ReverseEngineering – Telegram
ReverseEngineering
@reverseengine
1.24K subscribers
40 photos
10 videos
55 files
666 links
Download Telegram
About
Blog
Apps
Platform
Join
ReverseEngineering
1.24K subscribers
ReverseEngineering
This media is not supported in your browser
VIEW IN TELEGRAM
Injection DLLs into the explorer process using icons

https://github.com/d419h/IconJector

@reverseengine
5
129 viewsedited  
ReverseEngineering
Forwarded from DarkBit
New Persistence Method In Windows.pdf
1.8 MB
🔒 تکنیک جدید Persist در ویندوز! 

📌 خلاصه مقاله: 
در این بخش به معرفی یک تکنیک پایداری (Persistence) در ویندوز می‌پردازیم که با استفاده از تزریق و جایگزینی DLL با دسترسی کاربر پیاده‌سازی شده است. در این روش، فایل DLL مخرب توسط فرآیند svchost.exe اجرا می‌شود و امکان اجرای مداوم و مخفیانه کد در سیستم هدف را فراهم می‌سازد.

#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals

💬 Forum 
📣 DarkBit
7👍1
119 views
ReverseEngineering
Forwarded from DarkBit
source.rar
2.6 KB
Password: @DarkBitx
7
119 views
ReverseEngineering
DarkBit
New Persistence Method In Windows.pdf
🔒 New Persist Technique in Windows!

📌 Article Summary:
In this section, we will introduce a persistence technique in Windows that is implemented using DLL injection and replacement with user access. In this method, the malicious DLL file is executed by the svchost.exe process, allowing continuous and secret code execution on the target system.

#RedTeam #CyberSecurity
#Maldev #Persistence
#WindowsInternals

💬 Forum 
📣 DarkBit
Telegram
DarkBit Community | انجمن دارک‌بیت
Channel: @DarkBitx
6
180 views
ReverseEngineering
Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows

https://connormcgarr.github.io/km-shadow-stacks

@reverseengine
Connor McGarr’s Blog
Exploit Development: Investigating Kernel Mode Shadow Stacks on Windows
Using SourcePoint’s JTAG debugger to investigate the implementation of Intel CET Shadow Stacks in kernel-mode on Windows
5
162 viewsedited  
ReverseEngineering
RSA Backdoor Generator

https://github.com/monsieurPale/RSA-Backdoor

@reverseengine
GitHub
GitHub - monsieurPale/RSA-Backdoor: Generate backdoored RSA keys using SETUP
Generate backdoored RSA keys using SETUP . Contribute to monsieurPale/RSA-Backdoor development by creating an account on GitHub.
1
136 views
ReverseEngineering
Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem

https://faith2dxy.xyz/2025-10-02/kCTF-TLS-nday-analysis

@reverseengine
faith2dxy.xyz
Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem
I recently decided to start doing some Linux kernel security research in my free time, with the goal of creating one of my own submissions in Google's kernelCTF…
1
111 views
ReverseEngineering
Writing an operation system

https://www.youtube.com/playlist?list=PL980gcR1LE3LBuWuSv2CL28HsfnpC4Qf7

@reverseengine
YouTube
Writing an operating system
Share your videos with friends, family, and the world
1
110 views
ReverseEngineering
Rowhammer Attacks on DDR5

https://thehackernews.com/2025/09/phoenix-rowhammer-attack-bypasses.html

https://youtu.be/1emxVQ6__qg

@reverseengine
YouTube
Phoenix – Rowhammer Attacks on DDR5 ::: PTE Exploit Demo
This video demonstrates the end-to-end PTE exploit that we mounted using our novel Phoenix attack on DDR5. This is the first Rowhammer privilege escalation exploit on a DDR5 device.

For more information about Phoenix, please visit: https://comsec.ethz.ch/phoenix.…
1
101 viewsedited  
ReverseEngineering
PowerShell Obfuscator

https://github.com/TaurusOmar/psobf

@reverseengine
GitHub
GitHub - TaurusOmar/psobf: PowerShell Obfuscator
PowerShell Obfuscator. Contribute to TaurusOmar/psobf development by creating an account on GitHub.
5
118 views
ReverseEngineering
A Trace Explorer for Reverse Engineers

https://github.com/gaasedelen/tenet

@reverseengine
GitHub
GitHub - gaasedelen/tenet: A Trace Explorer for Reverse Engineers
A Trace Explorer for Reverse Engineers. Contribute to gaasedelen/tenet development by creating an account on GitHub.
1
125 viewsedited  
ReverseEngineering
Ghidra Scripts/Plugins/Extension

https://github.com/AllsafeCyberSecurity/awesome-ghidra

@reverseengine
GitHub
GitHub - AllsafeCyberSecurity/awesome-ghidra: A curated list of awesome Ghidra materials
A curated list of awesome Ghidra materials. Contribute to AllsafeCyberSecurity/awesome-ghidra development by creating an account on GitHub.
1
127 views
ReverseEngineering
A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence

https://github.com/MCUSec/uEmu

@reverseengine
GitHub
GitHub - MCUSec/uEmu: A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence.
A Universal MCU Firmware Emulator for Dynamic Analysis without Any Hardware Dependence. - MCUSec/uEmu
1
157 viewsedited  
ReverseEngineering
VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture

https://back.engineering/17/05/2021/

@reverseengine
5
161 viewsedited  
ReverseEngineering
Malware Research

https://0x0d4y.blog/amadey-targeted-analysis

@reverseengine
0x0d4y Malware Research -
[Amadey] Targeted Analysis of its Campaign’s Kill Chain, String and Traffic Encryption Algorithm, and Download of Additional Modules…
A while back, I wrote a post about my BabbleLoader research (which you can access here), where in addition to reverse engineering its defense evasion capabilities, I also analyzed the public intelligence available on how the sample I was analyzing had been…
5
190 viewsedited  
ReverseEngineering
ReverseEngineering
PowerShell Obfuscator https://github.com/TaurusOmar/psobf @reverseengine
7
183 views
ReverseEngineering
Pointer Arithmetic & Array Access

