UEFI scanner brings Microsoft Defender ATP protection to a new level
https://www.microsoft.com/security/blog/2020/06/17/uefi-scanner-brings-microsoft-defender-atp-protection-to-a-new-level
@reverseengine
Microsoft News
The UEFI scanner is a new component of the built-in antivirus solution on Windows 10 and gives Microsoft Defender ATP the ability to scan inside of the firmware filesystem and perform security assessment.
OSX.EvilQuest Uncovered analyzing a new piece of mac ransomware and more!
https://objective-see.com/blog/blog_0x59.html
@reverseengine
Objective-See
OSX.EvilQuest Uncovered
part i: infection, persistence, and more!
How to unc0ver a 0-day in 4 hours or less
https://googleprojectzero.blogspot.com/2020/07/how-to-unc0ver-0-day-in-4-hours-or-less.html
@reverseengine
projectzero.google
How to unc0ver a 0-day in 4 hours or less - Project Zero
By Brandon Azad, Project Zero. At 3 PM PDT on May 23, 2020, the unc0ver jailbreak was released for iOS 13.5 (the latest signed version at the time of release) ...
Cracking BattlEye packet encryption
https://secret.club/2020/06/19/battleye-packet-encryption.html
@reverseengine
secret club
Recently, Battlestate Games, the developers of Escape From Tarkov, hired BattlEye to implement encryption on networked packets so that cheaters can’t capture these packets, parse them and use them for their advantage in the form of radar cheats, or otherwise.…
The Intezer Analyze IDA Pro plugin is now available to community users
https://intezer.com/blog/intezer-analyze/ida-pro-plugin-now-available-to-the-community
@reverseengine
Intezer
IDA Pro Plugin Now Available to the Community
Accelerate reverse engineering by enriching every function of disassembled machine code with info about where the code was seen previously.
Sorry, I have university exams and can't keep up right now. Once they're over, we'll continue stronger.
I'm not feeling well at all; you know the reason. When I get better, activity will go back to how it was before. I apologize 💔
I hope you are well, my brothers and sisters. We will start again soon 🖤
How LLMs feed Your RE Habit
https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs
@reverseengine
clearbluejar
How LLMs Feed Your RE Habit: Following the Use-After-Free Trail in CLFS
Dive into how LLMs and pyghidra-mcp accelerate reverse engineering by tracing a UAF vulnerability in CLFS through a patch diff.
19 Shades of LockBit5.0
https://www.levelblue.com/blogs/spiderlabs-blog/19-shades-of-lockbit5.0-inside-the-latest-cross-platform-ransomware-part-1
@reverseengine
Levelblue
19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware: Part 1
This three-part blog series presents an analysis of a cross-platform LockBit 5.0 ransomware payload affecting Windows, Linux, and ESXi environments.
Operating System for Reverse Engineering
🟢 1️⃣ Process
Process = a running program.
When an executable file is run, the operating system creates a Process, gives it a PID, allocates it a separate memory space, and gives it its own registers and context.
Each Process:
has its own separate memory
has its own separate Stack and Heap
has its own modules (DLL / SO)
Why this matters in reverse engineering:
because the binary you are analyzing runs inside a Process, and everything happens inside that space.
@reverseengine
🟢 2️⃣ Thread
Thread = the unit of execution inside a Process.
Each Process has at least one Thread.
Each Thread:
has its own separate Stack
has its own separate registers
but shares the Process's memory
Very important: some behaviors run in separate Threads, so when debugging you must follow the right Thread.
@reverseengine
So far we have covered assembly completely, everything that was needed, and now it's time to learn the operating system. This part is very important.
A Ghidra processor module for the EFI Byte Code (EBC)
https://github.com/meromwolff/Ghidra-EFI-Byte-Code-Processor
@reverseengine
GitHub
GitHub - meromwolff/Ghidra-EFI-Byte-Code-Processor: A Ghidra processor module for the EFI Byte Code (EBC)
Tools used during the reversing of the Nikon firmware
https://github.com/simeonpilgrim/nikon-firmware-tools
@reverseengine
GitHub
GitHub - simeonpilgrim/nikon-firmware-tools: Tools used during the reversing of the Nikon firmware
Thread-Name Calling - A new process injection technique using Thread Name.
The code to be injected is passed as a thread description to the target.
https://research.checkpoint.com/2024/thread-name-calling-using-thread-name-for-offense/
@reverseengine
Check Point Research
Thread Name-Calling - using Thread Name for offense - Check Point Research
Research by: hasherezade Highlights: Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purposes such as: Due to the fact that interference in the memory…