MRE Certified Reverse Engineer Practice Exam, Exams of Technology

A practice exam for the MRE Certified Reverse Engineer certification. It includes 26 multiple-choice questions covering various topics in reverse engineering, such as x86-64 architecture, PE file structure, Windows API usage, anti-debugging techniques, and disassembly tools like IDA Pro and Ghidra. Each question is followed by a detailed explanation of the correct answer, making it a valuable resource for students and professionals preparing for the certification or seeking to enhance their reverse engineering skills. The exam covers essential concepts and tools used in malware analysis and software reverse engineering, offering practical insights into the field. It serves as a useful tool for self-assessment and knowledge reinforcement.

Typology: Exams

2024/2025

Available from 12/03/2025

shilpi-jain-1
[MCSI] MRE Certified Reverse Engineer Practice Exam


Exam

**Question 1.** Which register in the x86-64 architecture is conventionally used to pass the first integer argument to a function?
A) RAX
B) RBX
C) RCX
D) RDI
Answer: D
Explanation: In the Microsoft x64 calling convention, the first integer or pointer argument is passed in RDI.
**Question 2.** In a PE file, the “.text” section typically contains:
A) Imported function names
B) Executable code
C) Resource data
D) Debug symbols
Answer: B
Explanation: The .text section stores the program’s executable instructions.
**Question 3.** Which Windows API is most commonly used by malware to create or modify registry keys for persistence?
A) CreateFileW

B) RegSetValueExA
C) VirtualAllocEx
D) SendMessageW
Answer: B
Explanation: RegSetValueEx (or RegCreateKey) writes values to the registry, a typical persistence method.
**Question 4.** The technique of inserting meaningless instructions to confuse disassemblers is called:
A) Packing
B) Junk code insertion
C) API hooking
D) Process hollowing
Answer: B
Explanation: Junk code (or NOP sleds) adds irrelevant instructions that hinder static analysis.
**Question 5.** Which of the following is a hardware breakpoint type?
A) Break on execution of a specific instruction address
B) Break when a memory location is read or written
C) Break after a specified number of instructions

Explanation: RegMon monitors registry reads/writes; its functionality is now integrated into Process Monitor.
**Question 8.** In IDA Pro, the shortcut “Ctrl-F” is used to:
A) Open the function window
B) Search for a string in the binary
C) Find a specific instruction address
D) Open the “Find Text” dialog for any text
Answer: D
Explanation: Ctrl-F opens the generic text search dialog.
**Question 9.** Which of the following is an indicator that a binary is packed with UPX?
A) Presence of “UPX0” and “UPX1” sections
B) High entropy in the .data section only
C) Imports only from kernel32.dll
D) A .reloc section larger than 10 KB
Answer: A
Explanation: UPX creates sections named UPX0, UPX1, etc., to store compressed code.

**Question 10.** The Windows API function “CheckRemoteDebuggerPresent” is used to:
A) Detect if the process is being debugged locally
B) Detect if another process is being debugged
C) Hide a process from the debugger
D) Disable all breakpoints in the process
Answer: B
Explanation: CheckRemoteDebuggerPresent checks whether a specified process has a debugger attached.
**Question 11.** Which memory region typically stores the stack for a newly created thread in Windows?
A) .bss
B) .data
C) The region pointed to by the ESP/RSP register
D) The heap segment
Answer: C
Explanation: The stack pointer registers (ESP/RSP) point to the current stack area.
**Question 12.** In Ghidra, the “Symbol Tree” view primarily displays:
A) All imported functions only

C) Access the system registry
D) Modify file permissions
Answer: B
Explanation: NtQuerySystemInformation with SystemProcessInformation returns details about running processes.
**Question 15.** Which of the following best describes “control-flow flattening”?
A) Converting all jumps to indirect calls through a dispatcher loop
B) Encrypting string literals in the binary
C) Removing all function boundaries
D) Packing the executable with a custom compressor
Answer: A
Explanation: Flattening replaces structured control flow with a dispatcher that decides the next block, obscuring the original flow.
**Question 16.** A debugger that sets a “software breakpoint” typically does this by:
A) Modifying the target’s memory to insert an INT 3 (0xCC) opcode
B) Using CPU debug registers
C) Pausing the VM hypervisor
D) Changing the process priority class

Answer: A
Explanation: Software breakpoints replace the target instruction with INT 3, causing a trap when executed.
**Question 17.** Which PE header field indicates the preferred load address of the image?
A) SizeOfHeaders
B) ImageBase
C) SectionAlignment
D) FileAlignment
Answer: B
Explanation: ImageBase specifies the virtual address where the loader prefers to map the image.
**Question 18.** The Windows API “VirtualProtect” is commonly abused by malware to:
A) Allocate new threads
B) Change memory protection to executable for injected code
C) Enumerate network adapters
D) Delete files securely
Answer: B

**Question 21.** A “process hollowing” technique involves:
A) Replacing the entry point of a legitimate process with malicious code after the process is created
B) Injecting shellcode into a paused thread of another process
C) Creating a new process and terminating it immediately
D) Using a driver to hide a process from the task manager
Answer: A
Explanation: Process hollowing creates a legitimate process, unmaps its memory, and maps malicious code in its place.
**Question 22.** Which Ghidra feature allows automatic generation of C-like pseudocode from disassembled functions?
A) Decompiler
B) Data Type Manager
C) Script Manager
D) Symbol Table
Answer: A
Explanation: Ghidra’s Decompiler translates assembly into high-level pseudocode.
**Question 23.** The Windows API “CreateRemoteThread” is primarily used for:
A) Launching a new process on a remote machine

