Questions tagged [memory]
Part of the computer used to store data and code. Can refer to questions about both live memory investigation and ROM investigation.
238 questions
0 votes | 0 answers | 17 views
HPE Gen10 SmartMemory Authentication Bypass: Need help identifying the secondary Digital Signature/HMAC in SPD
I am currently engaged in a deep reverse engineering challenge concerning the HPE SmartMemory authentication mechanism used in ProLiant Gen10 servers (specifically tested on a DL380 Gen10).
The goal ...
2 votes | 1 answer | 103 views
What happens to the remaining virtual address space after loading the VirtualSize of a section into the memory?
So I saw in the Microsoft docs the following stated regarding the PE section header:
VirtualSize: The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, ...
0 votes | 0 answers | 123 views
Can the RK3588 CPU DDR memory training blob be reverse engineered?
https://www.collabora.com/news-and-blog/blog/2024/02/21/almost-a-fully-open-source-boot-chain-for-rockchips-rk3588/
My information is that only one file is stopping the rk3588 from being able to run ...
2 votes | 1 answer | 97 views
MC6809 disassemble problem related to reset vector. Appears to stop Ghidra finding code
I have a late 1980s item of test equipment Electro-Metrics EMC30 rf emc receiver running a MC6809 processor. I am trying to use Ghidra to reverse engineer the binary code to assembler but I have ...
1 vote | 0 answers | 122 views
How to configure the Ghidra Memory Map using the Script API?
How do I configure the "Memory Map" for a RAM image using the Ghidra Script API? For example, here is the memory layout created by a Python script:
.text start: 0x80004000
.text end: 0x8079e4d0
.text length: ...
0 votes | 0 answers | 48 views
Change MAC address
I have read the NAND memory MT29F2G08ABAEAWP contents via the RT809F programmer from an IP camera; when I have written the program (.bin) to the new NAND memory, the MAC address and serial number of ...
1 vote | 0 answers | 65 views
Unknown string encoding
I'm new to reversing; my question may be stupid.
I am trying to reverse a function in the application that reads a string at the address and concatenates it to another
char[250] v30;
char[20] v31;
...
...
0 votes | 1 answer | 107 views
Buspirate_spi and flashrom open-source software
I have a question about the buspirate_spi programmer and flashrom. I have a new flash ROM, Boye BY25Q128AS, similar to the Winbond W25Q128.V in the flashrom list. How can I dump the data from this specific ...
0 votes | 1 answer | 155 views
Searching for a byte pattern and then hooking all instances of it using frida on iOS
I'm using a frida script to scan for a certain byte pattern when I launch an iOS app.
I can log each offset and confirm these are correct by also printing out the instructions at those locations and ...
2 votes | 0 answers | 158 views
UBIFS image weirdness [SOLVED]
So, I dumped an old router's UBIFS image from memory and apparently it can't be read or mounted, throwing errors like "missing block size" and "missing data" although I see in hexdump ...
3 votes | 1 answer | 286 views
Load process from memory dump
Are there any tools that can "record" the memory space of a process and then be able to restore it from a certain timestamp? As in, the process is recreated in the exact same state as if &...
2 votes | 0 answers | 68 views
WinDbg Preview search is not returning results
I am attempting to manually unpack a malware sample. I am using the new WinDbg Preview (only thing that is available to download now). After letting the malware call VirtualAlloc I am trying to search ...
3 votes | 1 answer | 180 views
A few questions about reloc tables and base memory
A friend and I are poking around with some 32-bit Windows binaries and wanted to get some info about relocation tables.
What is the difference between an exe that does not contain a relocation table (...
3 votes | 4 answers | 620 views
Reverse Engineering CTF help
I am having trouble figuring out this microcorruption challenge in the link below: https://microcorruption.com/debugger/Halifax
Basically, the 0x7f interrupt has been disabled, so I must re-enable it ...
2 votes | 0 answers | 238 views
How to decrypt data during runtime before executing and then encrypting it back
I was doing some research and came across the term protectors. From my understanding, they encrypt a file to be protected but run it without an issue. During its execution it is able to decrypt the ...
3 votes | 1 answer | 277 views
GDB breakpoint crashes at a correct memory location
I'm trying to debug binaries of a firmware running Linux with no ASLR; the binaries are not compiled with PIE either, so I have no issue getting the memory locations.
So after including gdbserver in the ...
