The PrepIQ MRE Certified Reverse Engineer Ultimate Exam focuses on software reverse engineering and malware analysis methodologies. Learners gain expertise in binary analysis, debugging, disassembly, code tracing, and advanced malware investigation techniques.
Typology: Exams
Question 1. Which PE header field specifies the offset to the PE signature (“PE\0\0”) in a Portable Executable file?
A) e_lfanew
B) SizeOfOptionalHeader
C) NumberOfSections
D) ImageBase
Answer: A
Explanation: In the DOS header, the e_lfanew field points to the start of the PE signature, allowing the loader to locate the PE header.

Question 2. In a PE file, the Data Directory entry that points to the Import Table is located at which index?
A) 0
B) 1
C) 2
D) 3
Answer: B
Explanation: Index 1 of the Data Directory array corresponds to the Import Table, providing the RVA and size of the import descriptors.

Question 3. Which section name is conventionally used to store embedded icons and dialogs in a Windows executable?
A) .text
B) .data
C) .rsrc
D) .reloc
Answer: C
Explanation: The .rsrc (resource) section holds icons, dialogs, version info, and other compiled resources.

Question 4. When searching a binary for potential C2 server IP addresses, which regular expression best matches IPv4 dotted-decimal notation?
A) \b\d{1,3}(.\d{1,3}){3}\b
B) \b[0-9A-F]{8}\b
C) \b[0-9a-f]{32}\b
D) \b\w+@\w+.\w{2,4}\b
Answer: A
Explanation: The pattern captures four groups of 1-3 digits separated by periods, matching typical IPv4 strings.

Question 5. In x86-64 calling convention __stdcall, how are the first four integer arguments passed?
A) RCX, RDX, R8, R
B) Stack only, left-to-right
C) RDI, RSI, RDX, RCX
D) RAX, RBX, RCX, RDX
Answer: B
Explanation: __stdcall is a 32-bit convention; arguments are pushed on the stack right-to-left, and the callee cleans the stack.

Question 6. Which register holds the instruction pointer on x86-64 architecture?
A) RSP
B) RBP
C) RIP
C) !imports
D) lm
Answer: C
Explanation: The !imports extension lists imported functions and their originating DLLs for the target module.

Question 10. When using x64dbg, which breakpoint type is most suitable for monitoring writes to a specific memory address without stopping the process?
A) Software breakpoint
B) Hardware execute breakpoint
C) Hardware write breakpoint
D) Conditional breakpoint
Answer: C
Explanation: Hardware data breakpoints can be set for read/write access; a write breakpoint triggers on memory writes.

Question 11. In memory forensics, which Windows API is commonly used by malware to allocate executable memory on the heap?
A) VirtualAllocEx
B) HeapCreate
C) LocalAlloc
D) GlobalFree
Answer: A
Explanation: VirtualAllocEx can reserve and commit memory with PAGE_EXECUTE_READWRITE, enabling code injection.
Question 12. To bypass a simple license check that compares a hard-coded serial number, which patching technique is most direct?
A) Replace the comparison instruction with NOPs
B) Change the serial constant in the .rdata section
C) Modify the jump after the compare from JNE to JMP
D) Insert a breakpoint at the compare instruction
Answer: C
Explanation: Changing a conditional jump (e.g., JNE) to an unconditional JMP forces the code to take the success path regardless of the comparison result.

Question 13. Which of the following best describes the “Original Entry Point” (OEP) in a packed executable?
A) The address where the packer’s stub begins execution
B) The address of the first imported function
C) The address where the original, unpacked code starts running after the stub finishes
D) The RVA of the .text section header
Answer: C
Explanation: The OEP is the entry point of the original program after the unpacker has restored the original code.

Question 14. The Windows API IsDebuggerPresent returns which value when a debugger is attached?
A) TRUE (non-zero)
B) FALSE (zero)
C) 0xFFFFFFFF
D) It raises an exception
Answer: A
C) Polymorphic code
D) Instruction padding
Answer: B
Explanation: Opaque predicates are conditions that are always true or false but are crafted to look complex, adding dead code.

Question 18. Which Windows persistence mechanism registers a program to run at every system startup via the registry?
A) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
B) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C) HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion RunOnce
D) HKEY_CURRENT_USER\Environment
Answer: A
Explanation: The “Run” key under HKCU or HKLM causes the listed executable to launch each boot.

Question 19. In the context of scheduled tasks persistence, which command-line utility can create a task that runs with SYSTEM privileges?
A) schtasks /create /sc ONSTART /ru SYSTEM
B) at /create /every:1 /user:system
C) taskmgr /new /system
D) reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v task /t REG_SZ /d …
Answer: A
Explanation: schtasks with /ru SYSTEM creates a task that runs under the SYSTEM account.
Question 20. Which WMI class is commonly abused to achieve persistence by executing a command at system boot?
A) Win32_Process
B) Win32_StartupCommand
C) __EventFilter and __FilterToConsumerBinding
D) Win32_Service
Answer: C
Explanation: Attackers create an __EventFilter and bind it to a __CommandLineEventConsumer, causing code execution when the filter’s event occurs (e.g., system startup).

