This is my curated list of articles I’ve read, organized by date with summaries and keywords for easy reference.

Looking for videos? Check out my Watching list.

Great sources

A list of great sources for articles and blogs.

Posts

Articles (129)

Exploiting Anno 1404

This analysis explores vulnerabilities in the strategy game Anno 1404. Key flaws include a path traversal vulnerability in the multiplayer save file transfer mechanism and an out-of-bounds write vulnerability in the GR2 file format parser. These issues allow arbitrary code execution by manipulating file transfers or exploiting memory corruption in the game's 3D model loading system.

  • game modding
  • heap overflow
  • RCE
  • ASLR bypass

SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL

The article details a vulnerability in the .NET Framework's HTTP client proxies due to an invalid cast in the HttpWebClientProtocol.GetWebRequest method. This allows attackers to manipulate proxies to write SOAP requests to the filesystem instead of sending them over HTTP, enabling exploits like arbitrary file writes, NTLM relaying, and remote code execution (RCE) through webshell uploads or PowerShell script drops.

  • .NET
  • RCE
  • CVE-2025-34392

CVE-2025-55182 and CVE-2025-66478 (“React2Shell”) - All you need to know

A critical vulnerability in React Server Components allows remote code execution via specially crafted HTTP requests. This flaw affects React Server Functions and Next.js apps using the App Router, enabling attackers to execute arbitrary code on the server with nearly 100% success.

  • React
  • RCE
  • CVE-2025-55182

How I Reverse Engineered a Billion-Dollar Legal AI Tool and Found 100k+ Confidential Files

A researcher discovered a vulnerability in a legal AI platform's API. By reverse engineering the code, they identified an endpoint that required no authentication and returned a full admin token. This token granted unrestricted access to a law firm's entire Box filesystem, revealing nearly 100,000 confidential files, including sensitive documents protected by HIPAA and court orders.

  • reverse engineering
  • authentication bypass

Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey

Researchers discovered a stack-based buffer overflow vulnerability in the BeeStation Plus's web interface, specifically in the AdminCenter Auth endpoint. This allowed for remote code execution and root access.

  • CVE-2025-12686
  • buffer overflow
  • reverse engineering

Constant-time support lands in LLVM: Protecting cryptographic code at the compiler level

LLVM 21 introduces new intrinsics, specifically `__builtin_ct_select`, designed to protect cryptographic code from timing attacks caused by compiler optimizations. These intrinsics act as barriers, preventing the compiler from altering constant-time implementations in ways that could introduce data-dependent timing variations.

  • LLVM
  • cryptography

Stop Putting Your Passwords Into Random Websites

This article highlights a critical security issue where users inadvertently expose sensitive credentials by saving data to popular online code formatter tools like JSONFormatter and CodeBeautify. These tools generate shareable links that store user input publicly, leading to the exposure of thousands of passwords, API keys, and other secrets from various sectors including government, finance, and cybersecurity.

  • JavaScript

The Unexpected Joys Of Hacking An Old Kindle

An old Kindle, despite its broken screen and boot issues, serves as a powerful embedded Linux platform. By accessing its serial port, diagnosing hardware failures, and rebuilding the kernel with custom tools, the device was transformed into a functional Linux environment.

  • IoT
  • UART interface

AV1 — Now Powering 30% of Netflix Streaming

AV1, an open and modern video codec, has become a cornerstone of Netflix's streaming infrastructure, powering approximately 30% of all streaming sessions. AV1 offers significant advantages, including superior compression efficiency, higher video quality at lower bitrates, and reduced buffering.

  • AV1
  • HDR

Rhadamanthys Loader Deobfuscation

This analysis examines the Rhadamanthys loader, a component of a stealer malware known for its sophisticated anti-sandbox and anti-analysis features. The loader employs layered obfuscation, including control flow flattening and jump target obfuscation, making static analysis extremely difficult. The author developed a deobfuscation method focusing on function-level analysis, using techniques like data slicing and instruction patching to restore the original control flow.

  • malware analysis
  • deobfuscation
  • control flow flattening

Why Castrol Honda Superbike crashes on (most) modern systems

An old racing game released in 1998 encounters crashes on modern Windows systems due to a buffer overflow in its DirectInput device enumeration code. The game enumerates all input devices, including non-standard ones like LED controllers, until it overflows its fixed-size array. The fix involves a minimal DLL shim that filters DirectInput to only enumerate game controllers and limits enumeration to 8 devices.

