This is my curated list of articles I’ve read, organized by date with summaries and keywords for easy reference.

Looking for videos? Check out my Watching list.

Great sources

A list of great sources for articles and blogs.

Posts

Articles (186)


Armadillo's Nanomites: Anti-Debugging Pushed to the Extreme

Armadillo's nanomites use a radical anti-debugging technique based on self-debugging, where a parent process simulates a legitimate debugger to control a child instance, making dynamic analysis nearly impossible. The core of the protection relies on replacing conditional instructions with INT 3 breakpoints, forcing the parent to dynamically reconstruct logical control flow at runtime.

  • Anti-Debugging
  • Reverse Engineering
  • Binary Analysis

I Decompiled the White House's New App

The White House's official app, built with React Native and Expo, reveals significant privacy and security concerns, including JavaScript injection to strip privacy banners from third-party websites, embedded GPS tracking infrastructure and reliance on third-party services like OneSignal for extensive user profiling and location data collection.

  • Mobile Security
  • Privacy
  • Anti-Tampering

Obfuscation Through Virtualization: How Does It Work?

The article explains advanced obfuscation through virtualization, a technique used by tools like VMProtect or Denuvo to protect software against reverse engineering. It replaces native code with a proprietary language interpreted by an injected virtual machine, making analysis complex through mechanisms such as encrypted bytecode, CFG breaking, and obscure arithmetic-logical computations.

  • Virtualization
  • Obfuscation

mitmproxy for fun and profit: Interception and traffic analysis

mitmproxy is a powerful open-source tool for intercepting, analyzing, and modifying network traffic (HTTP/HTTPS, TCP/UDP) in man-in-the-middle mode, running on Linux, Android, and iOS. It enables bypassing mechanisms like certificate pinning through techniques adapted to each platform, while offering advanced features such as scripting to manipulate complex protocols like gRPC or protobuf.

  • MITM
  • Tooling
  • Network Analysis

the watchers, pt. 2: the correspondence

This follow-up piece documents the unprecedented correspondence between a security researcher and Persona CEO Rick Song regarding leaked source code exposing 269 verification checks, biometric processing, and potential surveillance ties.

  • Privacy
  • Leaks
  • Identity Verification

Investigating a music player app that claims to scan against viruses

A music player app, Muzio Player, requested unusual permissions (including access to call logs) on the pretext that it scans for viruses after calls, which turned out to be a misleading tactic. Static and dynamic analysis revealed that the app primarily used the permission to trigger ads and premium prompts, sending device data to ad networks.

  • Android Security
  • Reverse Engineering
  • Adware
  • Privacy

Intego X9: When your macOS antivirus becomes your enemy

This analysis reveals critical local privilege escalation vulnerabilities in Intego X9's macOS applications, exploiting race conditions and insecure handling of sensitive operations. Researchers demonstrated how attackers could bypass security checks in tools like Intego Log Reporter and Personal Backup to gain root access, bypassing even the antivirus itself.

  • macOS Security
  • LPE
  • Race Condition

Chinese Toy Drone Hacking Tricks

A team reverse-engineered a Chinese toy drone by intercepting and analyzing its wireless communication packets using tools like Wireshark and PCAPdroid. They decoded the protocol's structure—identifying fixed headers, variable command bytes, and packet clusters—to programmatically control flight movements, including takeoff, direction changes, and simple patterns.

  • Drone Hacking
  • Reverse Engineering
  • Wireshark
  • MITM

Tower of Flaws: Dismantling Tower of Fantasy's Anti-Cheat Driver While Waiting for The Game to Install

An unobfuscated anti-cheat driver for Tower of Fantasy was analyzed, revealing severe security flaws despite being unused by the game. The driver features weak authentication (a hardcoded magic value) and exposes critical vulnerabilities, including arbitrary process termination and handle manipulation, enabling potential BYOVD (Bring Your Own Vulnerable Driver) attacks.

  • Windows Security
  • Anti-Cheat
  • Driver Vulnerability
  • BYOVD

Recreating uncensored Epstein PDFs from raw encoded attachments

The article highlights the Department of Justice's flawed handling of Jeffrey Epstein's archived emails and attachments, including corrupted base64-encoded PDFs and poor redaction practices. A researcher demonstrates how to recover uncensored PDFs by manually decoding base64 data from poorly OCR'd scans, despite challenges like font distortions (Courier New) and JPEG artifacts.

  • Digital Forensics
  • OCR
  • Data Recovery

Hacking An Asecam IP Camera PART 1

This guide details the process of gaining physical access to an ASECAM IP camera by opening its casing and identifying the UART interface. After establishing a connection to the U-Boot shell, the firmware is extracted and modified to include a hidden login prompt. The squashfs file system is repacked, and the modified firmware is loaded using a TFTP server within U-Boot.

  • IoT Security
  • Hardware Hacking
  • UART
  • U-Boot
  • Firmware Analysis

Hacking An Asecam IP Camera PART 2

This post details the continuation of hacking an Asecam IP camera. It covers writing modified firmware to the SPI flash storage, verifying the changes by comparing hash signatures, and gaining root access via UART or Telnet. The process involves using tools like binwalk to analyze firmware structure and specialized commands to modify and verify the file system.

  • IoT Security
  • Hardware Hacking
  • SPI Flash
  • Firmware Analysis

IoT Security — A Damn Vulnerable Intercom

A security assessment of a smart intercom revealed severe vulnerabilities, including passwordless root access via Telnet and UART interfaces, exposed MQTT credentials, and plaintext sensitive data. The device, connected to a shared guest WiFi network, allowed attackers to hijack video streams or unlock the front door remotely.

  • IoT Security
  • Hardware Hacking
  • MQTT
  • UART

analyzing CVE-2025-65606

The analysis explores CVE-2025-65606, an unpatched vulnerability in the Totolink EX200 router (firmware V4.0.3c) that exploits improper error handling in firmware uploads to trigger a telnet service.

  • IoT Security
  • CVE
  • RCE
  • Firmware Analysis

Reverse Engineering an ANJIA AJ-L73PA1250 PTZ IP Camera

This analysis reveals severe security flaws in a camera, including hardcoded credentials, unauthenticated backdoors and disabled authentication for RTSP and Telnet. The camera exposes multiple vulnerabilities, such as a bypassable U-Boot password, plaintext Wi-Fi credentials, and direct root access via network protocols.

  • IoT Security
  • Reverse Engineering
  • Hardcoded Credentials

Drone Hacking Part 1: Dumping Firmware and Bruteforcing ECC

This article details the process of extracting firmware from a Potensic Atom 2 drone by desoldering the flash chip and dumping its contents. It then explores the challenges of correcting corrupted firmware data using BCH error correction codes, including the identification of the primitive polynomial and brute-forcing the error correction process.

  • Hardware Hacking
  • Drone Hacking
  • Firmware Extraction
  • ECC

TP-Link Tapo C200: Hardcoded Keys, Buffer Overflows and Privacy in the Era of AI Assisted Reverse Engineering

Security researcher Simone Margaritelli discovered multiple vulnerabilities in the TP-Link Tapo C200 IP camera, including hardcoded private keys, buffer overflows, and pre-authentication WiFi hijacking. Using AI-assisted reverse engineering, the researcher identified four vulnerabilities affecting thousands of devices exposed on the internet.

  • IoT Security
  • Reverse Engineering
  • Buffer Overflow
  • AI / LLM

Exploiting Anno 1404

This analysis explores vulnerabilities in the strategy game Anno 1404. Key flaws include a path traversal vulnerability in the multiplayer save file transfer mechanism and an out-of-bounds write vulnerability in the GR2 file format parser. These issues allow arbitrary code execution by manipulating file transfers or exploiting memory corruption in the game's 3D model loading system.

  • Game Hacking
  • RCE
  • Heap Overflow
  • ASLR Bypass

JuiceSSH - Give me my pro features back

This article describes how to restore pro features in JuiceSSH, an Android SSH client. The solution involves decompiling the app, patching specific code to bypass payment checks, recompiling, and self-signing the APK.

  • Reverse Engineering
  • Mobile Security
  • Software Cracking

A modern tale of blinkenlights

Researchers reverse-engineered a €12 smartwatch's firmware by first identifying its unusual components, then cracking its Bluetooth authentication mechanism using an outdated legacy algorithm. After failing to extract the firmware through standard means, they developed a novel approach called a `blinkenlights attack` leveraging the watch's display to capture data sent to its screen controller. By analyzing the screen's pixel data, they successfully reconstructed the entire firmware image.

  • Reverse Engineering
  • Hardware Hacking
  • Firmware Extraction
  • BLE

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

The article details a vulnerability in the .NET Framework's HTTP client proxies due to an invalid cast in the HttpWebClientProtocol.GetWebRequest method. This allows attackers to manipulate proxies to write SOAP requests to the filesystem instead of sending them over HTTP, enabling exploits like arbitrary file writes, NTLM relaying, and remote code execution (RCE) through webshell uploads or PowerShell script drops.

  • RCE
  • .NET
  • Web Security
  • SOAP

AI-Poisoning & AMOS Stealer: How Trust Became the Biggest Mac Threat | Huntress

A new attack leverages AI and search engine manipulation to deliver the AMOS macOS stealer. Users search for common troubleshooting queries, like 'clear disk space,' and encounter poisoned search results from platforms like ChatGPT and Grok, which appear legitimate but provide malicious Terminal commands.

