PrepIQ OffSec OSED EXP301 OffSec Exploit Developer Ultimate Exam, Exams of Technology

The PrepIQ OffSec OSED EXP301 OffSec Exploit Developer Ultimate Exam focuses on exploit development and vulnerability research techniques. Topics include buffer overflows, reverse engineering, debugging methodologies, exploit crafting, and advanced software exploitation practices.

Typology: Exams

2025/2026

Available from 06/03/2026

shilpi-jain-3
shilpi-jain-3 🇮🇳

2.5

(11)

80K documents

1 / 50

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
PrepIQ OffSec OSED EXP301 OffSec
Exploit Developer Ultimate Exam
**Question 1.** Which WinDbg command displays the contents of the stack pointer
register and the top 16 dwords on the stack?
A) dd esp L16
B) dp esp L16
C) dt esp L16
D) du esp L16
Answer: A
Explanation: `dd` (display dword) with the register `esp` and length `L16` prints
the stack pointer value followed by 16 dwords from that address.
**Question 2.** In the x86 calling convention `stdcall`, who is responsible for
cleaning the stack after a function call?
A) Caller
B) Callee
C) Both equally
D) The OS kernel
Answer: B
Explanation: `stdcall` requires the callee to execute `ret N` where N is the number
of bytes of arguments, thereby cleaning the stack.
**Question 3.** Which register holds the address of the next instruction to execute
in x86?
A) EAX
B) ESP
C) EIP
D) EBX
Answer: C
Explanation: The Instruction Pointer register (EIP) always points to the next
instruction.
**Question 4.** What does the WinDbg pseudo-register `@@c++(@$t0)` evaluate?
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32

Partial preview of the text

Download PrepIQ OffSec OSED EXP301 OffSec Exploit Developer Ultimate Exam and more Exams Technology in PDF only on Docsity!

Exploit Developer Ultimate Exam

Question 1. Which WinDbg command displays the contents of the stack pointer register and the top 16 dwords on the stack? A) dd esp L B) dp esp L C) dt esp L D) du esp L Answer: A Explanation: dd (display dword) with the register esp and length L16 prints the stack pointer value followed by 16 dwords from that address. Question 2. In the x86 calling convention stdcall, who is responsible for cleaning the stack after a function call? A) Caller B) Callee C) Both equally D) The OS kernel Answer: B Explanation: stdcall requires the callee to execute ret N where N is the number of bytes of arguments, thereby cleaning the stack. Question 3. Which register holds the address of the next instruction to execute in x86? A) EAX B) ESP C) EIP D) EBX Answer: C Explanation: The Instruction Pointer register (EIP) always points to the next instruction. Question 4. What does the WinDbg pseudo-register @@c++(@$t0) evaluate?

Exploit Developer Ultimate Exam

A) Current thread ID B) Value of the first argument to the current function C) The address of the instruction pointer D) The size of the current stack frame Answer: B Explanation: @$t0 is the first argument (t0) of the current function; @@c++ casts it to a C-style integer. Question 5. Which of the following WinDbg commands sets a hardware breakpoint on the instruction at address 0x00401234? A) bp 0x B) ba e 1 0x C) eb 0x D) bp -h 0x Answer: B Explanation: ba e 1 creates a hardware execute breakpoint of length 1 at the specified address. Question 6. In a typical Windows SEH chain, the Next pointer of the _EXCEPTION_REGISTRATION_RECORD points to: A) The previous exception registration record B) The address of the handler function C) The start of the stack D) The EXCEPTION_POINTERS structure Answer: A Explanation: The Next field links to the previous registration record, forming a linked list. Question 7. Which instruction sequence is commonly used as a “pop-pop-ret” (PPR) gadget to bypass SEH overwrites? A) pop eax; pop ebx; ret