B) Injecting code into another process on the same system
C) Establishing a network socket
D) Enumerating services on a remote host
Answer: B
Explanation: CreateRemoteThread creates a thread in the address space of another process, facilitating code injection.
**Question 24.** Which of the following is a reliable method to detect the presence of a debugger using timing checks?
A) Measuring the duration of GetTickCount between two points
B) Checking the value of the EIP register
C) Reading the PEB’s BeingDebugged flag
D) Scanning for a debugger’s window title
Answer: A
Explanation: Debuggers introduce latency; measuring elapsed time with GetTickCount or RDTSC can reveal abnormal delays.
**Question 25.** In the PE format, the “Data Directory” entry for “Resource” points to:
A) The .rsrc section containing icons, dialogs, etc.
B) The import table of the executable
C) The export table of the DLL

Explanation: BeingDebugged is a Boolean flag set by the OS when a debugger is attached.
**Question 28.** Which of the following is an effective way to bypass simple anti-VM checks that look for known virtual hardware IDs?
A) Rename the binary file
B) Modify the registry key “HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation”
C) Use a sandbox that spoofs hardware identifiers
D) Disable Windows Defender
Answer: C
Explanation: Spoofing hardware IDs in a sandbox prevents malware from detecting known VM signatures.
**Question 29.** In x86-64, the “RIP-relative” addressing mode is used to:
A) Access memory locations relative to the instruction pointer
B) Perform indirect jumps via a register
C) Store immediate values larger than 32 bits
D) Switch between 32-bit and 64-bit mode
Answer: A
Explanation: RIP-relative addressing allows position-independent code to reference data using the current instruction pointer.

**Question 30.** Which of the following tools is specifically designed for memory forensics on Windows crash dumps?
A) Volatility
B) Process Monitor
C) Wireshark
D) OllyDbg
Answer: A
Explanation: Volatility parses memory images and crash dumps to extract processes, DLLs, and hidden data.
**Question 31.** The “Export Directory” in a PE file contains:
A) A list of functions that the executable imports from other modules
B) A list of functions that the module makes available to other modules
C) The locations of all string literals
D) The entry point of the program
Answer: B
Explanation: Export Directory enumerates functions that the PE exposes for external use.
**Question 32.** Which Windows API call can be used by malware to hide a file by setting its attributes to “hidden” and “system”?

C) It requires administrative rights to install a driver
D) It modifies the Master Boot Record (MBR)
Answer: B
Explanation: File-less malware avoids writing files, often leveraging in-memory execution and scripting.
**Question 35.** The Windows API “NtUnmapViewOfSection” is commonly used in which technique?
A) Process hollowing
B) DLL injection via LoadLibrary
C) Creating a new thread
D) Enumerating services
Answer: A
Explanation: NtUnmapViewOfSection removes the original code section of a process, a step in process hollowing.
**Question 36.** Which of the following best describes the purpose of a “Control Flow Graph” (CFG) in static analysis?
A) To list all imported DLLs
B) To visualize possible execution paths between basic blocks
C) To display raw hexadecimal data
D) To enumerate registry keys accessed by the binary

Answer: B
Explanation: A CFG shows how basic blocks are connected, helping analysts understand program logic.
**Question 37.** When analyzing a binary with IDA Pro, the “F5” key is used to:
A) Open the function window
B) Switch to the graph view of a function
C) Rename a symbol
D) Start a debugging session
Answer: B
Explanation: F5 toggles the graph view, which displays the control flow of the selected function.
**Question 38.** Which of the following is an example of a “network indicator of compromise” (IOC) for malware?
A) A specific registry key path
B) A unique process name
C) A hard-coded C2 IP address or domain
D) A particular file hash
Answer: C
Explanation: Network IOCs include IP addresses, domains, or URLs used for command-and-control communication.

A) Measure the randomness of a section’s data, indicating compression or encryption
B) Determine the number of exported functions
C) Calculate the size of the import table
D) Identify the type of CPU architecture
Answer: A
Explanation: High entropy suggests that data is compressed or encrypted, typical of packed sections.
**Question 42.** Which of the following techniques is most effective against “inline hook” detection by anti-debuggers?
A) Using a kernel-mode driver to hide breakpoints
B) Modifying the original function prologue after the hook is placed
C) Setting a hardware breakpoint on the hook routine
D) Disabling all system breakpoints via the registry
Answer: B
Explanation: Restoring the original prologue after the hook reduces the chance of detection.
**Question 43.** The Windows API “SetUnhandledExceptionFilter” can be abused to:
A) Hide a process from Task Manager

B) Implement a custom crash handler that executes malicious code
C) Enumerate all open network sockets
D) Change file permissions on protected files
Answer: B
Explanation: By installing a custom exception filter, malware can execute code when an exception occurs.
**Question 44.** Which of the following statements about “DLL side-loading” is true?
A) It requires modifying the system registry to point to a malicious DLL
B) It exploits the way Windows searches for DLLs in the application directory before system directories
C) It only works on 64-bit processes
D) It is detected by checking the file’s digital signature
Answer: B
Explanation: Side-loading places a malicious DLL with the same name as a legitimate one in the same folder as the executable.
**Question 45.** In a typical sandbox environment, which of the following artifacts would indicate that the malware has detected the sandbox?
A) Creation of a file named “sandbox_detected.txt”
B) Immediate termination after checking for known virtualization drivers