  • Malware Analysis
  • macOS Security
  • Stealer
  • AI / LLM
  • Phishing

i cracked a $200 software protection in a day with xcopy

A $200 software protection system, Enigma Protector, was bypassed effortlessly by copying the unprotected payload files extracted during installation, rendering its advanced security features irrelevant.

  • Reverse Engineering
  • Software Cracking

CVE-2025-55182 and CVE-2025-66478 (“React2Shell”) - All you need to know

A critical vulnerability in React Server Components allows remote code execution via specially crafted HTTP requests. This flaw affects React Server Functions and Next.js apps using the App Router, enabling attackers to execute arbitrary code on the server with nearly 100% success.

  • RCE
  • CVE
  • React
  • Web Security

How I Reverse Engineered a Billion-Dollar Legal AI Tool and Found 100k+ Confidential Files

A researcher discovered a vulnerability in a legal AI platform's API. By reverse engineering the code, they identified an endpoint that required no authentication and returned a full admin token. This token granted unrestricted access to a law firm's entire Box filesystem, revealing nearly 100,000 confidential files, including sensitive documents protected by HIPAA and court orders.

  • Web Security
  • Authentication Bypass
  • API Security
  • AI / LLM

Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey

Researchers discovered a stack-based buffer overflow vulnerability in the BeeStation Plus's web interface, specifically in the AdminCenter Auth endpoint. This allowed for remote code execution and root access.

  • RCE
  • Buffer Overflow
  • IoT Security
  • Pwn2Own

Constant-time support lands in LLVM: Protecting cryptographic code at the compiler level

LLVM 21 introduces new intrinsics, specifically `__builtin_ct_select`, designed to protect cryptographic code from timing attacks caused by compiler optimizations. These intrinsics act as barriers, preventing the compiler from altering constant-time implementations in ways that could introduce data-dependent timing variations.

  • Cryptography
  • Compiler
  • Side-Channel
  • LLVM

Stop Putting Your Passwords Into Random Websites

This article highlights a critical security issue where users inadvertently expose sensitive credentials by saving data to popular online code formatter tools like JSONFormatter and CodeBeautify. These tools generate shareable links that store user input publicly, leading to the exposure of thousands of passwords, API keys, and other secrets from various sectors including government, finance, and cybersecurity.

  • Web Security
  • Data Leak
  • Privacy

The Unexpected Joys Of Hacking An Old Kindle

An old Kindle, despite its broken screen and boot issues, serves as a powerful embedded Linux platform. By accessing its serial port, diagnosing hardware failures, and rebuilding the kernel with custom tools, the device was transformed into a functional Linux environment.

  • Hardware Hacking
  • IoT Security
  • Linux
  • UART

AV1 — Now Powering 30% of Netflix Streaming

AV1, an open and modern video codec, has become a cornerstone of Netflix's streaming infrastructure, powering approximately 30% of all streaming sessions. AV1 offers significant advantages, including superior compression efficiency, higher video quality at lower bitrates, and reduced buffering.

  • Video Codec
  • AV1
  • Compression

Rhadamanthys Loader Deobfuscation

This analysis examines the Rhadamanthys loader, a component of a stealer malware known for its sophisticated anti-sandbox and anti-analysis features. The loader employs layered obfuscation, including control flow flattening and jump target obfuscation, making static analysis extremely difficult. The author developed a deobfuscation method focusing on function-level analysis, using techniques like data slicing and instruction patching to restore the original control flow.

  • Malware Analysis
  • Deobfuscation
  • Control Flow Flattening

Why Castrol Honda Superbike crashes on (most) modern systems

An old racing game released in 1998 encounters crashes on modern Windows systems due to a buffer overflow in its DirectInput device enumeration code. The game enumerates all input devices, including non-standard ones like LED controllers, until it overflows its fixed-size array. The fix involves a minimal DLL shim that filters DirectInput to only enumerate game controllers and limits enumeration to 8 devices.

  • Game Modding
  • Buffer Overflow
  • DLL

How we avoided side-channels in our new post-quantum Go cryptography libraries

Trail of Bits has released pure Go implementations of NIST-standardized post-quantum signature algorithms (ML-DSA and SLH-DSA). To prevent side-channel attacks, particularly timing attacks from integer divisions, the team employed branchless programming and division-free algorithms. They demonstrated techniques like constant-time conditional swaps and Barrett reduction, which use multiplication and conditional adjustments to achieve constant-time execution without divisions.

  • Cryptography
  • Post-Quantum
  • Side-Channel
  • Constant-Time

When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)

Researchers discovered a vulnerability in Fortinet FortiWeb devices that allows attackers to bypass authentication by combining a path traversal with an authentication bypass flaw. By crafting a malicious request with a specific header, attackers can impersonate any user, including administrators, gaining full control over the affected appliance. The vulnerability affects multiple versions of FortiWeb, and a patch was released under the identifier CVE-2025-64446.

  • CVE
  • Authentication Bypass
  • Path Traversal
  • Web Security

Building checksec without boundaries with Checksec Anywhere

Checksec Anywhere consolidates fragmented binary analysis tools into a single, browser-based platform. It offers multi-format analysis (ELF, PE, Mach-O), prioritizes privacy by running everything locally, and provides fast performance with features like batch processing, URL shareable results, and SARIF export for seamless integration with security workflows.

  • Binary Analysis
  • Tooling

Reverse Engineering Blood Pressure Monitor Protocol

Curiosity about a personal blood pressure monitor protocol led to an exploration of reverse engineering. After obtaining the device post-vaccination, the author attempted to access its data without using the official software, which required Windows. By setting up a virtual machine and using Wireshark to capture USB traffic, the author identified the structure of the data packets containing blood pressure readings (systolic, diastolic, heart rate, and oscillometric peak pressure). Challenges included decoding timestamps and inconsistencies in the protocol.

  • Reverse Engineering
  • Hardware Hacking
  • USB Protocol

MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper

Following Apple's removal of the 'right-click and open' Gatekeeper override in 2024, attackers have found new ways to bypass security. One emerging method uses AppleScript files (.scpt) disguised as common file types like .docx or .pptx, or as fake updates for Zoom or Teams. These scripts often use comments to encourage execution while hiding malicious code. Malware like MacSync and Odyssey Stealer have adopted this technique, making it more widespread. Attackers also use custom icons to make the files appear legitimate.

  • macOS Security
  • Gatekeeper
  • Malware Analysis
  • Social Engineering

Hacking the HughesNet HT3000W Satellite Modem Part 2

This article details the process of gaining root access on the HughesNet HT3000W satellite modem. It covers understanding the NAND flash error correction code (ECC), specifically the BCH algorithm, and reverse engineering its parameters. The steps involve simulating the NAND device, modifying the UBI filesystem to create an 'englab.dat' file for SSH access, repacking the UBI image with correct ECC, and flashing it back to the modem, resulting in successful root access.

  • IoT Security
  • Hardware Hacking
  • Firmware Analysis
  • ECC
  • Rooting

Hacking the HughesNet HT3000W Satellite Modem Part 1

This article details the hardware analysis and low-level firmware extraction process for the HughesNet HT3000W satellite modem. It explores the modem's internal hardware, and documents the destructive rework required to access the Spansion NAND flash chip. The process involves NAND dumping, error correction, partition carving, and UBI image extraction to reveal the modem's bootloader, kernel, and filesystem structure.

  • IoT Security
  • Hardware Hacking
  • Firmware Analysis
  • UBI

The cryptography behind electronic passports

Electronic passports contain embedded chips with cryptographic protections to prevent unauthorized access, copying, and forgery. They use a combination of filesystem structures, access controls, and protocols like BAC, PACE, and EAC to secure personal data. However, legacy systems and gaps in the threat model still pose risks, and emerging technologies like zero-knowledge identity proofs offer privacy benefits but introduce new security considerations.

  • Cryptography
  • NFC
  • Privacy
  • Protocols

Disclaimer and Purpose of the Documents

This article explains methods to bypass software protections by manipulating flow control and eliminating code sections, using reverse engineering tools like IDA Pro.

  • Reverse Engineering
  • Software Cracking
  • Binary Patching

Apple's Attention to Detail

Apple's once-renowned attention to detail has significantly declined over the last 8-10 years, particularly with the introduction of iOS 26 and macOS Ventura (26). The author expresses frustration over numerous user experience issues, including persistent permission prompts, inconsistent UI elements across applications, bugs in core apps like Reminders and Files, and problematic design choices such as the 'liquid glass' effect.

  • UI/UX
  • iOS
  • macOS

Revisiting Browser Cache Smuggling

This article explores browser cache smuggling as a technique for delivering malware. It demonstrates how COM hijacking can execute DLLs directly from the cache without renaming, reducing detection risks.

  • Digital Forensics
  • Steganography
  • Windows Internals
  • Malware Delivery

yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242)

CVE-2025-9242 is an out-of-bounds write vulnerability in WatchGuard Fireware OS's IKEv2 implementation, allowing remote attackers to execute arbitrary code. The vulnerability affects specific versions of Fireware OS and can be triggered by sending crafted identification data during the IKE_SA_AUTH phase of the IKEv2 protocol.

  • RCE
  • CVE
  • VPN
  • Network Protocols

How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked

This article details the author's experience of reverse engineering Amazon's Kindle DRM system. Amazon implemented multiple obfuscation layers, including randomized glyph IDs and anti-scraping techniques like fake font hints in SVG paths. The solution involved rendering SVG glyphs as images, generating perceptual hashes, and matching against standard TTF fonts using SSIM hashing.