3 votes | 0 answers | 561 views
Anti Dumping Techniques (C++)
How would I go about blocking memory dumps by corrupting the PE header or blocking the debugger from getting a handle?
I tried this already but it didn't work. Scylla could still dump it fine.
3 votes | 0 answers | 62 views
Data placement in memory
I am playing with buffer overflow attacks in C. I have the following code:
int foo(void*, void*); // Calculates the distance (in bytes) between two addresses in memory
int main(int argc, char**...
1 vote | 0 answers | 53 views
How to prevent dynamic loader from modifying binary in memory?
I have patched a loadable object (an .so file) from this:
xor eax,0x304b7c0
to this:
mov eax,0x0
When I try to run my binary with these modifications, the application loads the .so file and then it ...
2 votes | 1 answer | 2k views
Ghidra returning wrong function address
I am reverse engineering an Android app shared library (.so file) and I am trying to use Frida to hook a non-exported native function.
I am using this hook
const ghidraImageBase = 0x00100000;
const ...
1 vote | 0 answers | 54 views
Is it possible for different dynamic memory addresses to share the same offset value?
I am currently using cheat engine to hack a game. I used the pointer scanner to find some pointers to the pistol ammo memory location. I then went to look for pointers to the shotgun ammo memory ...
1 vote | 1 answer | 144 views
Help starting with UEFI/SMM exploits
I have an 845 G7 with BIOS 1.06, which has a load of CVEs which allow SMM and DXE exploits:
https://support.hp.com/ca-en/drivers/selfservice/hp-elitebook-845-g7-notebook-pc/37506818 (under the UEFI ...
2 votes | 2 answers | 379 views
Examining memory without attaching to the process by using /proc/$PID/mem?
I have a gap in my understanding and tooling. Now I would prefer to use Radare2, but will consider any answer. Let's use this program as an example.
#include <stdio.h>
#include <unistd.h>
...
1 vote | 0 answers | 250 views
How do I align a memory dump hex file so that a pointer address matches its location in the memory dump file?
I'm learning C and trying to understand how things like buffer overflows and other memory issues work. I am doing this on Windows for convenience reasons but would have no problem doing it on WSL or a ...
1 vote | 1 answer | 1k views
ARM - Understanding a "base address" when reversing firmware
I've read that when reversing firmware from an embedded system it's important to get the right base address of the firmware to make sure cross references to things such as strings work when looking at ...
1 vote | 1 answer | 741 views
How to extract specific data from memory
I'm totally new to this reverse engineering stuff.
I'm working on my own project and trying to parse poker games from the PokerStars application. I am already done with injecting my DLL into the app, but ...
0 votes | 1 answer | 305 views
Extract certificate information of a process from memory dump
I have a .dmp file for the googleupdate.exe process. I wanted to check in WinDbg whether this process has a certificate or not, in order to detect whether this process has been modified or not, because this process has tried ...
1 vote | 0 answers | 266 views
ReadProcessMemory from host to Hyper-V Windows Guest VM
Is it possible to use ReadProcessMemory or some other form of it maybe via a library to read memory from a virtual machine running inside Hyper-V?
The host is running Windows 11; the guest is running ...
1 vote | 0 answers | 65 views
Scraping data from an audio analyzer application
Briefly:
I have an app that analyzes audio files and classifies them into 4 or 5 categories, how would one go about scraping the category each audio file belongs to? What is a good place to start?
...
1 vote | 1 answer | 1k views
How does Cheat Engine offset calculation work?
I have this memory address 0F58F478 and this offset 5C. I'm using memory sharp and it works perfectly when I'm adding this number.
IntPtr address = _mSharp.Read<IntPtr>(0F58F478, false) + 0x5C;
/...
2 votes | 0 answers | 556 views
Calculate memory address from IDA to use with Frida
I saw an interesting value in IDA at address 0xf8766; I want to view the value at that address.
I am debugging an Android application with Frida; how can I put this address in Frida to watch this value?
I ...
1 vote | 1 answer | 3k views
How can I find out the size of heap allocations?
While I debug with GDB I see the address of a buffer that's located on the heap.
How can I find out the size of this buffer? Or where (in the code) this buffer was originally allocated?
When I ...
5 votes | 1 answer | 403 views
How to reverse engineer a setjmp/longjmp sequence?
I'm trying to reverse engineer the GNU libc x86 (32 bit) setjmp / longjmp (re a vuln which may allow arbitrary overwrite of the jmp_buf env.
