reverse-engineering

I am currently trying to reverse a program under Linux that has a bunch of anti-debug tricks. I was able to defeat some of them, but I am still fighting against the remaining ones. Sadly since I am mediocre, it is taking me more time than expected. Anyway, the programs runs without any pain in a VM (I tried with VMWare and VBox), so I was thinking about taking a trace of its execution in the VM, then a trace under the debugger (gdb) and diff them to see were the changes are and find out the anti-debug tricks more easily. However, I did some kernel debugging with vmware a long time ago, it was

My first question here, hopefully I'm not doing it wrong. My problem is that I have a certain old DOS program which has quite much hacked the file format to the extreme to save space. (Yes, it's a demoscene prod for those who know.) Objdump doesn't want to help me with it; quick Googling yielded no real results for the problem and the manpage doesn't seem too generous in this regard either. There are others yes, like lida. However, for some reason I couldn't get lida to work; I believe there are alternatives. Anyone have any experience of disassembling DOS executables on Linux? Or should I

I'm currently working on analyzing some android malwares and i need to decompile APK files. Reading an answer and many other answers like it, i know that we can extract java source code and other resources, create a new project and put those files in, make some modifications and compile the project. Is this approach applicable to every APK file ? If we aim to make very little or no modifications in the java source code, does this approach work for every APK file? If not, what is the main reason? As another question, i remember i read somewhere (can not find it now) that said converting dex to

so Im doing a variation of the binary bomb. Heres what the phase is 0x0000000000401205 <+0>: sub $0x8,%rsp 0x0000000000401209 <+4>: cmp $0x3,%rdi #rdi = 3 0x000000000040120d <+8>: je 0x40121d <phase_2+24> #if(rdi == 3) skip explosion 0x000000000040120f <+10>: callq 0x401c01 <bomb_ignition> 0x0000000000401214 <+15>: mov $0xffffffffffffffff,%rax 0x000000000040121b <+22>: jmp 0x40124c <phase_2+71> 0x000000000040121d <+24>: xor $0xffffffffffffff1c,%rsi #rsi ^= 0xffffffffffffff1c 0x0000000000401224 <+31>: and %rsi,%rdx #rdx &= rsi 0x0000000000401227 <+34>: add $0x1c8,%rdx #rdx += 456

While dumping heap of a win32 processes (Mostly in process which has high heap memory consumption like IE ) using !heap -a 004e0000 I find multiple segments of a particular heap like , Heap entries for Segment00 in Heap 004e0000 Heap entries for Segment01 in Heap 004e0000 Heap entries for Segment02 in Heap 004e0000 My questions are Question 1. Why its necessory to divide single heap into multiple segments ? Question 2. Most of the times I find a large gap between two segments. For example in below image Segment00 actually ends @ 0x005e0000 (Where un-commited bytes started) and Segment01