  • Reverse Engineering
  • DRM
  • Obfuscation
  • Web Scraping

ClubWPT Gold Back Office Vulnerability

A vulnerability was discovered in ClubWPT Gold's online poker platform, allowing unauthorized access to the back office application. Attackers gained access to source code and credentials through an exposed environment file and hardcoded admin credentials. They bypassed two-factor authentication using a vulnerability in the authentication system, leading to exposure of customer data including personal information and transaction details.

  • Web Security
  • Authentication Bypass
  • Misconfiguration

Malware Analysis: DarkWatchman

This analysis examines a 32-bit .NET malware sample that employs reflective injection to load stages in memory. The initial stage uses embedded bitmap images and Lagrange polynomial interpolation to build subsequent payloads. Multiple obfuscated stages follow, including a JavaScript RAT with keylogging capabilities, scheduled task persistence, and Domain Generation Algorithm (DGA) for C2 communication.

  • Malware Analysis
  • .NET
  • Reflective Injection

I'm Building a Browser for Reverse Engineers

A reverse engineer describes building a custom browser tool designed for analyzing web scripts and anti-bot measures. The tool uses Chromium DevTools Protocol to inject hooks into JavaScript functions, log calls across frames, and deobfuscate scripts.

  • Reverse Engineering
  • Tooling
  • Browser Fingerprinting
  • DevTools Protocol

CVE-2025-59489: Arbitrary Code Execution in Unity Runtime

A vulnerability in the Unity Runtime allows attackers to execute arbitrary code by manipulating intent handlers. Attackers can load malicious libraries via the `-xrsdk-pre-init-library` command line argument, enabling code execution with Unity's permissions.

  • RCE
  • CVE
  • Android Security
  • Unity
  • Mobile Security

Rhadamanthys 0.9.x - walk through the updates

This report details the latest updates in Rhadamanthys (v0.9.x), a sophisticated stealer malware. Key changes include refined obfuscation (RC4 in Stage 3), enhanced anti-sandbox techniques (Lua-based trigonometry), new data collection modules (browser fingerprinting), expanded stealer functionality (additional wallet plugins), and diversification of C2 communication and injection methods.

  • Malware Analysis
  • Stealer
  • Obfuscation
  • Anti-Analysis

Basic Fit's QR Codes: How Do They Work?

Basic Fit's QR code system for gym entry encodes user details such as card ID, a unique random identifier, a timestamp, and a device ID. A SHA-256 hash of this data ensures security and uniqueness. The system relies on technologies like React Native and OAuth 2.0 with PKCE, making it robust against attacks and restricting access to authorized devices only.

  • Reverse Engineering
  • Cryptography
  • QR Code
  • OAuth

Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)

A critical vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT allows remote code execution without authentication via a deserialization flaw. Attackers can bypass authentication by manipulating the system's licensing endpoint, leading to the deserialization of arbitrary objects.

  • RCE
  • CVE
  • Deserialization
  • Authentication Bypass

The Only JWT Security Guide You Will Ever Need

JSON Web Tokens (JWTs) are widely used for authentication and authorization but can introduce security risks if improperly configured. Common vulnerabilities include flawed signature verification, allowing attackers to alter token claims; weak secret keys enabling brute-force attacks; and header injections (JWK, JKU, KID) that bypass key verification.

  • Web Security
  • Cryptography
  • JWT
  • Authentication

Inside Sononym: Reverse-Engineering an Electron App for Fun and Learning

This article details an educational exploration of reverse-engineering the Sononym Electron application to understand its evaluation and licensing mechanisms. By patching the JavaScript function, the author demonstrated how trial restrictions could be bypassed, illustrating the structure of Electron apps and the mixing of JavaScript with native modules.

  • Reverse Engineering
  • Electron
  • Software Cracking

Apple's Private CSS Property Enables Liquid Glass Effects

Apple has introduced a private CSS property called `-apple-visual-effect` that allows developers to add Liquid Glass effects to web content within iOS apps using WKWebView. While the property is currently only accessible within Apple's own applications and requires enabling a specific setting, it offers a way to achieve the sleek, native-like appearance seen in iOS 26. The article suggests that Apple may already be using this feature in its own apps, contributing to the seamless integration of webviews that users often experience without noticing.

  • CSS
  • iOS
  • UI/UX
  • WKWebView

Detecting AI Fakes with Compression Artifacts

JPEG compression is common online but alters images slightly, leaving visible artifacts. ELA (Error Level Analysis) detects inconsistencies by recompressing images and comparing the results, revealing areas manipulated by AI or other tools.

  • Digital Forensics
  • Image Forensics
  • AI / LLM
  • JPEG

Dissecting DCOM part 1

DCOM, a distributed extension of COM, enables remote object activation and communication, built on core concepts like CLSIDs, ProgIDs, and interfaces for abstraction. This article covers COM/DCOM fundamentals, including historical context, key identifiers, enumeration methods using tools like PowerShell and OleView.NET, instantiation techniques, and the activation process involving RPC protocols, providing a foundation for understanding remote method calls and their security implications.

  • Windows Internals
  • Network Protocols
  • RPC
  • DCOM

Wanted to spy on my dog, ended up spying on TP-Link

Curiosity about a TP-Link indoor camera's onboarding process led to reverse-engineering efforts. The author discovered a default admin password and an encrypted communication channel. By analyzing the app and camera interactions, they developed a script to automate the setup, bypassing the need for cloud integration. The experience revealed insecure coding practices but resulted in a practical solution for simplified camera deployment.

  • Reverse Engineering
  • IoT Security
  • Frida
  • Mobile Security

2025 summer challenge writeup

The 2025 Synacktiv Summer Challenge focused on optimizing Podman archive formats by exploiting internal caching mechanisms and compressing image layers. Participants competed to create the smallest possible OCI or Docker archive containing a self-extracting binary.

  • Docker
  • Podman
  • Compression
  • CTF
  • Containerization

You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)

A critical vulnerability in FreePBX (CVE-2025-57819) allows unauthenticated attackers to bypass security and execute arbitrary code. The flaw stems from improper handling of user input, enabling access to sensitive areas and remote code execution via SQL injection in the Endpoint module. Systems using FreePBX versions 16 or 17 are affected, with recommendations to apply patches immediately.

  • RCE
  • SQL Injection
  • CVE
  • Web Security

An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via Cracked Apps

Cybercriminals are targeting macOS users with the Atomic macOS Stealer (AMOS), disguised as cracked versions of legitimate software. Attackers use two main delivery methods: distributing malicious .dmg files that bypass Gatekeeper, or tricking users into executing commands via the Terminal.

  • Malware Analysis
  • macOS Security
  • Stealer
  • Gatekeeper

Building The Language Model Nobody Asked For

This article describes the process of creating a more engaging and humorous language model by training the Mistral Small 3 24B model on data from various websites.

  • AI / LLM
  • Training
  • Machine Learning

Recursive vs Linear JSVM Disassembly

Linear disassembly decodes bytecode sequentially, which works for static VMs but fails when bytecode is modified at runtime. Recursive disassembly follows jumps and handles runtime changes, but may skip dead code.

  • Reverse Engineering
  • Disassembly
  • Virtualization

Reverse Engineering the Miele Diagnostic Interface

This article details the reverse engineering of Miele's proprietary diagnostic interface, known as the Program Correction (PC) interface. The interface, accessible via an infrared port disguised as an indicator light, allows for reading sensor data, monitoring appliance status, calibrating sensors, updating firmware, and accessing service modes. Reverse engineering revealed that the interface uses a simple optical UART protocol with even parity at 2400 baud. By analyzing the microcontroller's behavior and using a logic analyzer, the author successfully unlocked the interface and dumped the firmware, providing valuable insights for self-repair and potential integration with open-source tools.

  • Reverse Engineering
  • Hardware Hacking
  • IoT Security
  • UART

Reverse Engineering Vercel's BotID

This analysis examines Vercel's BotID service, an anti-bot system that operates through client-side signal collection. The service features two modes: Basic, which is free and relies on detecting browser automation and other bot-like behaviors, and Deep Analysis, which requires a paid plan and uses Kasada's advanced fingerprinting scripts. The article demonstrates how to reverse-engineer the obfuscated JavaScript used by BotID and shows that Basic mode can be bypassed by spoofing browser properties.

  • Reverse Engineering
  • Anti-Bot
  • Browser Fingerprinting
  • JavaScript Obfuscation

Custom App Licensing Security: What We Built When HTTPS Wasn't Enough (external)

This article describes the development of a custom licensing system for a kiosk app that operated offline after initial activation. The solution involved several security layers: storing license expiry dates on the device, enforcing forward-only time progression to prevent date tampering, using unique nonces to block replay attacks, verifying API responses with digital signatures and embedded public keys (via obfuscation), and additional hardening measures like nonce validation and time synchronization checks.

  • Licensing
  • Reverse Engineering
  • Offline Security
  • Cryptography

Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface

This article explores vulnerabilities in the FIDO2/WebAuthn protocol used for passkeys. It details how researchers reverse-engineered the CTAP2 protocol, built a software authenticator to impersonate a hardware key, and demonstrated forging passkey signatures for automated logins. The analysis reveals that many relying parties lack proper security measures, allowing replay attacks, and suggests mitigations like enforcing sign-counters and restricting browser automation APIs.