Question 21. A custom C2 protocol encrypts its payload using XOR with a rotating key. Which analysis step will most likely reveal the plaintext?
A) Static string extraction
B) Observing network traffic in Wireshark and applying the XOR decryption offline
C) Dumping the process memory after decryption
D) Searching for the XOR key in the .data section
Answer: B
Explanation: Capturing the encrypted traffic and applying the same XOR algorithm (with the rotating key) allows reconstruction of the plaintext without needing to run the malware.

Question 22. Which of the following is NOT a typical indicator of compromise (IOC) generated from a reverse-engineering report?
A) SHA-256 hash of the malicious file
B) List of referenced Windows API calls
C) Domain name used for C2 communication
D) Registry key created for persistence
Answer: B
Explanation: After resolving imports, the loader marks the IAT as read-only to prevent tampering.

Question 26. Which instruction sequence is most likely used to retrieve the base address of the current module in position-independent shellcode on Windows x86?
A) call GetModuleHandleA
B) push ebp; mov ebp, esp; call $+5; pop ebx; add ebx, offset
C) mov eax, fs:[0x30]; mov eax, [eax+0x0C]
D) lea eax, [esp+4]
Answer: C
Explanation: fs:[0x30] points to the PEB; offset 0x0C contains the pointer to the ImageBaseAddress, a common technique in shellcode.

Question 27. During dynamic analysis, which Windows API can be hooked to monitor file writes performed by malware?
A) CreateFileA
B) ReadFile
C) GetModuleFileName
D) SetFileAttributes
Answer: A
Explanation: Hooking CreateFile (or CreateFileW) captures file creation/opening with write access, revealing persistence or exfiltration attempts.
Question 28. Which of the following is a reliable sign that a binary has been packed with UPX?
A) Section name “UPX0” and “UPX1” present
B) High entropy in the .text section only
C) Presence of a .tls section with callbacks
D) Import table contains only kernel32.dll functions
Answer: A
Explanation: UPX creates sections named UPX0, UPX1, etc., and adds a stub that can be detected.

Question 29. A debugger breakpoint is set at address 0x401000. After the breakpoint hits, the instruction pointer (RIP) shows 0x401005. Why?
A) The breakpoint instruction (INT 3) is 5 bytes long
B) The debugger automatically advances RIP past the original instruction
C) INT 3 is a single-byte opcode, and the debugger adds the original instruction length (5) to RIP
D) The processor increments RIP by the size of the next instruction
Answer: C
Explanation: INT 3 replaces the first byte of the original instruction; after the breakpoint, the debugger restores the original byte and sets RIP to the next instruction, which is original length (5 bytes) ahead.

Question 30. Which of the following techniques is most effective against “API hashing” used by malware to resolve functions at runtime?
A) Monitoring the import table for missing entries
B) Hooking GetProcAddress and logging the resolved names
C) Searching for the hash algorithm in the binary and reproducing it offline
B) Embeds a full PDB path for remote debugging
C) Includes a debug directory entry pointing to a .pdb file
D) Disables all optimizations for easier reverse engineering
Answer: C
Explanation: The /DEBUG option adds a debug directory entry so the loader can locate the associated PDB for source-level debugging.

Question 34. Which Windows API can be used by malware to hide its threads from debuggers that rely on Thread-Local Storage (TLS) callbacks?
A) SetThreadContext
B) NtSetInformationThread with ThreadHideFromDebugger flag
C) CreateThread with CREATE_SUSPENDED flag
D) QueueUserAPC
Answer: B
Explanation: NtSetInformationThread with the ThreadHideFromDebugger information class marks a thread as hidden from typical debugger enumerations.

Question 35. In a packed binary, the stub often performs a “relocation fix-up” before transferring control to the OEP. Which PE data structure contains the necessary relocation entries?
A) Import Address Table
B) Base Relocation Table (.reloc)
C) Export Directory
D) Resource Directory
Answer: B
Explanation: The .reloc section holds relocation entries that the loader (or packer stub) uses to adjust addresses when the image is loaded at a non-preferred base.
Question 36. Which of the following methods can be used to reliably extract embedded configuration files from the .rsrc section?
A) Searching for ASCII strings “CONFIG”
B) Using the Windows API FindResource/LoadResource with the known resource ID
C) Dumping the entire .rsrc section and manually parsing for known file signatures
D) Running the binary and capturing the file after it writes to disk
Answer: B
Explanation: FindResource/LoadResource allows direct access to a specific resource by type and ID, ensuring accurate extraction.

