Cracking BattlEye packet encryption
https://secret.club/2020/06/19/battleye-packet-encryption.html
@reverseengine
https://secret.club/2020/06/19/battleye-packet-encryption.html
@reverseengine
secret club
Cracking BattlEye packet encryption
Recently, Battlestate Games, the developers of Escape From Tarkov, hired BattlEye to implement encryption on networked packets so that cheaters can’t capture these packets, parse them and use them for their advantage in the form of radar cheats, or otherwise.…
The Intezer Analyze IDA Pro plugin is now available to community users
https://intezer.com/blog/intezer-analyze/ida-pro-plugin-now-available-to-the-community
@reverseengine
https://intezer.com/blog/intezer-analyze/ida-pro-plugin-now-available-to-the-community
@reverseengine
Intezer
IDA Pro Plugin Now Available to the Community
Accelerate reverse engineering by enriching every function of disassembled machine code with info about where the code was seen previously.
ببخشید، امتحان های دانشگاه هست، نمیرسم بعد از این که تموم شدن قوی تر ادامه میدیم.
Sorry, I have university exams, I couldn't make it. We'll continue stronger after they're over.
Sorry, I have university exams, I couldn't make it. We'll continue stronger after they're over.
❤18👏1
حالم اصن خوب نیست خودتون دلیلشو میدونید وقتی خوب شدم دوباره فعالیت مثل قبل میشه عذر میخام💔
I'm not feeling well at all. You know the reason. When I get better, I'll be back to being active like before. I apologize🖤
I'm not feeling well at all. You know the reason. When I get better, I'll be back to being active like before. I apologize🖤
❤27💔6🤣1
امیدوارم حالتون خوب باشه برادرها و خواهرای من، به زودی دوباره شروع میکنیم 🖤
I hope you are well my brothers and sisters, we will start again soon ❤️🩹
I hope you are well my brothers and sisters, we will start again soon ❤️🩹
💔19❤3🤣2👍1👎1
How LLMs feed Your RE Habit
https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs
@reverseengine
https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs
@reverseengine
clearbluejar
How LLMs Feed Your RE Habit: Following the Use-After-Free Trail in CLFS
Dive into how LLMs and pyghidra-mcp accelerate reverse engineering by tracing a UAF vulnerability in CLFS through a patch diff.
19 Shades of LockBit5.0
https://www.levelblue.com/blogs/spiderlabs-blog/19-shades-of-lockbit5.0-inside-the-latest-cross-platform-ransomware-part-1
@reverseengine
https://www.levelblue.com/blogs/spiderlabs-blog/19-shades-of-lockbit5.0-inside-the-latest-cross-platform-ransomware-part-1
@reverseengine
Levelblue
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware: Part 1
This three-part blog series presents an analysis of a cross-platform LockBit 5.0 ransomware payload affecting Windows, Linux, and ESXi environments.
سیستم عامل برای مهندسی معکوس
🟢 1️⃣ Process پروسه
Process =
یک برنامه در حال اجرا
وقتی یک فایل اجرایی اجرا میشه
سیستمعامل یک Process میسازه به اون PID میده یک فضای حافظه جدا اختصاص میده رجیسترها و context مخصوص داره
هر Process:
حافظه جدا داره
Stack و Heap
جدا داره
ماژولها (DLL / SO) خودش رو داره
داخل مهندسی معکوس مهمه چرا:
چون باینری که تحلیل میکنید داخل یک Process اجرا میشه و همه چیز داخل همین فضا اتفاق میوفته
Operating System for Reverse Engineering
🟢 1️⃣ Process
Process = A running program
When an executable file is executed
The operating system creates a Process, gives it a PID, allocates a separate memory space, and has its own registers and context
Each Process:
Has a separate memory
Has a separate Stack and Heap
Has its own modules (DLL / SO)
Why is reverse engineering important:
Because the binary you are analyzing is executed inside a Process and everything happens inside this space
@reverseengine
🟢 1️⃣ Process پروسه
Process =
یک برنامه در حال اجرا
وقتی یک فایل اجرایی اجرا میشه
سیستمعامل یک Process میسازه به اون PID میده یک فضای حافظه جدا اختصاص میده رجیسترها و context مخصوص داره
هر Process:
حافظه جدا داره
Stack و Heap
جدا داره
ماژولها (DLL / SO) خودش رو داره
داخل مهندسی معکوس مهمه چرا:
چون باینری که تحلیل میکنید داخل یک Process اجرا میشه و همه چیز داخل همین فضا اتفاق میوفته
Operating System for Reverse Engineering
🟢 1️⃣ Process
Process = A running program
When an executable file is executed
The operating system creates a Process, gives it a PID, allocates a separate memory space, and has its own registers and context
Each Process:
Has a separate memory
Has a separate Stack and Heap
Has its own modules (DLL / SO)