  • Web Security
  • Authentication
  • Cryptography
  • FIDO2

Exploiting the Tesla Wall connector from its charge port connector

A security team exploited the Tesla Wall Connector, an AC electric vehicle charger, by leveraging its charge port connector to access and manipulate firmware. They identified a logic flaw allowing unauthorized firmware installation and used a buffer overflow vulnerability to achieve arbitrary code execution, demonstrating a significant security risk.

  • IoT Security
  • Reverse Engineering
  • Buffer Overflow
  • Firmware

Exploiting Heroes of Might and Magic V

This analysis explores a vulnerability in Heroes of Might and Magic V where specially crafted map files can trigger a heap overflow during decompression. By exploiting this issue, attackers can overwrite a vtable pointer, enabling code execution. The vulnerability occurs in the decompression process of ZIP-formatted map files, specifically targeting the handling of compressed data sizes. The article demonstrates how to leverage this flaw by creating malicious map files that manipulate memory through controlled decompression.

  • Game Security
  • Reverse Engineering
  • Heap Overflow

A Clever (but not so good) Scraper Protection

This article describes an anti-scraping technique that obfuscates text through a custom font with remapped characters. The method is clever and difficult to bypass programmatically, especially when the font changes randomly. However, it is ultimately ineffective, since major search engines still render the text correctly, which makes it a poor protection mechanism.

  • Web Scraping
  • Anti-Scraping
  • OCR
  • Obfuscation

Unlocking free WiFi on British Airways

British Airways offers free in-flight WiFi restricted to messaging apps. A user discovered that by manipulating the Server Name Indication (SNI) field during the TLS handshake to mimic a connection to WhatsApp (wa.me), they could bypass the restrictions and access the full internet. The article also touches upon Encrypted Client Hello (ECH) as a potential improvement that would mitigate SNI leakage.

  • Network Protocols
  • TLS
  • SNI
  • ECH

Unlocking Nostalgia: How Curiosity Led Me to Reverse Engineer a Unity Game

A nostalgic journey into reverse engineering began when the author sought to unlock all characters in a fan-made Digimon Rumble Arena Unity game. Using tools like dnSpy, they decompiled the game's DLL files to find hardcoded cheat logic, eventually modifying a boolean variable to grant full access across all game modes.

  • Reverse Engineering
  • Game Hacking
  • Unity
  • dnSpy

Puregym Part 1: Obtaining Free Access

This analysis explores vulnerabilities in Puregym's QR code access system. The system, which allows gate access via a mobile app, enforces geolocation restrictions that can be bypassed by spoofing coordinates. Monitoring app traffic reveals that gate opening is authenticated solely via a base64-encoded email/password in an HTTP header.

  • Reverse Engineering
  • IoT Security
  • QR Code
  • Authentication

One-Click RCE in ASUS's Preinstalled Driver Software

A security researcher discovered a critical vulnerability in ASUS's DriverHub software, allowing remote code execution (RCE) via an insecure RPC endpoint that accepted requests from any subdomain of driverhub.asus.com. By exploiting a wildcard origin check and abusing ASUS-signed executables, an attacker could silently install arbitrary admin-level malware.

  • RCE
  • Windows Security
  • RPC

Analyzing Dark Web Malware

Researchers discovered a novel trojan delivered via a dark web 'Bitcoin generator' site. Analysis revealed an in-memory dropper that loaded a second-stage payload from remote servers. The malware used .NET and was obfuscated with techniques like de4dot and potentially BabelVM, indicating advanced evasion methods.

  • Malware Analysis
  • Obfuscation
  • .NET

ML Business Card

This article details the creation of an innovative business card that runs machine learning inference. The goal was to design a compact circuit board that could execute a neural network for speech recognition. Starting with an Arduino prototype, the author transitioned to an RP2040 chip for easier assembly. Challenges included hardware compatibility issues and audio signal processing problems, which were resolved by adjusting sample rates and circuit design.

  • Machine Learning
  • Hardware Hacking
  • IoT

iDone/010-Editor-Keygen

A public GitHub repository that provides a license key generator for 010 Editor, written entirely in Assembly. The tool allows generating custom license keys supporting arbitrary usernames, expiration dates up to the year 3000, and multi-user licenses (1–1000 users).

  • Software Cracking
  • Keygen
  • Assembly

Decrypting Akira Ransomware Files Using GPUs

A method to recover files encrypted by a recent Linux/ESXi variant of Akira ransomware involves brute-forcing four timestamps used to generate encryption keys. The approach leverages nanosecond-level timestamps and GPU acceleration for speed. Known plaintext and ciphertext from specific files (like VMware disk files) help verify decryption keys. The process requires significant computational resources, such as multiple GPUs, and can be costly.

  • Malware Analysis
  • Ransomware
  • Cryptography
  • Brute-force
  • GPU

Reverse Engineering Nanjing University's Pure CPU SAK28 FM1208 NFC Campus Card

This article details the reverse engineering of Nanjing University's SAK28/FM1208 CPU-based NFC campus cards. The author used tools like Proxmark3 to reverse-engineer the card's communication protocol and discovered that data could be read and cloned easily, similar to older M1 cards. The FM1208 protocol itself has security flaws, such as the lack of encryption and weak authentication, making the cards insecure. Additionally, the author demonstrated how Android's Host Card Emulation (HCE) can be used to emulate the card on a smartphone, further highlighting the card's vulnerabilities.

  • Reverse Engineering
  • NFC
  • Cryptography
  • HCE

Anti-detect browser analysis: How to detect the Undetectable browser?

This article provides a detailed analysis of the Undetectable anti-detect browser, explaining how it randomizes fingerprinting attributes to evade detection. It covers how the browser injects JavaScript to modify browser properties for non-Chromium profiles and alters core functionality for Chromium profiles. The piece also presents two reliable detection techniques: one based on identifying JavaScript modifications for non-Chromium browsers and another by detecting specific script injection patterns regardless of the browser profile.

  • Browser Fingerprinting
  • Anti-Scraping
  • Web Security

Try-Catch Control Flow Obfuscation

JavaScript developers can exploit try-catch blocks to create non-linear code flow, hiding legitimate functionality by forcing errors and using catch blocks to execute the real payload. This technique, often chained with multiple try-catch blocks, confuses static analysis tools by making the code's actual behavior dependent on specific error conditions.

  • JavaScript
  • Obfuscation
  • Control Flow

Fake DeepSeek Site Infects Mac Users with Atomic (AMOS) Stealer

Threat actors have created a convincing fake DeepSeek website that lures Mac users into downloading the Atomic (AMOS) Stealer, a sophisticated malware sold as a Malware-as-a-Service (MaaS). The attack begins with malvertising redirecting users to a fraudulent site that mimics DeepSeek. This malware uses anti-debugging techniques and checks for known researcher usernames to avoid detection. It steals sensitive data from web browsers, cryptocurrency wallets (including Electrum, Exodus, and others), Telegram, and the macOS Keychain.

  • Malware Analysis
  • macOS Security
  • Stealer
  • Phishing

Investigating a HTML Obfuscator

An analysis of an HTML obfuscator tool revealed that it primarily encodes HTML via multi-layered JavaScript obfuscation, using techniques like string splitting, function construction, and runtime decoding. While the tool hides the original code in the DOM and includes basic anti-tampering checks, it ultimately relies on `document.write` to reconstruct the HTML, which can be bypassed with simple debugging or function hooking.

  • JavaScript
  • Obfuscation
  • Deobfuscation

Overview of JavaScript Virtualization Obfuscation

This article explains that protecting JavaScript code isn't about making it unbreakable, but about abstracting its execution. One approach is virtualization, where code is compiled into a custom instruction set that runs on a simulated environment within JavaScript. This makes reverse-engineering more difficult compared to analyzing raw JavaScript, as binary code is harder to read.

  • JavaScript
  • Virtualization
  • Obfuscation
  • Reverse Engineering

How I discovered a hidden microphone on a Chinese NanoKVM

The NanoKVM is a compact hardware KVM switch enabling remote computer control via web browsers. It comes with several security flaws, including default passwords, hardcoded encryption keys, reliance on Chinese servers, pre-installed hacking tools, and a hidden built-in microphone for audio recording.

  • Hardware Hacking
  • IoT Security
  • Privacy

zhangx528/Xmanager-keygen

A public GitHub repository providing a simple key generator for Xmanager, written in Python. The project includes a script (`Xmanager-keygen.py`) that generates license keys for Xmanager by reproducing or emulating the software's internal key-validation mechanism.

  • Software Cracking
  • Keygen

"Open Gatekeeper Friendly" Malware Behavior and Samples

This analysis details the 'Open Gatekeeper Friendly' (OGF) macOS infostealer malware. It uses obfuscated AppleScript and shell commands to evade detection, hiding processes and creating random temporary directories. The malware targets sensitive data from browsers, password managers, cryptocurrency wallets, and messaging apps like Telegram.

  • Malware Analysis
  • macOS Security
  • Stealer
  • Gatekeeper

macOS "Open Gatekeeper Friendly" InfoStealer Malware

A new macOS malware variant, known as 'Open Gatekeeper Friendly', is spreading through pirated software releases. This info-stealer disguises itself as a legitimate tool used by pirates to bypass macOS Gatekeeper, leveraging its common name to evade suspicion.

