Intel released the 386 processor in 1985, the first 32-bit chip in the x86 line. This chip was packaged in a ceramic square with 132 gold-pl...| www.righto.com
Vercel recently announced BotID, an anti-bot product meant to protect against bots without requiring manual intervention. This post reverse-engineers the script and takes a peek inside.| www.nullpt.rs
An introduction to Wirego, a tool for Wireshark plugin development| Quarkslab's blog
Or “How I got annoyed by a poor decompilation so I unearthed a hidden Ghidra feature”. TLDR: there is an (undocumented and disabled by default) feature in the Ghidra decompiler that lets you create your own decompiler passes, using a custom DSL. I leverage it to write a deobfuscation rule for a simple obfuscation technique. Story: Setup - introduction and problem statement; Decompiler 101 - building and using the Ghidra decompiler directly; RULECOMPILE - a curious #define flag from the decompiler ...| msm's home
Intel released the powerful Pentium processor in 1993, establishing a long-running brand of processors.| Ken Shirriff's blog
Addition is harder than you'd expect, at least for a computer.| Ken Shirriff's blog
Intel released the powerful Pentium processor in 1993, establishing a long-running brand of high-performance processors.| Ken Shirriff's blog
I was studying the silicon die of the Pentium processor and noticed some puzzling structures where| Ken Shirriff's blog
We recently received an attitude indicator for the F-4 fighter plane, an instrument that| Ken Shirriff's blog
Ferroelectric memory (FRAM) is an interesting storage technique that stores bits in a special "ferroelectric" material.| Ken Shirriff's blog
The Minuteman missile was introduced in 1962 as a key part of America's nuclear deterrent.| Ken Shirriff's blog
The Space Shuttle contained a bulky printer so the astronauts could| Ken Shirriff's blog
How to measure OpenAI's response latency using WebRTC and VoIP tools with an analysis of the results| webrtcHacks
Catbert Ransomware presents a disk image with four encrypted files, and a UEFI BIOS. I’ll run the BIOS in an emulator, and find the binary responsible for the shell. In there, I’ll find the decrypt function and reverse it to see how it is using code at the end of the encrypted images in a small VM to check the input password. I’ll write a Python VM emulator to work through the code, finding the passwords. On decrypting all three, there’s some fun in the emulated BIOS and the flag.| 0xdf hacks stuff
fullspeed is a challenge around a .NET-AOT binary, which means unlike typical .NET binaries, it’s fully compiled to assembly. The binary makes an Elliptic Curve Diffie-Hellman exchange and then uses it to send data including the flag. I’ll show how I use the given PCAP and the initialized values in the binary to recover the randomly generated private key, and decrypt the messages.| 0xdf hacks stuff
bloke2 involves reversing a Verilog description language project to find a hidden flag inserted by a missing developer. I’ll find a relatively long string of data and where an XOR might be applying it to the input test data, except it’s always disabled by a flag. I’ll enable that flag and the flag comes out while running the tests.| 0xdf hacks stuff
sshd is a really cool challenge that is based on the XZ Utils backdoor. I get an image that has an sshd coredump. In it, I’ll find where it crashed, in the liblzma library. I’ll reverse that to see where it is decrypting a static shellcode buffer and running it. That buffer is connecting to a TCP socket and reading off an encryption key and nonce, as well as a file path. It then reads the file at that path, encrypts it, and sends it back over the socket. I’ll use the core dump to get th...| 0xdf hacks stuff
Meme Maker 3000 is an HTML / JavaScript challenge that is made so much easier using webcrack. Most of the solution here is running webcrack and then it’s fairly easy to see a few commands to run in the browser dev console to get the flag. I’ll include a video comparing my solution without webcrack with what webcrack can do.| 0xdf hacks stuff
aray is a Yara reversing challenge. The Yara language is used to classify and identify malware (and other binary) files. In aray, I’m given a complex rule with hundreds of conditions that define an 85-byte file. I’ll find the 38 conditions that actually define the 85 bytes, and write a Python script to parse the rule and return the file contents.| 0xdf hacks stuff
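The approach described above, as an added example that is not the author's script and not the challenge's real rule: a small constructed rule in Yara syntax, a parser for its `uintN(offset) [op const] cmp const` conditions, and a reconstruction step that uses only the equalities with invertible arithmetic (`+`, `-`, `^`, or none) to pin bytes, then checks every remaining condition against the result. Yara's `uint16`/`uint32` reads are little-endian, which the unpacking below follows. The rule text, offsets and values are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rule in Yara syntax (NOT the challenge's real rule).
# Five of the eight uintN conditions pin bytes; the other three only constrain them.
SAMPLE_RULE = r"""
rule aray_like
{
    meta:
        description = "constructed example"
    condition:
        filesize == 8
        and uint8(0) ^ 0x41 == 0x0B
        and uint8(1) + 10 == 0x7B
        and uint8(2) % 7 < 5
        and uint8(2) & 0x80 == 0
        and uint16(2) == 0x3150
        and uint32(3) == 0x34333231
        and uint8(7) - 3 == 0x6F
        and uint8(1) > 0x60
}
"""

COND_RE = re.compile(
    r"uint(?P<width>8|16|32)\((?P<off>\d+)\)"
    r"(?:\s*(?P<op>[-+^&|%])\s*(?P<k>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<cmp>==|!=|<=|>=|<|>)\s*(?P<v>0x[0-9a-fA-F]+|\d+)"
)
FILESIZE_RE = re.compile(r"filesize\s*==\s*(\d+)")


@dataclass(frozen=True)
class Cond:
    width: int          # 8, 16 or 32 bits; Yara's uint16/uint32 are little-endian
    off: int
    op: Optional[str]   # arithmetic applied to the read value, if any
    k: int
    cmp: str
    v: int


def parse_rule(text):
    """Return (filesize, [Cond, ...]) for every uintN(...) condition in the rule."""
    m = FILESIZE_RE.search(text)
    size = int(m.group(1)) if m else None
    conds = []
    for m in COND_RE.finditer(text):
        conds.append(Cond(int(m["width"]), int(m["off"]), m["op"],
                          int(m["k"], 0) if m["k"] else 0, m["cmp"], int(m["v"], 0)))
    return size, conds


def reconstruct(size, conds):
    """Fill the file from conditions that pin a value exactly: an equality whose
    arithmetic is invertible (+, -, ^ or none). Returns (buffer, defining_conds)."""
    buf = [None] * size
    defining = []
    for c in conds:
        if c.cmp != "==" or c.op not in (None, "+", "-", "^"):
            continue
        mask = (1 << c.width) - 1
        x = {None: c.v, "+": c.v - c.k, "-": c.v + c.k, "^": c.v ^ c.k}[c.op] & mask
        for i in range(c.width // 8):          # little-endian unpack
            b = (x >> (8 * i)) & 0xFF
            if buf[c.off + i] not in (None, b):
                raise ValueError(f"conflict at offset {c.off + i}")
            buf[c.off + i] = b
        defining.append(c)
    return buf, defining


def evaluate(c, buf):
    """True/False if the buffer satisfies the condition; None if bytes it needs are unknown."""
    n = c.width // 8
    chunk = buf[c.off:c.off + n]
    if len(chunk) < n or any(b is None for b in chunk):
        return None
    x = int.from_bytes(bytes(chunk), "little")
    if c.op:
        x = {"+": x + c.k, "-": x - c.k, "^": x ^ c.k,
             "&": x & c.k, "|": x | c.k, "%": x % c.k}[c.op]
    return {"==": x == c.v, "!=": x != c.v, "<": x < c.v,
            ">": x > c.v, "<=": x <= c.v, ">=": x >= c.v}[c.cmp]


def solve(rule_text):
    """Parse, reconstruct, then check every condition (including the
    non-defining ones) against the result before returning the bytes."""
    size, conds = parse_rule(rule_text)
    buf, defining = reconstruct(size, conds)
    missing = [i for i, b in enumerate(buf) if b is None]
    if missing:
        raise ValueError(f"offsets not pinned by any equality: {missing}")
    bad = [c for c in conds if evaluate(c, buf) is False]
    if bad:
        raise ValueError(f"reconstruction violates {len(bad)} condition(s): {bad}")
    return bytes(buf), len(defining), len(conds)


if __name__ == "__main__":
    data, n_def, n_all = solve(SAMPLE_RULE)
    print(f"{n_def} of {n_all} conditions define the file: {data!r}")
```

The final check matters: `reconstruct` masks its result to the field width, but Yara evaluates `uint8(x) + k` in wider integer arithmetic, so an equality with no in-range solution would otherwise produce a plausible-looking but wrong byte. Running the non-defining conditions (the `%`, `&` and inequality ones) over the reconstruction catches that and any parser mistake.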
checksum presents a binary compiled from Golang. I’ll have to answer a series of math addition problems, and then give it the valid SHA256 hash that matches a static value stored in the binary. On success, it writes an image to my AppData Local directory that has the flag.| 0xdf hacks stuff
In the final article of this series, we extract TLS-protected messages from a time-tracking application, using both a TLS-intercepting proxy and Frida.| jreyesr's blog
In the conclusions to my last post, “Modifying System Call Arguments With ptrace”, I mentioned that one of the main drawbacks of the explained approach for modifying system call arguments was that there is a process switch for each system call performed by the tracee. I also suggested a possible approach to overcome that issue … (from “Filter and Modify System Calls with seccomp and ptrace”)| Alfonso Sánchez-Beato's blog
This is a continuation from| astrid.tech
Strap in kids, this post is about me physically hacking apart Amazon’s| astrid.tech
This is a continuation of| astrid.tech
Because I had the privilege of obtaining factory-fresh ROMs from the cameras| astrid.tech
Disable certificate verification on Android with Frida| www.gabriel.urdhr.fr
Philipp "Fippo" Hancke examines End-to-End Encryption (E2EE) adoption and standardization progress in WebRTC.| webrtcHacks
With the release of the Dota 2 Reborn Beta, users are able to try out the new Source 2 Engine. Just recently, Valve released the Mac and Linux clients for this beta.| hacking with praydog
Planetside 2 and H1Z1 generate hashes for specific intervals of data within some data structures. In H1Z1, a lot more areas have this type of data tampering protection enabled. If the stored hash is not equal to a recently generated hash, the game will force an exception and crash.| hacking with praydog
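The protection described above, as an added example that is not the games' code: a record whose protected intervals are covered by a stored digest, a check that raises before the protected data is used, and the two outcomes a tamperer sees. Writing a protected field without updating the digest trips the check; writing the unprotected field does not; and because the digest is an unkeyed hash over known intervals, recomputing it after the write passes the check. The layout, intervals and truncated SHA-256 digest are constructed for illustration.

```python
import hashlib
import struct

# Constructed layout: health (4 bytes), ammo (4 bytes), name (16 bytes).
# Only the two numeric fields are covered by the integrity hash.
INTERVALS = [(0, 4), (4, 8)]


def interval_hash(buf, intervals):
    """Digest over the protected intervals only (truncated to 8 bytes to mimic a stored 64-bit hash)."""
    h = hashlib.sha256()
    for start, end in intervals:
        h.update(buf[start:end])
    return h.digest()[:8]


class TamperDetected(Exception):
    """Stands in for the forced exception / crash the check triggers."""


class ProtectedRecord:
    def __init__(self, health, ammo, name):
        self.buf = bytearray(24)
        struct.pack_into("<II16s", self.buf, 0, health, ammo, name.encode())
        self.stored = interval_hash(self.buf, INTERVALS)

    def check(self):
        if interval_hash(self.buf, INTERVALS) != self.stored:
            raise TamperDetected("integrity hash mismatch")

    def health(self):
        self.check()                       # protected field: verify before use
        return struct.unpack_from("<I", self.buf, 0)[0]

    def name(self):                        # unprotected field: no check
        return self.buf[8:24].rstrip(b"\0").decode()


def naive_patch(rec, health):
    """External write to a protected field; the stored hash goes stale."""
    struct.pack_into("<I", rec.buf, 0, health)


def patch_and_rehash(rec, health):
    """Same write, then recompute the unkeyed hash so the check passes."""
    struct.pack_into("<I", rec.buf, 0, health)
    rec.stored = interval_hash(rec.buf, INTERVALS)


def demo():
    """Returns (naive patch detected?, health read after rehash)."""
    rec = ProtectedRecord(100, 30, "player")
    naive_patch(rec, 999)
    try:
        rec.health()
        caught = False
    except TamperDetected:
        caught = True
    patch_and_rehash(rec, 999)
    return caught, rec.health()


if __name__ == "__main__":
    print(demo())
```

The design lesson is the one the blurb hints at: a hash that covers only selected intervals leaves the other bytes freely writable, and an unkeyed hash only raises the bar to "find the intervals and the hash routine", after which the stored value is recomputed rather than defeated.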
This very short post shows the Domain Generation Algorithm of BumbleBee, a loader for Cobalt Strike or other malware.| Binary Reverse Engineering Blog
Video that shows the DGA of the file infector m0yv and results of sinkholing domains for over a year.| Binary Reverse Engineering Blog
The Orchard malware uses a domain generation algorithm (DGA) that is seeded both by the current date, and also by the current balance of the Bitcoin genesis block.| Binary Reverse Engineering Blog
This blog post shows how the open source framework “binary refinery™” can extract the download URL of complicated TA551 malspam emails.| Binary Reverse Engineering Blog
Domain generation algorithms are relatively straightforward to program and usually bug-free. Not so the new DGA of BazarLoader, which goes haywire during the summer months.| Binary Reverse Engineering Blog
Bazar Loader decided to change its perfectly fine domain generation algorithm (DGA) once again. The change in the algorithm is very minor, but it yields more domain names.| Binary Reverse Engineering Blog
This blog post shows yet another domain generation algorithm of Bazar Loader. Although it still uses exclusively the .bazar top level domain and similar seeding, the algorithm itself is completely new.| Binary Reverse Engineering Blog
This blog post is about the faulty domain generation algorithm found in some BazarLoader samples. The DGA not only uses an invalid TLD, it also occasionally generates invalid characters for the second-level domain.| Binary Reverse Engineering Blog
Authored by Philipp Hancke; the investigation was prompted by unusual behavior in Google Meet's handling of the scalabilityMode statistic. Hancke reveals the use of AV1 during pre-call stages, AV1 with VP9 SVC, and provides data on the advantages of AV1 screen sharing.| webrtcHacks