Question 37. Which flag in the PE Optional Header indicates that the executable supports Address Space Layout Randomization (ASLR)?
A) IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
B) IMAGE_DLLCHARACTERISTICS_NX_COMPAT
C) IMAGE_DLLCHARACTERISTICS_NO_SEH
D) IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
Answer: A
Explanation: The DYNAMIC_BASE flag signals that the image can be relocated randomly at load time, enabling ASLR.

Question 38. When analyzing a malware sample that uses “SetThreadContext” to modify the instruction pointer of another thread, which anti-analysis technique is being employed?
A) Anti-debugging via thread hijacking
B) Anti-VM detection
C) Code obfuscation through opaque predicates
A) CreateProcess
B) EnumProcesses (from Psapi)
C) GetSystemInfo
D) GetFileAttributes
Answer: B
Explanation: EnumProcesses returns a list of process IDs, allowing malware to search for known analysis tools.

Question 42. Which of the following is a typical sign that a binary uses “code virtualization” as an anti-reversing technique?
A) Presence of a large interpreter loop that reads byte-code from a data section
B) Multiple overlapping sections with identical raw data
C) High entropy in the .text section only
D) Use of the __fastcall calling convention exclusively
Answer: A
Explanation: Code virtualization translates original code into a custom byte-code interpreted at runtime, making static analysis difficult.

Question 43. When patching a conditional jump (e.g., JNZ) to always take the true branch, which byte value should replace the opcode on x86?
A) 0xEB (short unconditional jump)
B) 0xE9 (near unconditional jump)
C) 0x90 (NOP)
D) 0x75 (original JNZ)
Answer: A
Explanation: Replacing a short conditional jump (2 bytes) with 0xEB (JMP short) followed by the same displacement forces an unconditional short jump.

Question 44. In a sandbox environment, a malware sample checks for the existence of the file “C:\Windows\System32\drivers\VBoxMouse.sys”. What is the purpose of this check?
A) Detecting a virtual machine (VirtualBox) to decide whether to execute
B) Verifying the presence of a specific driver required for its operation
C) Ensuring the system has a mouse driver installed
D) Locating a known DLL for code injection
Answer: A
Explanation: The presence of VBoxMouse.sys indicates a VirtualBox VM; many samples abort when they detect such artifacts.

Question 45. Which tool is primarily used to generate a Control Flow Graph (CFG) from a PE binary for static analysis?
A) IDA Pro’s Graph View
B) Process Explorer
C) Regedit
D) Sysinternals Autoruns
Answer: A
Explanation: IDA Pro can automatically generate a CFG visualizing basic blocks and their branching relationships.

Question 46. The presence of a “.tls” section in a PE file is most commonly used for:
A) Storing thread-local storage callbacks that run before the entry point
B) Holding encrypted configuration data
Question 49. Which of the following is the most effective way to detect a “return-oriented programming” (ROP) chain used by malware at runtime?
A) Monitoring for a high frequency of RET instructions executed in a short time span
B) Scanning the binary for the string “ROP”
C) Checking for the presence of the “/SAFESEH” flag
D) Looking for unusual imports of kernel32.dll functions
Answer: A
Explanation: ROP chains consist of many consecutive RETs; a spike in RET execution can indicate a ROP payload.

Question 50. When analyzing a 64-bit PE file, which base register is used by the loader to compute the actual address of a function imported via the IAT?
A) RAX
B) RBX
C) RDX
D) R
Answer: A
Explanation: The loader typically loads the base address of the module into RAX (or a register) and adds the IAT entry offset to obtain the real function address.

Question 51. Which of the following is a common method for malware to achieve code injection into another process?
A) CreateRemoteThread with LoadLibraryA
B) SetConsoleTitleA
C) GetSystemMetrics
D) RegOpenKeyEx
Answer: A
Explanation: CreateRemoteThread combined with LoadLibrary loads a DLL into the target process’s address space, achieving injection.

Question 52. A binary uses the “mov eax, fs:[0x30]” instruction. What is the purpose of this instruction in Windows exploitation?
A) Retrieve the address of the Process Environment Block (PEB)
B) Access the Thread Information Block (TIB)
C) Load the base address of kernel32.dll
D) Read the current EIP value
Answer: A
Explanation: fs:[0x30] points to the PEB in 32-bit Windows; moving it into EAX provides a handle to process information.

Question 53. Which of the following is NOT a typical indicator that a program has been compiled with the /GS (Buffer Security Check) flag enabled?
A) Presence of a “__security_cookie” global variable
B) Calls to “__security_check_cookie” at function epilogues
C) A .reloc section with many entries
D) Additional stack canary verification code
Answer: C
Explanation: The .reloc section is unrelated to /GS; the other options are directly associated with stack cookie mechanisms.

Question 54. Which Windows API can be used by malware to enumerate loaded modules of the current process for anti-analysis purposes?
A) EnumProcessModules
B) GetVersionEx