دسترسی به آرایه تک‌ بعدی

دستور کلی:

arr[i] = *(arr + i)


در اسمبلی:

mov eax, DWORD PTR [rdi + rsi*4]


این خط یعنی:

rdi آدرس base آرایه

rsi مقدار i

*4 چون int = 4 bytes


نکته مهم برای ریورس:
هر وقت ضربدر 1/2/4/8 دیدی نوع داده مشخص میشه

ضربدر نوع داده

*1 char
*2 short
*4 int/float
*8 long/double/pointer





Pointer Arithmetic & Array Access

Accessing a one-dimensional array

General instruction:

arr[i] = *(arr + i)


In assembly:

mov eax, DWORD PTR [rdi + rsi*4]


This line means:

rdi base address of the array

rsi value of i

*4 because int = 4 bytes


Important note for reverse:

Whenever you see multiplication by 1/2/4/8, the data type is specified

Multiplication by data type

*1 char
*2 short
*4 int/float
*8 long/double/pointer


@reverseengine
2
126 views
ReverseEngineering
آرایه دو‌بعدی در حافظه Row-Major Layout

C
همه رو به صورت پشت‌ سر هم ذخیره میکنه

arr[i][j] = *(base + (i * ncols + j))


در اسمبلی:

mov eax, DWORD PTR [rdi + rsi*8 + rdx*4]


اگر 8 = ncols * 4 پس:

i * ncols * sizeof(int)


چیزی که باید بلد باشید: به عدد ضربی در index نگاه کنید تعداد ستون‌ها را میفهمی



2D Array in Memory Row-Major Layout

C Stores everything in a row

arr[i][j] = *(base + (i * ncols + j))


In assembly:

mov eax, DWORD PTR [rdi + rsi*8 + rdx*4]


If 8 = ncols * 4 then:

i * ncols * sizeof(int)


Something you should know: Look at the multiplier in the index to get the number of columns

@reverseengine
2
106 views
ReverseEngineering
دسترسی به struct

struct X {
int a; // offset 0
int b; // offset 4
double c; // offset 8
};


در اسمبلی:

mov eax, DWORD PTR [rdi] ; a
mov eax, DWORD PTR [rdi + 4] ; b
movsd xmm0, [rdi + 8] ; c


نکته:
double
همیشه با XMM رجیستر لود میشه




Accessing struct

struct X {
int a; // offset 0
int b; // offset 4
double c; // offset 8
};



In assembly:

mov eax, DWORD PTR [rdi] ; a
mov eax, DWORD PTR [rdi + 4] ; b
movsd xmm0, [rdi + 8] ; c


Note: double is always loaded with XMM register

@reverseengine
2
96 viewsedited  
ReverseEngineering
Pointer Arithmetic

اگر دیدید:

lea rax, [rdi + rsi*8]


یعنی:

pointer جا به جا میشه

هیچ read/write انجام نشده

فقط آدرس محاسبه شده


در C:

ptr = arr + i;



الگوی Flattened Arrays

کد اسمبلی:

int arr[3][4];
return arr[i][j];



اسمبلی الگوی دائمیش:

i * 4*size_row + j * 4


یعنی:

rdi + rsi*16 + rdx*4


حتی اگر بدون معنی باشه همیشه تابع همین الگو رو میسازه




Pointer Arithmetic

If you see:

lea rax, [rdi + rsi*8]


That means:

Pointer is moved

No read/write is done

Only address is calculated

In C:

ptr = arr + i;




Flattened Arrays Pattern

Assembly code:

int arr[3][4];

return arr[i][j];


Assembly its constant pattern:

i * 4*size_row + j * 4


That means:

rdi + rsi*16 + rdx*4


Even if it is meaningless, it always creates a function of this pattern

@reverseengine
2
105 views
ReverseEngineering
مهم‌ترین چیز این بخش برای ریورس

با دیدن ضرب‌ ها تعداد ستون‌ ها و نوع داده رو تشخیص بدید

مثال:

mov eax, DWORD PTR [rdi + rsi*20 + rdx*4]



چون 20 = 5*4 پس آرایه 2D است با 5 ستون


چطور بفهمیم pointer به عنوان iterator استفاده شده؟

اگر دیدی:

add rdi, 4


یعنی pointer افزایش داده شده

معادل:

ptr++;


اگر:

add rdi, 8

یعنی دابل (++)



The most important thing in this section for reverse

Distinguish the number of columns and data type by looking at the multiplications

Example:

mov eax, DWORD PTR [rdi + rsi*20 + rdx*4]



Since 20 = 5*4, it is a 2D array with 5 columns

How do we know that a pointer is used as an iterator?

If you see:

add rdi, 4


it means the pointer has been incremented

Equivalent to:

ptr++;


If:

add rdi, 8


it means double (++)

@reverseengine
2
88 viewsedited