  • game modding
  • buffer overflow
  • DLL

How we avoided side-channels in our new post-quantum Go cryptography libraries

Trail of Bits has released pure Go implementations of NIST-standardized post-quantum signature algorithms (ML-DSA and SLH-DSA). To prevent side-channel attacks, particularly timing attacks from integer divisions, the team employed branchless programming and division-free algorithms. They demonstrated techniques like constant-time conditional swaps and Barrett reduction, which use multiplication and conditional adjustments to achieve constant-time execution without divisions.

  • post-quantum
  • cryptography

When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)

Researchers discovered a vulnerability in Fortinet FortiWeb devices allowing attackers to bypass authentication through a path traversal and an authentication bypass flaw. By crafting a malicious request with a specific header, attackers can impersonate any user, including administrators, gaining full control over the affected appliance. The vulnerability affects multiple versions of FortiWeb, and a patch was released with the CVE-2025-64446 identifier.

  • Fortinet
  • FortiWeb
  • authentication bypass
  • path traversal
  • CVE-2025-64446

Building checksec without boundaries with Checksec Anywhere

Checksec Anywhere consolidates fragmented binary analysis tools into a single, browser-based platform. It offers multi-format analysis (ELF, PE, Mach-O), prioritizes privacy by running everything locally, and provides fast performance with features like batch processing, URL shareable results, and SARIF export for seamless integration with security workflows.

  • binary analysis

Reverse Engineering Blood Pressure Monitor Protocol

Curiosity about a personal blood pressure monitor protocol led to an exploration of reverse engineering. After obtaining the device post-vaccination, the author attempted to access its data without using the official software, which required Windows. By setting up a virtual machine and using Wireshark to capture USB traffic, the author identified the structure of the data packets containing blood pressure readings (systolic, diastolic, heart rate, and oscillometric peak pressure). Challenges included decoding timestamps and inconsistencies in the protocol.

  • reverse engineering
  • USB protocol
  • Wireshark

MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper

Following Apple's removal of the 'right-click and open' Gatekeeper override in 2024, attackers have found new ways to bypass security. One emerging method uses AppleScript files (.scpt) disguised as common file types like .docx or .pptx, or as fake updates for Zoom or Teams. These scripts often use comments to encourage execution while hiding malicious code. Malware like MacSync and Odyssey Stealer have adopted this technique, making it more widespread. Attackers also use custom icons to make the files appear legitimate.

  • AppleScript
  • Gatekeeper bypass
  • macOS
  • stealer

The cryptography behind electronic passports

Electronic passports contain embedded chips with cryptographic protections to prevent unauthorized access, copying, and forgery. They use a combination of filesystem structures, access controls, and protocols like BAC, PACE, and EAC to secure personal data. However, legacy systems and gaps in the threat model still pose risks, and emerging technologies like zero-knowledge identity proofs offer privacy benefits but introduce new security considerations.

  • electronic passports
  • cryptography
  • zero-knowledge proofs

Apple's Attention to Detail

Apple's once-renowned attention to detail has significantly declined over the last 8-10 years, particularly with the introduction of iOS 26 and macOS Ventura (26). The author expresses frustration over numerous user experience issues, including persistent permission prompts, inconsistent UI elements across applications, bugs in core apps like Reminders and Files, and problematic design choices such as the 'liquid glass' effect.

  • iOS 26 issues
  • UI/UX

Revisiting Browser Cache Smuggling

This article explores browser cache smuggling as a technique for delivering malware. It demonstrates how COM hijacking can execute DLLs directly from the cache without renaming, reducing detection risks.

  • COM
  • steganography
  • DLL Hijacking

yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242)

CVE-2025-9242 is an out-of-bounds write vulnerability in WatchGuard Fireware OS's IKEv2 implementation, allowing remote attackers to execute arbitrary code. The vulnerability affects specific versions of Fireware OS and can be triggered by sending crafted identification data during the IKE_SA_AUTH phase of the IKEv2 protocol.

