eLearnSecurity eCRE Practice Exam Questions, Exams of Technology

Practice exam questions for the eLearnSecurity Certified Reverse Engineer (eCRE) certification. They cover topics such as the IA-32 architecture, the PE file format, Windows API functions, calling conventions, and debugging techniques. Each question is followed by the correct answer and a short explanation. The set is designed to help students prepare for the eCRE exam and deepen their understanding of reverse engineering concepts, with questions on stack-frame base addressing, relative virtual addresses, executable code sections, and more. It also covers dynamic analysis tools and anti-debugging techniques.

Typology: Exams

2024/2025

Available from 12/03/2025

shilpi-jain-1

eLearnSecurity Certified Reverse Engineer eCRE
Practice Exam
**Question 1.** Which IA32 register conventionally stores a function’s return
value?
A) EBX
B) ECX
C) EDX
D) EAX
Answer: D
Explanation: In the standard IA-32 calling conventions (cdecl, stdcall, fastcall), EAX carries integer and pointer return values; 64-bit integers come back in the EDX:EAX pair and floating-point results on the x87 stack in ST(0).
**Question 2.** In the IA32 architecture, which flag indicates that the result of
an arithmetic operation is zero?
A) CF (Carry Flag)
B) ZF (Zero Flag)
C) OF (Overflow Flag)
D) SF (Sign Flag)
Answer: B
Explanation: ZF is set to 1 when the result of an operation is zero, allowing
conditional jumps like JZ/JE.
**Question 3.** Which of the following is a pointer/index register used for stack
frame base addressing?
A) EAX
B) EBP
C) ESI
D) EDX
Answer: B
Explanation: EBP (Base Pointer) typically points to the start of the current stack frame, so arguments ([EBP+8], [EBP+12], ...) and locals ([EBP-4], ...) are addressed relative to it. Compilers that omit the frame pointer (GCC -fomit-frame-pointer, MSVC /Oy) address everything relative to ESP instead, so do not assume every function has an EBP frame.
**Question 4.** What does RVA stand for in the context of PE files?
A) Relative Virtual Address
B) Random Variable Allocation
C) Register Value Array
D) Runtime Virtual Access
Answer: A
Explanation: An RVA is the offset of an item relative to the image's base address once the image is loaded into memory. It is not a file offset; on disk an RVA has to be translated through the section table.
**Question 5.** In a PE file, which section usually contains executable code?
A) .data
B) .rdata
C) .text

Explanation: In stdcall, the callee removes its arguments from the stack before returning (RET imm16).
**Question 8.** Which instruction pushes the value of EAX onto the stack?
A) PUSH EAX
B) POP EAX
C) MOV [ESP], EAX
D) CALL EAX
Answer: A
Explanation: PUSH first decrements ESP by 4 and then stores the operand (EAX) at the new top of the stack. MOV [ESP], EAX only overwrites the current top without moving ESP.
**Question 9.** Which PE directory contains information about imported functions?
A) Export Directory
B) Resource Directory
C) Import Directory
D) Debug Directory
Answer: C
Explanation: The Import Directory (IMAGE_DIRECTORY_ENTRY_IMPORT in the optional header's data directory) lists the DLLs and the functions the executable imports from them.

**Question 10.** Which tool is primarily used for dynamic analysis of a Windows binary?
A) IDA Pro
B) Ghidra
C) OllyDbg
D) Binwalk
Answer: C
Explanation: OllyDbg is a user-mode debugger that enables step-by-step execution, breakpoint setting, and register monitoring. IDA Pro and Ghidra are primarily static disassemblers and decompilers, and Binwalk is a firmware extraction tool.
**Question 11.** In the IA-32 stack, which register tracks the top of the stack and is adjusted by every PUSH and POP?
A) ESP
B) EBP
C) EIP
D) ESI
Answer: A
Explanation: ESP (Stack Pointer) always points to the top of the stack; a push first decrements ESP by 4 and then stores the value at [ESP], and a pop does the reverse.
**Question 12.** Which flag is set when an arithmetic addition results in a signed overflow?

D) .bss
Answer: C
Explanation: .rdata holds read-only initialized data (string literals, constant tables, often the import tables as well) that does not change at runtime.
**Question 15.** Which instruction sequence is the typical prologue for a function using the stdcall convention?
A) PUSH EBP / MOV EBP, ESP
B) MOV ESP, EBP / POP EBP
C) CALL EAX / POP EBP
D) SUB ESP, 0x10 / PUSH EBX
Answer: A
Explanation: The prologue saves the caller's base pointer and establishes a new stack frame; option B is the matching epilogue. The prologue is identical for cdecl and stdcall; the convention only changes who removes the arguments afterwards.
**Question 16.** Which tool can be used to edit binary files at the byte level?
A) Wireshark
B) Hex Workshop
C) Process Monitor
D) RegEdit
Answer: B

Explanation: Hex editors like Hex Workshop allow direct manipulation of a file's bytes, for example to patch a conditional jump into a NOP or an unconditional JMP.
**Question 17.** Which of the following is a common anti-debugging technique?
A) Using GetModuleHandle
B) Checking the PEB's BeingDebugged flag
C) Calling Sleep
D) Opening a file for read
Answer: B
Explanation: The BeingDebugged byte in the Process Environment Block indicates whether a debugger is attached. IsDebuggerPresent simply reads it, and malware often reads it directly (through FS:[0x30] on 32-bit Windows) to avoid an API call that is easy to hook; clearing that byte from the debugger defeats both variants.
**Question 18.** Which calling convention passes the first two arguments via registers ECX and EDX?
A) cdecl
B) stdcall
C) fastcall
D) thiscall
Answer: C
Explanation: Microsoft fastcall uses ECX and EDX for the first two DWORD-sized parameters and pushes the rest right-to-left; the callee cleans the stack. thiscall uses ECX alone, for the this pointer.

B) JNE
C) JMP
D) JG
Answer: C
Explanation: JMP changes the instruction pointer to the target address without evaluating any condition; JNE and JG test flags left by a preceding CMP or TEST.
**Question 22.** Which PE section typically contains the Import Address Table (IAT) at runtime?
A) .text
B) .idata
C) .rdata
D) .data
Answer: B
Explanation: .idata holds the import descriptors and the IAT that the loader fills in with resolved function addresses. Many modern linkers merge the import tables into .rdata, so the reliable way to locate the IAT is the IAT entry in the optional header's data directory, not the section name.
**Question 23.** The instruction "MOV EAX, [EBP+8]" most likely accesses what?
A) A global variable
B) The first function argument (cdecl)
C) A local variable
D) The return address

Answer: B
Explanation: In a standard stack frame [EBP] holds the saved EBP, [EBP+4] the return address, and [EBP+8] the first argument passed on the stack (the same layout for cdecl and stdcall); locals sit at negative offsets from EBP.
**Question 24.** Which flag is set when a subtraction results in an unsigned borrow?
A) CF
B) ZF
C) OF
D) SF
Answer: A
Explanation: CF (Carry Flag) is set when SUB or CMP needs a borrow, that is, when the unsigned minuend is smaller than the subtrahend, and cleared when no borrow occurs; JB/JAE test it for unsigned comparisons.
**Question 25.** Which Windows API is used to allocate memory from the heap?
A) VirtualAlloc
B) HeapAlloc
C) GlobalAlloc
D) LocalAlloc
Answer: B
Explanation: HeapAlloc allocates a block from the heap identified by a heap handle (GetProcessHeap or HeapCreate). GlobalAlloc and LocalAlloc are legacy wrappers that also end up in the process heap, while VirtualAlloc reserves and commits whole pages directly from the virtual memory manager.
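Worked example, added here and not part of the original practice exam: a Python model of how ADD and SUB/CMP set ZF, SF, CF and OF on 32-bit operands, tying together Questions 2, 12, 24 and 36. The mapping to conditional jumps at the end is the part candidates most often confuse: JB/JA read CF for unsigned comparisons, while JL/JG read SF against OF for signed ones. The sample operands are chosen to trigger each flag.

```python
"""Model of how IA-32 ADD and SUB/CMP set ZF, SF, CF and OF on 32-bit operands.
Added example: a Python model, not code from the exam or from eLearnSecurity."""

MASK32 = 0xFFFFFFFF


def to_signed(v: int) -> int:
    """Interpret a 32-bit pattern as a two's-complement signed integer."""
    return v - (1 << 32) if v & 0x80000000 else v


def flags_add(a: int, b: int) -> dict:
    """Result and flags of ADD a, b."""
    a &= MASK32
    b &= MASK32
    full = a + b                       # exact sum, may need 33 bits
    res = full & MASK32
    return {
        "result": res,
        "ZF": int(res == 0),           # zero result
        "SF": (res >> 31) & 1,         # copy of the result's sign bit
        "CF": int(full > MASK32),      # unsigned carry out of bit 31
        "OF": int(to_signed(a) + to_signed(b) != to_signed(res)),  # signed overflow
    }


def flags_sub(a: int, b: int) -> dict:
    """Result and flags of SUB a, b (CMP a, b sets the same flags and discards the result)."""
    a &= MASK32
    b &= MASK32
    res = (a - b) & MASK32
    return {
        "result": res,
        "ZF": int(res == 0),
        "SF": (res >> 31) & 1,
        "CF": int(a < b),              # unsigned borrow: CF is SET when a < b
        "OF": int(to_signed(a) - to_signed(b) != to_signed(res)),
    }


def taken_after_cmp(a: int, b: int) -> dict:
    """Which conditional jumps would be taken after CMP a, b."""
    f = flags_sub(a, b)
    return {
        "JE":  f["ZF"] == 1,
        "JNE": f["ZF"] == 0,
        "JB":  f["CF"] == 1,                          # unsigned a <  b
        "JA":  f["CF"] == 0 and f["ZF"] == 0,         # unsigned a >  b
        "JL":  f["SF"] != f["OF"],                    # signed   a <  b
        "JG":  f["ZF"] == 0 and f["SF"] == f["OF"],   # signed   a >  b
    }


if __name__ == "__main__":
    print("ADD 0x7FFFFFFF, 1 ->", flags_add(0x7FFFFFFF, 1))        # OF=1, SF=1, CF=0
    print("ADD 0xFFFFFFFF, 1 ->", flags_add(0xFFFFFFFF, 1))        # ZF=1, CF=1, OF=0
    print("SUB 0, 1          ->", flags_sub(0, 1))                 # CF=1 (borrow), SF=1
    print("CMP 0xFFFFFFFF, 1 ->", taken_after_cmp(0xFFFFFFFF, 1))  # JA and JL both taken
```

The last line is the point worth remembering: 0xFFFFFFFF is larger than 1 as an unsigned value (JA taken) and smaller than 1 as a signed value (JL taken), so the same CMP feeds opposite decisions depending on which jump follows it.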

B) API Monitor
C) Nmap
D) GDB
Answer: B
Explanation: API Monitor hooks and logs calls to Windows APIs in real time, including their arguments and return values.
**Question 29.** Which register holds the current instruction pointer in IA-32?
A) EIP
B) ESP
C) EBP
D) EDX
Answer: A
Explanation: EIP (Instruction Pointer) holds the address of the next instruction to be executed; it cannot be written directly, only through control-transfer instructions such as JMP, CALL and RET.
**Question 30.** Which of the following is a characteristic of the cdecl calling convention?
A) Callee cleans the stack
B) Arguments are passed in registers only
C) Caller cleans the stack
D) No name mangling

Answer: C
Explanation: In cdecl, the caller removes the arguments from the stack after the call (typically ADD ESP, n), which is what makes variadic functions such as printf possible.
**Question 31.** In the PE format, which directory entry contains version information?
A) Export Directory
B) Resource Directory
C) Debug Directory
D) Load Config Directory
Answer: B
Explanation: Version resources are stored in the Resource Directory (the .rsrc section) under the RT_VERSION type as a VS_VERSIONINFO block.
**Question 32.** Which instruction is used to compare two registers and set flags accordingly?
A) MOV
B) CMP
C) ADD
D) SUB
Answer: B
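Worked example, added here and not code from the exam: a small Python stack model that runs the exact sequence behind Questions 3, 7, 8, 11, 15, 23 and 30. The caller pushes arguments right-to-left, CALL pushes the return address, the PUSH EBP / MOV EBP, ESP prologue builds the frame (so [EBP+4] is the return address and [EBP+8] the first stack argument), and after the epilogue and RET the convention decides who removes the arguments. It also covers Microsoft fastcall from Questions 18 and 42. The initial ESP, return address and argument values are made-up constants.

```python
"""IA-32 stack-frame model: PUSH/CALL/prologue/epilogue/RET and who cleans up.
Added example (Python), not code from the exam; addresses below are made up."""

MASK32 = 0xFFFFFFFF


class Machine:
    """Just enough state to model the stack: little-endian byte memory plus ESP/EBP/ECX/EDX."""

    def __init__(self, esp=0x0019FF80):
        self.mem = {}
        self.esp, self.ebp, self.ecx, self.edx = esp, 0, 0, 0

    def write32(self, addr, val):
        for i in range(4):
            self.mem[addr + i] = (val >> (8 * i)) & 0xFF

    def read32(self, addr):
        return sum(self.mem.get(addr + i, 0) << (8 * i) for i in range(4))

    def push(self, val):        # PUSH r/m32: ESP -= 4, then store at [ESP]
        self.esp -= 4
        self.write32(self.esp, val & MASK32)

    def pop(self):              # POP r32: load from [ESP], then ESP += 4
        val = self.read32(self.esp)
        self.esp += 4
        return val


def call_sequence(args, convention, ret_addr=0x00401234):
    """Simulate a call with the given arguments under cdecl, stdcall or (Microsoft)
    fastcall and report what the callee sees via EBP and where ESP ends up."""
    m = Machine()
    esp_at_call_site = m.esp
    reg_args, stack_args = [], list(args)
    if convention == "fastcall":            # first two args travel in ECX, EDX
        reg_args, stack_args = list(args[:2]), list(args[2:])
        m.ecx, m.edx = (reg_args + [0, 0])[:2]
    for a in reversed(stack_args):          # caller pushes right-to-left
        m.push(a)
    m.push(ret_addr)                        # CALL f: push return address
    # --- callee prologue ---
    m.push(m.ebp)                           # PUSH EBP
    m.ebp = m.esp                           # MOV EBP, ESP
    m.esp -= 0x10                           # SUB ESP, 0x10 (room for locals)
    seen = {
        "saved_ebp": m.read32(m.ebp),       # [EBP]
        "ret_addr": m.read32(m.ebp + 4),    # [EBP+4]
        "stack_args": [m.read32(m.ebp + 8 + 4 * i)      # [EBP+8], [EBP+12], ...
                       for i in range(len(stack_args))],
        "reg_args": [m.ecx, m.edx][:len(reg_args)],
        "first_local": m.ebp - 4,           # [EBP-4]
    }
    # --- callee epilogue ---
    m.esp = m.ebp                           # MOV ESP, EBP
    m.ebp = m.pop()                         # POP EBP
    popped_ret = m.pop()                    # RET: pop the return address into EIP
    if convention in ("stdcall", "fastcall"):
        m.esp += 4 * len(stack_args)        # RET imm16: callee removes its arguments
    seen["ret_ok"] = popped_ret == ret_addr
    seen["caller_must_add"] = esp_at_call_site - m.esp   # bytes the caller still has to pop
    if convention == "cdecl":
        m.esp += 4 * len(stack_args)        # ADD ESP, n at the call site
    seen["balanced"] = m.esp == esp_at_call_site
    return seen


if __name__ == "__main__":
    for conv in ("cdecl", "stdcall", "fastcall"):
        print(conv, call_sequence([0x11, 0x22, 0x33], conv))
```

Run it and compare caller_must_add across the three conventions: 12 for cdecl (the caller's ADD ESP, 12 follows the call), 0 for stdcall and fastcall (the callee's RET imm16 already did it). A mismatch between what the caller assumes and what the callee does is exactly the stack corruption you see when a function pointer is declared with the wrong convention.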

**Question 35.** Which instruction sequence implements a simple XOR-based string decryption loop?
A) MOV AL, [ESI]; XOR AL, 0xAA; MOV [EDI], AL; INC ESI; INC EDI; LOOP …
B) ADD EAX, EBX; SUB ECX, 1; JNZ …
C) PUSH EAX; POP EAX; RET
D) CALL EDX; NOP
Answer: A
Explanation: The pattern loads a byte from the source (ESI), XORs it with a constant key, stores it at the destination (EDI), advances both pointers, and repeats under LOOP until ECX reaches zero. This is the usual shape of single-byte XOR string obfuscation; the key is the immediate in the XOR instruction and the length is whatever was loaded into ECX.
**Question 36.** Which flag indicates that the most recent arithmetic operation resulted in a negative value?
A) CF
B) ZF
C) OF
D) SF
Answer: D
Explanation: SF (Sign Flag) copies the most significant bit of the result, so it indicates the sign when the operands are interpreted as signed values.
**Question 37.** Which PE section commonly stores embedded icons and bitmaps?

A) .text
B) .rdata
C) .rsrc
D) .data
Answer: C
Explanation: The .rsrc (resource) section holds UI resources such as icons, dialogs, string tables and version info; malware also uses it to embed encrypted payloads.
**Question 38.** Which API is used to read data from a file handle?
A) WriteFile
B) ReadFile
C) SetFilePointer
D) DeleteFile
Answer: B
Explanation: ReadFile reads bytes from an open file handle into a caller-supplied buffer; SetFilePointer only moves the current file position.
**Question 39.** Which instruction can be used to set a hardware breakpoint on a memory address in x86?
A) INT 3
B) DB 0xCC
C) MOV DR0, address

Explanation: CreateProcess launches a new executable and initializes its primary thread; with the CREATE_SUSPENDED flag the thread starts suspended, which is how debuggers and process-hollowing loaders gain control before the entry point runs.
**Question 42.** Which of the following is a valid reason to use the fastcall convention?
A) To ensure the callee cleans the stack
B) To reduce stack traffic for the first two arguments
C) To support COM objects
D) To enforce Unicode strings only
Answer: B
Explanation: fastcall passes the first two arguments in registers (ECX, EDX), reducing memory accesses for small, frequently called functions.
**Question 43.** Which PE header field indicates the entry point of the executable?
A) ImageBase
B) AddressOfEntryPoint
C) BaseOfCode
D) SectionAlignment
Answer: B
Explanation: AddressOfEntryPoint (in the optional header) is an RVA; the loader adds it to the actual load address (ImageBase, or the relocated base when ASLR moves the image) to find the first instruction to execute. For C programs that is the runtime's start-up stub, not main.
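Worked example, added here and not from the exam: a register-level emulation of the Question 35 loop in Python that makes the LOOP semantics explicit (ECX is decremented before the test, so the body always runs at least once and an entry value of 0 runs 2^32 times), followed by the crib-based key recovery a reverser uses when the XOR constant is not an immediate in the listing. The ciphertext is constructed here by encrypting the string kernel32.dll with the 0xAA constant from the question.

```python
"""Register-level emulation of the XOR string-decryption loop from Question 35,
plus known-plaintext recovery of the single-byte key. Added example (Python),
not code from the exam; SAMPLE is a constructed ciphertext."""

MASK32 = 0xFFFFFFFF


def xor_loop(mem: bytearray, esi: int, edi: int, ecx: int, key: int,
             max_iters: int = 1 << 16) -> int:
    """Execute  top: MOV AL,[ESI] / XOR AL,key / MOV [EDI],AL / INC ESI / INC EDI / LOOP top
    and return the iteration count. LOOP decrements ECX *then* jumps if ECX != 0, so
    ECX == 0 on entry wraps to 0xFFFFFFFF (a classic out-of-bounds write); max_iters
    turns that runaway into an error instead of walking off the buffer."""
    iters = 0
    while True:
        al = (mem[esi] ^ key) & 0xFF   # MOV AL,[ESI] ; XOR AL,key
        mem[edi] = al                  # MOV [EDI],AL
        esi, edi = esi + 1, edi + 1    # INC ESI ; INC EDI
        ecx = (ecx - 1) & MASK32       # LOOP: ECX -= 1 ...
        iters += 1
        if ecx == 0:                   # ... fall through once ECX reaches 0
            return iters
        if iters >= max_iters:
            raise RuntimeError("ECX wrapped below zero; loop entered with ECX == 0")


def decrypt(cipher: bytes, key: int) -> bytes:
    """Lay the ciphertext at offset 0 and decrypt it into a buffer placed right after it."""
    n = len(cipher)
    mem = bytearray(cipher) + bytearray(n)
    xor_loop(mem, esi=0, edi=n, ecx=n, key=key)
    return bytes(mem[n:2 * n])


def key_from_crib(cipher: bytes, crib: bytes):
    """Recover a single-byte XOR key from a known plaintext fragment (e.g. a DLL name
    ending in b'.dll'): at the right offset every crib byte yields the same key."""
    for i in range(len(cipher) - len(crib) + 1):
        keys = {c ^ p for c, p in zip(cipher[i:i + len(crib)], crib)}
        if len(keys) == 1:
            return keys.pop()
    return None


# Constructed sample: "kernel32.dll" encrypted with the 0xAA constant from the question.
SAMPLE = bytes(b ^ 0xAA for b in b"kernel32.dll")

if __name__ == "__main__":
    k = key_from_crib(SAMPLE, b".dll")
    print(hex(k), decrypt(SAMPLE, k))
```

In a real sample the crib is usually an API or DLL name the code needs anyway (the loop typically feeds GetProcAddress), which is why XOR-obfuscated strings are the first thing to reverse in a dropper.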

**Question 44.** Which debugger command would you use to view the current value of EAX in OllyDbg?
A) F
B) Ctrl+G
C) Right‑click → "Follow in Dump" → "EAX"
D) Alt+F
Answer: C
Explanation: The register pane always displays EAX's value; right-clicking the register and choosing "Follow in Dump" shows the memory EAX points to in the dump window, which is what you want when EAX holds a pointer.
**Question 45.** Which API call is typically used to retrieve the command-line arguments of the current process?
A) GetCommandLineA
B) GetModuleFileName
C) GetCurrentProcessId
D) GetEnvironmentVariable
Answer: A
Explanation: GetCommandLineA returns a pointer to the ANSI command-line string of the current process; GetCommandLineW returns the Unicode (UTF-16) version.
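Worked example, added here and not code from the exam or from any real binary: a minimal PE32 header walk in Python that builds a tiny two-section image in memory and then resolves the fields Questions 4, 5, 9, 22, 37 and 43 ask about: e_lfanew, the PE signature, the optional header's AddressOfEntryPoint, ImageBase and data directory, and the RVA-to-file-offset translation through the section table. The import and IAT directories are looked up by their data-directory index rather than by section name, which is the robust way to find them. Section names, sizes and the three code bytes at the entry point are constructed values.

```python
"""PE32 header walk: RVA -> file offset, entry point, import and IAT directories.
Added example (Python); the sample image is constructed, not a real executable."""
import struct

DIR_IMPORT, DIR_IAT = 1, 12   # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_IAT


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (two sections, no real code) used as test input."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = 0x58                                                  # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1010)               # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", img, opt + 28, 0x00400000)           # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<I", img, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_IMPORT, 0x2000, 0x28)
    struct.pack_into("<II", img, opt + 96 + 8 * DIR_IAT, 0x2040, 0x10)
    sec = opt + 224                                             # section table
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 0x100, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)                    # CODE|EXECUTE|READ
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".idata", 0x100, 0x2000, 0x200, 0x400,
                     0, 0, 0, 0, 0xC0000040)                    # INITIALIZED_DATA|READ|WRITE
    img[0x210:0x213] = b"\x55\x8B\xEC"   # push ebp / mov ebp, esp placed at the entry point
    return bytes(img)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table of a PE32 file (PE32+ is rejected)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize})
    return {"image_base": image_base, "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None (e.g. an RVA inside the headers)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_offset(sections, rva):
    """File offset backing an RVA; None when nothing on disk backs it (headers, .bss)."""
    s = section_for_rva(sections, rva)
    if s is None:
        return None
    delta = rva - s["va"]
    return s["raw"] + delta if delta < s["rawsize"] else None


def analyze(data: bytes) -> dict:
    """Answer the exam's questions for one image: where the entry point and import tables live."""
    pe = parse_pe(data)
    secs = pe["sections"]
    ep_off = rva_to_offset(secs, pe["entry_rva"])
    imp_rva, _ = pe["dirs"][DIR_IMPORT]
    iat_rva, _ = pe["dirs"][DIR_IAT]
    name = lambda rva: (section_for_rva(secs, rva) or {}).get("name")
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],         # ImageBase + AddressOfEntryPoint
        "entry_section": name(pe["entry_rva"]),
        "entry_bytes": data[ep_off:ep_off + 3] if ep_off is not None else None,
        "import_section": name(imp_rva),
        "iat_section": name(iat_rva),
    }


if __name__ == "__main__":
    for k, v in analyze(build_sample_pe()).items():
        print(f"{k:15} {v!r}")
```

The entry_va printed here assumes the image is loaded at its preferred ImageBase; under ASLR you add the RVA to the base the debugger reports instead. Feeding a real executable to analyze() works as long as it is PE32; a PE32+ file is rejected because the optional-header offsets differ.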