Why is reverse engineering important:
Because the binary you are analyzing is executed inside a Process and everything happens inside this space
@reverseengine
🟢 2️⃣ Thread
Thread =
واحد اجرای داخل Process
هر Process حداقل یک Thread داره
هر Thread:
Stack جدا داره
رجیسترهای جدا دارد
ولی حافظه Process مشترک است
خیلی مهم: چون بعضی رفتارها داخل Threadهای جدا اجرا میشن و در دیباگ باید Thread درست رو دنبال کنید
🟢 2️⃣ Thread
Thread = Unit of execution within a Process
Each Process has at least one Thread
Each Thread:
Has a separate Stack
Has separate registers
But the Process memory is shared
Very important: Because some behaviors are executed in separate Threads and in debugging you must follow the correct Thread
@reverseengine
Thread =
واحد اجرای داخل Process
هر Process حداقل یک Thread داره
هر Thread:
Stack جدا داره
رجیسترهای جدا دارد
ولی حافظه Process مشترک است
خیلی مهم: چون بعضی رفتارها داخل Threadهای جدا اجرا میشن و در دیباگ باید Thread درست رو دنبال کنید
🟢 2️⃣ Thread
Thread = Unit of execution within a Process
Each Process has at least one Thread
Each Thread:
Has a separate Stack
Has separate registers
But the Process memory is shared
Very important: Because some behaviors are executed in separate Threads and in debugging you must follow the correct Thread
@reverseengine
تا اینجا، اسمبلی رو کامل یاد گرفتیم، هرچی نیاز بود، و گفتم و الان نوبت یاد گرفتن سیستم عامله، این بخش خیلی مهمه.
So far, we have learned assembly completely, everything we needed, and now it's time to learn the operating system. This is a very important part.
So far, we have learned assembly completely, everything we needed, and now it's time to learn the operating system. This is a very important part.
A Ghidra processor module for the EFI Byte Code (EBC)
https://github.com/meromwolff/Ghidra-EFI-Byte-Code-Processor
@reverseengine
https://github.com/meromwolff/Ghidra-EFI-Byte-Code-Processor
@reverseengine
GitHub
GitHub - meromwolff/Ghidra-EFI-Byte-Code-Processor: A Ghidra processor module for the EFI Byte Code (EBC)
A Ghidra processor module for the EFI Byte Code (EBC) - meromwolff/Ghidra-EFI-Byte-Code-Processor
Tools used during the reversing of the Nikon firmware
https://github.com/simeonpilgrim/nikon-firmware-tools
@reverseengine
https://github.com/simeonpilgrim/nikon-firmware-tools
@reverseengine
GitHub
GitHub - simeonpilgrim/nikon-firmware-tools: Tools used during the reversing of the Nikon firmware
Tools used during the reversing of the Nikon firmware - simeonpilgrim/nikon-firmware-tools
Cracking BattlEye packet encryption
https://secret.club/2020/06/19/battleye-packet-encryption.html
@reverseengine
https://secret.club/2020/06/19/battleye-packet-encryption.html
@reverseengine
secret club
Cracking BattlEye packet encryption
Recently, Battlestate Games, the developers of Escape From Tarkov, hired BattlEye to implement encryption on networked packets so that cheaters can’t capture these packets, parse them and use them for their advantage in the form of radar cheats, or otherwise.…
Thread-Name Calling - A new process injection technique using Thread Name.
The code to be injected is passed as a thread denoscription to the target
https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/
@reverseengine
The code to be injected is passed as a thread denoscription to the target
https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/
@reverseengine
Check Point Research
Thread Name-Calling - using Thread Name for offense - Check Point Research
Research by: hasherezade Highlights: Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: Due to the fact that interference in the memory…
Hexrays Toolbox - Find code patterns within the Hexrays AST
https://github.com/patois/HexraysToolbox
@reverseengine
https://github.com/patois/HexraysToolbox
@reverseengine
GitHub
GitHub - patois/HexraysToolbox: Hexrays Toolbox - Find code patterns within the Hexrays ctree
Hexrays Toolbox - Find code patterns within the Hexrays ctree - patois/HexraysToolbox
Advanced Root Detection & Bypass Techniques
https://8ksec.io/advanced-root-detection-bypass-techniques
@reverseengine
https://8ksec.io/advanced-root-detection-bypass-techniques
@reverseengine
8kSec
Frida Part 5: Root Detection Bypass | 8kSec
Learn advanced root detection techniques on Android and practical methods to bypass them using Frida. Covers common detection libraries and evasion strategies.
