All Questions

3 votes
1 answer
874 views

How to resolve illegal instruction for this ARM stack exploitation?

Summary I am trying to write a stack overflow exploit for ARM Cortex-A72 running Raspberry Pi OS (32-bit). Because of my choice of OS, I am restricted to the ARMv7 (32-bit) instruction set. I have ...
asked by RosterPantyhose
4 votes
1 answer
757 views

gdb - searching for pointers to a given memory region

Let's suppose there is a memory region that is mmap'ed in memory; we need to find its address (which randomly changes because of ASLR) by following a pointer path. Basically, I'm trying to find a ...
asked by Redouane Red
3 votes
1 answer
2k views

Extract firmware images from COTS embedded devices

I am on the hook to collect some legacy firmware images from real-world embedded devices. Before digging into it, I am trying to confirm some high-level points. Is it in general possible to ...
asked by lllllllllllll
1 vote
0 answers
151 views

Using the AND operator to find a heap allocation size, Fermin's formula

I came across this technique, leveraging the HPA feature (Heap Page Allocator, known as PageHeap) in gflags from the Windows debugging tools, to find the size of a heap allocation: Let's say you have ...
asked by Steve (reputation 11)
0 votes
1 answer
631 views

How to find vulnerabilities in stripped binaries?

Do you just use tools like strace and a debugger to disassemble and find syscalls and then read the disassembly to find say for example a buffer overflow? Is that all you can do? I mean after all you ...
asked by user209343
7 votes
2 answers
377 views

Lego NXT Exploitation and Vulnerabilities?

First, I wasn't sure if I should post this on the Lego Stack Exchange site or here, and I decided this site had more to do with the question (I hope I don't get bad rep for this). OK, my friends and I ...
asked by Starwarsfan2099
4 votes
1 answer
744 views

Where to start with iOS debugging?

Long story short, I have always had a jailbroken device, I have written and ported multiple tools to iOS, and have a fair knowledge of Objective-C, ROP, and Linux exploitation. I have begun to take an ...
asked by Starwarsfan2099
1 vote
1 answer
336 views

iOS exploit hunting environment

Suppose I have a new iPhone 6s with the latest iOS, and I want to find vulnerabilities in iOS itself. The iPhone is not jailbroken. How do I set up the proper environment for this? What software and/or ...
asked by assp1r1n3
3 votes
1 answer
2k views

Use After Free - Example

Use After Free bugs are getting more severe these days. I'm planning to demonstrate Use After Free bug exploitation using VTable overwrite. So, I'm trying to create an ATL ActiveX Control which is ...
asked by john4tech (reputation 595)
4 votes
2 answers
1k views

gdb on FreeBSD and follow-fork-mode child

A long time ago I noticed that using set follow-fork-mode child in GDB on FreeBSD doesn't really work. This problem occurs very often with some challenges in various Capture The Flag contests. For ...
asked by 0xea (reputation 4,924)