/r/RELounge


What happens when a discovery leaves IDA upon your own computer and meets the real world?


2,867 Subscribers

1

Reverse Engineering Book Advice

I’m a Computer Science university student, and I recently took a week-long introduction to Software Reverse Engineering (SRE), which I really enjoyed. I’ve planned to dive deeper by reading these books in a specific order (I prefer learning through books). However, I don’t have much experience in this field yet, so I’m wondering if my approach makes sense.

Of course I’m not expecting to become an expert after reading these books, but I’d like to gain a general understanding of reverse engineering and be able to perform basic tasks. What do you all think about this plan?

  • Computer Organization and Design: The Hardware/Software Interface By David A. Patterson, John L. Hennessy

  • Computer Networking: A Top-Down Approach By James F. Kurose, Keith W. Ross

  • Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation By Bruce Dang, Alexandre Gazet, Elias Bachaalany, Sebastien Josse

  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software By Michael Sikorski, Andrew Honig

  • Windows Internals Part 1 & Part 2 By Mark E. Russinovich, David A. Solomon, Alex Ionescu

6 Comments
2024/10/22
20:01 UTC

6

I made a free online disassembler based on Ghidra

Hello all!

I've been working on a small project recently. It's essentially just a web version of Ghidra, where you can view disassembly, decompilation, raw hex, control flow graphing, and strings. It's definitely more limited and slow compared to the desktop version of Ghidra, but if you need to analyze something under 2MB in a pinch, please give it a shot and let me know if you have any suggestions. It's open source if anyone wants to contribute :)

https://netdis.org/

https://github.com/anthonyshibitov/netdis

4 Comments
2024/09/11
00:04 UTC

3

Looking for a cool project? Liberate e-bikes!

So, e-bikes are cool, but often big manufacturers like Bosch use encryption between their controllers and the battery, to force customers to buy another battery from them at a very high price.

It would be cool if we could reverse-engineer their firmware to get their AES keys and the communication protocol, in order to allow any battery producer to produce drop-in compatible Bosch bike batteries!

Shimano is interesting too!

If you have a bike or have access to one, it would be great if you could take a look!

0 Comments
2024/09/07
15:40 UTC

1

Recommendations for a Binary Exploitation Course Teaching About Modern Mitigation Bypass

Hello,

I'm looking for a course that teaches about modern mitigations in binaries and how to bypass them. I have basic background knowledge about binary exploitation.

Do you have any recommendations? Everything from paid courses to YouTube playlists or channels will be super helpful.

Thanks!

0 Comments
2024/08/22
09:48 UTC

1

Cryo Dune mystery debug commands in memdump

I've been hacking about with my old CD copy of Dune by Cryo Interactive, using Cryogenic.

A memory dump appears to show some debug commands. Presumably these were used by the developers to test parts of the game without needing to play through everything. There's some very old discussion on the same topic here.

I wonder if anyone smarter than me has an idea, or is willing to research, how these might be used within the game? Also interested in which values I would need to change to set charisma in memory. It would be cool to unlock what seems to be some long lost features of this game!

Below are commands in plaintext, and screengrabs from Spice86:

...SUPER FREMEN HERE. PHASE LOC KNOWN. ALL SIETCHS KNOWN. RALLY ALL FREMEN /SIETCH. ALL LOC PROSPECTED. MUAD'DIB + 10. SHOW COORDS/SMALL MAP. TIME VERY FAST. TIME NORMAL. VEG ET EVERYWHERE. SHOW TRAVEL ANGLES. SHOW VARIABLE. BACK TO SCR. ALL TEXTS . SHOW TIME AND SPEED. BUF TO SCR. ALL LOC KNOWN. NO "TOO FAR...". GOTO PHASE 80. INCPHASE. PHASE 123. GO->GAME END. HARKO ATTACK. NOT KILLED. 9 PERS OS HERE. ALL PERSOS.

Screengrab from Spice86

1 Comment
2024/08/19
17:22 UTC

0

Looking to hire someone to reverse engineer a console app

Hi, I'm looking for someone to disassemble a desktop console app.

My budget is low.

0 Comments
2024/07/22
10:51 UTC

1

Reverse engineering PCBs

Anyone on here based in the UK who would be interested in doing this, as well as pulling the data from an IC on the boards?

I have 3 PCBs that need doing; nothing too complex, just beyond my level of expertise.

Dm me if interested.

0 Comments
2024/07/11
00:42 UTC

3

Interesting images found while binwalking through a Sega Saturn ROM

So I was using Kali Linux to look through some Saturn ROMs and I dug some images out of the first bin file of NiGHTS Into Dreams. I found 2 images that seem to be interlaced, or somehow set up to be displayed using scanlines and all of that. I am not very well versed in any field of study that I've jumped into. Just trying to learn by immersion. My forte is electrical engineering. It would be awesome if anyone could help me unscramble the pics. They look like they are the main menu backgrounds because I can make out the SEGA and NiGHTS text. Thanks in advance.

https://preview.redd.it/fcdsvu94uu3d1.jpg?width=640&format=pjpg&auto=webp&s=4aa07aed22634fc2fc238a90b50b145b93379327

4 Comments
2024/06/01
00:27 UTC

1

URL UUIDs

Can anyone make sense of this URL format?

1708423184453-6299L2VRVVHUYYVSFYBP/DB43C0F8-F10C-4B58-93E5-1787415E5A29.JPG

I understand the first part is a unix timestamp and last part is a 36 character uuid.

I don't understand why the middle is the way it is.

0 Comments
2024/05/06
09:12 UTC

1

BBS port?

Hello, I just opened a satellite receiver and found this port named bbs. What does this port do?

https://preview.redd.it/ddhjy6v1l7vc1.jpg?width=1600&format=pjpg&auto=webp&s=590187e9307389b9f42bcdaf38789fbe038db2df

1 Comment
2024/04/18
09:42 UTC

3

Compare APKs version differences

Hello, I'm looking for tools to compare two APK files. My goal is to pinpoint changes in the source code at the individual class file level. I need a tool that can identify modifications in the source code itself. Any recommendations for tools or libraries that can streamline this process? Thanks in advance for your advice!

1 Comment
2024/04/02
20:27 UTC

1

WinDBG Stops

WinDBG stops after I give it a dump file to analyze. It used to work before and now it completely stops. It used to be so fast and generate a bunch of answers. Any suggestions will be appreciated.

2 Comments
2024/03/17
21:35 UTC

3

Best approaches to decompile 30-year-old MS-DOS binaries?

Many years ago, I created a number of programs, which luckily I have been able to retrieve as binaries from the internet. These include:

- a 64k intro called Obez (with realtime 3D Phong rendering) released in 1995, made with Turbo-Pascal, TASM, pmode, probably other tools https://github.com/thbar/demomaking?tab=readme-ov-file#obez-1995

- a demo called Nikki (released in 1996) captured here https://www.youtube.com/watch?v=t8o-uuq73UU and stored here https://github.com/thbar/demomaking/tree/master/nikki, made in Watcom C++ and Assembly

- a bomberman clone, dated from 1995 https://github.com/thbar/demomaking/tree/master/dyna-k made in Turbo-Pascal and Assembly as well

I have long lost the source code, and I'm looking into decompiling all or part of these binaries.

The Obez one is probably the most tricky, because it used compression techniques etc.

What would be the best tools available today to approach this? I know about IDA Pro etc. Maybe there are interesting approaches involving LLMs?

Thanks for your ideas :-)

6 Comments
2024/03/14
22:27 UTC

1

How to verify DLL patch is *not* malicious?

Howdy all. Our work is pushing Windows 11 on all machines. I'm responsible for maintenance of our older products that use versions of SW that are not supported on Windows 11. Specifically Xilinx ISE 14.7. There is a way to get these tools to work on Win10, but that same trick doesn't work on Win11. Turns out somebody has found a patch for one DLL (libPortability.dll) to make it work on Win11. But our IS/Security team won't let us use a random DLL found on the interwebs. I tried it out on a virtual machine (with no network access) and it works. So I need some way to *prove* it isn't malicious.

I have done a binary comparison of the files. They are different by only 8 bytes. Doesn't seem like enough to be malicious, but I need more than that. I've tried decompiling using Ghidra, but I can't seem to figure out how to "diff" the decompiled output in a meaningful way. The decompiled output of two DLLs is radically different. But just a binary compare shows only 9 bytes different.

I have a few ideas to proceed, but I'm not sure of the technical steps.

  1. Given an offset in the DLL (where the binary differences are), how do I map that to a virtual address in Ghidra (or other tool)?

  2. How can I map a DLL entry point (ordinal) to the target virtual addresses that have changed? Is there some tool that can walk the call chains from entry points?

I've googled quite a bit the last couple of days, but have found little to no detail on how to proceed here.

6 Comments
2024/02/27
20:50 UTC
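A way to answer the first question in code, as an added example that is not from the post and not from Ghidra or any other tool it names: the functions below read the PE section table directly, map a raw file offset to an RVA and a virtual address (returning None when the offset falls in the headers or an unmapped gap), and list the byte offsets at which two copies of a DLL differ so each can be located in one step. It runs on a constructed, headers-only PE32+ stand-in with two sections and an assumed image base of 0x180000000, not on libPortability.dll; the section layout and the "patched" bytes are assumptions for illustration.

```python
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_sections(data):
    """Return (image_base, sections) where each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    off = opt + opt_size                       # IMAGE_SECTION_HEADER array
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
        off += 40
    return image_base, sections


def offset_to_va(data, file_offset):
    """Map a raw file offset to (section name, RVA, VA), or None when the
    offset lies in the headers or in a gap that is not mapped into memory."""
    image_base, sections = parse_sections(data)
    for name, va, vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= file_offset < raw_ptr + raw_size:
            rva = va + (file_offset - raw_ptr)
            return name, rva, image_base + rva
    return None


def diff_offsets(original, patched):
    """File offsets at which two images differ; a length mismatch counts as a
    difference at every trailing byte of the longer file."""
    n = min(len(original), len(patched))
    offsets = [i for i in range(n) if original[i] != patched[i]]
    offsets.extend(range(n, max(len(original), len(patched))))
    return offsets


def report_patch(original, patched):
    """For every differing byte: (offset, old, new, section, rva, va)."""
    rows = []
    for off in diff_offsets(original, patched):
        old = original[off] if off < len(original) else None
        new = patched[off] if off < len(patched) else None
        loc = offset_to_va(original, off) or ("<headers/unmapped>", None, None)
        rows.append((off, old, new) + loc)
    return rows


def build_sample_pe(image_base, sections):
    """Constructed PE32+ image: DOS stub, COFF + optional header, section
    table and zero-filled section bodies. Not a real DLL."""
    opt_size = 240
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, image_base)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, raw_ptr, raw_size in sections)
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    end = max(raw_ptr + raw_size for _, _, _, raw_ptr, raw_size in sections)
    image += b"\0" * (end - len(image))
    return bytes(image)


# Assumed layout for the constructed sample (not libPortability.dll).
SAMPLE_SECTIONS = [(".text", 0x1000, 0x2000, 0x400, 0x2000),
                   (".rdata", 0x3000, 0x1000, 0x2400, 0x1000)]
SAMPLE_BASE = 0x180000000


if __name__ == "__main__":
    orig = build_sample_pe(SAMPLE_BASE, SAMPLE_SECTIONS)
    patched = bytearray(orig)
    patched[0x1234] = 0x90          # assumed patch bytes for illustration
    patched[0x1235] = 0x90
    for off, old, new, sec, rva, va in report_patch(orig, bytes(patched)):
        print("offset 0x%x: %02x -> %02x in %s rva 0x%x va 0x%x" % (off, old, new, sec, rva, va))
```

With two real files, `report_patch(open(a, "rb").read(), open(b, "rb").read())` gives the section, RVA and VA of every changed byte; the VA is what to jump to in Ghidra (after setting the same image base) to read the surrounding function, which is the part of the review that a byte count alone cannot settle.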

1

[Help Request] - Understanding MetroDroid

Good Evening All,

I'm not sure if this is the best place to post this, but I'm hoping somebody might be able to assist me.

I'm currently working on trying to understand how MetroDroid is able to determine an expiration date based off of a card dump.

I've tried going through the code, but I'm just not really all that technical when it comes down to it. And I feel like I might just be missing something simple.

The card I'm looking at has this information:

It's a Ventra - Mifare Ultralight - EV1 - Single-Use

[=] block#   | data        |lck| ascii
[=] ---------+-------------+---+------
[=]   0/0x00 | 04 2E 9F 3D |   | ...=
[=]   1/0x01 | CA A1 13 90 |   | ....
[=]   2/0x02 | E8 48 00 00 |   | .H..
[=]   3/0x03 | 00 00 00 00 | 0 | ....
[=]   4/0x04 | 0A 04 00 B4 | 0 | ....
[=]   5/0x05 | 30 01 3F 00 | 0 | 0.?.
[=]   6/0x06 | 00 00 00 DE | 0 | ....
[=]   7/0x07 | 00 00 3F 39 | 0 | ..?9
[=]   8/0x08 | 20 84 5A FF | 0 |  .Z.
[=]   9/0x09 | 01 00 00 00 | 0 | ....
[=]  10/0x0A | FF 00 00 00 | 0 | ....
[=]  11/0x0B | 00 00 65 66 | 0 | ..ef
[=]  12/0x0C | 00 00 00 00 | 0 | ....
[=]  13/0x0D | 00 00 00 00 | 0 | ....
[=]  14/0x0E | 00 00 00 00 | 0 | ....
[=]  15/0x0F | 00 00 5F 5A | 0 | .._Z
[=]  16/0x10 | 00 00 00 FF | 0 | ....
[=]  17/0x11 | 00 05 00 00 | 0 | ....
[=]  18/0x12 | 00 00 00 00 | 0 | ....
[=]  19/0x13 | 00 00 00 00 | 0 | ....
[=] ---------------------------------

When I scan it with the app, I get this information:

What I'm curious of, is what determines the $0.00 and the Valid until 5/19/24 12:00 AM

MetroDroid Display

This is the data I can get from MetroDroid by Exporting the information

        {
            "tagId": "042e9fcaa11390",
            "scannedAt": {
                "timeInMillis": 1708651483860,
                "tz": "America/Chicago"
            },
            "mifareUltralight": {
                "cardModel": "EV1_MF0UL11",
                "pages": [
                    {
                        "data": "042e9f3d"
                    },
                    {
                        "data": "caa11390"
                    },
                    {
                        "data": "e8480000"
                    },
                    {
                        "data": "00000000"
                    },
                    {
                        "data": "0a0400b4"
                    },
                    {
                        "data": "30013f00"
                    },
                    {
                        "data": "000000de"
                    },
                    {
                        "data": "00003f39"
                    },
                    {
                        "data": "20845aff"
                    },
                    {
                        "data": "01000000"
                    },
                    {
                        "data": "ff000000"
                    },
                    {
                        "data": "00006566"
                    },
                    {
                        "data": "00000000"
                    },
                    {
                        "data": "00000000"
                    },
                    {
                        "data": "00000000"
                    },
                    {
                        "data": "00005f5a"
                    },
                    {
                        "data": "000000ff"
                    },
                    {
                        "data": "00050000"
                    },
                    {
                        "data": "00000000"
                    },
                    {
                        "data": "00000000"
                    }
                ]
            }
        }

Honestly, any help would be greatly appreciated.

If any further information is needed from the Card itself, please let me know and I'll provide what I can.

I have a `Proxmark3 Easy` to get the data that I did.

0 Comments
2024/02/23
03:48 UTC

2

Advice/Help needed in attempting RE the closed-source YSMenu for NDS flashcarts

Hi guys,

I recently started to revamp my wife's childhood DS Lite for her, and one of the changes was to get a flashcart. I ended up picking up a cheap R4i cart, onto which I loaded YSMenu from this post here: https://gbatemp.net/download/retrogamefan-multi-cart-update.35737/

I've been able to make some graphical edits, but would love to do some others that are not provided in the configuration .ini file, such as removing a time stamp from the menu.

The original project was from another developer, Mr. Yasu, in the 00's: http://hp.vector.co.jp/authors/VA013928/ Unfortunately the original files were on a now-defunct subdomain, but I've found a copy I believe is original (zip file). The project was then forked by retrogamefan in order to build support for using different flashcarts and providing updated game fixes (also done by Jhon591 at ds-scene.net). They kept the entire thing closed-source, unfortunately.

I've taken a peek at the files with HxD (see here) and Ghidra (see here), but nothing I've found has been helpful to me. Maybe someone else will have a better idea what to look for. In Ghidra I've been setting the language (when importing) to ARM7 small endian.

One potential idea I had was to perhaps decode a utility program made by retrogamefan that allows people to edit some of the .dat files (infolib.dat, extinfo.dat, and savlib.dat) to see if that could allow me to figure out what they've used to create the others. Program: https://gbatemp.net/download/ttdt.36159/ I have been able to load ttdt in Ollydbg, but I don't know yet what I've found: img

That said, I am suspecting that the stuff I want to edit is in either system.u2l or system.l2u and not in a .dat file. I have not found a lot of info on either format.

All in all, I am not a regular RE person and just a tinkerer. It would be great if someone could offer suggestions or even lend their expertise to help me out.

2 Comments
2023/12/10
04:47 UTC

2

VR/RE jobs outside gov/ctr (USA)

I am starting to look for a new role, and I am really sick of working in and around the government. Has anyone recently switched from a gov role or a contractor role to a commercial role?

I have been working in this field specifically in embedded systems RE/CNO dev for 7+ years now. Started on the MIL side in the IC.

My biggest problem is figuring out a solid mapping between RE roles I've had for the DOD and those on the commercial side. Seems like there aren't many jobs really looking for the same skillset, but I am hoping I'm wrong.

Any help would be huge.

P.S. Typed on phone, at work, on burner account. Sorry if grammar is bad.

0 Comments
2023/11/15
15:30 UTC

2

Extract u-boot from Unifi Dream Machine Pro firmware

I have a broken UDMP that I would really like to repair.

I have access to the U-Boot console via JTAG. It is showing errors in loading the USB controller, the Ethernet and the XHCI Controller, which causes the kernel to fail to load.

The guy I got it off said it happened during a failed firmware update, so my gut feeling is that a re-flash of the bootloader may bring it back to life, as I find it hard to believe that all the onboard components can fail at once.

I have downloaded the UDMP firmware from unifi and run binwalk over it as well as strings.

I can find multiple references to U-Boot from strings and head, but am stuck at how to actually extract U-Boot from the firmware so I can re-flash it back onto my device. As it just shows me the text it found and the location, I don't know how to expand on that to find a useful section to extract.

It's a long shot, but thanks for your help in advance!

binwalk output:

richa@raspberrypi:~ $ binwalk 4f64-udmpro-1.9.0-7d413a95296646e1aa685674a2bc1db8.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Ubiquiti firmware header, header size: 264 bytes, ~CRC32: 0x54244190, version: "UDM.alpinev2.v1.9.0.928880d.210301.1532"
699           0x2BB           Flattened device tree, size: 5111470 bytes, version: 17
943           0x3AF           gzip compressed data, has original file name: "Image", from Unix, last modified: 2021-03-01 17:04:20
4928963       0x4B35C3        Flattened device tree, size: 24370 bytes, version: 17
4953971       0x4B9773        Flattened device tree, size: 26307 bytes, version: 17
4980911       0x4C00AF        Flattened device tree, size: 24358 bytes, version: 17
5005907       0x4C6253        Flattened device tree, size: 25972 bytes, version: 17
5032515       0x4CCA43        Flattened device tree, size: 26118 bytes, version: 17
5059267       0x4D32C3        Flattened device tree, size: 24341 bytes, version: 17
5084247       0x4D9457        Flattened device tree, size: 26282 bytes, version: 17
5112233       0x4E01A9        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 626379969 bytes, 71665 inodes, blocksize: 131072 bytes, created: 2021-03-01 17:18:35
631829337     0x25A8F359      Unix path: /home/winder/projects/data/customers/ubiquiti/multi_dt/preboot_v2/stage3/i2c_wrapper.c
631829609     0x25A8F469      Unix path: /home/winder/projects/data/customers/ubiquiti/multi_dt/preboot_v2/stage3/pci_devices.c
632021553     0x25ABE231      Flattened device tree, size: 25342 bytes, version: 17
632050225     0x25AC5231      Flattened device tree, size: 23763 bytes, version: 17
632074801     0x25ACB231      Flattened device tree, size: 25252 bytes, version: 17
632103473     0x25AD2231      Flattened device tree, size: 25121 bytes, version: 17
632132145     0x25AD9231      Flattened device tree, size: 25041 bytes, version: 17
632160817     0x25AE0231      Flattened device tree, size: 24538 bytes, version: 17
632708865     0x25B65F01      CRC32 polynomial table, little endian
632763775     0x25B7357F      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/iofic/al_hal_iofic.c
632763933     0x25B7361D      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_main.c
632764867     0x25B739C3      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_config.c
632765538     0x25B73C62      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_iofic.c
632769766     0x25B74CE6      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_main.c
632770259     0x25B74ED3      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//include/udma/al_hal_udma.h
632772052     0x25B755D4      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_kr.c
632772400     0x25B75730      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_epe.c
632772652     0x25B7582C      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ssm/al_hal_ssm.c
632772801     0x25B758C1      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ssm/al_hal_ssm_raid.c
632774716     0x25B7603C      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/serdes/al_hal_serdes_hssp.c
632775536     0x25B76370      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/serdes/al_hal_serdes_25g.c
632779009     0x25B77101      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pcie/al_hal_pcie.c
632782428     0x25B77E5C      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pcie/al_hal_pcie_interrupts.c
632782674     0x25B77F52      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ddr/al_hal_ddr.c
632786410     0x25B78DEA      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ddr/al_hal_ddr_pmu.c
632786907     0x25B78FDB      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_muio_mux.c
632787406     0x25B791CE      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_spi.c
632788063     0x25B7945F      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_nand_dma.c
632788252     0x25B7951C      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_bootstrap.c
632788630     0x25B79696      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_gpio.c
632789338     0x25B7995A      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_i2c.c
632789961     0x25B79BC9      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_addr_map.c
632791030     0x25B79FF6      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ring/al_hal_pll.c
632791490     0x25B7A1C2      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_services/al_hal_timer.c
632792134     0x25B7A446      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_fabric/al_hal_sys_fabric_utils.c
632792711     0x25B7A687      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_fabric/al_hal_iommu.c
632793162     0x25B7A84A      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ring/al_hal_cmos.c
632794615     0x25B7ADF7      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/eth/al_init_eth_lm.c
632798926     0x25B7BECE      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/eth/al_eth_group_lm.c
632800446     0x25B7C4BE      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/pcie/al_init_pcie.c
632802076     0x25B7CB1C      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/iomap_dynamic/al_hal_iomap_dynamic.c
632802476     0x25B7CCAC      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/tpm/al_tpm.c
632802824     0x25B7CE08      Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/tpm/al_tpm_if_i2c.c
632863681     0x25B8BBC1      Flattened device tree, size: 1748 bytes, version: 17
632925601     0x25B9ADA1      Intel x86 or x64 microcode, pf_mask 0x11a296a, 1A5C-01-10, size 2048
632976829     0x25BA75BD      Flattened device tree, size: 13809110 bytes, version: 17
632977073     0x25BA76B1      gzip compressed data, has original file name: "Image", from Unix, last modified: 2020-10-22 16:39:57
646602945     0x268A60C1      Flattened device tree, size: 24344 bytes, version: 17
646627925     0x268AC255      Flattened device tree, size: 26281 bytes, version: 17
646654841     0x268B2B79      Flattened device tree, size: 24332 bytes, version: 17
646679809     0x268B8D01      Flattened device tree, size: 25922 bytes, version: 17
646706369     0x268BF4C1      Flattened device tree, size: 26092 bytes, version: 17
646733093     0x268C5D25      Flattened device tree, size: 24315 bytes, version: 17
646758045     0x268CBE9D      Flattened device tree, size: 26256 bytes, version: 17
646786018     0x268D2BE2      Signed Ubiquiti end header, RSA 2048 bit, header size: 264 bytes

0 Comments
2023/11/02
10:11 UTC
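To get from a binwalk offset to an extracted blob, here is an added example (my own code, not from the post, from binwalk, or from the Ubiquiti firmware) that carves the two self-delimiting kinds of object the listing above is full of: a flattened device tree, whose big-endian header states its own totalsize, and a gzip stream, whose end zlib reports once the member finishes. It runs on a constructed image, not the real UDM Pro firmware: a 264-byte placeholder header (the length is taken from the listing, the contents are made up), one minimal FDT and one small gzip member, so every offset and size it reports is an assumption of the sample.

```python
import gzip
import struct
import zlib

FDT_MAGIC = b"\xd0\x0d\xfe\xed"   # FDT header magic, big-endian
GZIP_MAGIC = b"\x1f\x8b"


def find_all(blob, magic):
    """Every offset at which `magic` occurs (overlapping matches included)."""
    hits, pos = [], blob.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(magic, pos + 1)
    return hits


def carve_fdt(blob, off):
    """Return the FDT starting at `off`, sized from its own header, or None
    if the header is inconsistent with the file (a false magic hit)."""
    if off + 40 > len(blob):
        return None
    magic, totalsize = struct.unpack_from(">II", blob, off)
    if magic != 0xD00DFEED or totalsize < 40 or off + totalsize > len(blob):
        return None
    return blob[off:off + totalsize]


def carve_gzip(blob, off):
    """Decompress a gzip member at `off`; return (raw bytes, payload) or
    (None, None). The file does not record the compressed length, so it is
    recovered from what zlib leaves behind in unused_data."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        payload = d.decompress(blob[off:])
    except zlib.error:
        return None, None
    if not d.eof:                    # truncated stream: do not trust it
        return None, None
    consumed = len(blob) - off - len(d.unused_data)
    return blob[off:off + consumed], payload


def scan(blob):
    """List (kind, offset, size) for every carvable FDT and gzip member,
    in file order; offsets are the same numbers binwalk's DECIMAL column shows."""
    found = []
    for off in find_all(blob, FDT_MAGIC):
        chunk = carve_fdt(blob, off)
        if chunk is not None:
            found.append(("fdt", off, len(chunk)))
    for off in find_all(blob, GZIP_MAGIC):
        raw, _ = carve_gzip(blob, off)
        if raw is not None:
            found.append(("gzip", off, len(raw)))
    return sorted(found, key=lambda h: h[1])


def build_sample_image():
    """Constructed firmware stand-in: placeholder 264-byte vendor header,
    one 64-byte FDT, 0xff filler, one gzip member, trailing zeros."""
    header = b"CONSTRUCTED-HEADER".ljust(264, b"\0")
    # FDT header: magic, totalsize, off_dt_struct, off_dt_strings,
    # off_mem_rsvmap, version, last_comp_version, boot_cpuid_phys,
    # size_dt_strings, size_dt_struct
    fdt = struct.pack(">IIIIIIIIII", 0xD00DFEED, 64, 40, 56, 40, 17, 16, 0, 8, 16)
    fdt = fdt.ljust(64, b"\0")
    kernel = gzip.compress(b"Image placeholder, not a kernel\n" * 8, mtime=0)
    return header + fdt + b"\xff" * 100 + kernel + b"\0" * 50


if __name__ == "__main__":
    image = build_sample_image()
    for kind, off, size in scan(image):
        print("%-4s at %d (0x%x), %d bytes" % (kind, off, off, size))
```

On a real image, replace `build_sample_image()` with `open(path, "rb").read()` and write `blob[off:off + size]` to a file for each hit; that is the same operation as `dd if=fw.bin bs=1 skip=OFF count=SIZE`. Both carvers validate before trusting a magic hit, which matters in a 600 MB image where a four-byte pattern can occur by chance.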

2

Nuitka Reverse Engineering

So I am new to the Reverse Engineering world, and I have an exe which is written using Python and used Nuitka to make it exe. Any idea how should I work with it?

I know it is very hard to get the full source code. I am okay with even a bit of it.

Remark: What Nuitka does is that it changes the Python code to C code, then compiles it, which makes it more complex to reverse engineer. (I tried to reverse engineer it as C code but didn't work) But I am still new, so maybe I did something wrong.

Any help or idea is appreciated

2 Comments
2023/09/23
08:09 UTC

2

Hytera/Motorola stolen IP/RE

I came across the issue of Hytera being found guilty of stealing IP from Motorola's DMR product line. I see that one of the stolen IP items was source code, among other IP items. Most of the content I come across has generalities of what was stolen. Has anyone come across any specifics of the tech specs that were taken? What specific source code, for what models of radios, microcontroller architecture, etc.? Cheers.

3 Comments
2023/09/17
16:07 UTC

3

Flash game reverse engineering?

It's an odd question to ask since it's 2023 and flash is... well, not supported anymore unless using plugins or something.

But there's the curiosity of the possibility of doing such a thing with flash games nowadays. For extracting assets and stuff but only to study how they are made and how their code works.

Basically, learning purposes, because there is very cool stuff out there in old flash games and I find it interesting to know how people achieved such things.

8 Comments
2023/09/14
12:59 UTC

2

Is a jailbroken iPhone necessary to extract the IPA of a pre-installed app like iMessage?

Link to my research notes: https://docs.google.com/document/d/1Y-2SZX4s1E1Mq9yWHZMMBzW3BJTfUuMl-YYXoZlY73w/edit?usp=sharing

From my research, I have come to the understanding that in order to extract the IPA file of an installed app on a non-jailbroken iPhone, the available options are to either use Apple Configurator, iMazing, or iTunes. I have also studied the IPA extraction process for a jailbroken iPhone, but given that I am on an A14-chip iPhone 12 Pro Max running iOS 16.0.3, it is almost impossible to downgrade to iOS 15 for a jailbreak, and a PPL bypass has not been discovered yet for A12+ iOS 16+ iPhones. Due to these unfortunate limitations, I am trying to set up a proper debugging environment on a non-jailbroken iPhone if possible using this approach: https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at-native.html

The question is whether a jailbroken iPhone is necessary to extract the IPA file of a pre-installed app, such as iMessage. The ultimate goal is to extract the compiled iOS binary executable from the corresponding IPA->app bundle to run it as a macOS process for debugging.

0 Comments
2023/09/04
20:46 UTC

1

Extracting firmware from I2C EEPROM with an Arduino

So I have an old laser printer that is basically fried and doesn't work anymore. So I took upon myself a challenge to extract its firmware. On the main board I found an I2C EEPROM. I connected it to an Arduino and read its contents, but when I try to run binwalk on it nothing happens. Why is that? Do you need to do something more than just read the contents of the chip?

3 Comments
2023/08/30
13:35 UTC

4

Heroes and Generals and how it almost died

Hey there!

Maybe you played Heroes and Generals yourself, maybe you didn't. Long story short: the game publisher has chosen to shut down the servers...

As mentioned in https://www.reddit.com/r/HeroesandGenerals/comments/13ipas7/self_hosted_servers/ there are still many people who would like to continue playing.

We made plans on how to accomplish that. One of the possible solutions is to rewrite the server logic on our own, but that is a lot of work.

Mainly looking for people who are willing to contribute as C++ dev and "information gathering" (hope you know ghidra or other tools ^.^).

Willing to join? We have a discord channel at https://discord.gg/gnnfKKuumg

POC is also running but only up to the login page (not the game itself yet).

3 Comments
2023/08/20
20:15 UTC

1

[IDA Pro] Remove blank lines from decompiler and reload .cfg

I am having 2 issues with IDA Pro. First, I often add blank lines to the pseudocode window to separate code blocks, but I can't figure out how to remove them without using Ctrl+Z.

Second, I edited the hexrays.cfg file to increase the indentation from 2 to 4, but it didn't change, even after closing and opening the app. Is there a way of reloading the config?

Thanks in advance.

0 Comments
2023/08/04
17:20 UTC

1

You know you've screwed up when you start getting errors with typos from Intel

Pin: pin-3.24-98612-6bd5931f2

Copyright 2002-2022 Intel Corporation.

A: C:\tmp_proj\pinjen\workspace\pypl-pin-nightly\GitPin\Source\pin\vm\jit_outlined_funcs.cpp: LEVEL_VM::AssertTargetIaddrValid: 599: assertion failed: tragetAddrValid

What did I do, Jen?

2 Comments
2023/07/14
22:30 UTC

0

Can I retrieve content of encrypted file using reverse engineering

1 Comment
2023/06/07
16:45 UTC

2

[HIRING] Somebody to Reverse Engineer an Android App

I'm currently in search of somebody who can assist me in reverse engineering an Android APK.

The primary goal is to rewrite an AES encryption function. It involves reverse engineering an APK (original app and decompiled code would be provided).

These are the headers that I need a script to generate locally:

X-Book-Security-Token: 4d6a55774e5463304d7a45344e6a6730

X-Book-Identifier-Type: MZyGb/ylkFYYpEqgx5HAIw== 

X-Book-User-Identifier: EMBEQb01fnjUF9QzhSHU1TfdYXguyD2YPY8wmDlpZRo=

The headers are somehow associated with each other; I suspect it has an ID or something appended to it during generation.

I suspect the functions below handle the encryption process:

    public final String mo178266b(String str, String str2, String str3, String str4) {
        C75446pfv.m13004a((Object) str, "");
        C75446pfv.m13004a((Object) str2, "");
        C75446pfv.m13004a((Object) str3, "");
        C75446pfv.m13004a((Object) str4, "");
        try {
            SecretKeyFactory instance = SecretKeyFactory.getInstance(str4);
            char[] charArray = str3.toCharArray();
            C75446pfv.m13022e((Object) charArray, "");
            byte[] bytes = m187477d(m187475b(str2)).getBytes(pxn.f11244g);
            C75446pfv.m13022e((Object) bytes, "");
            SecretKeySpec secretKeySpec = new SecretKeySpec(instance.generateSecret(new PBEKeySpec(charArray, bytes, 4096, 128)).getEncoded(), "AES");
            byte[] decode = Base64.decode(str, 2);
            Cipher instance2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
            instance2.init(2, secretKeySpec, m187476c(m187475b(str2)));
            byte[] doFinal = instance2.doFinal(decode);
            C75446pfv.m13022e((Object) doFinal, "");
            return new String(doFinal, pxn.f11244g);
        } catch (Exception e) {
            e.printStackTrace();
            return "";
        }
    }

    /* renamed from: a */
    public final String mo178264a(byte[] bArr) {
        C75446pfv.m13004a((Object) bArr, "");
        StringBuilder sb = new StringBuilder();
        for (byte b : bArr) {
            String hexString = Integer.toHexString(b & UnsignedBytes.MAX_VALUE);
            C75446pfv.m13022e((Object) hexString, "");
            if (hexString.length() == 1) {
                sb.append('0');
            }
            sb.append(hexString);
        }
        String sb2 = sb.toString();
        C75446pfv.m13022e((Object) sb2, "");
        return sb2;
    }
    public final char[] mo178270d(String str, String str2, String str3, String str4) {
        C75446pfv.m13004a((Object) str, "");
        C75446pfv.m13004a((Object) str2, "");
        C75446pfv.m13004a((Object) str3, "");
        C75446pfv.m13004a((Object) str4, "");
        try {
            String c = mo178268c(str, str4, str2, str3);
            byte[] bytes = (str4 + "|" + c).getBytes(pxn.f11244g);
            C75446pfv.m13022e((Object) bytes, "");
            String encodeToString = Base64.encodeToString(bytes, 2);
            C75446pfv.m13022e((Object) encodeToString, "");
            char[] charArray = encodeToString.toCharArray();
            C75446pfv.m13022e((Object) charArray, "");
            return charArray;
        } catch (Exception e) {
            e.printStackTrace();
            char[] charArray2 = "".toCharArray();
            C75446pfv.m13022e((Object) charArray2, "");
            return charArray2;
        }
    }

The payment for this project is negotiable and will be determined based on the complexity of the task.

If you have the expertise and are interested in working on this project, please feel free to reach out by commenting here or sending me a private message.

4 Comments
2023/04/26
19:36 UTC