Leveraging Raw Disk Reads to Bypass EDR
https://medium.com/workday-engineering/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d
@reverseengine
https://medium.com/workday-engineering/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d
@reverseengine
Medium
Leveraging Raw Disk Reads to Bypass EDR
Drivers are a common part of every Windows environment, and many of them provide low-level functionality. This blog details how to connect…
NX
چیه و چرا Shellcode مستقیم معمولا اجرا نمیشه
درباره shellcode
کد رو داخل استک ریختید
RIP رو فرستادید روی استک
کد اجرا میشد
ولی الان معمولا این کار جواب نمیده
دلیلش یک مکانیزم امنیتی مهمه:
NX = Non-Executable
NX دقیقا چه کار میکنه؟
NX
میگه:
بعضی بخش های حافظه فقط برای داده هستن نه برای اجرای کد
یعنی:
استک → فقط داده
هیپ → فقط داده
اجرای دستور → ممنوع
اگر CPU تلاش کنه از این بخش ها دستور اجرا کنه → برنامه فورا کرش میکنه
چه اتفاقی میوفته؟
فرض کنید:
Shellcode رو داخل بافر ریختید
RIP رو کردید آدرس همون بافر
روی سیستم NX:
executable : نیست CPU این بخش
segmentation fault
یعنی:
کنترل RIP رو دارید ولی اجرای کد هنوز ندارید
و این دقیقا همون جاییه که خیلی از exploit های مبتدی شکست میخورن
پس چرا NX اضافه شد؟
چون Shellcode injection خیلی رایج شده بود
NX
اومد که این سناریو رو ببنده:
با NX این زنجیره قطع میشه
اکسپلویترها چه کار کردن؟
وقتی اجرای کد جدید ممنوع شد ایده ی جدید شکل گرفت:
کد جدید اجرا نکنید از کدهای موجود استفاده کنید
و این شد:
Return Oriented Programming (ROP)
یعنی:
اجرای gadget های داخل باینری و libc
بدون اجرای کد تزریق شده
کاملا سازگار با NX
یک اشتباه رایج
NX ≠ ضد اکسپلویت
NX فقط:
اجرای کد تزریقی رو میبنده
ولی:
جلوی ROP رو نمیگیره
جلوی ret2libc رو نمیگیره
جلوی chain کردن gadget ها رو نمیگیره
برای همین هنوز exploit ممکنه فقط روشش عوض شده
NX
باعث میشه بخشهایی از حافظه مثل استک و هیپ قابل اجرای کد نباشن
یعنی دیگه نمیتونید به سادگی Shellcode تزریق کنید و اجراش کنید
همین باعث شد تکنیکهای پیشرفته تر مثل ROP به وجود بیان
پس NX اکسپلویت اخر نبود فقط روشش رو عوض کرد
NX
What is and why direct shellcode is usually not executed
About shellcode
Put the code on the stack
Push RIP onto the stack
The code was executed
But now this usually does not work
The reason is an important security mechanism:
NX = Non-Executable
What exactly does NX do?
NX
says:
Some memory sections are for data only, not for code execution
That is:
Stack → Data only
Heap → Data only
Instruction execution → Forbidden
If the CPU tries to execute an instruction from these sections → the program crashes immediately
What happens?
Suppose:
You put the shellcode into the buffer
You did the RIP to the address of the same buffer
On a system with NX:
The executable is not the CPU of this section
Segmentation fault
That is:
You have control of the RIP but you don't have the code execution yet
And this is exactly where many beginner exploits fail
So why was NX added?
Because shellcode injection had become so common
NX
was introduced to close this scenario:
With NX, this chain is broken
What did the exploiters do?