  • Malware Analysis
  • macOS Security
  • Stealer
  • Gatekeeper

Denuvo Analysis

Denuvo is a sophisticated DRM system that protects software by enforcing hardware integrity checks. Upon first execution, it collects system information and sends it to a server to generate a unique license file containing encrypted constants. The game then verifies runtime hardware against this license, ensuring any discrepancies cause immediate failure. Denuvo employs various checks, including CPUID, SYSCALL, and Windows API calls, combined with advanced techniques like a virtual machine that stores data bit by bit and uses mixed-Boolean arithmetic for obfuscation. Anti-tampering measures include spinlocks and disruption of exception-based hooking.

  • Reverse Engineering
  • DRM
  • Virtualization
  • Anti-Tampering

owenxuan/DBeaver-Keygen

A public GitHub repository providing a key generation and patch tool for DBeaver. The project includes a JAR-based keygen/patcher labeled "DBeaver注册机" (Chinese for "DBeaver keygen") along with instructions in Chinese for modifying DBeaver installations.

  • Software Cracking
  • Keygen
  • Java

WatchWitch: Interoperability, Privacy, and Autonomy for the Apple Watch

WatchWitch is an Android application that enables communication with Apple Watch devices by reverse engineering their proprietary protocols. It facilitates interoperability, allowing Android users to interact with Apple Watches, while conducting a thorough security analysis of Apple's wireless communication mechanisms, including IKEv2, ESP, and A-over-C encryption. The research uncovers vulnerabilities and proposes a framework for secure, cross-platform interaction with Apple Watch technology.

  • Reverse Engineering
  • Apple Watch
  • Cryptography
  • Bluetooth

iOS App Reverse Engineering — Exploring LLDB: Modifying In-Game Coins in a Mobile Game

This guide demonstrates how to use LLDB to reverse engineer an iOS mobile game and manipulate in-game coin values. By analyzing assembly code with Hopper and setting breakpoints, the author identifies the register (`W9`) controlling coin counts, then directly alters its value to achieve an inflated balance.

  • iOS Security
  • Reverse Engineering
  • Game Hacking
  • LLDB

Rhadamanthys Stealer: Malware Analysis Part Two

This analysis details the Rhadamanthys Stealer malware's delivery and execution techniques. The attack chain begins with a phishing email containing an obfuscated JavaScript file disguised as a PDF. This script initiates a drive-by download, fetching and executing an encoded PowerShell script. The PowerShell script establishes persistence, employs evasion techniques including dynamic API loading, and reflective loading of components to bypass application whitelisting. It then loads a crypter into memory, which decrypts and injects the final stealer payload. The stealer uses encryption, obfuscation, and process hollowing to evade detection and exfiltrate data.

  • Malware Analysis
  • Stealer
  • PowerShell
  • Phishing

JavaScript Obfuscation Tricks

This article explores various JavaScript obfuscation techniques designed to make code difficult to analyze and deobfuscate. It covers methods such as functions reading themselves by embedding data in comments, using stack traces for decryption keys, browser crashes via loops or async bombs, extracting variable names from object keys, and strategies to hinder large language models and analysis tools by exploiting token limits or inserting misleading content.

  • JavaScript
  • Obfuscation
  • Deobfuscation
  • Reverse Engineering

Breaking the 4Chan CAPTCHA

This project aimed to develop a machine learning model using TensorFlow to solve 4Chan CAPTCHAs reliably. Challenges included acquiring training data, which involved scraping CAPTCHAs and generating synthetic data due to limitations with commercial solving services. The model, built with an LSTMCNN architecture, achieved over 90% accuracy on real CAPTCHAs after addressing issues like image processing errors and model conversion hurdles.

  • Machine Learning
  • CAPTCHA
  • Computer Vision

Rhadamanthys Stealer: Malware analysis Part One

This analysis examines a sophisticated PDF-based malware delivery mechanism that initiates a drive-by download. The malicious PDF, disguised as an invoice, contains embedded URLs leading to a booking.com domain. When clicked, it executes an obfuscated JavaScript file that bypasses execution policies and downloads a PowerShell script via IRM. This script employs multiple layers of obfuscation, including octal encoding, requiring several decoding stages to reveal a final .NET binary payload—the Rhadamanthys Stealer.

  • Malware Analysis
  • Stealer
  • PowerShell
  • Phishing

Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers

This research examines how silent delivery receipts in mobile instant messaging apps can be exploited to monitor user activities without their knowledge. The study demonstrates that these features leak sensitive information, including online status, typing indicators, and message read states, enabling surveillance of users' behavior patterns and communication habits. The findings reveal significant privacy risks inherent in current instant messaging implementations.

  • Privacy
  • Mobile Security
  • Side-Channel

mzjdy/MobaXterm-Keygen

A public GitHub repository containing a Python script to generate license activation files for MobaXterm, a Windows terminal emulator with networking tools.

  • Software Cracking
  • Keygen

Cracking into a Just Eat / Takeaway.com terminal with an NFC card

This article details the process of acquiring an older Just Eat / Takeaway.com terminal and modifying it. After purchasing the device, the author gained access by either using an NFC card to trigger specific actions or by entering device codes. Once inside, they discovered it ran on an older Android version and was vulnerable. The author proceeded to root the device, install custom file managers and browsers, and even dump the firmware. They also found hidden admin functions accessible via specific codes or screen interactions. The terminal's hardware includes an ethernet port, USB ports, and NFC capabilities.

  • IoT Security
  • Reverse Engineering
  • Rooting
  • NFC

Exploiting the IKKO Activebuds "AI powered" earbuds, running DOOM, stealing their OpenAI API key and customer data.

A detailed analysis revealed significant security vulnerabilities in a device running Android with integrated AI features. The device stored an OpenAI API key locally, exposing sensitive data. The companion app lacked proper authentication, allowing unauthorized access to user chats and personal information. While some fixes were implemented, key exposure issues persist.

  • IoT Security
  • Reverse Engineering
  • API Security
  • Android Security

From Amos to Poseidon | A SOC Team's Guide to Detecting macOS Atomic Stealers 2024

The macOS Atomic Stealer family has evolved significantly in 2024, with variants like Amos, Poseidon, Cthulhu, and Banshee targeting Mac users. These infostealers, distributed through spoofed enterprise apps, employ evasion techniques such as code obfuscation, dynamic payload fetching, and TCC bypass to evade detection. They steal cryptocurrency wallet credentials, admin passwords, and other sensitive data.

  • Malware Analysis
  • macOS Security
  • Stealer

garfield-ts/BCompare_Keygen

An open-source Python project that generates registration keys for Beyond Compare 5.x (up to version 5.1 ver 31016) by reproducing the software's license verification mechanism. The repository includes scripts (`keygen.py`, `app.py`) that produce custom license keys after optionally modifying the embedded RSA key in the Beyond Compare executable.

  • Software Cracking
  • Keygen
  • Cryptography
  • RSA

Anki Zero-Day Vulnerabilities: Multiple RCE Exploits Discovered

A comprehensive technical breakdown of multiple zero-day vulnerabilities discovered in Anki, including arbitrary code execution (RCE) through JavaScript injection, LaTeX command injection, and media player command injection. The article details the discovery process, proof-of-concept exploits, and the mitigations implemented by Anki.

  • RCE
  • XSS
  • LaTeX
  • CVE

Hacking Clemson University

This article details the discovery and exploitation of an SQL injection vulnerability on the Clemson University website using a custom tool called SQLiF. It explains what SQL injection is, demonstrates how it can be exploited through examples, and describes how SQLiF automates the detection of these vulnerabilities by analyzing web application responses for specific database errors.

  • Web Security
  • SQL Injection
  • Tooling

Kernel-level anti-cheats: a necessary devil

Kernel-level anti-cheats, while controversial due to their elevated system access, add limited risk beyond what user-mode software already poses, yet they remain a necessary evil for combating persistent cheating in multiplayer games. The article argues that privacy concerns are overstated, since user-mode software can already access sensitive data, and that the history of security failures in user-mode software points to deeper industry shortcomings.

  • Anti-Cheat
  • Security Analysis
  • Game Security

How FileMaker Stores Passwords

This article explores how FileMaker stores passwords in the fmp12 file format. It explains that passwords are stored as one-way hashes, specifically using PBKDF2 with SHA-1, and are combined with a salt during the hashing process. The article details the reverse-engineering process, including how the hashing mechanism was identified through debugging, and discusses the structure of the account storage within the file format, including associated checksums and other metadata.

  • Reverse Engineering
  • Cryptography
  • Password Storage

I Gained 1 Million Followers in 24 Hours

An experiment demonstrated how easily social media follower counts can be artificially inflated, specifically using the Nostr protocol. By generating and broadcasting follow requests through multiple relays with a script, over a million new followers were created in less than 24 hours.

  • Social Media
  • Sybil Attack
  • Security

Reverse Engineering Pokémon GO

This article details the reverse engineering of Pokémon GO to understand its internal workings. The author first explored route mechanics, discovering how to bypass certain limitations by manipulating server communication, leading to detailed analysis of item drop rates. Subsequently, the author uncovered significant vulnerabilities in the PvP combat system, where extensive player data is transmitted during battles, allowing unauthorized access.

  • Reverse Engineering
  • Game Security
  • Mobile Security

duraki/charles-keygen

An open-source key generator for Charles Proxy that implements a cracking approach (via RC5) to produce valid registration keys for the Charles web debugging proxy.

