Talk at Navaja Negra 2024. Modern software systems are becoming increasingly complex, making thorough analysis a daunting task. Add advanced DRM and obfuscation technologies into the mix, and the challenge grows exponentially. In this presentation, we’ll explore the development of a Windows user-space emulation framework designed to tackle these complexities head-on. We’ll discuss how emulation can be a powerful tool for analyzing and overcoming the obstacles posed by intricate software an...| Maurice's Blog 🐍
I am currently working on an emulation environment similar to Qiling. Unlike Qiling, it emulates the entire user-space, not just the target application. Because Qiling reimplements all APIs (kernel32, vcruntime, …) outside the emulator, it gains a lot of speed (e.g. by not needing to run all the ntdll code during startup), but it sacrifices stability (reimplementing every API is error-prone) and requires a whole lot of work. My emulator draws the line at the syscall level. So instead of reimpl...
Guest lecture at Ruhr-Universität Bochum (in German). Modern copy-protection systems are now so advanced that classic reverse engineering often reaches its limits when analyzing them. Effectively investigating these protection mechanisms therefore requires new, specialized tooling. This talk gives an insight into Qiling, an emulation framework, and into the fundamentals of hypervisors, which help to successfully analyze these complex systems and to over...
When I announced my Black Ops 3 integrity bypass, someone commented that my research was not impressive and I should try analyzing Denuvo instead. That kinda stuck with me, so I did what everyone would do and spent the last 5 months of my free time reverse engineering and bypassing the Denuvo DRM in Hogwarts Legacy. I am obviously not as skilled and experienced as EMPRESS, who managed to do it within days, but that’s ok 😃
I recently started to experiment with hypervisors and their use for bypassing anti-cheat or anti-tampering systems. This post will describe the concept of hypervisor-assisted hooking and a few simple approaches to detect such hooks. What is a hypervisor? In short: a hypervisor allows running virtual machines with hardware acceleration. Hypervisors in general are a huge topic, but for this post, all that depth doesn’t really matter.
Thanks to Rektinator and TwistedFate for helping me solve this challenge. JIT was one of Google’s pwnable challenges. It implements an artificial assembly language, which gets JIT-compiled into x64 assembly. An example program looks like this: MOV(A, 10) STR(A, 1) LDR(A, 2) SUM() JMP(2) RET() It supports basic instructions to move, add and subtract, jump and compare values. Two files were given: compiler.c and FancyJIT.java The C file implements the JIT compilation by translating each indiv...
For our graduation party at school two years ago, a friend of mine, Olrik, and I decided to play the Nyan Cat theme on all PCs at school. Under the name 9os, we wrote the entire project in 16-bit x86 assembly. The task was to draw the rainbow behind the cat, then the cat itself, play the music and in the end draw the stars. Drawing the rainbow was pretty simple, as it consists only of a few stripes that need to be drawn at alternating heights and colors. Staying in protected mode a...
After having started to use libraries like libpcap or WinDivert, I got curious about low-level networking protocols like Ethernet, IP, ICMP, ARP, TCP or UDP. Especially the Address Resolution Protocol (ARP) fascinated me, as I have previously used tools like Ettercap or Cain & Abel to experiment with Man-in-the-middle attacks using ARP poisoning, however, I did not know how ARP poisoning worked in detail. Basically, using an ARP request, you can request the MAC address of a particular host be...
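To make the ARP mechanics behind that post concrete, here is an added example that is not code from the blog or from any of the tools it mentions. It builds raw Ethernet/ARP frames with `struct`, parses them back, and runs them through a minimal ARP-cache monitor that flags the hallmark of poisoning: a reply that rebinds an IP address already in the cache to a different MAC. All addresses (a victim at 192.168.1.10, a gateway at 192.168.1.1, and an "attacker" MAC ending in :ff) are constructed for the demo; sending the frames on a real network would need a raw socket (AF_PACKET or libpcap/WinDivert), which is deliberately left out.

```python
import struct

# Constants from the Ethernet and ARP wire formats (RFC 826).
ETH_P_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II frame carrying an ARP request or reply.

    Requests go to the broadcast MAC (the asker does not know the answer yet);
    replies are unicast to the target MAC. A poisoned reply is simply a reply
    whose sender_ip belongs to someone else."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Parse an Ethernet/ARP frame into a dict; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]),
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": ip_str(body[16:20]),
    }


def update_cache(cache, pkt):
    """Apply an ARP reply to a cache dict (ip -> mac).

    Returns an alert string when an existing binding changes, which is what
    a poisoning attack has to cause to redirect traffic; returns None otherwise."""
    if pkt["op"] != ARP_REPLY:
        return None
    ip, mac = pkt["sender_ip"], pkt["sender_mac"]
    previous = cache.get(ip)
    cache[ip] = mac
    if previous is not None and previous != mac:
        return f"ARP binding for {ip} changed {previous} -> {mac}"
    return None


def simulate_poisoning():
    """Constructed scenario: victim asks for the gateway, gateway answers, attacker overrides.

    Returns the list of alerts produced per processed frame (None = no alert)."""
    victim_mac, victim_ip = "aa:aa:aa:aa:aa:aa", "192.168.1.10"
    gateway_mac, gateway_ip = "02:00:00:00:00:01", "192.168.1.1"
    attacker_mac = "02:00:00:00:00:ff"  # constructed, stands in for the poisoning host

    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, ZERO_MAC, gateway_ip),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),   # legitimate
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),  # forged: gateway IP, attacker MAC
    ]
    cache = {}
    return [update_cache(cache, parse_arp(f)) for f in frames]


if __name__ == "__main__":
    for alert in simulate_poisoning():
        print(alert)
```

The check in `update_cache` is the same heuristic tools like arpwatch rely on; it cannot tell a legitimate NIC replacement from an attack, so in practice it is paired with a static entry for the gateway or with port-level ARP inspection on the switch.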
A few years ago, I became aware of a security issue in most Call of Duty games. Although I did not discover it myself, I thought it might be interesting to see what it could be used for. Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling. In consequence, this allows full remote code execution!
Call of Duty: Black Ops 3 is protected by a DRM that, among other things, protects the integrity of the game’s code at runtime. Reverse engineering those integrity checks has been a personal goal I had for a long time. In this post I’m going to describe my process of achieving exactly that, so let’s dive in. Disclaimer Just a little disclaimer here. The goal of this post is not to encourage piracy. Creating pirated copies is possible without bypassing the integrity checks and has long b...