⚙ïļ Reverse Engineering

MA Backlog

Add new items here: https://malpedia.caad.fkie.fraunhofer.de/login and see also here https://objective-see.org/.

Types (from ChatGPT):
File infectors: these viruses infect executable files and are spread when the infected file is executed.

Process Injections

Windows: most of the information is taken from here, but more visualization is added. The screenshots from IDA Pro are also copied from that blog post.

📚 Basics

During a forensic investigation it is sometimes necessary to reverse engineer a suspicious piece of code. This section is a dive into reverse engineering.

⚙ïļ Exploits

This section is a collection of jailbreak exploits that I have digested and described. Note that the terms jailbreak and exploit do not mean the same thing.

IPC Analysis

In order to detect and respond to incidents in a short time, there are playbooks, which are basically guidelines. Some IR frameworks include these in order to ease the process.

🩻 Anatomy Of Executables

🍎 iOS Applications RE

During forensic analysis it is not too rare to run into a suspicious application. In this article I am going to learn to reverse engineer iOS applications.

🎁 Packed Executables And Unpacking

There are several indicators that an executable is packed. Here they are (this list will grow as I encounter new indicators):

⛏ Crackme Algorithm

Methodology:
1. Look at the strings: fs strings and f in radare2, or rabin2 -zz.
2. Find xrefs for the strings of interest: axt @ str.

📓 REFM

Rabin2
rabin2 -I [progname]    # main info about the program
rabin2 -z [progname]    # the strings from the binary's data section
rabin2 -zz [progname]   # all strings from the binary
rabin2 -zqq [progname]  # strings only, without additional info
rabin2 -x iGoat-Swift   # thin the (fat/universal) binary into per-architecture files

R2 Info
il   # libraries in use
ii   # imports (or iiq for the quiet, names-only form)

r2 [progname]   # launch radare2
> s main        # seek to the main function and go to it
> aa            # analyze all: functions, xrefs, etc. (run this before looking for xrefs)
> v             # pseudo GUI mode (hex editor)
> VV            # graph mode
> afvn user_input input   # rename a local variable and all the places it is referenced
# rename a function
> s function_old_name
> afn function_new_name
> c             # show cursor in visual mode
> afvd          # print all local variables of the current function
> u             # undo seek (go back to the previous position)