  • Software Cracking
  • Keygen
  • Cryptography
  • RC5

Scraping Clutch for B2B company data

To scrape Clutch, a B2B service directory, and bypass its Cloudflare antibot, use a service like Bright Data's Scraping Browser with Playwright to obtain necessary cookies. These cookies, along with browser-like headers, must be reused in scraping requests. A TLS client is used to replicate a realistic browser fingerprint.

  • Web Scraping
  • Anti-Bot
  • Cloudflare

Hacking the HughesNet HT2000W Satellite Modem

This analysis details the disassembly of the HughesNet HT2000W satellite modem. By accessing UART ports on both PCBs, researchers gained root access on the router side and U-Boot on the modem side. Firmware dumps revealed weak, outdated password hashes that could be cracked, enabling SSH access.

  • IoT Security
  • Hardware Hacking
  • UART
  • Firmware Analysis

Branch Encryption

Branch encryption protects sensitive data by encrypting code sections that depend on a specific input. Instead of storing comparison values directly, they are hashed, and the associated code is encrypted. Execution only proceeds if the input matches the hash, preventing attackers from easily accessing secrets.

  • Cryptography
  • Obfuscation
  • Control Flow
  • Reverse Engineering

Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)

This article details the frustration with TicketMaster's SafeTix system, which uses rotating PDF417 barcodes for ticket entry. Through reverse engineering using Chrome DevTools, the author discovers that the barcodes are generated using cryptographic secrets and tokens, enabling offline ticket duplication.

  • Reverse Engineering
  • Cryptography
  • TOTP

Backdoor Activator Malware Running Rife Through Torrents of macOS Apps

A new macOS malware, identified as macOS.Bkdr.Activator, is spreading rapidly through cracked software downloads available on torrent sites. This deceptive 'Activator' malware pretends to provide cracked versions of popular apps but instead installs a backdoor. Upon execution, it disables macOS security features, installs a persistence mechanism, and attempts to download further malicious components, potentially enabling operators to control infected machines or deploy other malware at scale.

  • Malware Analysis
  • macOS Security
  • Piracy

Rook to XSS: Hacking chess.com

This article details the discovery of cross-site scripting (XSS) vulnerabilities on chess.com through a rich text editor. By exploiting the background-image attribute's onload property, the author bypassed sanitization to manipulate cookies and redirect users. A subsequent payload using the srcset attribute achieved full XSS by directly executing JavaScript.

  • XSS
  • Web Security

Cloning Discord Friends with Large Language Models

This article details the process of training a large language model to clone Discord friends. The author used a Mistral-7B model on an RTX 3090 GPU, cleaning extensive Discord chat data by removing low-quality messages and formatting it for training.

  • AI / LLM
  • Training
  • Machine Learning

I Replaced Animal Crossing's Dialogue with a Live LLM by Hacking GameCube Memory

This article details how the author replaced the static dialogue in Animal Crossing with dynamically generated text using an LLM. By reverse-engineering the game's dialogue system and establishing communication via shared memory, the author created a two-step AI pipeline: a 'Writer' LLM generates dialogue and a 'Director' LLM handles formatting and control codes.

  • Game Modding
  • AI / LLM
  • Reverse Engineering
  • Memory Hacking

4 billion if statements

This piece explores an unconventional approach to determine if a number is even or odd by replacing arithmetic operations with an exhaustive series of conditional checks—one for each possible value. The author demonstrates how this method, initially mocked on social media, can be scaled from 8-bit to 32-bit integers using meta-programming and assembly, despite encountering technical limits like compiler heap space and file size constraints.

  • Assembly
  • Code Golf
  • Optimization

Potat0chips/KeyGen-editplus

A public C/C++ GitHub project that implements a key generator for EditPlus, a Windows text and code editor developed by ES-Computing.

  • Software Cracking
  • Keygen
  • C++

Hacking GTA V RP Servers Using Web Exploitation Techniques

This article details a vulnerability in the rcore_radiocar resource used in GTA V RP servers built on FiveM. By allowing users to input arbitrary URLs, attackers can inject malicious scripts via XSS. This enables control of player accounts, including unauthorized access to microphones, stealing in-game money, and altering player appearances.

  • Game Hacking
  • XSS
  • Web Security

Proxifier Keygen

A detailed blog post explaining the implementation and reverse-engineering of a Proxifier license key generator. It covers analyzing Proxifier's registration key format and validation algorithm, including a breakdown of the `Check` algorithm used in the official software and how to construct valid keys.

  • Software Cracking
  • Keygen
  • Reverse Engineering

Compiling a Custom Browser to Bypass Anti-Bot Measures

This article details the process of reverse-engineering Supreme's anti-bot system to extract decryption and encryption keys, enabling the creation of valid cookies that bypass anti-bot measures. The authors compiled a modified Firefox browser, intercepted JavaScript functions, and captured necessary data to generate these keys and browser fingerprints.

  • Reverse Engineering
  • Anti-Bot
  • Browser Fingerprinting

Evading JavaScript Anti-Debugging Techniques

Debuggers are essential for analyzing code, but some websites employ anti-debugging measures to hinder reverse engineering. The article explores various evasion techniques, starting with disabling breakpoints, but notes that this limits functionality. An attempt to override the debugger keyword with a Greasyfork script fails against heavily obfuscated code. The most effective solution involves renaming the 'debugger' keyword in the browser's source code, specifically in Firefox, allowing breakpoints to trigger without causing infinite loops.

  • JavaScript
  • Anti-Debugging
  • Reverse Engineering

Assessing Anti-Bot Platforms through a Hacker's Lens

This article introduces a series focused on evaluating anti-bot platforms from an attacker's perspective. It highlights the prevalence and impact of web automation attacks, the growth of the anti-bot industry, and the challenge of effective protection due to misinformation and deceptive metrics.

  • Web Scraping
  • Anti-Bot
  • Security Analysis

Lama3L9R/ArtifactoryKeygen

A public GitHub project that provides a key generator for JFrog Artifactory, allowing the creation of Artifactory license artifacts. The repository contains Java/Kotlin source code and supporting files to generate licenses, and includes additional tooling (such as an agent) to help patch Artifactory for testing.

  • Software Cracking
  • Keygen
  • Java

Using the Kullback test in CTFs

The Kullback test identifies repeating patterns in encrypted text by transposing blocks and measuring randomness with the Index of Coincidence (IOC). It helps break ciphers like Vigenère by detecting periodic spikes that reveal key lengths or repeating patterns. The test can also solve custom ciphers by finding consistent intervals at which text repeats, guiding decryption strategies.

  • Cryptography
  • Cryptanalysis
  • CTF

Deciphering the FileMaker Server keystore

This article examines how FileMaker Server stores encrypted credentials in its keystore file. The author found that while RSA encryption is used during file uploads, the keystore contains AES-128-CBC encrypted values using a null IV. The encryption key is derived from a machine-specific ID combined with user credentials via PBKDF2. The process was reverse-engineered through debugging, revealing that the same key can be recreated, allowing decryption.

  • Reverse Engineering
  • Cryptography
  • Encryption
  • AES

Spying the Spy, Part Three: Breaking TLS

This article explores how to intercept TLS-encrypted network traffic from an application like TimeDoctor using tools such as PolarProxy and Frida. It covers reverse engineering Qt's networking library to extract URLs.

  • Reverse Engineering
  • Frida
  • MITM
  • TLS

Spying the Spy, Part Two: Exploring Logs

This article explores how to analyze logs generated by a time tracker application using Gravwell, a data platform for log ingestion and querying. It covers setting up log ingestion, performing basic and advanced queries (including filtering, transactions, and aggregations), and creating dashboards for visualization.

  • Data Analysis
  • Log Analysis
  • Tooling

Spying the spy: Frida vs. Time Tracker, Part One

This article explores the reverse engineering and monitoring of TimeDoctor, a productivity tracking tool. It details how to use Frida, a dynamic instrumentation tool, to intercept and log SQLite database interactions from a running application, providing visibility into the tool's data collection mechanisms.

  • Reverse Engineering
  • Frida
  • Dynamic Analysis

Backq/httpdebugger-crack

A public GitHub repository that provides a simple key generator for HTTP Debugger Pro. The tool generates a license key and writes it into the appropriate Windows registry location so that the software is activated automatically once HTTP Debugger has been run at least once. The README explains the structure of the registration format and how it derives the serial number from version and disk identifiers.

  • Software Cracking
  • Keygen
  • Registry

Devirtualizing Nike.com's Bot Protection (Part 2)

This article details the development of a disassembler for Nike's VM-based bot protection system. The author explains how to handle the lack of clear opcode definitions by implementing a recursive traversal method to analyze control flow. The disassembler identifies functions and loops by tracking instruction pointers and registers, avoiding the need to execute the bytecode. Challenges include unreachable code and bloat, but the tool successfully recovers a significant portion of the VM's instructions, providing a foundation for further analysis.

  • Reverse Engineering
  • Disassembly
  • Virtualization
  • Anti-Bot

Devirtualizing Nike.com's Bot Protection (Part 1)

Web attacks like account brute forcing and botting threaten digital systems. Browser fingerprinting helps protect against these by creating unique identifiers, but it's easy to spoof. Obfuscation complicates reverse engineering, leading to virtualization obfuscation—a custom VM architecture that stores code as bytecode. This article examines the system built for Nike by its contractor Kasada, which uses a virtual machine to interpret bytecode.

