Reverse Engineering WebAssembly
https://medium.com/%40pnfsoftware/reverse-engineering-webassembly-ed184a099931
@reverseengine
Medium
Reverse Engineering WebAssembly
This is an abridged version of http://www.pnfsoftware.com/reversing-wasm.pdf. For additional details, including footnotes, as well as…
Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing
https://cloud.google.com/blog/topics/threat-intelligence/time-travel-debugging-using-net-process-hollowing?linkId=17730646
@reverseengine
Google Cloud Blog
Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing Case Study | Google Cloud Blog
The basics of WinDbg and Time Travel Debugging necessary to start incorporating it into your analysis.
UPX Unpacking: Manual Reverse Engineering
https://guidedhacking.com/threads/how-to-unpack-upx-using-x64dbg.20985
@reverseengine
Fully Undetectable Windows Shellcode Loader Now Available in IRIS C2
https://www.irisc2.com/blog/javelin-fud-loader
@reverseengine
Irisc2
JAVELIN: Fully Undetectable Windows Shellcode Loader Now Available in IRIS C2
JAVELIN enables users to deliver MANTIS stage zero shellcode into memory on target devices without triggering AV, EDR, or XDR solutions.
Using EDR-Redir to Break EDR Via Bind Link and Cloud Filter
https://www.zerosalarium.com/2025/10/DR-Redir-Break-EDR-Via-BindLink-Cloud-Filter.html?m=1
@reverseengine
Zerosalarium
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter
EDR-Redir uses BindLink Filter and Windows Cloud Filter to inject, corrupt, and disable EDRs.
Process Hollowing on Windows 11 24H2
https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2
@reverseengine
hasherezade's 1001 nights
Process Hollowing on Windows 11 24H2
Process Hollowing (a.k.a. RunPE) is probably the oldest, and the most popular process impersonation technique (it allows running a malicious executable under the cover of a benign process). It is us…
Epic
EPIC is a Toolkit for Developing and Building C-to-PIC Shell Code
https://github.com/Print3M/epic
@reverseengine
GitHub
GitHub - Print3M/epic: Extensible Position Independent Code – shellcode (C/C++) development and building toolkit designed for developer…
Extensible Position Independent Code – shellcode (C/C++) development and building toolkit designed for developer experience, predictability, and modularity. - Print3M/epic
Exploit Writting Tutorial From Basic To Intermediate
http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-tutorial-from.html
@reverseengine
Blogspot
[TUTORIAL] Exploit Writting Tutorial From Basic To Intermediate
Malware analysis, vulnerability analysis, exploit analysis, exploit development, WIndows Kernel, Mac OS X. Anything about computer security
Reverse Engineering WhatsApp Encryption for Chat Manipulation
https://www.youtube.com/watch?v=N0Ne623fKWc
@reverseengine
YouTube
Reverse Engineering WhatsApp Encryption for Chat Manipulation and More
We managed to reverse engineer WhatsApp web source code and successfully decrypted WhatsApp traffic. During the process we translated all WhatsApp web functions to python and created Burpsuit extension that you can use to investigate WhatsApp traffic and…
Pointers, References and Dynamic Memory Allocation
https://www3.ntu.edu.sg/home/ehchua/programming/cpp/cp4_PointerReference.html
@reverseengine
Local Variables on the Stack

When a function has a local variable, the compiler reserves space for it on the stack.

Complete stack frame structure

After executing the prologue:

    push rbp
    mov rbp, rsp
    sub rsp, X                   ; create space for local variables

The structure becomes:

    [ rbp+16 ] Third argument
    [ rbp+8  ] Return address
    [ rbp+0  ] Previous RBP
    [ rbp-8  ] Local variable 1
    [ rbp-16 ] Local variable 2

Example:

    int foo(int x) {
        int t = x + 3;
        return t * 2;
    }

Assembly:

    foo:
        push rbp
        mov rbp, rsp
        sub rsp, 16                  ; local variable space
        mov DWORD PTR [rbp-4], edi   ; t = x
        add DWORD PTR [rbp-4], 3     ; t = x + 3
        mov eax, DWORD PTR [rbp-4]
        add eax, eax                 ; eax = t * 2
        leave
        ret

Important notes:

The variable t is placed on the stack at address rbp-4.
Because it is an int, its size is 4 bytes.
eax holds the function's return value.
@reverseengine
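To make the frame layout above concrete, here is an added example (written for this page, not from the channel post) in C: a tiny emulator of the x86-64 stack that executes the post's foo instruction by instruction, including a simulated call, and then reads back each slot relative to rbp so the positions of the return address, the saved rbp and the local t can be checked rather than assumed. The Cpu and Trace structures, the 256-byte simulated stack, and the sentinel values 0x1005 (return address) and 0xAAAA (caller's rbp) are all constructed for the example. One caveat on the table: in the SysV x86-64 ABI the first six integer arguments travel in registers (the post's own listing shows x arriving in edi), so [rbp+16] holds the first argument that was passed on the stack, not an argument that would have gone in a register.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 256   /* simulated stack; "addresses" are byte offsets into it (constructed) */

/* Minimal model of the registers and memory that the post's foo touches. */
typedef struct {
    uint64_t rsp, rbp, rip;
    uint32_t eax, edi;
    uint8_t stack[STACK_SIZE];
} Cpu;

/* Little-endian loads and stores into the simulated stack. */
static void store64(Cpu *c, uint64_t addr, uint64_t v) { memcpy(&c->stack[addr], &v, 8); }
static uint64_t load64(const Cpu *c, uint64_t addr) { uint64_t v; memcpy(&v, &c->stack[addr], 8); return v; }
static void store32(Cpu *c, uint64_t addr, uint32_t v) { memcpy(&c->stack[addr], &v, 4); }
static uint32_t load32(const Cpu *c, uint64_t addr) { uint32_t v; memcpy(&v, &c->stack[addr], 4); return v; }

/* x86-64 push/pop: the stack grows downward, 8 bytes per slot. */
static void push(Cpu *c, uint64_t v) { c->rsp -= 8; store64(c, c->rsp, v); }
static uint64_t pop(Cpu *c) { uint64_t v = load64(c, c->rsp); c->rsp += 8; return v; }

/* What we observe while foo's frame is live, plus the state after ret. */
typedef struct {
    uint32_t result;            /* eax after ret */
    uint64_t rbp_in_foo;        /* frame base while inside foo */
    uint64_t rsp_before_call;   /* caller's rsp before "call foo" */
    uint64_t rsp_after_ret;     /* should equal rsp_before_call */
    uint64_t rip_after_ret;     /* should equal the pushed return address */
    uint64_t slot_rbp_plus_8;   /* [rbp+8]: return address */
    uint64_t slot_rbp_plus_0;   /* [rbp+0]: caller's rbp */
    uint32_t slot_rbp_minus_4;  /* [rbp-4]: the local t */
} Trace;

#define RETURN_ADDR 0x1005u   /* constructed: address of the instruction after "call foo" */
#define CALLER_RBP  0xAAAAu   /* constructed: caller's frame pointer (a sentinel value, not a stack offset) */

/* Emulate "mov edi, x ; call foo" followed by the post's foo, instruction by instruction. */
Trace run_foo(uint32_t x)
{
    Cpu c;
    memset(&c, 0, sizeof c);
    c.rsp = STACK_SIZE;            /* empty stack: rsp points one past the highest byte */
    c.rbp = CALLER_RBP;
    c.edi = x;                     /* first integer argument travels in edi (SysV ABI) */

    Trace tr;
    memset(&tr, 0, sizeof tr);
    tr.rsp_before_call = c.rsp;

    push(&c, RETURN_ADDR);         /* call foo: push the return address, then jump to foo */

    push(&c, c.rbp);               /* push rbp */
    c.rbp = c.rsp;                 /* mov rbp, rsp */
    c.rsp -= 16;                   /* sub rsp, 16 ; local variable space */
    tr.rbp_in_foo = c.rbp;

    store32(&c, c.rbp - 4, c.edi);                       /* mov DWORD PTR [rbp-4], edi ; t = x */
    store32(&c, c.rbp - 4, load32(&c, c.rbp - 4) + 3);   /* add DWORD PTR [rbp-4], 3   ; t = x + 3 */
    c.eax = load32(&c, c.rbp - 4);                       /* mov eax, DWORD PTR [rbp-4] */
    c.eax += c.eax;                                      /* add eax, eax ; eax = t * 2 */

    /* Snapshot the frame while it is still live. */
    tr.slot_rbp_minus_4 = load32(&c, c.rbp - 4);
    tr.slot_rbp_plus_0  = load64(&c, c.rbp);
    tr.slot_rbp_plus_8  = load64(&c, c.rbp + 8);

    c.rsp = c.rbp;                 /* leave = mov rsp, rbp */
    c.rbp = pop(&c);               /*         pop rbp      */
    c.rip = pop(&c);               /* ret   = pop rip      */

    tr.result = c.eax;
    tr.rsp_after_ret = c.rsp;
    tr.rip_after_ret = c.rip;
    return tr;
}

int main(void)
{
    Trace tr = run_foo(5);
    printf("foo(5) = %u\n", tr.result);
    printf("[rbp+8] = 0x%llx (return address)\n", (unsigned long long)tr.slot_rbp_plus_8);
    printf("[rbp+0] = 0x%llx (caller's rbp)\n", (unsigned long long)tr.slot_rbp_plus_0);
    printf("[rbp-4] = %u (t)\n", tr.slot_rbp_minus_4);
    printf("rsp restored after ret: %s\n", tr.rsp_after_ret == tr.rsp_before_call ? "yes" : "no");
    return 0;
}
```

Running it shows the return address sitting at [rbp+8] and the saved frame pointer at [rbp+0], exactly as in the table, with t occupying 4 bytes just below rbp inside the 16 bytes the prologue reserved, and rsp back at its pre-call value once leave/ret have unwound the frame. The same slot arithmetic is what a debugger does when it walks a frame-pointer-based stack, which is why the [rbp+8] slot is the one to watch in a stack-overflow investigation.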