Exploit Developer Ultimate Exam

C) 0x3C D) 0x4E Answer: B Explanation: In Windows 7 x86, NtAllocateVirtualMemory is system call 0x1A; the number can vary by OS version, but 0x1A is the common value for many releases. Question 11. Which instruction is used to obtain the base address of kernel32.dll at runtime without using LoadLibrary? A) call dword ptr [fs:0x30] B) mov eax, [fs:0x30] ; then walk the PEB loader list C) int 0x2E D) jmp dword ptr [eax] Answer: B Explanation: The Process Environment Block (PEB) is at fs:[0x30]; walking the InMemoryOrderModuleList yields the base address of loaded modules like kernel32.dll. Question 12. Which of the following shellcode characteristics is essential for bypassing a NULL-byte filter? A) Using only alphanumeric characters B) Avoiding any byte equal to 0x00 in the entire payload C) Encoding the payload with Base D) Placing the payload in the .data section Answer: B Explanation: A NULL-byte filter terminates strings at 0x00; the shellcode must be completely NULL-free. Question 13. In IDA Pro, which view is most appropriate for locating the entry point of a PE file? A) Disassembly view of the .text section B) Imports window

Exploit Developer Ultimate Exam

C) Segments view D) Functions window after pressing G and entering 0x00400000 Answer: A Explanation: The entry point is a function within the .text section; the disassembly view directly shows it. Question 14. When performing dynamic analysis with a debugger, what does the “step over” (F10) command accomplish? A) Executes the current instruction and stops at the next line, skipping over called functions B) Executes the current instruction and any called functions until the next breakpoint C) Executes the entire program until termination D) Reverts the last instruction executed Answer: A Explanation: “Step over” runs the current instruction, but if it is a call, the debugger runs the called function without stopping inside it. Question 15. Which of the following is a typical symptom of a stack cookie (canary) mismatch? A) Application prints “Access denied” B) The program terminates with a 0xC0000409 STATUS_STACK_BUFFER_OVERRUN exception C) The system logs a “Page Fault” error D) The debugger shows an illegal instruction (0xCC) Answer: B Explanation: Windows raises STATUS_STACK_BUFFER_OVERRUN when the canary value is altered. Question 16. Which WinDbg command can be used to display all loaded modules and their base addresses? A) lm

Exploit Developer Ultimate Exam

C) ASLR

D) Stack cookies Answer: C Explanation: /DYNAMICBASE:NO tells the linker not to mark the image as ASLR-compatible, thus disabling address randomization for that module. Question 20. In a format string vulnerability, which specifier can be used to read a 4-byte value from the stack? A) %n B) %x C) %s D) %p Answer: B Explanation: %x reads a 4-byte unsigned integer from the stack and prints it in hexadecimal. Question 21. Which of the following WinDbg commands writes the value 0xdeadbeef to the memory location pointed to by eax? A) eb eax 0xdeadbeef B) eb @eax 0xdeadbeef C) ew @eax 0xdeadbeef D) eb @eax=0xdeadbeef Answer: C Explanation: ew writes a 4-byte word; @eax dereferences the register. Question 22. What is the purpose of the VirtualProtect API when used in an exploit that bypasses DEP? A) To allocate new memory B) To change the protection of a memory region to PAGE_EXECUTE_READWRITE, allowing shellcode execution C) To free a previously allocated buffer

Exploit Developer Ultimate Exam

D) To retrieve the base address of a module Answer: B Explanation: VirtualProtect can change a region’s protection flags, making previously non-executable memory executable. Question 23. Which of the following is a reliable way to locate a non-ASLR module in a 64-bit Windows process? A) Search for “msvcrt.dll” in the process memory B) Query the PEB’s Ldr.InMemoryOrderModuleList for modules without the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag C) Use GetModuleHandleA from within the exploit code D) Scan the stack for “kernel32.dll” strings Answer: B Explanation: The loader list contains module entries with flags; modules lacking the dynamic base flag are not ASLR-enabled. Question 24. In the x86 instruction set, which of the following instructions does not modify the EFLAGS register? A) inc eax B) sub ebx, ecx C) mov edx, 0x D) and eax, ebx Answer: C Explanation: mov copies data and does not affect flags; arithmetic and logical instructions generally do. Question 25. What does the WinDbg command .exr -1 display? A) The most recent exception record B) The current thread’s register state C) The list of loaded modules D) The contents of the stack pointer