  • Reverse Engineering
  • Virtualization
  • Obfuscation
  • Anti-Bot

Reverse Engineering Tiktok's VM Obfuscation (Part 1)

This article explores the reverse engineering of TikTok's VM obfuscation mechanism, revealing a custom virtual machine that executes JavaScript code with a unique bytecode format. The author decompiles and disassembles the Kotlin code to understand the VM's operations, including instruction execution, array handling, and environment management. The findings include two bytecode dumps—one for the VM itself and another for the main application code.

  • Reverse Engineering
  • Virtualization
  • JavaScript Obfuscation
  • Mobile Security

Gotta Catch 'Em All: Frida & jailbreak detection

This article explores the anti-jailbreak and anti-Frida protections in Pokémon GO, focusing on how the game detects jailbroken devices and dynamic analysis tools like Frida. The analysis reveals techniques such as hooking Mach-O constructors via `dyld` functions, bypassing anti-debug checks, and leveraging obfuscation to extract strings.

  • Jailbreak Detection
  • Frida
  • Anti-Debugging
  • iOS Security

WerWolv

This article details the process of reverse engineering a thermal printer's Bluetooth Low Energy (BLE) protocol to enable communication via computer instead of a proprietary app. The author decompiled the manufacturer's app to discover command structures and CRC8 checksums, then implemented a Python solution using the Bleak library for BLE communication.

  • Hardware Hacking
  • Reverse Engineering
  • BLE

Reverse Engineering Adventures: Brute-force function search, or how to crack Genshin Impact with PowerShell

This article demonstrates a brute-force technique to locate a specific function in a heavily obfuscated binary, by systematically testing every address in the executable. Using PowerShell and a client-server approach, the method bypasses obfuscation by calling unknown code segments until the correct function—here, a decryption routine—is identified.

  • Reverse Engineering
  • Game Hacking
  • Brute-force
  • IL2CPP

ba1ma0/BurpLoaderKeygenCn

A GitHub repository that provides a combined Burp Suite Pro Loader and Keygen tool intended to help with offline activation and launching of Burp Suite Pro (from version 2020.1 onward). The project integrates multiple existing Burp loader/keygen efforts and adds features like update detection and auto run.

  • Software Cracking
  • Keygen
  • Java

bitcookies/winrar-keygen

A GitHub repository that implements a WinRAR license key generator and explains the principle of WinRAR key generation. It provides code and workflows to reproduce the elliptic-curve based signature algorithm used by WinRAR.

  • Software Cracking
  • Keygen
  • Cryptography
  • ECC

Reverse Engineering Snapchat (Part II): Deobfuscating the Undeobfuscatable

The article explores advanced techniques for reversing Snapchat's heavily obfuscated binary, focusing on bypassing anti-debugging mechanisms like `fuckup_debugging` and deobfuscating complex control-flow obfuscations (MBA). It highlights practical strategies such as symbolic execution, watchpoints, and manual register tracing to reconstruct obfuscated logic.

  • Anti-Debugging
  • Binary Analysis
  • Obfuscation
  • Reverse Engineering

Reverse Engineering Snapchat (Part I): Obfuscation Techniques

This article explores advanced obfuscation techniques used in Snapchat's binary to protect its API authentication token, including control flow obfuscation (indirect branches, opaque predicates, dead code), dynamic library calls, and anti-debugging measures like checksum-based breakpoint detection. Data obfuscation methods like mixed-boolean arithmetic and scratch arguments further complicate reverse engineering, while clever tricks like in-house `memmove` implementations and overflow-based memory access add layers of complexity.

  • Anti-Debugging
  • Obfuscation
  • Control Flow Flattening
  • Binary Analysis

ImGui Game Overlays using DLL injection

This article details a method for creating overlays in games using DLL injection and ImGui. It explains how to inject a DLL into a game process, hook OpenGL functions to render overlays, and integrate ImGui for creating UI elements. The process involves finding the target process, allocating memory, and handling function hooks to display graphics on top of the game.

  • Game Hacking
  • DLL Injection
  • Reverse Engineering
  • OpenGL

How to Swizzle All of UIKit

This article demonstrates a scalable approach to swizzling every method in UIKit by leveraging trampoline functions and a unified handler. It explains how to dynamically replace method implementations—such as for logging or thread checks—without manually coding each one, using assembly-level optimizations to manage performance.

  • iOS Internals
  • Reverse Engineering
  • Objective-C
  • Runtime Hooking

OBD2 Reader; Redesigned! Part 1 - The Device!

The article documents a hands-on exploration of repurposing an OBD2 scanner device by reverse-engineering its firmware and hardware. The author tested alternative devices to understand their components—such as microcontrollers, LCD screens, and flash memory—while mapping out pinouts and debugging interfaces.

  • Hardware Hacking
  • IoT Security
  • Firmware Analysis

Reverse engineering – Supercell – chapter 9

This article details two main reverse engineering achievements related to Supercell games. First, it presents a universal solution for extracting the public server key (pks) from multiple games, including HayDayPop. This approach uses dynamic memory hooking and watchpoints to bypass obfuscation techniques like Arxan, avoiding reliance on static offsets. Second, the author describes a sophisticated 'Videobot' system built for automating the recording of top players in Clash Royale. This system employs custom Android applications, Frida for code injection, and a Python backend to manage device operations, video compression, and encryption-related tasks. The Videobot replaces server connections with a local mock to facilitate recording.

  • Reverse Engineering
  • Mobile Security
  • Dynamic Analysis
  • Automation

How I'm keeping code execution in the most secured mobile game – reverse engineering – Supercell part 8

This article details the advanced security measures implemented by Supercell in their mobile games, focusing on reverse engineering techniques to bypass anti-cracking protections. It covers identifying and disabling specific 'hard' and 'soft' checks that prevent code execution tools like Frida from functioning. The author then demonstrates how to intercept and redirect network traffic to a local proxy, replacing DNS lookups to route game communications through a custom application.

  • Reverse Engineering
  • Mobile Security
  • Anti-Tampering
  • Network Traffic

metowolf/mathematica-keygen

A JavaScript-based key generator for Wolfram Mathematica that reproduces the offline activation key/password generation algorithm for Mathematica versions around 12.0. The package (installable via npm) exports a `keygen(mathID, activationKey)` function that takes a Machine ID and an activation key and returns an array of generated passwords.

  • Software Cracking
  • Keygen
  • JavaScript

No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE

This article details the discovery and exploitation of a stack-based buffer overflow vulnerability in an IP camera's firmware. The vulnerability was leveraged to bypass ASLR using a ROP chain, enabling unauthenticated RCE. The exploit involved manipulating the GOT to redirect execution to the `system` function, demonstrating techniques relevant to the ARM architecture.

  • Reverse Engineering
  • RCE
  • Buffer Overflow
  • ROP
  • IoT Security

Tackling JavaScript Client-side Security (Part 1)

This article examines the effectiveness of Jscrambler's JavaScript obfuscation techniques by analyzing an obfuscated game sample. The author discovers that obfuscation significantly increases code length and employs string concealment and encoding functions. By isolating these functions and using an Abstract Syntax Tree (AST) approach with tools like Esprima, the author successfully deobfuscates the code, making it more readable and revealing its functionality.

  • JavaScript
  • Deobfuscation
  • Reverse Engineering

Cracking the uncrackables – Reverse engineering – Supercell – part 7

This article details the reverse engineering process of Brawl Stars' new, previously unknown protection mechanism. After identifying a compiler and protection system, the author faced challenges in debugging due to a packer preventing code execution. Using a combination of Frida, Android kernel modifications, and inline syscalls, the author found ways to intercept system calls, delay process startup, and gain code execution.

  • Reverse Engineering
  • Mobile Security
  • Anti-Tampering
  • Packer

Hacking Chinese Drones for Fun and (No) Profit

A hobbyist reverse-engineered the communication protocol of a WiFi-enabled Chinese drone to bypass its proprietary app, uncovering an 8-byte UDP-based control system. By analyzing packet traffic—captured via a Mac's virtual interface—they decoded movement commands (left/right, throttle, etc.) and special functions like auto-takeoff or motor unlock.

  • Drone Hacking
  • Reverse Engineering
  • UDP
  • Protocol Analysis

ghost0507/Internet_Download_Manager_Keygen

A public GitHub repository that implements a key generator for Internet Download Manager (IDM) v6.x written in Python 3. The project includes a script (`idmv6_keygen.py`) that produces registration keys for IDM, enabling offline activation of the software for versions in the 6.x series.

  • Software Cracking
  • Keygen
  • Python

Reverse Engineering Pokémon GO Plus

This article details the reverse engineering of the Pokémon GO Plus device, revealing the certification algorithm used for pairing with the game. The author explains how to clone the device by extracting a device-specific blob and key, noting that using other devices' blobs may lead to future bans. The implementation is available for ESP32, and the hardware reverse engineering involved extracting firmware from the device's SPI flash.

  • Reverse Engineering
  • Hardware Hacking
  • BLE
  • Game Security

Anatomy of a Supreme Bot (Part 3)

This article explores the concept of 'variants' in Supreme botting, which refers to size IDs used in the checkout process. It explains how variants can be identified through the mobile_stock.json file, where item IDs increment sequentially. This knowledge allows bots to skip certain API steps and checkout directly, offering a significant advantage for bot developers.

