How to Build
With MinGW (on Windows):
For hotspot_sim.c:
mwindows to remove the console window and build the GUI
For gen_serial.c:
With MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
How to test and use
Inside a Windows VM, be sure to run the VM and snapshot for the hotspot_sim.exe file
Give it a name of your choice, for example Ali. Now either create the serial with gen_serial.exe Ali and paste it in the Serial field, or run the generation function inside the debugger and read the expected value
If the serial is correct, the MessageBox will display success
A short guide to analyzing in x64dbg / IDA
Search Strings
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → References usually indicate important functions
IsDebuggerPresent: breakpoint
On IsDebuggerPresent or the address that calls it, if it returns 1, the program will hit the error path
GetWindowTextA: breakpoint
Put it to see the value of name and serial in memory
Constants: Search for XOR constants (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) or the pattern %04X-%04X-%04X will take you to the serial generation function
Comparison: breakpoint on stricmp to see the two buffers before comparing
MessageBoxA:
Putting a breakpoint here will quickly tell you which branch was executed successfully or failed
@reverseengine
With MinGW (on Windows):
For hotspot_sim.c:
gcc hotspot_sim.c -o hotspot_sim.exe -mwindows
mwindows to remove the console window and build the GUI
For gen_serial.c:
gcc gen_serial.c -o gen_serial.exe
With MSVC (Developer Command Prompt):
hotspot_sim.c:
cl /EHsc hotspot_sim.c user32.lib gdi32.lib
gen_serial.c:
cl /EHsc gen_serial.c
How to test and use
Inside a Windows VM, be sure to run the VM and snapshot for the hotspot_sim.exe file
Give it a name of your choice, for example Ali. Now either create the serial with gen_serial.exe Ali and paste it in the Serial field, or run the generation function inside the debugger and read the expected value
If the serial is correct, the MessageBox will display success
A short guide to analyzing in x64dbg / IDA
Search Strings
: "Name:", "Serial:", "%04X-%04X-%04X", "Activate & Play" → References usually indicate important functions
IsDebuggerPresent: breakpoint
On IsDebuggerPresent or the address that calls it, if it returns 1, the program will hit the error path
GetWindowTextA: breakpoint
Put it to see the value of name and serial in memory
Constants: Search for XOR constants (0xA5A5A5A5, 0x5A5A5A5A, 0x3C3C3C3C) or the pattern %04X-%04X-%04X will take you to the serial generation function
Comparison: breakpoint on stricmp to see the two buffers before comparing
MessageBoxA:
Putting a breakpoint here will quickly tell you which branch was executed successfully or failed
@reverseengine
❤1
تحلیل استفاده از ابزارهای RMM برا بایپس EDR در حملات گروه های باج افزاری Medusa و DragonForce
Analysis of the use of RMM tools to bypass EDR in Medusa and DragonForce ransomware attacks
https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks
@FUZZ0x
Analysis of the use of RMM tools to bypass EDR in Medusa and DragonForce ransomware attacks
https://zensec.co.uk/blog/how-rmm-abuse-fuelled-medusa-dragonforce-attacks
@FUZZ0x
Zensec
How RMM abuse fuelled Medusa & DragonForce attacks - Zensec
If you are reading this because you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.
❤1
Bootloader to Iris: A Security Teardown of a Hardware Wallet
https://hhj4ck.github.io/en/iris-wallet-security-teardown.html
@reverseengine
https://hhj4ck.github.io/en/iris-wallet-security-teardown.html
@reverseengine
Guanxing’s Blog
Bootloader to Iris: A Security Teardown of a Hardware Wallet
Recently, I got my hands on a hardware wallet that features iris recognition as a selling point. The novelty of the iris component sparked my curiosity, so I decided to take a deep dive into its implementation. Since the wallet’s hardware and software design…
❤1
Malware Development Evading Diaries
NTFS Files Attributes:
FuncIn
Code Cave
Stolen Certificate
Redirect Antivirus Website Evading Techniques:
Shortcut Hiding
Disabling Antivirus
Adding Antivirus Exception
Fake Signature
Mark-Of-The-Web (MOTW) Bypass
Return Address Spoofing
Runtime Function Decryption
DLL Unhooking
How DLL Unhooking works
Unhooking Strategies
Evasion Using Direct Syscalls
Key Aspects of This Technique
Operational Mechanis
Featured Windows APIs
Unloading Module With FreeLibrary
Operational Overview
Key Aspects of This Technique
Featured Windows APIs
References
@reverseengine
NTFS Files Attributes:
FuncIn
Code Cave
Stolen Certificate
Redirect Antivirus Website Evading Techniques:
Shortcut Hiding
Disabling Antivirus
Adding Antivirus Exception
Fake Signature
Mark-Of-The-Web (MOTW) Bypass
Return Address Spoofing
Runtime Function Decryption
DLL Unhooking
How DLL Unhooking works
Unhooking Strategies
Evasion Using Direct Syscalls
Key Aspects of This Technique
Operational Mechanis
Featured Windows APIs
Unloading Module With FreeLibrary
Operational Overview
Key Aspects of This Technique
Featured Windows APIs
References
@reverseengine
❤5
❤1
Reversing Microsoft Defender's Signatures for Evasion
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
@reverseengine
https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
@reverseengine
❤1
Exploiting Windows Kernel
CVE-2023–28218
https://theori.io/blog/exploiting-windows-kernel-wild-copy-with-user-fault-handling-cve-2023-28218
@reverseengine
CVE-2023–28218
https://theori.io/blog/exploiting-windows-kernel-wild-copy-with-user-fault-handling-cve-2023-28218
@reverseengine
theori.io
Exploiting Windows Kernel Wild Copy With User Fault Handling (CVE-2023–28218) - Theori BLOG
At Hexacon 2023, we presented our Windows kernel security research, uncovering CVE-2023-28218, a heap overflow in afd.sys. Read our exploit analysis and methodology. | Vulnerability Research
❤1