Chapter 34 Quiz: Reverse Engineering

Instructions: Choose the best answer for each question. Questions marked ⭐ have answers in Appendix B.


Question 1 ⭐ Which objdump flag produces Intel-syntax disassembly instead of AT&T syntax?

A) -i intel
B) -M intel
C) --syntax=intel
D) -S intel


Question 2 What does objdump -T binary display?

A) The static symbol table
B) The dynamic symbol table (imported/exported functions)
C) The text section contents
D) The type information for all variables


Question 3 ⭐ In a stripped x86-64 ELF binary, what is the most reliable way to find the address of main()?

A) Look at the symbol table
B) Find the third argument to __libc_start_main in the _start code
C) Assume it is at a fixed offset from the entry point
D) Search for the string "main" in the binary


Question 4 You see this instruction in a disassembly:

lea rdi, [rip+0x1a34]

The instruction is at address 0x401200 and is 7 bytes long. What address does RDI receive?

A) 0x401200 + 0x1a34
B) 0x401207 + 0x1a34
C) 0x401200 - 0x1a34
D) Cannot be determined without running the binary


Question 5 ⭐ Which compiler pattern indicates a virtual method call in C++?

A) A direct CALL to a known address
B) Two loads from memory followed by an indirect CALL
C) A JMP to a computed address
D) A CALL through the PLT


Question 6 What is the signature of a jump table (switch/case with dense cases) in x86-64 assembly?

A) A series of CMP instructions followed by conditional jumps
B) A bounds check, followed by array indexing, followed by an indirect JMP
C) A CALL instruction with a register operand
D) A loop with a counter and a CMP at the top


Question 7 ⭐ The constant 0x67452301 appears in an unknown function's disassembly. This most likely indicates:

A) A null-terminated string ending
B) The MD5 algorithm's initial hash state
C) A JPEG file signature
D) A random seed value


Question 8 What does Ghidra's decompiler produce from disassembly?

A) The original C source code, with all variable names recovered
B) Approximate C-like pseudocode that represents the function's logic
C) An executable recompilation of the binary
D) Assembly with added type annotations only


Question 9 In the context of reverse engineering, what is a "cross-reference" (xref)?

A) A pointer that crosses between code sections
B) A record of every location that accesses a particular symbol or address
C) A comparison between two different assembly implementations
D) A jump that crosses from one function to another


Question 10 ⭐ What GDB command displays the contents of memory at address 0x7ffd1234 as 16 bytes in hex?

A) print *0x7ffd1234
B) x/16xb 0x7ffd1234
C) dump 16 0x7ffd1234
D) mem 0x7ffd1234 16


Question 11 You see this in a disassembly:

55 48 89 e5 48 83 ec 10

What is this?

A) A NOP sled
B) A standard function prologue (push rbp; mov rbp, rsp; sub rsp, 0x10)
C) A function epilogue
D) A system call sequence


Question 12 Which tool was originally developed by the NSA and released as open-source in 2019?

A) IDA Pro
B) radare2
C) Ghidra
D) Binary Ninja


Question 13 ⭐ A function in a stripped binary accesses a pointer argument at offsets [rdi+0], [rdi+8], [rdi+16], and [rdi+24]. This most likely indicates:

A) The function is indexing an array of int64_t
B) The function is accessing fields of a struct passed by pointer
C) The function is iterating through a linked list
D) The function is reading from the stack


Question 14 What does the strings tool find in a binary file?

A) All symbol names in the symbol table
B) Sequences of printable characters above a minimum length
C) Only null-terminated strings in the .rodata section
D) Encrypted strings after decryption


Question 15 Which pwndbg feature is specifically useful for exploit development but not present in standard GDB?

A) The ability to set breakpoints
B) Heap chunk visualization and bin inspection
C) Python scripting support
D) Register display


Question 16 ⭐ What assembly pattern identifies a while loop compiled with optimization?

A) A JMP to the condition check, then the loop body
B) The loop body first, with the condition check at the bottom
C) Always uses a counter register (ECX/RCX)
D) Always uses the LOOP instruction


Question 17 In AT&T syntax, movl %eax, %ebx means:

A) Move EBX into EAX
B) Move EAX into EBX
C) Move the address of EAX into EBX
D) Exchange EAX and EBX


Question 18 What is an "opaque predicate" in the context of code obfuscation?

A) A function pointer that is hidden in a struct
B) A conditional branch that always takes the same path, confusing static analysis
C) A return address that has been encrypted
D) A loop that never terminates


Question 19 ⭐ Which command shows dynamic library dependencies of a Linux ELF binary?

A) objdump -T binary
B) ldd binary
C) nm binary
D) readelf -s binary


Question 20 You encounter an ELF binary where the entry point immediately jumps to code that decodes itself into memory before jumping to the real code. What type of protection is this?

A) A stack canary
B) ASLR
C) A packed/self-unpacking executable
D) Control Flow Integrity