Exploit Developer Ultimate Exam

Explanation: SafeSEH restricts the OS to only handlers listed in the SafeSEH table; using a gadget from a non-SafeSEH module avoids this restriction. Question 29. Which of the following is the most common method to bypass ASLR when you have a format string vulnerability that can leak arbitrary memory? A) Overwrite the return address with a hard-coded address B) Leak a pointer to a module that is not compiled with /DYNAMICBASE and calculate offsets from it C) Use VirtualAlloc to allocate executable memory at a predictable address D) Disable ASLR via a registry key from the exploit Answer: B Explanation: Leaking a known module base (non-ASLR) allows you to compute the address of needed gadgets or functions. Question 30. Which instruction pattern is typically used to align the stack pointer before calling a function that expects 16-byte alignment on Windows 10 x64? A) sub esp, 0xC B) and esp, 0xFFFFFFF C) push ebp; mov ebp, esp D) sub esp, 0x10; and esp, 0xFFFFFFF Answer: D Explanation: The combination of subtracting and aligning ensures the stack is 16 - byte aligned as required by the Windows x64 ABI. Question 31. In a 32-bit Windows process, which register points to the Thread Information Block (TIB) via the FS segment? A) EAX B) EBX C) ECX D) None; the FS segment selector itself references the TIB Answer: D

Exploit Developer Ultimate Exam

Explanation: The FS segment base (FS:[0]) points to the TIB; there is no dedicated register. Question 32. Which of the following opcode bytes corresponds to the instruction jmp esp? A) FF E B) FF 24 25 C) 68 00 00 00 00 D) 6A 00 Answer: A Explanation: FF E4 is the machine code for jmp esp, frequently used in exploit development. Question 33. When constructing a ROP chain, why is it advantageous to start with a “stack pivot” gadget? A) It changes the process’s privilege level B) It moves the stack pointer to a location you control, allowing the rest of the chain to be placed there C) It disables DEP automatically D) It loads the address of kernel32.dll into EAX Answer: B Explanation: A stack pivot (xchg esp, eax; ret) redirects execution to attacker-controlled memory, where the rest of the chain resides. Question 34. Which of the following is a correct way to encode the string “w00t” as an egg for an egghunter that searches for two consecutive copies? A) 0x746f3077 0x746f B) 0x77773030 0x C) 0x30777730 0x D) 0x746f3077 0x Answer: A

Exploit Developer Ultimate Exam

Explanation: dumpbin /headers lists the SAFESEH flag in the load configuration directory, indicating the feature is present. Question 38. Which instruction pair is commonly used in shellcode to locate the base address of kernel32.dll via the PEB's Ldr.InMemoryOrderModuleList? A) mov eax, fs:[0x30]; mov eax, [eax+0x0C] B) mov eax, fs:[0x30]; mov eax, [eax+0x0C]; mov eax, [eax+0x18]; mov eax, [eax+0x30] C) mov eax, fs:[0x30]; mov eax, [eax+0x0C]; mov eax, [eax+0x10] D) mov eax, fs:[0x30]; mov eax, [eax+0x30] Answer: B Explanation: The sequence walks the PEB, then the Loader data, then the InMemoryOrderModuleList entries to finally reach the base address of kernel32.dll. Question 39. In a DEP-protected process, which of the following techniques can directly make the stack executable without using a ROP chain? A) Heap spraying B) Return-to-libc C) Using VirtualProtect via a ROP chain D) Overwriting the NtSetInformationThread pointer Answer: C Explanation: VirtualProtect changes memory protection; invoking it via a ROP chain is the standard way to make the stack executable. Question 40. Which of the following is NOT a typical characteristic of a “null-free” shellcode? A) No byte equal to 0x00 anywhere in the code B) Uses relative addressing instead of absolute addresses C) Relies on the presence of a null-terminated string in memory for function resolution D) Often uses push/pop tricks to avoid zero bytes

Exploit Developer Ultimate Exam

Answer: C Explanation: Null-free shellcode cannot rely on null-terminated strings because a null byte would terminate the payload. Question 41. What does the WinDbg command !address -summary provide? A) A list of all loaded modules with their base addresses B) A summary of virtual memory usage, including free, reserved, and committed pages C) The current value of the instruction pointer D) A disassembly of the current function Answer: B Explanation: !address -summary prints a high-level overview of the process’s virtual address space. Question 42. In a 32-bit Windows binary, which of the following sections typically contains the import address table (IAT)? A) .text B) .data C) .rdata D) .idata Answer: D Explanation: The import directory resides in the .idata section. Question 43. Which of the following techniques can be used to defeat a “NX” (DEP) flag on a 64-bit binary that does not contain any writable-executable sections? A) Use a ROP chain that calls VirtualAlloc with PAGE_EXECUTE_READWRITE B) Overwrite the return address with the address of system C) Place shellcode on the heap and jump to it directly D) Use a buffer overflow to overwrite the stack canary Answer: A

