Reverse Engineering Midterm Review


The ZF is set: a) When the result of an arithmetic operation is zero, and it is cleared if the result is nonzero. b) when EIP equals zero. c) when EAX equals zero. d) when the result of an arithmetic operation is nonzero, and it is cleared if the result is zero.

a) When the result of an arithmetic operation is zero, and it is cleared if the result is nonzero.

The CMP EAX, EBX instruction: a) Compares the value in EAX and jumps to the value in EBX. b) Stores the current state of the stack in EAX. c) References a null value when set to zero. d) Subtracts EBX from EAX and discards the result.

d) Subtracts EBX from EAX and discards the result.

The EIP register contains: a) The address of the bottom of the current stack frame b) The current execution instruction c) The address of the top of the stack d) The address of the next instruction to execute

d) The address of the next instruction to execute

What is a pretested loop? a) The loop's condition is tested after the body is executed. b) The loop has a conditional branch. c) The loop has a naked non-member component. d) The loop's condition is tested before the body is executed.

d) The loop's condition is tested before the body is executed.

How many operands does the MOV instruction require? a) Three b) One c) One or Two d) Two

d) Two

The E in the EAX register stands for what? a) explosion b) earmark c) extensive d) extended

d) extended

Select the 8-bit register from the list of registers below. a) DI b) BP c) AX d) IP e) SP f) SI g) AH

g) AH

How many bytes are in 32 bits?

4

Where is the result of the following subtraction operation stored? sub <mem>, <reg>

<mem>

What register holds the result of the following addition operation? add <reg1>, <reg2>

<reg1>

A software breakpoint in a program can be detected by the program.

True

IDA supports remote debugging.

True

SHL is the same as multiplying by 2. True or False?

True

The CF and OF flags are both overflow indicators.

True

True or False. Debuggers are used for runtime analysis.

True

True or False. IDA provides scripting support.

True

True or False. Information is lost in the compilation process.

True

A null byte is represented by which opcode? a) 0x00 b) 0x90 c) 0x80 d) 0x10

a) 0x00

The Intel x86 NOP instruction is represented by which opcode? a) 0x90 b) 0x10 c) 0x80 d) 0x00

a) 0x90

What is the opcode for a software breakpoint? a) 0xCC b) 0xC0 c) 0x00 d) 0xFF

a) 0xCC

The value of 0x0A Hex can be represented in decimal as: a) 10 b) 20 c) 14 d) 24

a) 10

What does (0x400349e) imply? a) An immediate hard-coded memory address b) An immediate number embedded in the code. c) A single reference d) A global variable

a) An immediate hard-coded memory address

When using the debugger in IDA, which key or key combination do you press to step over a function? a) F8 b) Ctrl+F8 c) Ctrl+F d) F7

a) F8

What does LEA opcode mean? a) Load Effective Address b) Load Every Address c) Load Even Addresses d) Load Empty Addresses

a) Load Effective Address

How many bits is one byte? a) 4 b) 8 c) 32 d) 128

b) 8

The opcode 0xCC is equivalent to what interrupt? a) INT 16 b) INT 3 c) INT 6 d) INT 23

b) INT 3

Which one of these jump instructions will branch if ZF is NOT set? a) JGE b) JNZ c) JZ d) JCC

b) JNZ

Which of the following is NOT a logical operator? a) OR b) TEST c) AND

b) TEST

The FLIRT engine in IDA: a) loads EFLAGS malfunction codes into EAX, subtracts the value stored in the Import Address Table. b) identifies known library functions. c) identifies PE-COFF binaries d) helps IDA meet new and interesting people.

b) identifies known library functions.

PUSH and POP instructions access which data structure? a) the reference pointer null value b) the stack c) the bss d) the heap

b) the stack

How many bytes in a DWORD? a) 8 b) 1 c) 4 d) 2

c) 4

On IA32 processors, how many hardware breakpoints are available? a) None b) 2 c) At least 4 d) 8

c) At least 4

On Intel IA32 platforms, the stack grows: a) Does not grow because it is fixed size b) Can grow both up and down c) Down d) Up

c) Down

Which register below is used as a loop counter? a) EIP b) EDX c) ECX d) EDI e) ESP f) EBP g) ESI

c) ECX

Which register below is used as the stack pointer? a) EDI b) ESI c) ESP d) EDX e) EBP f) EIP g) ECX

c) ESP

Which of the following is a technique frequently used by DRM (Digital Rights Management) to prevent unauthorized copying of software? a) Regens b) Algogens c) Keygens d) Pathogens

c) Keygens

A pointer is: a) Equivalent to the MOV EAX, 0 instruction b) Equivalent to the MOV 0, EAX instruction c) A memory address d) Only found in managed programming languages such as C#

c) A memory address

What does the PE in PE-COFF mean? a) Prepared Environment b) Prepared Executable c) Portable Executable d) Portable Environment

c) Portable Executable

Big-endian systems: a) are no longer available for purchase on the open market. b) store the least significant (lowest order) byte first. c) store the most significant (highest order) byte first. d) do not use binary machine code.

c) store the most significant (highest order) byte first.

Where does a PUSH instruction place a value? a) bottom of the heap b) top of the heap c) top of the stack d) bottom of the stack

c) top of the stack
