument of certain functions is coming from (does it come from a ...
gcsar's user avatar
  • 11
1 vote
0 answers
58 views

I'm patching an old game, and I want to retrieve the toggle fullscreen functionality it's supposed to have. In the menu, in the display tab, there is a disabled option of fullscreen mode that you can ...
Yair Derry's user avatar
5 votes
1 answer
687 views

I'm working on a disassembly of an old DOS game. (Real old: 16-bit, real mode.) The bulk of the game is in a large resource file of mixed binary and data; the executable basically just loads a chunk ...
Peter Malamud Smith's user avatar
2 votes
0 answers
139 views

I am using Ghidra to build the function call graph of a method in java and therefore I am analyzing the bytecode of java and when I read an "invoke" instruction I have to go back to the name ...
alelib's user avatar
  • 21
2 votes
0 answers
61 views

I'm doing binary analysis based on Control Flow Graph (CFG). I'm supposed to get the APIs from every block in the CFG. I'm finding it very difficult to do so using Angr as I don't have enough grip on ...
okokok hack's user avatar
1 vote
0 answers
120 views

I hope there is a proper way to fix my issue. Here's memory layout: .data:004F3D10 char * * gTownObjNames dd offset aMage ; DATA XREF: townManager::SetupTown(void)+245↑r .data:004F3D10 ...
mastermind's user avatar
2 votes
1 answer
606 views

I am a new master's student in CS. I am into the computer systems domain. I was just thinking of analyzing a statically linked binary to get a sort of database of system calls made in the binary and ...
Abhishek Ghosh's user avatar
2 votes
0 answers
288 views

I reverse engineered libil2cpp.so using ghidra. I found these lines of code in a function in the decompiler view: UnityEngine.PlayerPrefs$$GetInt(*(undefined4 *)(*(int *)(Class$ItemPref + 0x5c) + 8),5,...
hanan's user avatar
  • 309
1 vote
1 answer
340 views

I am trying to understand a piece of code, working on a C166 MCU. IDA correctly loads and displays the disassembly. Below is the code snippet I am trying to analyze. I don't understand the following ...
C0DER's user avatar
  • 61
1 vote
2 answers
251 views

I'm trying to identify the rating algorithm used to calculate the displayed average of a 1 star to 5 stars rating system. To analyze the data I collated the first and last 1000 ranks and added the ...
madlen's user avatar
  • 11
3 votes
1 answer
708 views

When I'm looking in a vtable structure in IDA Pro, I know that ___cxa_pure_virtual means that the function is virtual. But what does nullsub_XXX mean in a vtable structure?
vtable's user avatar
  • 183
1 vote
0 answers
396 views

I'm trying to prettify a representation of Pascal-string "Could not access file "" in Hex-Rays decompiler's output. As you can see below, now its type is char[25] due to inclusion of ...
AquaRegia's user avatar
0 votes
1 answer
259 views

While looking at that old game I've found a class CStr that is used in an unusual (to me) manner. Most of the times a member of CStr is used, it's done as follows. In both cases, this is a CStr *. ...
mindoverflow's user avatar
0 votes
2 answers
406 views

I'm attempting to dissect/disassemble a windows PE file under Linux using objdump. On surface analysis, the .code section was disassembled to : tmp.exe: file format pei-i386 Disassembly of ...
ewokx's user avatar
  • 135
3 votes
1 answer
211 views

I need to determine if the function has exception handler via static analysis. Initially I thought that if there's SEH handler prolog in the function, then the function should have try /catch. I.e. I ...
Anton Kukoba's user avatar
  • 1,870
2 votes
1 answer
578 views

I'm currently trying to reverse engineer the decryption algorithm for an old online game, using a chat message packet, as it contains text which is easily recognizable. I used a packet sniffer to get ...
HealYouDown's user avatar
1 vote
1 answer
243 views

I'm reversing my C array's programs where I'm storing numbers in arrays like this... int marks[5]; marks[0] = 1; marks[1] = 3; marks[2] = 2; marks[3] = 7; marks[4] = 9; so the compiler showing me the ...
Ramesses II's user avatar
2 votes
1 answer
549 views

While I'm trying to disassemble my own C code I am stuck in a problem of not understanding how this Switch statement is implemented in assembly code. Can anyone please help to figure it out? This the ...
Ramesses II's user avatar
0 votes
0 answers
741 views

I am working with a crackmes binary called Simple Overflow. It has two buffers with sizes 0x10 and 0x8, and it uses malloc to allocate two contiguous memory blocks (see <+25> and <+39> on ...
Ronald Rivera's user avatar
0 votes
1 answer
205 views

Sorry if this is a dumb question, I'm new to assembly. Basically I want to modify a function in a .exe file to return with a different data, but my issue is that the memory location of the data segment ...
Sejt's user avatar
  • 3
1 vote
2 answers
245 views

I am trying to automate analysis of instructions within exported functions for a .DLL and need to be able to lift the first few instructions for the entry point of each exported function statically ...
oso's user avatar
  • 11
1 vote
1 answer
393 views

I have recently been working on a Tricore processor, but I have some problems with reading memory values. I do not know if I am right or not, but I think a part of flash memory is copied to RAM and now in my algorithm ...
Unicornux's user avatar
  • 149
2 votes
0 answers
51 views

Preface: This question is about source code reverse engineering and static analysis. Meaning, there is no built code available but I have access to the source code of the program. Imagine I'm looking ...
the_endian's user avatar
  • 1,890
0 votes
1 answer
979 views

I am learning more about binary exploitation on Windows. But I saw while reversing a binary that you can create static binaries in Windows too, just like in Linux. It was really ugly. If I would be on ...
lucky thandel's user avatar