Exploit Developer Ultimate Exam

Explanation: LoadLibraryA loads the DLL into the process, enabling subsequent calls to GetProcAddress to resolve needed functions. Question 47. Which of the following statements about the !heap -s WinDbg extension is true? A) It displays a summary of all heap allocations, including size and flags B) It only works on 64-bit processes C) It lists the contents of the stack pointer register D) It shows the current state of the Windows registry Answer: A Explanation: !heap -s provides a snapshot of heap usage, including allocation sizes and status flags. Question 48. In a Windows binary compiled with /GS, which mitigation is primarily being employed? A) ASLR B) DEP C) Stack canary (buffer overflow protection) D) SafeSEH Answer: C Explanation: The /GS flag enables stack cookies (canaries) to detect overwrites. Question 49. Which of the following is the most efficient way to locate a “jmp esp” gadget in a module that is not compiled with ASLR? A) Use the !search -b 0xFFE4 command in WinDbg on the module’s memory region B) Manually scan the binary with a hex editor looking for FFE4 C) Search the export table for “jmp_esp” D) Use !for_each_module to print all module base addresses Answer: A

Exploit Developer Ultimate Exam

Explanation: !search -b 0xFFE4 searches for the byte pattern FFE4 (jmp esp) within the specified module, providing a fast way to locate the gadget. Question 50. Which of the following registers is not preserved across a standard Windows stdcall call? A) EDI B) ESI C) EBX D) EAX Answer: D Explanation: EAX is used for return values and is not callee-saved; the other registers are part of the non-volatile set. Question 51. In a 64-bit Windows process, which register contains the address of the first argument to a function according to the Microsoft x64 calling convention? A) RCX B) RDX C) R D) R Answer: A Explanation: The first argument is passed in RCX; subsequent arguments go to RDX, R8, and R9. Question 52. Which WinDbg command can be used to view the current thread’s exception registration chain in a readable format? A) .exr - B) !exchain C) !teb D) .chain Answer: B

Exploit Developer Ultimate Exam

Question 56. In a 32-bit Windows process, which segment register points to the Thread Environment Block (TEB)? A) DS B) ES C) FS D) GS Answer: C Explanation: The FS segment base contains a pointer to the TEB. Question 57. Which of the following WinDbg commands can be used to set a breakpoint that triggers only after the instruction has been executed a specified number of times? A) bp /c "command" address count B) ba e count address C) bp address "gc"D) bp address "bu" Answer: B Explanation: ba e count address sets a hardware execute breakpoint that fires after the instruction has been executed count times. Question 58. Which of the following is the most reliable method to locate a “pop rdi; ret” gadget in a 64-bit module? A) Search for the byte sequence 5F C3 using !search -b B) Look for the string “pop rdi; ret” in the disassembly view C) Use the !for_each_module extension with the -g option D) Search for the opcode 0x5F alone Answer: A Explanation: 5F C3 corresponds to pop rdi; ret; !search -b finds the exact byte pattern.

Exploit Developer Ultimate Exam

Question 59. In a Windows exploit, why is it advantageous to target a module that is loaded at a fixed address (e.g., ntdll.dll on older systems) when building a ROP chain? A) The module’s code is always signed, preventing detection B) Fixed addresses remove the need for an information leak to calculate offsets C) The module contains built-in shellcode that can be invoked directly D) The module disables DEP for the process automatically Answer: B Explanation: If a module is not ASLR-randomized, its base address is known, allowing gadget offsets to be calculated without a leak. Question 60. Which of the following WinDbg commands displays the current value of the EIP register? A) r eip B) r $eip C) .reg eip D) ?? @$eip Answer: D Explanation: @@ or ?? can be used to evaluate expressions; ?? @$eip prints the value of the instruction pointer. Question 61. In the context of a buffer overflow on a 64-bit Windows binary, how many bytes must be written to overwrite the saved RIP after a 200-byte buffer, assuming standard stack alignment and a saved RBP? A) 200 + 8 B) 200 + 16 C) 200 + 24 D) 200 + 32 Answer: B Explanation: The layout is [buffer][saved RBP (8)][saved RIP (8)]; therefore 200 + 8 (RBP) = 208 bytes to reach RIP, then 8 more to overwrite it, totaling 216 bytes (200 + 16).