/r/RELounge
What happens when a discovery leaves IDA upon your own computer and meets the real world?
I’m a Computer Science university student, and I recently took a week-long introduction to Software Reverse Engineering (SRE), which I really enjoyed. I’ve planned to dive deeper by reading these books in a specific order (I prefer learning through books). However, I don’t have much experience in this field yet, so I’m wondering if my approach makes sense.
Of course I’m not expecting to become an expert after reading these books, but I’d like to gain a general understanding of reverse engineering and be able to perform basic tasks. What do you all think about this plan?
Computer Organization and Design: The Hardware/Software Interface By David A. Patterson, John L. Hennessy
Computer Networking: A Top-Down Approach By James F. Kurose, Keith W. Ross
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation By Bruce Dang, Alexandre Gazet, Elias Bachaalany, Sebastien Josse
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software By Michael Sikorski, Andrew Honig
Windows Internals Part 1 & Part 2 By Mark E. Russinovich, David A. Solomon, Alex Ionescu
Hello all!
I've been working on a small project recently. It's essentially just a web version of Ghidra, where you can view disassembly, decompilation, raw hex, control flow graphing, and strings. It's definitely more limited and slow compared to the desktop version of Ghidra, but if you need to analyze something under 2MB in a pinch, please give it a shot and let me know if you have any suggestions. It's open source if anyone wants to contribute :)
So, e-bikes are cool, but often big manufacturers like Bosch use encryption between their controllers and the battery, to force customers to buy another battery from them at a very high price.
It would be cool if we could reverse-engineer their firmware to get their AES keys and the communication protocol, in order to allow any battery producer to produce drop-in compatible Bosch bike batteries!
Shimano is interesting too!
If you have a bike or have access to one, it would be great if you want to take a look!
Hello,
I'm looking for a course that teaches about modern mitigations in binaries and how to bypass them. I have basic background knowledge about binary exploitation.
Do you have any recommendations? Everything from paid courses to YouTube playlists or channels will be super helpful.
Thanks!
I've been hacking about with my old CD copy of Dune by Cryo Interactive, using Cryogenic.
A memory dump appears to show some debug commands. Presumably these were used by the developers to test parts of the game without needing to playthrough everything. There's some very old discussion on the same topic here.
I wonder if anyone smarter than me has an idea, or is willing to research, how these might be used within the game? Also interested in which values I would need to change to set charisma in memory. It would be cool to unlock what seems to be some long lost features of this game!
Below are commands in plaintext, and screengrabs from Spice86:
...SUPER FREMEN HERE. PHASE LOC KNOWN. ALL SIETCHS KNOWN. RALLY ALL FREMEN /SIETCH. ALL LOC PROSPECTED. MUAD'DIB + 10. SHOW COORDS/SMALL MAP. TIME VERY FAST. TIME NORMAL. VEG ET EVERYWHERE. SHOW TRAVEL ANGLES. SHOW VARIABLE. BACK TO SCR. ALL TEXTS . SHOW TIME AND SPEED. BUF TO SCR. ALL LOC KNOWN. NO "TOO FAR...". GOTO PHASE 80. INCPHASE. PHASE 123. GO->GAME END. HARKO ATTACK. NOT KILLED. 9 PERS OS HERE. ALL PERSOS.
Hi, I'm looking for someone to disassemble a desktop console app.
My budget is low
Anyone on here based in the UK that would be interested in doing this as well as pulling the data from an IC on the boards
I have 3 pcbs that need doing, nothing too complex, just beyond my level of expertise.
Dm me if interested.
So I was using Kali Linux to look through some Saturn ROMs and I dug some images out of the first bin file of NiGHTS Into Dreams. I found 2 images that seem to be interlaced, or somehow set up to be displayed using scanlines and all of that. I am not very well versed in any field of study that I've jumped into. Just trying to learn by immersion. My forte is electrical engineering. It would be awesome if anyone could help me unscramble the pics. They look like they are the main menu backgrounds because I can make out the SEGA and NiGHTS text. Thanks in advance.
Can anyone make sense of this url format?
1708423184453-6299L2VRVVHUYYVSFYBP/DB43C0F8-F10C-4B58-93E5-1787415E5A29.JPG
I understand the first part is a unix timestamp and last part is a 36 character uuid.
I don't understand why the middle is the way it is.
Hello, I just opened a satellite receiver and found this port named bbs. What does this port do?
Hello, I'm looking for tools to compare two APK files. My goal is to pinpoint changes in the source code at the individual class file level. I need a tool that can identify modifications in the source code itself. Any recommendations for tools or libraries that can streamline this process? Thanks in advance for your advice!
WinDBG stops after I give it a dump file to analyze. It used to work before and now it completely stops. It used to be so fast and generate a bunch of answers. Any suggestions will be appreciated.
Many years ago, I created a number of programs, which luckily I have been able to retrieve as binaries from the internet. These include:
- a 64k intro called Obez (with realtime 3D Phong rendering) released in 1995, made with Turbo-Pascal, TASM, pmode, probably other tools https://github.com/thbar/demomaking?tab=readme-ov-file#obez-1995
- a demo called Nikki (released in 1996) captured here https://www.youtube.com/watch?v=t8o-uuq73UU and stored here https://github.com/thbar/demomaking/tree/master/nikki, made in Watcom C++ and Assembly
- a bomberman clone, dated from 1995 https://github.com/thbar/demomaking/tree/master/dyna-k made in Turbo-Pascal and Assembly as well
I have long lost the source code, and I'm looking into decompiling all or part of these binaries.
The Obez one is probably the most tricky, because it used compression techniques etc.
What would be the best tools available today to approach this? I know about IDA Pro etc. Maybe there are interesting approaches involving LLM?
Thanks for your ideas :-)
Howdy all. Our work is pushing Windows 11 on all machines. I'm responsible for maintenance of our older products that use versions of SW that are not supported on Windows 11. Specifically Xilinx ISE 14.7. There is a way to get these tools to work on Win10, but that same trick doesn't work on Win11. Turns out somebody has found a patch for one DLL (libPortability.dll) to make it work on Win11. But our IS/Security team won't let us use a random DLL found on the interwebs. I tried it out on a virtual machine (with no network access) and it works. So I need some way to *prove* it isn't malicious.
I have done a binary comparison of the files. They are different by only 8 bytes. Doesn't seem like enough to be malicious, but I need more than that. I've tried decompiling using Ghidra, but I can't seem to figure out how to "diff" the decompiled output in a meaningful way. The decompiled output of two DLLs is radically different. But just a binary compare shows only 9 bytes different.
I have a few ideas to proceed, but I'm not sure of the technical steps.
Given an offset in the DLL (where the binary differences are), how do I map that to a virtual address in Ghidra (or other tool)?
How can I map a DLL entry point (ordinal) to the target virtual addresses that have changed? Is there some tool that can walk the call chains from entry points?
I've googled quite a bit the last couple of days, but have found little to no detail on how to proceed here.
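One way to do the offset-to-address mapping and the byte diff the post asks about, as an added example that is not from the post, from Xilinx or from Ghidra: it reads ImageBase and the section table out of the PE headers, maps each differing file offset to an RVA and VA via the owning section's PointerToRawData/VirtualAddress, and runs against two constructed minimal PE32+ images rather than the real libPortability.dll (the builder and the sample patch offsets are assumptions made only so the block runs offline).

```python
import struct

PE_SIG = b"PE\0\0"

def parse_pe(data):
    """Return (image_base, [(name, virtual_address, virtual_size,
    pointer_to_raw_data, size_of_raw_data), ...]) from a PE image's headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, pos = [], opt + opt_size       # section table follows the optional header
    for _ in range(n_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
        pos += 40                            # sizeof(IMAGE_SECTION_HEADER)
    return image_base, sections

def map_offset(image_base, sections, offset):
    """File offset -> (section, RVA, VA), or None when no section's raw data
    backs the offset (e.g. it lies in the headers)."""
    for name, va, _vsize, rawptr, rawsize in sections:
        if rawptr <= offset < rawptr + rawsize:
            rva = va + (offset - rawptr)
            return name, rva, image_base + rva
    return None

def diff_offsets(a, b):
    """File offsets at which two images differ; extra trailing bytes of the
    longer file count as differences too."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    diffs.extend(range(n, max(len(a), len(b))))
    return diffs

def diff_report(original, patched):
    """[(offset, old_byte, new_byte, mapping)], mapping taken from the
    patched image's section table."""
    image_base, sections = parse_pe(patched)
    return [(off, original[off] if off < len(original) else None,
             patched[off] if off < len(patched) else None,
             map_offset(image_base, sections, off))
            for off in diff_offsets(original, patched)]

def build_min_pe(image_base, sections, file_size):
    """Constructed minimal PE32+ (headers plus zeroed section data) so the
    example runs offline; it is not the real libPortability.dll."""
    img = bytearray(file_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = PE_SIG
    coff = 0x44
    struct.pack_into("<HHIIIHH", img, coff, 0x8664, len(sections), 0, 0, 0, 240, 0x2022)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)            # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, image_base)
    pos = opt + 240
    for name, va, vsize, rawptr, rawsize in sections:
        struct.pack_into("<8sIIIIIIHHI", img, pos, name.encode().ljust(8, b"\0"),
                         vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        pos += 40
    return bytes(img)

# Constructed sample: two sections, a 2-byte "patch" in .text and one byte in .data.
IMAGE_BASE = 0x180000000
SECTIONS = [(".text", 0x1000, 0x200, 0x400, 0x200),
            (".data", 0x2000, 0x100, 0x600, 0x200)]
ORIGINAL = build_min_pe(IMAGE_BASE, SECTIONS, 0x800)
PATCHED = bytearray(ORIGINAL)
PATCHED[0x410], PATCHED[0x411], PATCHED[0x605] = 0x90, 0x90, 0x01
PATCHED = bytes(PATCHED)
```

For a real pair of DLLs, `diff_report(open(a, "rb").read(), open(b, "rb").read())` gives the VAs to jump to in Ghidra, which loads a PE at its ImageBase unless told otherwise; differing bytes that map to no section, or to a section without execute permission, deserve a different kind of scrutiny than a changed instruction.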
Good Evening All,
I'm not sure of this is the best place to post this, but I'm hoping somebody might be able to assist me.
I'm currently working on trying to understand how MetroDroid is able to determine an Expiration Date based off of a Card Dump.
I've tried going through the code, but I'm just not really all that technical, when it comes down to it. And I feel like I might just be missing something simple.
The card I'm looking at, has this information:
It's a Ventra
- Mifare Ultralight
- EV1
- Single-Use
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 2E 9F 3D | | ...=
[=] 1/0x01 | CA A1 13 90 | | ....
[=] 2/0x02 | E8 48 00 00 | | .H..
[=] 3/0x03 | 00 00 00 00 | 0 | ....
[=] 4/0x04 | 0A 04 00 B4 | 0 | ....
[=] 5/0x05 | 30 01 3F 00 | 0 | 0.?.
[=] 6/0x06 | 00 00 00 DE | 0 | ....
[=] 7/0x07 | 00 00 3F 39 | 0 | ..?9
[=] 8/0x08 | 20 84 5A FF | 0 | .Z.
[=] 9/0x09 | 01 00 00 00 | 0 | ....
[=] 10/0x0A | FF 00 00 00 | 0 | ....
[=] 11/0x0B | 00 00 65 66 | 0 | ..ef
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 5F 5A | 0 | .._Z
[=] 16/0x10 | 00 00 00 FF | 0 | ....
[=] 17/0x11 | 00 05 00 00 | 0 | ....
[=] 18/0x12 | 00 00 00 00 | 0 | ....
[=] 19/0x13 | 00 00 00 00 | 0 | ....
[=] ---------------------------------
When I scan it with the app, I get this information:
What I'm curious about is what determines the $0.00 and the "Valid until 5/19/24 12:00 AM".
This is the data I can get from MetroDroid by exporting the information:
{
"tagId": "042e9fcaa11390",
"scannedAt": {
"timeInMillis": 1708651483860,
"tz": "America/Chicago"
},
"mifareUltralight": {
"cardModel": "EV1_MF0UL11",
"pages": [
{
"data": "042e9f3d"
},
{
"data": "caa11390"
},
{
"data": "e8480000"
},
{
"data": "00000000"
},
{
"data": "0a0400b4"
},
{
"data": "30013f00"
},
{
"data": "000000de"
},
{
"data": "00003f39"
},
{
"data": "20845aff"
},
{
"data": "01000000"
},
{
"data": "ff000000"
},
{
"data": "00006566"
},
{
"data": "00000000"
},
{
"data": "00000000"
},
{
"data": "00000000"
},
{
"data": "00005f5a"
},
{
"data": "000000ff"
},
{
"data": "00050000"
},
{
"data": "00000000"
},
{
"data": "00000000"
}
]
}
}
Honestly, any help would be greatly appreciated.
If any further information is needed from the Card itself, please let me know and I'll provide what I can.
I have a `Proxmark3 Easy` to get the data that I did.
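An added example (not part of the post, of MetroDroid or of the Proxmark3 software) that parses the Proxmark3 listing above, rebuilds the MetroDroid-style page list, and checks the parts of the dump that the MIFARE Ultralight EV1 (MF0UL11) layout fixes: the 7-byte UID in pages 0 and 1 (which is the tagId in the export), its two BCC check bytes, the static lock bytes in page 2 and the AUTH0 password threshold in config page 16. It does not derive the balance or the expiry shown in the app.

```python
import re

# Proxmark3 listing copied from the post above: 20 pages of a MIFARE
# Ultralight EV1 (MF0UL11), four bytes per page.
PROXMARK_DUMP = """\
[=] block# | data |lck| ascii
[=] ---------+-------------+---+------
[=] 0/0x00 | 04 2E 9F 3D | | ...=
[=] 1/0x01 | CA A1 13 90 | | ....
[=] 2/0x02 | E8 48 00 00 | | .H..
[=] 3/0x03 | 00 00 00 00 | 0 | ....
[=] 4/0x04 | 0A 04 00 B4 | 0 | ....
[=] 5/0x05 | 30 01 3F 00 | 0 | 0.?.
[=] 6/0x06 | 00 00 00 DE | 0 | ....
[=] 7/0x07 | 00 00 3F 39 | 0 | ..?9
[=] 8/0x08 | 20 84 5A FF | 0 | .Z.
[=] 9/0x09 | 01 00 00 00 | 0 | ....
[=] 10/0x0A | FF 00 00 00 | 0 | ....
[=] 11/0x0B | 00 00 65 66 | 0 | ..ef
[=] 12/0x0C | 00 00 00 00 | 0 | ....
[=] 13/0x0D | 00 00 00 00 | 0 | ....
[=] 14/0x0E | 00 00 00 00 | 0 | ....
[=] 15/0x0F | 00 00 5F 5A | 0 | .._Z
[=] 16/0x10 | 00 00 00 FF | 0 | ....
[=] 17/0x11 | 00 05 00 00 | 0 | ....
[=] 18/0x12 | 00 00 00 00 | 0 | ....
[=] 19/0x13 | 00 00 00 00 | 0 | ....
"""

PAGE_LINE = re.compile(
    r"^\[=\]\s+(\d+)/0x[0-9A-Fa-f]+\s+\|\s+"           # page number
    r"([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2}){3})\s+\|"   # four data bytes
)

CASCADE_TAG = 0x88  # ISO 14443-3 CT byte that precedes UID0 in a 7-byte UID

def parse_proxmark_dump(text):
    """Return the pages as a list of 4-byte values, in page order."""
    pages = {}
    for line in text.splitlines():
        m = PAGE_LINE.match(line)
        if m:
            pages[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    if sorted(pages) != list(range(len(pages))):
        raise ValueError("dump has missing pages")
    return [pages[i] for i in range(len(pages))]

def to_metrodroid_pages(pages):
    """Same shape as the 'pages' array in the MetroDroid export above."""
    return [{"data": p.hex()} for p in pages]

def uid_from_pages(pages):
    """7-byte UID: bytes 0-2 of page 0 (byte 3 is BCC0) plus all of page 1."""
    return pages[0][:3] + pages[1]

def tag_id_hex(pages):
    """MetroDroid's tagId is the UID as lowercase hex."""
    return uid_from_pages(pages).hex()

def check_bcc(pages):
    """Verify both block-check characters: BCC0 = CT^UID0^UID1^UID2 sits in
    page 0 byte 3, BCC1 = UID3^UID4^UID5^UID6 sits in page 2 byte 0."""
    uid = uid_from_pages(pages)
    bcc0 = CASCADE_TAG ^ uid[0] ^ uid[1] ^ uid[2]
    bcc1 = uid[3] ^ uid[4] ^ uid[5] ^ uid[6]
    return bcc0 == pages[0][3], bcc1 == pages[2][0]

def lock_bytes(pages):
    """Static lock bytes (page 2, bytes 2-3); 0x00 means no page is locked."""
    return pages[2][2], pages[2][3]

def auth0(pages):
    """AUTH0 (last byte of config page 16 on an MF0UL11): first page that
    requires the password; 0xFF means no page is password-protected."""
    return pages[16][3]
```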
Hi guys,
I recently started to revamp my wife's childhood DS Lite for her, and one of the changes was to get a flashcart. I ended up picking up a cheap R4i cart, which I loaded YSMenu from this post here: https://gbatemp.net/download/retrogamefan-multi-cart-update.35737/
I've been able to make some graphical edits, but would love to do some others that are not provided in the configuration .ini file, such as removing a time stamp from the menu.
The original project was from another developer, Mr. Yasu, in the 00's: http://hp.vector.co.jp/authors/VA013928/ Unfortunately the original files were on a now defunct subdomain, but I've found a copy I believe is original. zip file The project was then forked by retrogamefan in order to build support for using different flashcarts and providing updated game fixes (also done by Jhon591 at ds-scene.net). They kept the entire thing closed-source unfortunately.
I've taken a peek at the files with HxD (See here), and Ghidra (see here), but nothing I've found helpful to me. Maybe someone else will have a better idea what to look for. In Ghidra I've been setting the language (when importing) to ARM7 small endian.
One potential idea I had was to perhaps decode a utility program made by retrogamefan that allows people to edit some of the .dat files (infolib.dat, extinfo.dat, and savlib.dat) to see if that could allow me to figure out what they've used to create the others. Program: https://gbatemp.net/download/ttdt.36159/ I have been able to load ttdt in Ollydbg, but I don't know yet what I've found: img
That said, I am suspecting that the stuff I want to edit is in either system.u2l or system.l2u and not in a .dat file. I have not found a lot of info on either format.
All in all, I am not a regular RE person and just a tinkerer. It would be great if someone could offer suggestions or even lend their expertise to help me out.
I am starting to look for a new role, and I am really sick of working in and around the government. Has anyone recently switched from a gov role or a contractor role to a commercial role?
I have been working in this field specifically in embedded systems RE/CNO dev for 7+ years now. Started on the MIL side in the IC.
My biggest problem is figuring out a solid mapping between RE roles I've had for the DOD and those on the commercial side. Seems like there aren't many jobs really looking for the same skillset, but I am hoping I'm wrong.
Any help would be huge.
P.S. Typed on phone, at work, on a burner account. Sorry if the grammar is bad.
I have a broken UDMP that I would really like to repair.
I have access to the U-Boot console via JTAG. It is showing errors in loading the USB controller, the Ethernet and the XHCI Controller, which causes the kernel to fail to load.
The guy I got it off said it happened during a failed firmware update, so my gut feeling is that a re-flash of the bootloader may bring it back to life, as I find it hard to believe that all the onboard components can fail at once.
I have downloaded the UDMP firmware from unifi and run binwalk over it as well as strings.
I can find multiple references to U-Boot from strings and head but am stuck at how to actually extract U-Boot from the firmware so I can re-flash it back onto my device. As it just shows me the text it found and the location, I don't know how to expand on that to find a useful section to extract.
It's a long shot, but thanks for your help in advance!
binwalk output:
richa@raspberrypi:~ $ binwalk 4f64-udmpro-1.9.0-7d413a95296646e1aa685674a2bc1db8.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Ubiquiti firmware header, header size: 264 bytes, ~CRC32: 0x54244190, version: "UDM.alpinev2.v1.9.0.928880d.210301.1532"
699 0x2BB Flattened device tree, size: 5111470 bytes, version: 17
943 0x3AF gzip compressed data, has original file name: "Image", from Unix, last modified: 2021-03-01 17:04:20
4928963 0x4B35C3 Flattened device tree, size: 24370 bytes, version: 17
4953971 0x4B9773 Flattened device tree, size: 26307 bytes, version: 17
4980911 0x4C00AF Flattened device tree, size: 24358 bytes, version: 17
5005907 0x4C6253 Flattened device tree, size: 25972 bytes, version: 17
5032515 0x4CCA43 Flattened device tree, size: 26118 bytes, version: 17
5059267 0x4D32C3 Flattened device tree, size: 24341 bytes, version: 17
5084247 0x4D9457 Flattened device tree, size: 26282 bytes, version: 17
5112233 0x4E01A9 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 626379969 bytes, 71665 inodes, blocksize: 131072 bytes, created: 2021-03-01 17:18:35
631829337 0x25A8F359 Unix path: /home/winder/projects/data/customers/ubiquiti/multi_dt/preboot_v2/stage3/i2c_wrapper.c
631829609 0x25A8F469 Unix path: /home/winder/projects/data/customers/ubiquiti/multi_dt/preboot_v2/stage3/pci_devices.c
632021553 0x25ABE231 Flattened device tree, size: 25342 bytes, version: 17
632050225 0x25AC5231 Flattened device tree, size: 23763 bytes, version: 17
632074801 0x25ACB231 Flattened device tree, size: 25252 bytes, version: 17
632103473 0x25AD2231 Flattened device tree, size: 25121 bytes, version: 17
632132145 0x25AD9231 Flattened device tree, size: 25041 bytes, version: 17
632160817 0x25AE0231 Flattened device tree, size: 24538 bytes, version: 17
632708865 0x25B65F01 CRC32 polynomial table, little endian
632763775 0x25B7357F Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/iofic/al_hal_iofic.c
632763933 0x25B7361D Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_main.c
632764867 0x25B739C3 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_config.c
632765538 0x25B73C62 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/udma/al_hal_udma_iofic.c
632769766 0x25B74CE6 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_main.c
632770259 0x25B74ED3 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//include/udma/al_hal_udma.h
632772052 0x25B755D4 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_kr.c
632772400 0x25B75730 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/eth/al_hal_eth_epe.c
632772652 0x25B7582C Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ssm/al_hal_ssm.c
632772801 0x25B758C1 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ssm/al_hal_ssm_raid.c
632774716 0x25B7603C Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/serdes/al_hal_serdes_hssp.c
632775536 0x25B76370 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/serdes/al_hal_serdes_25g.c
632779009 0x25B77101 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pcie/al_hal_pcie.c
632782428 0x25B77E5C Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pcie/al_hal_pcie_interrupts.c
632782674 0x25B77F52 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ddr/al_hal_ddr.c
632786410 0x25B78DEA Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ddr/al_hal_ddr_pmu.c
632786907 0x25B78FDB Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_muio_mux.c
632787406 0x25B791CE Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_spi.c
632788063 0x25B7945F Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_nand_dma.c
632788252 0x25B7951C Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_bootstrap.c
632788630 0x25B79696 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_gpio.c
632789338 0x25B7995A Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_i2c.c
632789961 0x25B79BC9 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/pbs/al_hal_addr_map.c
632791030 0x25B79FF6 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ring/al_hal_pll.c
632791490 0x25B7A1C2 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_services/al_hal_timer.c
632792134 0x25B7A446 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_fabric/al_hal_sys_fabric_utils.c
632792711 0x25B7A687 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/sys_fabric/al_hal_iommu.c
632793162 0x25B7A84A Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//drivers/ring/al_hal_cmos.c
632794615 0x25B7ADF7 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/eth/al_init_eth_lm.c
632798926 0x25B7BECE Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/eth/al_eth_group_lm.c
632800446 0x25B7C4BE Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/pcie/al_init_pcie.c
632802076 0x25B7CB1C Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/iomap_dynamic/al_hal_iomap_dynamic.c
632802476 0x25B7CCAC Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/tpm/al_tpm.c
632802824 0x25B7CE08 Unix path: /home/builder/workspace/Bootloaders/BL_al_boot_multi/src/HAL//services/tpm/al_tpm_if_i2c.c
632863681 0x25B8BBC1 Flattened device tree, size: 1748 bytes, version: 17
632925601 0x25B9ADA1 Intel x86 or x64 microcode, pf_mask 0x11a296a, 1A5C-01-10, size 2048
632976829 0x25BA75BD Flattened device tree, size: 13809110 bytes, version: 17
632977073 0x25BA76B1 gzip compressed data, has original file name: "Image", from Unix, last modified: 2020-10-22 16:39:57
646602945 0x268A60C1 Flattened device tree, size: 24344 bytes, version: 17
646627925 0x268AC255 Flattened device tree, size: 26281 bytes, version: 17
646654841 0x268B2B79 Flattened device tree, size: 24332 bytes, version: 17
646679809 0x268B8D01 Flattened device tree, size: 25922 bytes, version: 17
646706369 0x268BF4C1 Flattened device tree, size: 26092 bytes, version: 17
646733093 0x268C5D25 Flattened device tree, size: 24315 bytes, version: 17
646758045 0x268CBE9D Flattened device tree, size: 26256 bytes, version: 17
646786018 0x268D2BE2 Signed Ubiquiti end header, RSA 2048 bit, header size: 264 bytes
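An added example (not from the post, from binwalk or from Ubiquiti) that turns a binwalk listing like the one above into carve ranges: the size binwalk declares where the signature carries one, otherwise the gap to the next signature, plus the matching GNU dd command with byte-exact skip/count. The embedded listing is a subset of the post's output, and the file size passed to the test is an assumption.

```python
import re

# Subset of the binwalk listing from the post above (the real file is
# 4f64-udmpro-1.9.0-7d413a95296646e1aa685674a2bc1db8.bin).
BINWALK_LISTING = """\
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Ubiquiti firmware header, header size: 264 bytes, ~CRC32: 0x54244190, version: "UDM.alpinev2.v1.9.0.928880d.210301.1532"
699 0x2BB Flattened device tree, size: 5111470 bytes, version: 17
943 0x3AF gzip compressed data, has original file name: "Image", from Unix, last modified: 2021-03-01 17:04:20
4928963 0x4B35C3 Flattened device tree, size: 24370 bytes, version: 17
5112233 0x4E01A9 Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 626379969 bytes, 71665 inodes, blocksize: 131072 bytes, created: 2021-03-01 17:18:35
646786018 0x268D2BE2 Signed Ubiquiti end header, RSA 2048 bit, header size: 264 bytes
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(0x[0-9A-Fa-f]+)\s+(.+?)\s*$")
SIZE = re.compile(r"\bsize: (\d+) bytes")

def parse_binwalk(text):
    """Return [(offset, description)] from a binwalk signature listing,
    checking that the decimal and hex offset columns agree."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        dec, hx, desc = int(m.group(1)), int(m.group(2), 16), m.group(3)
        if dec != hx:
            raise ValueError("offset columns disagree on line: %r" % line)
        entries.append((dec, desc))
    return entries

def declared_size(desc):
    """Size binwalk printed for the signature, or None (e.g. gzip has none)."""
    m = SIZE.search(desc)
    return int(m.group(1)) if m else None

def carve_ranges(entries, file_size):
    """[(offset, length, description)]: the declared size when there is one,
    otherwise the gap up to the next signature (a heuristic, since nested
    signatures such as a gzip inside an FDT/FIT image overlap)."""
    ranges = []
    for i, (off, desc) in enumerate(entries):
        size = declared_size(desc)
        if size is None:
            nxt = entries[i + 1][0] if i + 1 < len(entries) else file_size
            size = nxt - off
        ranges.append((off, size, desc))
    return ranges

def carve(data, offset, length):
    """Slice one region out of the firmware bytes."""
    return data[offset:offset + length]

def dd_command(src, dst, offset, length):
    """Equivalent GNU dd invocation with byte-exact skip/count."""
    return ("dd if=%s of=%s bs=1M iflag=skip_bytes,count_bytes skip=%d count=%d"
            % (src, dst, offset, length))
```

`binwalk -e` performs the same carving for the types it knows how to extract; for the gzip member the range runs to the next signature, and `gzip -d` on that carve stops at the member's end (reporting trailing garbage ignored) and yields the kernel "Image" the listing names.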
So I am new to the Reverse Engineering world, and I have an exe which is written using Python and used Nuitka to make it an exe. Any idea how I should work with it?
I know it is very hard to get the full source code. I am okay with even a bit of it.
Remark: What Nuitka does is that it changes the Python code to C code, then compiles it, which makes it more complex to reverse engineer. (I tried to reverse engineer it as C code but it didn't work.) But I am still new, so maybe I did something wrong.
Any help or idea is appreciated
I came across the issue of Hytera being found guilty of stealing IP from Motorola's DMR product line. I see that one of the stolen IP items was source code, among other IP items. Most of the content I come across has generalities of what was stolen. Anyone come across any specifics of the tech specs that were taken? What specific source code, for what models of radios, microcontroller architecture, etc. Cheers.
It's an odd question to ask since it's 2023 and flash is... well, not supported anymore unless using plugins or something.
But there's the curiosity of the possibility of doing such a thing with flash games nowadays. For extracting assets and stuff, but only to study how they are made and how their code works.
Basically, learning purposes, because there is very cool stuff out there in old flash games and I find it interesting to know how people achieved such things.
Link to my research notes: https://docs.google.com/document/d/1Y-2SZX4s1E1Mq9yWHZMMBzW3BJTfUuMl-YYXoZlY73w/edit?usp=sharing
From my research, I have come to the understanding that in order to extract the ipa file of an installed app on a non-jailbroken iPhone, the available options are to either use Apple Configurator, iMazing, or iTunes. I have also studied the ipa extraction process for a jailbroken iPhone, but given that I am on an A14 chip iPhone 12 Pro Max running iOS 16.0.3, it is almost impossible to downgrade to iOS 15 for a jailbreak, and a PPL bypass has not been discovered yet for A12+ iOS 16+ iPhones. Due to these unfortunate limitations, I am trying to set up a proper debugging environment on a non-jailbroken iPhone if possible using this approach: https://googleprojectzero.blogspot.com/2021/05/fuzzing-ios-code-on-macos-at-native.html
The question is whether a jailbroken iphone is necessary to extract the ipa file of a pre-installed app, such as imessage. The ultimate goal is to extract the compiled ios binary executable from the corresponding ipa->app bundle to run it as a macos process for debugging.
So I have an old laser printer that is basically fried and doesn't work anymore. So I took upon myself a challenge to extract its firmware. On the main board I found an I2C EEPROM. I connected it to an Arduino and read its contents, but when I try to run binwalk on it nothing happens. Why is that? Do you need to do something more than just read the contents of the chip?
Hey there!
Maybe you played Heroes and Generals yourself, maybe you didn't. Long story short: the game publisher chose to shut down the servers...
As mentioned in https://www.reddit.com/r/HeroesandGenerals/comments/13ipas7/self_hosted_servers/ there are still many people who like to continue playing.
We made plans on how to accomplish that. One of the possible solutions is to rewrite the server logic on our own, but it is a lot of work.
Mainly looking for people who are willing to contribute as C++ dev and "information gathering" (hope you know ghidra or other tools ^.^).
Willing to join? We have a discord channel at https://discord.gg/gnnfKKuumg
POC is also running but only up to the login page (not the game itself yet).
I am having 2 issues with IDA Pro. First, I often add blank lines to the pseudocode window to separate code blocks, but I can't figure out how to remove them without using Ctrl+Z.
Second, I edited the hexrays.cfg file to increase the indentation from 2 to 4, but it didn't change, even after closing and opening the app. Is there a way of reloading the config?
Thanks in advance.
Pin: pin-3.24-98612-6bd5931f2
Copyright 2002-2022 Intel Corporation.
A: C:\tmp_proj\pinjen\workspace\pypl-pin-nightly\GitPin\Source\pin\vm\jit_outlined_funcs.cpp: LEVEL_VM::AssertTargetIaddrValid: 599: assertion failed: tragetAddrValid
What did I do, Jen?
I'm currently in search of somebody who can assist me in reverse engineering an Android APK.
The primary goal is to rewrite an AES encryption function. It involves reverse engineering an APK (original app and decompiled code would be provided).
These are the headers that I need a script to generate locally:
X-Book-Security-Token: 4d6a55774e5463304d7a45344e6a6730
X-Book-Identifier-Type: MZyGb/ylkFYYpEqgx5HAIw==
X-Book-User-Identifier: EMBEQb01fnjUF9QzhSHU1TfdYXguyD2YPY8wmDlpZRo=
The headers are somehow associated with each other, I suspect it has an ID or something appended to it during generation.
I suspect the functions below handle the encryption process:
public final String mo178266b(String str, String str2, String str3, String str4) {
    C75446pfv.m13004a((Object) str, "");
    C75446pfv.m13004a((Object) str2, "");
    C75446pfv.m13004a((Object) str3, "");
    C75446pfv.m13004a((Object) str4, "");
    try {
        SecretKeyFactory instance = SecretKeyFactory.getInstance(str4);
        char[] charArray = str3.toCharArray();
        C75446pfv.m13022e((Object) charArray, "");
        byte[] bytes = m187477d(m187475b(str2)).getBytes(pxn.f11244g);
        C75446pfv.m13022e((Object) bytes, "");
        SecretKeySpec secretKeySpec = new SecretKeySpec(instance.generateSecret(new PBEKeySpec(charArray, bytes, 4096, 128)).getEncoded(), "AES");
        byte[] decode = Base64.decode(str, 2);
        Cipher instance2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
        instance2.init(2, secretKeySpec, m187476c(m187475b(str2)));
        byte[] doFinal = instance2.doFinal(decode);
        C75446pfv.m13022e((Object) doFinal, "");
        return new String(doFinal, pxn.f11244g);
    } catch (Exception e) {
        e.printStackTrace();
        return "";
    }
}

/* renamed from: a */
public final String mo178264a(byte[] bArr) {
    C75446pfv.m13004a((Object) bArr, "");
    StringBuilder sb = new StringBuilder();
    for (byte b : bArr) {
        String hexString = Integer.toHexString(b & UnsignedBytes.MAX_VALUE);
        C75446pfv.m13022e((Object) hexString, "");
        if (hexString.length() == 1) {
            sb.append('0');
        }
        sb.append(hexString);
    }
    String sb2 = sb.toString();
    C75446pfv.m13022e((Object) sb2, "");
    return sb2;
}

public final char[] mo178270d(String str, String str2, String str3, String str4) {
    C75446pfv.m13004a((Object) str, "");
    C75446pfv.m13004a((Object) str2, "");
    C75446pfv.m13004a((Object) str3, "");
    C75446pfv.m13004a((Object) str4, "");
    try {
        String c = mo178268c(str, str4, str2, str3);
        byte[] bytes = (str4 + "|" + c).getBytes(pxn.f11244g);
        C75446pfv.m13022e((Object) bytes, "");
        String encodeToString = Base64.encodeToString(bytes, 2);
        C75446pfv.m13022e((Object) encodeToString, "");
        char[] charArray = encodeToString.toCharArray();
        C75446pfv.m13022e((Object) charArray, "");
        return charArray;
    } catch (Exception e) {
        e.printStackTrace();
        char[] charArray2 = "".toCharArray();
        C75446pfv.m13022e((Object) charArray2, "");
        return charArray2;
    }
}
The payment for this project is negotiable and will be determined based on the complexity of the task.
If you have the expertise and are interested in working on this project, please feel free to reach out by commenting here or sending me a private message.