There's a great writeup of the musl setjmp but I can find ...
3 votes | 1 answer | 385 views
How is lite hash rate (LHR) of Nvidia implemented?
Nvidia limited some of their GPUs with LHR to decrease the performance of Ethereum mining. What in detail is LHR doing? It seems to limit non sequential memory operations (which is actually not what ...
0 votes | 2 answers | 118 views
Not Understanding the FU540 Boot Process
I'm reading the manual for the SiFive FU540-C000 trying to understand the boot process, and I'm not making sense of the initial steps after power on.
I'm using MSEL = 1111 based on the recommendation ...
1 vote | 1 answer | 648 views
Log input data and resulting hash for CC_MD5 calls in an iOS app with Frida
I am trying to understand the usage of calls to CC_MD5 in an iOS application.
From Apple's man page I can see that when it is called it requires 3 arguments:
extern unsigned char *
CC_MD5(const void *...
0 votes | 1 answer | 723 views
How can I get the correct offset from that instruction?
I have the following instructions:
The registers' values in the First instruction are:
RAX=0000000033307EE0
RCX=0000000000000000
The registers' values in the Second instruction are:
RAX=...
2 votes | 1 answer | 244 views
How to jump to new empty memory related to the program to write other code there?
I have a line of code like this, e.g. MOV EAX, 100. I want to write slightly bigger code instead of that code but I can't, so I want to write a jump instruction, e.g. jmp 0x123456, that jumps to another ...
0 votes | 0 answers | 357 views
How can I get a value from a memory address that changes almost every millisecond?
After a lot of time, I found an address in memory that has the target value, but there is something unusual about that address: it changes every millisecond.
Screenshot:
I did a hardware ...
1 vote | 1 answer | 287 views
macOS under M1, cannot find library
I'm looking for the following dylib file which is included from process loginwindow.
If I run vmmap to inspect loginwindow while it's up and running I get :
user@mycomp / % sudo vmmap -I ``pgrep ...
0 votes | 1 answer | 6k views
In x64dbg, how to set software breakpoint on specific memory address?
This is something I know how to do in Olly Debugger, and can't figure out how to do in x64dbg.
In Olly Debugger, it's possible to set a hardware or software breakpoint, either on access or on write, ...
-1 votes | 2 answers | 987 views
How does cheat engine's "dissect data structures" work?
In Cheat Engine there is a function for analysing memory. The result of this analysis is the types of the memory bytes. I can't understand the algorithm of this analysis. How can it determine that these bytes are ...
0 votes | 1 answer | 138 views
Expanding .data section at particular area
I have a program which creates a hard-coded number of objects. I patched the binary so that now it can attempt to create more objects than the limit allows, however when it does it allocates them to ...
1 vote | 0 answers | 63 views
API-Monitor not logging buffer
I have a problem with API-Monitor.
When I try to capture data (here: network traffic), API-Monitor doesn't log the buffer of the received data. For send() it works well, but for recv() it doesn't ...
2 votes | 2 answers | 210 views
Error in shmat function when simulating a MIPS file in QEMU
I want to run (simulate) a MIPS file with QEMU:
$file httpd
httpd: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, no section header
...
0 votes | 1 answer | 207 views
What is copy_block struct in Tricore Arch?
Recently I have been working on the Tricore arch to reverse an algorithm, but I had a problem finding a constant value (4 bytes). The line of code is shown below:
ld32.w d4, [a0]-0x68D4
I know a0 = 0xD00032E0 but ...
0 votes | 1 answer | 187 views
How can a debugger break on dynamic loaded libraries?
I think I have a massive understanding problem with the following issue:
Usually the loader will fix the Import Table for the modules that have been loaded, right, so if I set a breakpoint on ...
0 votes | 1 answer | 291 views
How does radare2 create its memory layout?
Firstly, hello,
this is my first post on this forum even though I'm reading a lot here.
I'm trying to get into reversing and low-level stuff in general lately, and I'm a bit stuck right here.
I did read ...
3 votes | 2 answers | 2k views
Find Cheat Engine pointers in Ghidra
I found a pointer to my health, so a function would have made the pointer and put the health in it (tell me if I'm wrong). How do I look for the function?
Note,
as comments point out: health - I talk ...
1 vote | 0 answers | 53 views
Strange memory allocation behaviour
I'm currently working on a modding library for a particular game, and I have come across a part of the menu system that I can't figure out the purpose of.
The expression in question is this:
unsigned ...