When new code execution was banned, a new idea was born:
Don't run new code, use existing code
And this is what happened:
Return Oriented Programming (ROP)
That is:
Executing gadgets inside binaries and libc
Without executing injected code
Completely compatible with NX
A common mistake
NX ≠ anti-exploit
NX only:
Stops execution of injected code
But:
It doesn't prevent ROP
It doesn't prevent ret2libc
It doesn't prevent chaining of gadgets
That's why exploits are still possible, just the method has changed
NX
Makes parts of memory like the stack and heap inaccessible to code
That means you can't simply inject shellcode and execute it
That's what gave rise to more modern techniques like ROP
So NX wasn't the last exploit, it just changed the method
@reverseengine
چیه و چرا Shellcode مستقیم معمولا اجرا نمیشه
درباره shellcode
کد رو داخل استک ریختید
RIP رو فرستادید روی استک
کد اجرا میشد
ولی الان معمولا این کار جواب نمیده
دلیلش یک مکانیزم امنیتی مهمه:
NX = Non-Executable
NX دقیقا چه کار میکنه؟
NX
میگه:
بعضی بخش های حافظه فقط برای داده هستن نه برای اجرای کد
یعنی:
استک → فقط داده
هیپ → فقط داده
اجرای دستور → ممنوع
اگر CPU تلاش کنه از این بخش ها دستور اجرا کنه → برنامه فورا کرش میکنه
چه اتفاقی میوفته؟
فرض کنید:
Shellcode رو داخل بافر ریختید
RIP رو کردید آدرس همون بافر
روی سیستم NX:
executable : نیست CPU این بخش
segmentation fault
یعنی:
کنترل RIP رو دارید ولی اجرای کد هنوز ندارید
و این دقیقا همون جاییه که خیلی از exploit های مبتدی شکست میخورن
پس چرا NX اضافه شد؟
چون Shellcode injection خیلی رایج شده بود
NX
اومد که این سناریو رو ببنده:
Copy code
input → overflow → shellcode → jump → execute
با NX این زنجیره قطع میشه
اکسپلویترها چه کار کردن؟
وقتی اجرای کد جدید ممنوع شد ایده ی جدید شکل گرفت:
کد جدید اجرا نکنید از کدهای موجود استفاده کنید
و این شد:
Return Oriented Programming (ROP)
یعنی:
اجرای gadget های داخل باینری و libc
بدون اجرای کد تزریق شده
کاملا سازگار با NX
یک اشتباه رایج
NX ≠ ضد اکسپلویت
NX فقط:
اجرای کد تزریقی رو میبنده
ولی:
جلوی ROP رو نمیگیره
جلوی ret2libc رو نمیگیره
جلوی chain کردن gadget ها رو نمیگیره
برای همین هنوز exploit ممکنه فقط روشش عوض شده
NX
باعث میشه بخشهایی از حافظه مثل استک و هیپ قابل اجرای کد نباشن
یعنی دیگه نمیتونید به سادگی Shellcode تزریق کنید و اجراش کنید
همین باعث شد تکنیکهای پیشرفته تر مثل ROP به وجود بیان
پس NX اکسپلویت اخر نبود فقط روشش رو عوض کرد
NX
What is and why direct shellcode is usually not executed
About shellcode
Put the code on the stack
Push RIP onto the stack
The code was executed
But now this usually does not work
The reason is an important security mechanism:
NX = Non-Executable
What exactly does NX do?
NX
says:
Some memory sections are for data only, not for code execution
That is:
Stack → Data only
Heap → Data only
Instruction execution → Forbidden
If the CPU tries to execute an instruction from these sections → the program crashes immediately
What happens?
Suppose:
You put the shellcode into the buffer
You did the RIP to the address of the same buffer
On a system with NX:
The executable is not the CPU of this section
Segmentation fault
That is:
You have control of the RIP but you don't have the code execution yet
And this is exactly where many beginner exploits fail
So why was NX added?
Because shellcode injection had become so common
NX
was introduced to close this scenario:
Copy code
input → overflow → shellcode → jump → execute
With NX, this chain is broken
What did the exploiters do?
When new code execution was banned, a new idea was born:
Don't run new code, use existing code
And this is what happened:
Return Oriented Programming (ROP)
That is:
Executing gadgets inside binaries and libc
Without executing injected code
Completely compatible with NX
A common mistake
NX ≠ anti-exploit
NX only:
Stops execution of injected code
But:
It doesn't prevent ROP
It doesn't prevent ret2libc
It doesn't prevent chaining of gadgets
That's why exploits are still possible, just the method has changed
NX
Makes parts of memory like the stack and heap inaccessible to code
That means you can't simply inject shellcode and execute it
That's what gave rise to more modern techniques like ROP
So NX wasn't the last exploit, it just changed the method
@reverseengine
🤔2