




























































































Practice exam questions for the eLearnSecurity Certified Reverse Engineer (eCRE) certification. The questions cover IA-32 architecture (registers, flags, the stack), the PE file format, Windows API functions, calling conventions, and debugging techniques. Each question is followed by the correct answer and a short explanation. The set is intended to help candidates prepare for the eCRE exam and to reinforce core reverse engineering concepts: stack frame base addressing, relative virtual addresses, executable code sections, dynamic analysis tools, and common anti-debugging techniques.
Typology: Exams





























































































Question 1. Which IA-32 register conventionally stores a function’s return value?
A) EBX
B) ECX
C) EDX
D) EAX
Answer: D
Explanation: In the standard IA-32 calling conventions (cdecl, stdcall, fastcall), EAX holds integer and pointer return values; a 64-bit result is returned in the EDX:EAX pair.

Question 2. In the IA-32 architecture, which flag indicates that the result of an arithmetic operation is zero?
A) CF (Carry Flag)
B) ZF (Zero Flag)
C) OF (Overflow Flag)
D) SF (Sign Flag)
Answer: B
Explanation: ZF is set to 1 when the result of an operation is zero. Conditional jumps such as JZ/JE test it, which is why CMP followed by JE implements an equality check.

Question 3. Which of the following is a pointer/index register used for stack frame base addressing?
Answer: B
Explanation: EBP (Base Pointer) points to the base of the current stack frame, so arguments and local variables can be addressed at fixed positive and negative offsets from it.

Question 4. What does RVA stand for in the context of PE files?
A) Relative Virtual Address
B) Random Variable Allocation
C) Register Value Array
D) Runtime Virtual Access
Answer: A
Explanation: An RVA is the offset of an item from the image’s load address once the file is mapped into memory; the loader turns it into a virtual address by adding ImageBase. Because sections are laid out differently on disk (FileAlignment) and in memory (SectionAlignment), an RVA is generally not equal to the file offset.

Question 5. In a PE file, which section usually contains executable code?
A) .data
B) .rdata
C) .text
Explanation: In stdcall, the callee removes its arguments from the stack before returning, using RET n, where n is the number of bytes of arguments.

Question 8. Which instruction pushes the value of EAX onto the stack?
A) PUSH EAX
B) POP EAX
C) MOV [ESP], EAX
D) CALL EAX
Answer: A
Explanation: PUSH first decrements ESP by the operand size (4 bytes for EAX) and then stores the operand at the new top of the stack. MOV [ESP], EAX only overwrites the current top without adjusting ESP.

Question 9. Which PE directory contains information about imported functions?
A) Export Directory
B) Resource Directory
C) Import Directory
D) Debug Directory
Answer: C
Explanation: The Import Directory lists the DLLs the executable depends on and, for each, the functions it imports from them; the loader resolves these into the Import Address Table.
Question 10. Which tool is primarily used for dynamic analysis of a Windows binary?
A) IDA Pro
B) Ghidra
C) OllyDbg
D) Binwalk
Answer: C
Explanation: OllyDbg is a user-mode debugger: it runs the program under control and allows step-by-step execution, breakpoints, and register and memory inspection. IDA Pro and Ghidra are primarily disassemblers for static analysis (IDA also ships a debugger), and Binwalk analyses firmware images.

Question 11. In the IA-32 stack, which register points to the next free location for a push operation?
A) ESP
B) EBP
C) EIP
D) ESI
Answer: A
Explanation: ESP (Stack Pointer) tracks the top of the stack. Strictly, ESP points to the last value pushed; a push first decrements ESP by the operand size and then stores the value at the new address, so the stack grows toward lower addresses.

Question 12. Which flag is set when an arithmetic addition results in a signed overflow?
D) .bss
Answer: C
Explanation: .rdata holds read-only initialized data such as string literals and constant tables; it is mapped read-only, unlike .data (read/write) and .bss (uninitialized, zero-filled).

Question 15. Which instruction sequence is the typical prologue for a function using the stdcall convention?
A) PUSH EBP / MOV EBP, ESP
B) MOV ESP, EBP / POP EBP
C) CALL EAX / POP EBP
D) SUB ESP, 0x10 / PUSH EBX
Answer: A
Explanation: The prologue saves the caller’s base pointer and makes EBP point at the new frame. It is the same for cdecl and stdcall, which differ only in who removes the arguments; option B is the matching epilogue.

Question 16. Which tool can be used to edit binary files at the byte level?
A) Wireshark
B) Hex Workshop
C) Process Monitor
D) RegEdit
Answer: B
Explanation: Hex editors such as Hex Workshop allow direct manipulation of a file’s bytes, for example patching a conditional jump or a flag byte in place.

Question 17. Which of the following is a common anti-debugging technique?
A) Using GetModuleHandle
B) Checking the PEB’s BeingDebugged flag
C) Calling Sleep
D) Opening a file for read
Answer: B
Explanation: The BeingDebugged byte in the Process Environment Block is set by the system when the process runs under a debugger; IsDebuggerPresent() simply reads it, so malware often reads the PEB directly (via FS:[0x30] on 32-bit Windows) to avoid the API call. When debugging, clearing that byte or using a plugin that hides the debugger defeats the check.

Question 18. Which calling convention passes the first two arguments via registers ECX and EDX?
A) cdecl
B) stdcall
C) fastcall
D) thiscall
Answer: C
Explanation: Microsoft fastcall passes the first two arguments that fit in 32 bits in ECX and EDX and the rest on the stack, with the callee cleaning up. thiscall uses only ECX, for the this pointer.
Answer: C
Explanation: JMP changes the instruction pointer to the target address without evaluating any condition; unlike CALL it pushes no return address.

Question 22. Which PE section typically contains the Import Address Table (IAT) at runtime?
A) .text
B) .idata
C) .rdata
D) .data
Answer: B
Explanation: .idata holds the import descriptors and the IAT, whose entries the loader overwrites with the resolved function addresses. Many linkers merge .idata into .rdata, so in practice locate the IAT through the Import and IAT entries of the optional header’s data directory rather than by section name.

Question 23. The instruction “MOV EAX, [EBP+8]” most likely accesses what?
A) A global variable
B) The first function argument (cdecl)
C) A local variable
D) The return address
Answer: B
Explanation: In a standard stack frame [EBP] holds the saved EBP, [EBP+4] the return address, [EBP+8] the first stack argument and [EBP+12] the second; local variables sit at negative offsets such as [EBP-4].

Question 24. Which flag is set when a subtraction results in an unsigned borrow?
A) CF
B) ZF
C) OF
D) SF
Answer: A
Explanation: CF (Carry Flag) is set when the subtraction borrows, i.e. when the minuend is smaller than the subtrahend as unsigned values, and cleared when no borrow occurs. OF covers the signed case.

Question 25. Which Windows API is used to allocate memory from the heap?
A) VirtualAlloc
B) HeapAlloc
C) GlobalAlloc
D) LocalAlloc
Answer: B
Explanation: HeapAlloc allocates a block from the heap identified by a heap handle (for example from GetProcessHeap or HeapCreate). VirtualAlloc reserves or commits whole pages instead, which is why it is the typical choice for injected or unpacked code.
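The stack mechanics behind Questions 8, 11, 15 and 23 (PUSH decrementing ESP, the prologue, [EBP+8] as the first argument, and the stdcall vs cdecl cleanup from Question 7) are easiest to see by simulating them. The following is an added example, not part of the practice exam: memory is a dict of 4-byte slots and the initial ESP and return address are made-up values, but the ESP/EBP arithmetic is exactly what the CPU does.

```python
"""Walk an IA-32 stack frame through a CALL and back. Added example, not from
the practice exam: memory is a dict of 4-byte slots, addresses are made up."""


class Stack:
    def __init__(self, esp=0x0019FF80):   # constructed initial ESP
        self.mem = {}                     # address -> 32-bit value (4-byte slots only)
        self.esp = esp
        self.ebp = 0

    def push(self, value):
        # PUSH: decrement ESP first, then store at the new top of stack
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        # POP: load from the top of stack, then increment ESP
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def read(self, addr):                 # MOV reg, [addr]
        return self.mem[addr]


def call_function(stack, args, ret_addr, convention):
    """Push args right to left, CALL, run a prologue/epilogue and RET, then
    remove the arguments according to `convention` ("cdecl" or "stdcall")."""
    if convention not in ("cdecl", "stdcall"):
        raise ValueError(f"unknown convention {convention!r}")
    esp_before = stack.esp
    for a in reversed(args):              # PUSH arg_n ... PUSH arg_1
        stack.push(a)
    stack.push(ret_addr)                  # CALL pushes the return address
    stack.push(stack.ebp)                 # PUSH EBP
    stack.ebp = stack.esp                 # MOV EBP, ESP
    stack.push(0)                         # SUB ESP, 4: room for one local at [EBP-4]
    seen = {
        "saved_ebp": stack.read(stack.ebp),          # [EBP]
        "ret_addr": stack.read(stack.ebp + 4),       # [EBP+4]
        "args": [stack.read(stack.ebp + 8 + 4 * i)   # [EBP+8], [EBP+12], ...
                 for i in range(len(args))],
    }
    stack.esp = stack.ebp                 # MOV ESP, EBP (drops the local)
    stack.ebp = stack.pop()               # POP EBP
    popped_ret = stack.pop()              # RET pops the return address into EIP
    if convention == "stdcall":
        stack.esp += 4 * len(args)        # ... RET n: the callee removes the args
    seen["esp_after_ret"] = stack.esp
    if convention == "cdecl":
        stack.esp += 4 * len(args)        # caller cleanup: ADD ESP, n
    seen["ret_ok"] = popped_ret == ret_addr
    seen["balanced"] = stack.esp == esp_before
    return seen


if __name__ == "__main__":
    for conv in ("stdcall", "cdecl"):
        print(conv, call_function(Stack(), [0x11, 0x22, 0x33], 0x00401234, conv))
```

The `esp_after_ret` value is the difference between the two conventions: after a stdcall RET n the stack is already balanced, while after a cdecl RET the three pushed arguments are still there until the caller executes ADD ESP, 12. Mismatching the conventions (a stdcall callee for a cdecl caller, or vice versa) therefore leaves ESP off by the argument size, which is a common bug when hooking or calling functions found by reverse engineering.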
B) API Monitor
C) Nmap
D) GDB
Answer: B
Explanation: API Monitor hooks and logs calls to Windows APIs in real time, including their arguments and return values.

Question 29. Which register holds the current instruction pointer in IA-32?
A) EIP
B) ESP
C) EBP
D) EDX
Answer: A
Explanation: EIP (Instruction Pointer) holds the address of the next instruction to be executed; it cannot be written directly, only through control-transfer instructions such as JMP, CALL and RET.

Question 30. Which of the following is a characteristic of the cdecl calling convention?
A) Callee cleans the stack
B) Arguments are passed in registers only
C) Caller cleans the stack
D) No name mangling
Answer: C
Explanation: In cdecl, the caller removes the arguments after the call, typically with ADD ESP, n. Because the caller knows how many arguments it pushed, cdecl supports variadic functions such as printf, which stdcall cannot.

Question 31. In the PE format, which directory entry contains version information?
A) Export Directory
B) Resource Directory
C) Debug Directory
D) Load Config Directory
Answer: B
Explanation: Version resources are stored in the Resource Directory (the .rsrc section) as a VS_VERSIONINFO resource.

Question 32. Which instruction is used to compare two registers and set flags accordingly?
A) MOV
B) CMP
C) ADD
D) SUB
Answer: B
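Questions 2, 12, 24 and 32 all turn on how ADD, SUB and CMP set the arithmetic flags, and which flags the conditional jumps read. The following added example (not part of the practice exam) computes CF, ZF, SF and OF for 32-bit operands exactly as the CPU does and evaluates the common Jcc conditions after a CMP; operands are plain Python integers treated as 32-bit values.

```python
"""IA-32 arithmetic flags for 32-bit ADD, SUB and CMP. Added example, not
from the practice exam."""
MASK = 0xFFFFFFFF
SIGN = 0x80000000


def flags_add(a, b):
    """ADD a, b -> (result, flags)."""
    a &= MASK
    b &= MASK
    full = a + b
    result = full & MASK
    return result, {
        "CF": int(full > MASK),            # carry out of bit 31 (unsigned overflow)
        "ZF": int(result == 0),
        "SF": int(bool(result & SIGN)),    # copy of bit 31
        # OF: both operands have the same sign and the result's sign differs
        "OF": int(((a ^ result) & (b ^ result) & SIGN) != 0),
    }


def flags_sub(a, b):
    """SUB a, b -> (result, flags). CMP a, b sets the same flags and discards the result."""
    a &= MASK
    b &= MASK
    result = (a - b) & MASK
    return result, {
        "CF": int(a < b),                  # unsigned borrow
        "ZF": int(result == 0),
        "SF": int(bool(result & SIGN)),
        # OF: operand signs differ and the result's sign differs from a's
        "OF": int(((a ^ b) & (a ^ result) & SIGN) != 0),
    }


def jcc_taken(a, b, jcc):
    """Would the conditional jump `jcc` be taken after CMP a, b?"""
    _, f = flags_sub(a, b)
    conditions = {
        "JE": f["ZF"] == 1, "JNE": f["ZF"] == 0,
        "JB": f["CF"] == 1, "JAE": f["CF"] == 0,                       # unsigned below/above
        "JA": f["CF"] == 0 and f["ZF"] == 0, "JBE": f["CF"] == 1 or f["ZF"] == 1,
        "JL": f["SF"] != f["OF"], "JGE": f["SF"] == f["OF"],           # signed less/greater
        "JG": f["ZF"] == 0 and f["SF"] == f["OF"], "JLE": f["ZF"] == 1 or f["SF"] != f["OF"],
    }
    return conditions[jcc]


if __name__ == "__main__":
    print("ADD 0x7FFFFFFF, 1 ->", flags_add(0x7FFFFFFF, 1))   # signed overflow: OF=1, CF=0
    print("SUB 0, 1          ->", flags_sub(0, 1))            # unsigned borrow: CF=1
    print("CMP -1, 1: JA", jcc_taken(0xFFFFFFFF, 1, "JA"),    # unsigned: 0xFFFFFFFF > 1
          "JL", jcc_taken(0xFFFFFFFF, 1, "JL"))               # signed:   -1 < 1
```

The last line is the one worth remembering when reading a disassembly: the same CMP of 0xFFFFFFFF against 1 is "above" for an unsigned jump (JA) and "less" for a signed one (JL), so the jump mnemonic, not the compare, tells you whether the compiler treated the value as signed. Length checks that use a signed jump on an attacker-controlled size are a classic source of integer-overflow bugs.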
Question 35. Which instruction sequence implements a simple XOR-based string decryption loop?
A) MOV AL, [ESI]; XOR AL, 0xAA; MOV [EDI], AL; INC ESI; INC EDI; LOOP …
B) ADD EAX, EBX; SUB ECX, 1; JNZ …
C) PUSH EAX; POP EAX; RET
D) CALL EDX; NOP
Answer: A
Explanation: The pattern loads a byte from the source (ESI), XORs it with a constant key, stores the result at the destination (EDI), advances both pointers and repeats with LOOP, which decrements ECX and jumps while it is non-zero. This is the classic single-byte XOR decryption loop found in packers and in malware string obfuscation.

Question 36. Which flag indicates that the most recent arithmetic operation resulted in a negative value?
A) CF
B) ZF
C) OF
D) SF
Answer: D
Explanation: SF (Sign Flag) is a copy of the most significant bit of the result, which is the sign bit when the value is interpreted as signed.

Question 37. Which PE section commonly stores embedded icons and bitmaps?
A) .text
B) .rdata
C) .rsrc
D) .data
Answer: C
Explanation: The .rsrc (resource) section holds UI resources such as icons, dialogs, bitmaps and version info; it is also a common place for malware to hide an embedded payload.

Question 38. Which API is used to read data from a file handle?
A) WriteFile
B) ReadFile
C) SetFilePointer
D) DeleteFile
Answer: B
Explanation: ReadFile reads bytes from an opened file handle into a caller-supplied buffer and reports how many bytes were read.

Question 39. Which instruction can be used to set a hardware breakpoint on a memory address in x86?
A) INT 3
B) DB 0xCC
C) MOV DR0, address
Explanation: CreateProcess launches a new executable and creates its primary thread; with the CREATE_SUSPENDED flag the thread starts suspended, which debuggers and process-hollowing loaders both rely on.

Question 42. Which of the following is a valid reason to use the fastcall convention?
A) To ensure the callee cleans the stack
B) To reduce stack traffic for the first two arguments
C) To support COM objects
D) To enforce Unicode strings only
Answer: B
Explanation: fastcall passes the first two arguments in registers (ECX, EDX), avoiding the memory accesses that a stack push and load would cost.

Question 43. Which PE header field indicates the entry point of the executable?
A) ImageBase
B) AddressOfEntryPoint
C) BaseOfCode
D) SectionAlignment
Answer: B
Explanation: AddressOfEntryPoint in the optional header is an RVA; the loader adds ImageBase (as adjusted by relocation/ASLR) to obtain the address where execution starts. An entry point outside the executable section is a common sign of a packed binary.
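Questions 4, 9, 22 and 43 describe the PE header fields a loader (or a triage script) walks: e_lfanew, the optional header’s AddressOfEntryPoint and ImageBase, the section table that maps RVAs to file offsets, and the data directory that points at the imports. The following added example (not part of the practice exam, and not code from any real tool) builds a minimal PE32 image in memory with `struct` and then parses it back; the image, its section layout, the entry-point bytes and the Import Directory RVA are all constructed here and stand in for a real binary.

```python
"""Build a minimal PE32 image and parse its headers: entry point, RVA to file
offset mapping, executable sections, Import Directory. Added example, not from
the practice exam; the image is constructed and is not a real program."""
import struct

FILE_HEADER = "<HHIIIHH"                                   # IMAGE_FILE_HEADER
OPT_HEADER32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # IMAGE_OPTIONAL_HEADER32, no data dirs
SECTION_HEADER = "<8sIIIIIIHHI"                            # IMAGE_SECTION_HEADER
IMAGE_BASE, SECT_ALIGN, FILE_ALIGN = 0x00400000, 0x1000, 0x200
DIR_IMPORT = 1                                             # IMAGE_DIRECTORY_ENTRY_IMPORT
SCN_MEM_EXECUTE = 0x20000000


def build_sample_pe():
    """Constructed PE32: .text/.rdata/.data, entry point inside .text,
    Import Directory inside .rdata (as MSVC-linked binaries often have it)."""
    sections = [  # name, RVA, characteristics, raw file offset
        (b".text", 0x1000, 0x60000020, 0x200),
        (b".rdata", 0x2000, 0x40000040, 0x400),
        (b".data", 0x3000, 0xC0000040, 0x600),
    ]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * 64  # e_lfanew = 0x80
    file_hdr = struct.pack(FILE_HEADER, 0x14C, len(sections), 0, 0, 0,     # Machine = i386
                           struct.calcsize(OPT_HEADER32) + 16 * 8, 0x102)
    opt = struct.pack(OPT_HEADER32, 0x10B, 14, 0,          # PE32 magic, linker version
                      0x200, 0x400, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1010,                              # AddressOfEntryPoint (an RVA)
                      0x1000, 0x2000,                      # BaseOfCode, BaseOfData
                      IMAGE_BASE, SECT_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0,                    # OS / image / subsystem versions
                      0, 0x4000, 0x200, 0,                 # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                           # Subsystem (console), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack/heap reserve and commit
                      0, 16)                               # LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (0x2040, 0x28)                      # Import Directory RVA/size, lands in .rdata
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    table = b"".join(
        struct.pack(SECTION_HEADER, name, 0x100, rva, 0x200, raw, 0, 0, 0, 0, chars)
        for name, rva, chars, raw in sections)
    image = bytearray((dos + b"PE\x00\x00" + file_hdr + opt + table).ljust(0x800, b"\x00"))
    image[0x210:0x213] = b"\x55\x8b\xec"                   # PUSH EBP / MOV EBP, ESP at the entry point
    return bytes(image)


def parse_pe(data):
    """Return machine, ImageBase, entry RVA/VA, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    machine, nsections, opt_size = fh[0], fh[1], fh[5]
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER)
    opt = struct.unpack_from(OPT_HEADER32, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, image_base, ndirs = opt[6], opt[9], opt[-1]
    dir_off = opt_off + struct.calcsize(OPT_HEADER32)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    sect_off = opt_off + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsections):
        s = struct.unpack_from(SECTION_HEADER, data, sect_off + 40 * i)
        sections.append({"name": s[0].rstrip(b"\x00").decode(), "vsize": s[1], "rva": s[2],
                         "rawsize": s[3], "raw": s[4], "chars": s[9]})
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "dirs": dirs, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to (section name, file offset), or None if no section covers it."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return s["name"], s["raw"] + (rva - s["rva"])
    return None


def triage(data):
    """First-look questions: where execution starts, what lies there, which
    sections are executable, and which section holds the imports."""
    pe = parse_pe(data)
    entry_section, entry_off = rva_to_offset(pe, pe["entry_rva"])
    import_rva, _ = pe["dirs"][DIR_IMPORT]
    return {
        "entry_va": pe["entry_va"],
        "entry_section": entry_section,
        "entry_bytes": data[entry_off:entry_off + 3],
        "executable_sections": [s["name"] for s in pe["sections"] if s["chars"] & SCN_MEM_EXECUTE],
        "import_section": rva_to_offset(pe, import_rva)[0],
    }


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Two points the quiz answers gloss over show up here. The entry point RVA 0x1010 becomes VA 0x00401010 in memory but file offset 0x210 on disk, because .text is aligned to 0x1000 in memory and 0x200 in the file; a hex editor patch therefore needs the file offset, a debugger breakpoint the VA. And the imports are found from the data directory, which in this image points into .rdata, not into a section named .idata, so a parser that keys on section names would miss them.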
Question 44. Which debugger command would you use to view the current value of EAX in OllyDbg?
A) F
B) Ctrl+G
C) Right-click → “Follow in Dump” → “EAX”
D) Alt+F
Answer: C
Explanation: The Registers pane of OllyDbg’s CPU window shows EAX directly; right-clicking the register and choosing “Follow in Dump” displays the memory that EAX points to in the dump pane, which is how you inspect a buffer or string whose address is in EAX.

Question 45. Which API call is typically used to retrieve the command-line arguments of the current process?
A) GetCommandLineA
B) GetModuleFileName
C) GetCurrentProcessId
D) GetEnvironmentVariable
Answer: A
Explanation: GetCommandLineA returns a pointer to the process’s ANSI command-line string; GetCommandLineW is the Unicode variant. Either is a useful breakpoint when a sample parses its own arguments.
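The XOR loop in Question 35 is trivial to replay once the key constant is known, but in practice the first task is usually to find that constant. The following added example (not part of the practice exam) is the Python counterpart of the loop plus the recovery step a reverse engineer applies when the key has not been located yet: try all 256 single-byte keys and keep the one whose output looks most like text. The key and plaintext are constructed here; the plaintext stands in for a string such as a C2 hostname that the loop would decrypt.

```python
"""Single-byte XOR decryption (the Question 35 loop) and key recovery by
brute force. Added example, not from the practice exam; sample data is
constructed here."""

SAMPLE_KEY = 0x5C                                                # constructed, stands in for 0xAA
SAMPLE_PLAINTEXT = b"This program cannot be run in DOS mode.\r\n"  # constructed


def xor_decrypt(buf, key):
    """One pass of MOV AL,[ESI]; XOR AL,key; MOV [EDI],AL; INC ESI; INC EDI; LOOP."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in buf)


def text_score(buf):
    """Higher is more text-like: letters and spaces score 1, other printable
    ASCII and tab/CR/LF 0.5, anything else is penalised hard."""
    score = 0.0
    for b in buf:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A or b == 0x20:
            score += 1.0
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 0.5
        else:
            score -= 5.0
    return score


def recover_single_byte_key(ciphertext, min_score_per_byte=0.8):
    """Brute-force all 256 keys; return (key, plaintext), or None when no key
    produces something that looks like text (e.g. the data is not XOR-encoded)."""
    if not ciphertext:
        return None
    best_key, best_plain, best_score = None, None, float("-inf")
    for key in range(256):
        plain = xor_decrypt(ciphertext, key)
        score = text_score(plain)
        if score > best_score:
            best_key, best_plain, best_score = key, plain, score
    if best_score / len(ciphertext) < min_score_per_byte:
        return None
    return best_key, best_plain


if __name__ == "__main__":
    ct = xor_decrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)   # encryption is the same operation
    print("ciphertext:", ct.hex())
    print("recovered :", recover_single_byte_key(ct))
```

XOR is its own inverse, so `xor_decrypt` both encrypts and decrypts; the scoring step is what makes the brute force work without knowing the key. Keys with the high bit set turn every ASCII byte into a non-printable one and are rejected immediately, and keys that merely flip case (0x20) or the low bit (0x01) lose on spaces and line terminators, so the true key scores strictly best for any realistic English string. In a real sample the loop counter in ECX tells you the buffer length to feed in.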