  • Web Scraping
  • Botting

Dumping an external EEPROM

This article details the process of extracting data from external EEPROM memory chips using two communication protocols: I2C (TWI) and SPI. For I2C, the Arduino Wire library is used to communicate at a specified clock frequency, set the start address, and read data in 32-byte chunks, sending raw output via serial for tools like RealTerm to interpret. For SPI, SPISettings configures the clock speed, data mode, and bit order; the process involves setting up the chip select line, reading data sequentially, and handling potential voltage level differences with a logic level shifter.

  • Hardware Hacking
  • I2C
  • SPI
  • EEPROM

Anatomy of a Supreme Bot (Part 2)

This article details the technical steps involved in automating purchases on Supreme using bots. It covers the process of adding items to the cart by sending POST requests with specific IDs and using mobile user-agents, the checkout process, which requires user data and includes a reCAPTCHA challenge, and methods for handling captchas. The article explains how bots can bypass captchas by either having users complete them or using third-party services, and describes how bots monitor the checkout process using a unique slug and status endpoint.

  • Web Scraping
  • Botting
  • CAPTCHA

Anatomy of a Supreme Bot (Part 1)

This article examines how bots operate on the Supreme website, focusing on a category that uses mobile endpoints to fetch and post data. It explains that these bots work in five steps, with part one covering the initial steps of finding an item and retrieving its style and sizing information. The process involves detecting new items by periodically fetching the mobile_stock.json endpoint, which contains all available products. Once an item is identified, its specific endpoint provides details on styles and sizes, which are necessary for completing a purchase.

  • Web Scraping
  • Botting
  • API Analysis

Reverse engineering – Supercell – part 6

This article details the reverse engineering of Supercell's custom encryption, which was heavily obfuscated with Arxan. The author faced significant challenges due to techniques like opaque predicates and control flow flattening, making static analysis nearly impossible. The approach involved dynamic analysis using Frida to intercept memory and network traffic, emulation with Unicorn to bypass obfuscation, and custom Python scripts to log and analyze execution. Key steps included intercepting /dev/urandom for nonce and key generation, hooking specific functions to avoid crashes, and implementing a decryption routine.

  • Reverse Engineering
  • Mobile Security
  • Dynamic Analysis
  • Obfuscation
  • Control Flow Flattening

Breaking SecuROM 7 - A Dissection

A collection of guides and techniques for cracking SecuROM-protected software, compiled from various ARTeam members and other contributors.

  • Reverse Engineering
  • DRM
  • Software Cracking

Trust no one: TrustKit SSL pinning bypass

The article describes a method to bypass SSL pinning in an iOS app that uses TrustKit. By hooking the `verifyPublicKeyPin` function in TrustKit via a Frida script, the researcher replaced its logic to always return a success status, effectively disabling SSL verification.

  • iOS Security
  • SSL Pinning
  • Frida
  • MITM

0x14Rp/Wing-IDE-7-keygen

A GitHub repository providing a Python-based key generator for activating Wing IDE v7, a Python integrated development environment. The tool includes a simple script (`keygen.py`) that generates an activation code for Wing IDE based on user input and the IDE's request code, allowing users to complete the activation prompt in Wing IDE.

  • Software Cracking
  • Keygen
  • Python

Cracking SSL pinning in AFNetworking

The article demonstrates how to bypass SSL pinning in the AFNetworking framework by hooking the `evaluateServerTrust:forDomain:` method to force it to always return a successful validation. Using a Frida script, the author intercepts and modifies the return value.

  • iOS Security
  • SSL Pinning
  • Frida
  • MITM

Improving Language Understanding by Generative Pre-Training

This paper introduces Generative Pre-Training (GPT), a method that pre-trains a transformer-based language model on a large unlabeled text corpus and then fine-tunes it on supervised downstream tasks. The approach demonstrates that unsupervised pre-training significantly improves performance on a wide range of NLP benchmarks, including natural language inference, question answering, and text classification.

  • AI / LLM
  • NLP
  • Research Paper

Disabling SSL pinning by hooking SecTrustEvaluate(...) on iOS 11

The article explains how to bypass SSL certificate pinning on iOS 11 by intercepting the `SecTrustEvaluate` function—a core security check in Apple's Security framework. Using a Frida script, the author demonstrates a technique to force the function to always return a 'trusted' result, enabling HTTPS traffic interception.

  • iOS Security
  • SSL Pinning
  • Frida
  • MITM

A journey to Finland, Reverse Engineering on Android – Supercell Pt 5

This entry details a reverse engineering journey focused on Android mobile games, specifically Supercell's protections. Key techniques included using dynamic analysis with Frida to bypass protections, debugging game encryption with tools like Unicorn, and building custom emulators for comparison.

  • Reverse Engineering
  • Mobile Security
  • Dynamic Analysis
  • Encryption

JohnHubcr/navicat-keygen

A GitHub repository for a Navicat offline activation key generator and exploration of Navicat's offline activation mechanism. The code focuses on the RSA-2048 public key that Navicat uses to encrypt/decrypt activation information, stored in the Navicat executable or resource files, and tools to produce keys for offline activation.

  • Software Cracking
  • Keygen
  • Cryptography
  • RSA

Bypassing TicketMaster 1.23.0 jailbreak detection

The article explains how TicketMaster 1.23.0 detects jailbreaks by checking for Cydia, MobileSubstrate, or file system write permissions. It details the internal logic of the jailbreak detection mechanism. A Frida-based hooking script is provided to bypass detection by forcing the method to always return a negative result, allowing the app to run on jailbroken devices.

  • iOS Security
  • Jailbreak Detection
  • Frida
  • Reverse Engineering

Reverse Engineering – Supercell – part 4

This post details ongoing reverse engineering efforts on Boom Beach, highlighting several security protections implemented by Supercell. The analysis reveals a compiler likely using Clang with custom LLVM plugins, strong string encryption handled via an ELF initialization table, and extensive obfuscation. The most significant finding relates to anti-tampering measures, specifically a CRC check mechanism that can be bypassed using specific offsets to prevent crashes.

  • Reverse Engineering
  • Mobile Security
  • Anti-Tampering
  • String Encryption

Reverse Engineering – Supercell – October update, part 3

In October 2017, Supercell released updates across Clash Royale, Clash of Clans, and Boom Beach. While new content was the main focus, the updates included enhanced security measures to prevent reverse engineering and binary manipulation. In Boom Beach, login encryption was obfuscated, debuggers were blocked, and the binary was protected against modification. Despite these changes, the encryption logic itself remained unchanged.

  • Reverse Engineering
  • Mobile Security
  • Anti-Tampering
  • Encryption

Reverse Engineering – Supercell – Clash Royale. Part 2

This article details the reverse engineering of two key message types in Supercell's Clash Royale protocol: ECT (EndClientTurn) and OHD (OwnHomeData). ECT messages are used to keep the server and client synchronized, especially during user actions, and include a client-generated checksum for anti-cheat purposes. OHD messages contain extensive data for the client to build the game home, including deck information and event data. The reverse engineering reveals how ECT payloads change during specific actions, and the structure of OHD is detailed, with plans to open-source the findings post-update.

  • Reverse Engineering
  • Mobile Security
  • Game Security
  • Checksum

Clash of Clans – SuperCell new encryption reverse engineering

This analysis explains how to reverse engineer SuperCell's new encryption in Clash of Clans (and related games). The previous encryption method, which involved patching a hardcoded public key, no longer works. The new encryption uses a different approach where a shared key is dynamically generated during runtime using a hardcoded public key. To bypass this, the author developed a patch that modifies two memory offsets, effectively replacing the dynamically generated shared key with a hardcoded one. This allows for decrypting and encrypting payloads similar to the old method. Tools like IDA, GDB, and Unicorn were used in the reverse engineering process.

  • Reverse Engineering
  • Mobile Security
  • Encryption
  • Game Security

Attention Is All You Need

This paper introduces the Transformer architecture, a neural network model based entirely on self-attention mechanisms, removing the need for recurrent or convolutional layers. By enabling parallel computation and more effective modeling of long-range dependencies, the Transformer achieves state-of-the-art results in machine translation and becomes the foundation for many modern language models.

  • AI / LLM
  • NLP
  • Research Paper

Debugging iOS binaries with LLDB

This guide explains how to debug iOS binaries using LLDB on a jailbroken device, covering setup steps like extracting and signing `debugserver`, attaching to processes, and handling ASLR.

  • iOS Security
  • LLDB
  • ASLR
  • Reverse Engineering

Bypassing an anti-debug protection in Musical.ly 4.7.2 for iOS

The article details the process of disabling anti-debug protections in the iOS version of Musical.ly by analyzing and patching key anti-debug checks, including `sysctl`-based and `ptrace`-related mechanisms. The author uses LLDB to decrypt the binary, identifies obfuscated functions, and replaces their logic with no-ops to bypass detection.

  • iOS Security
  • Anti-Debugging
  • LLDB
  • Reverse Engineering

Decrypting apps from AppStore

This guide explains how to decrypt iOS applications downloaded from the App Store by leveraging a jailbroken device and tools like MachOView, LLDB, and `debugserver`. It covers methods for handling both single-architecture and multi-architecture executables, including locating encrypted sections in memory and replacing them with decrypted data.

  • iOS Security
  • DRM
  • LLDB
  • Reverse Engineering

Breakpoint callbacks in LLDB Python scripts

This guide demonstrates how to set breakpoints in LLDB using Python scripts and extend their functionality with custom callbacks. By attaching a callback function to a breakpoint, developers can execute specific actions—like printing a message—whenever the breakpoint is triggered.

  • iOS Security
  • LLDB
  • Python