How to use Ghidra to Reverse Engineer Mobile Application

https://medium.com/bugbountywriteup/how-to-use-ghidra-to-reverse-engineer-mobile-application-c2c89dc5b9aa

@reverseengine

IDA Pro Debugger: Leveraging the Take Memory Snapshot Feature

https://www.youtube.com/watch?v=plaRysF1cxk

@reverseengine

MASM32 Code collection for reverse engineers

https://github.com/Xyl2k/Xylitol-MASM32-snippets

@reverseengine

DRAM Anatomy

https://twitter.com/konradkokosa/status/1343835231304998912

@reverseengine

A comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures

https://github.com/mytechnotalent/Reverse-Engineering-Tutorial

@reverseengine

K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation

https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html

#CVE-2024-36424

Project Zero: An iOS hacker tries Android

https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html

@reverseengine

ARM64 Android/Linux kernel gdb noscripts

https://github.com/duasynt/gdb_noscripts

@reverseengine

This is for the Pwners: Exploiting a WebKit 0-day in PlayStation 4

https://www.synacktiv.com/publications/this-is-for-the-pwners-exploiting-a-webkit-0-day-in-playstation-4.html

@reverseengine

Reversing Yubikey’s Static Password

https://xcellerator.github.io/posts/yubikey

@reverseengine

Ghidra Decompiler Plugin for IDA Pro

https://github.com/GregoryMorse/GhidraDec

@reverseengine

A Full-Featured HexEditor compatible with Linux/Windows/MacOS

https://github.com/echo-devim/fhex

@reverseengine

Ghidra framework for iOS kernelcache reverse engineering

https://github.com/0x36/ghidra_kernelcache

@reverseengine

Linux Kernel Adventures: Reversing and Exploiting a Linux Driver

https://media.handmade-seattle.com/linux-kernel-adventures

@reverseengine

Hexagon processor module for IDA Pro disassembler

https://github.com/n-o-o-n/idp_hexagon

@reverseengine

It's official! Dragon CTF 2020 has started on time!

https://ctf.dragonsector.pl

@reverseengine

Cobalt Strike 4.0 Source Code

https://github.com/Freakboy/CobaltStrike

@reverseengine

Hex-Rays MicroCode Explorer

https://github.com/gdbinit/MicrocodeExplorer

@reverseengine

APIMiner - The API Logger for Malwares - The Fast Way To Identifying Malwares

http://www.malware-analysis-and-detection-engineering.com/2020/09/apiminer-api-logger-for-malwares-fast.html

@reverseengine

Hot Chips 2025 presentations and videos

https://hc2025.hotchips.org

@reverseengine

این بخش داخل ریورس بدافزار آنپکینگ تحلیل فانکشن‌ های ++C و Lib ها استفاده میشه

Struct داخل struct

مثال C:

struct B {
int x;
int y;
};

struct A {
int id;
struct B pos;
double score;
};

داخل حافظه اینجوری دیده میشه:

offset 0 id (int)
offset 4 pos.x (int)
offset 8
pos.y (int)

offset 12 padding
(برای align کردن double)

offset 16 score (double)

در اسمبلی:

mov eax, DWORD PTR [rdi] ; id
mov eax, DWORD PTR [rdi + 4] ; pos.x
mov eax, DWORD PTR [rdi + 8] ; pos.y
movsd xmm0, [rdi + 16] ; score

نکته‌

اگر دیدید چند فیلد int پشت‌سر همن تقریبا همیشه یک struct است نه آرایه

اگر یک offset یهو زیاد شد مثل 16 یعنی وجود double / pointer / align



This section is used in reverse malware unpacking analysis of C++ functions and Libs

Struct inside struct

Example C:

struct B {
int x;
int y;
};

struct A {
int id;
struct B pos;
double score;
};

In memory it looks like this:

offset 0 id (int)

offset 4 pos.x (int)

offset 8
pos.y (int)

offset 12 padding
(to align double)

offset 16 score (double)

In assembly:

mov eax, DWORD PTR [rdi] ; id
mov eax, DWORD PTR [rdi + 4] ; pos.x
mov eax, DWORD PTR [rdi + 8] ; pos.y
movsd xmm0, [rdi + 16] ; score

Tip

If you see multiple int fields in a row, it's almost always a struct, not an array

If an offset suddenly increases, like 16, it means there's a double / pointer / align

@reverseengine