  • CVE-2025-9242
  • Fireware OS
  • IKEv2
  • RCE

How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked

This article details the author's experience of reverse engineering Amazon's Kindle DRM system. Amazon implemented multiple obfuscation layers, including randomized glyph IDs and anti-scraping techniques like fake font hints in SVG paths. The solution involved rendering SVG glyphs as images, generating perceptual hashes, and matching against standard TTF fonts using SSIM hashing.

  • DRM
  • reverse engineering
  • Kindle
  • obfuscation
  • SSIM hashing

ClubWPT Gold Back Office Vulnerability

A vulnerability was discovered in ClubWPT Gold's online poker platform, allowing unauthorized access to the back office application. Attackers gained access to source code and credentials through an exposed environment file and hardcoded admin credentials. They bypassed two-factor authentication using a vulnerability in the authentication system, leading to exposure of customer data including personal information and transaction details.

  • back office access
  • authentication bypass

Malware Analysis: DarkWatchman

This analysis examines a 32-bit .NET malware sample that employs reflective injection to load stages in memory. The initial stage uses embedded bitmap images and Lagrange polynomial interpolation to build subsequent payloads. Multiple obfuscated stages follow, including a JavaScript RAT with keylogging capabilities, scheduled task persistence, and Domain Generation Algorithm (DGA) for C2 communication.

  • malware analysis
  • .NET
  • reflective injection

I'm Building a Browser for Reverse Engineers

A reverse engineer describes building a custom browser tool designed for analyzing web scripts and anti-bot measures. The tool uses Chromium DevTools Protocol to inject hooks into JavaScript functions, log calls across frames, and deobfuscate scripts.

  • reverse engineering
  • fingerprinting
  • DevTools Protocol
  • deobfuscation

CVE-2025-59489: Arbitrary Code Execution in Unity Runtime

A vulnerability in the Unity Runtime allows attackers to execute arbitrary code by manipulating intent handlers. Attackers can load malicious libraries via the `-xrsdk-pre-init-library` command line argument, enabling code execution with Unity's permissions.

  • Arbitrary Code Execution
  • Unity
  • Android security
  • Dlopen

Rhadamanthys 0.9.x - walk through the updates

This report details the latest updates in Rhadamanthys (v0.9.x), a sophisticated stealer malware. Key changes include refined obfuscation (RC4 in Stage 3), enhanced anti-sandbox techniques (Lua-based trigonometry), new data collection modules (browser fingerprinting), expanded stealer functionality (additional wallet plugins), and diversification of C2 communication and injection methods.

  • malware analysis
  • obfuscation
  • fingerprinting

Les QR Codes de Basic Fit : Comment ça fonctionne ?

Basic Fit's QR code system for gym entry encodes user details such as card ID, a unique random identifier, a timestamp, and a device ID. A SHA-256 hash of this data ensures security and uniqueness. The system relies on technologies like React Native and OAuth 2.0 with PKCE, making it robust against attacks and restricting access to authorized devices only.

  • SHA-256
  • PKCE
  • QR code

Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)

A critical vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT allows remote code execution without authentication via a deserialization flaw. Attackers can bypass authentication by manipulating the system's licensing endpoint, leading to the deserialization of arbitrary objects.

  • deserialization
  • GoAnywhere
  • authentication bypass
  • CVE-2025-10035
  • pre-auth RCE

The Only JWT Security Guide You Will Ever Need

JSON Web Tokens (JWTs) are widely used for authentication and authorization but can introduce security risks if improperly configured. Common vulnerabilities include flawed signature verification, allowing attackers to alter token claims; weak secret keys enabling brute-force attacks; and header injections (JWK, JKU, KID) that bypass key verification.

  • JWT security
  • signature verification
  • JWK injection
  • JKU injection
  • KID injection

Inside Sononym: Reverse-Engineering an Electron App for Fun and Learning

This article details an educational exploration of reverse-engineering the Sononym Electron application to understand its evaluation and licensing mechanisms. By patching the JavaScript function, the author demonstrated how trial restrictions could be bypassed, illustrating the structure of Electron apps and the mixing of JavaScript with native modules.

  • reverse engineering
  • Electron
  • DRM

Apple's Private CSS Property Enables Liquid Glass Effects

Apple has introduced a private CSS property called `-apple-visual-effect` that allows developers to add Liquid Glass effects to web content within iOS apps using WKWebView. While the property is currently only accessible within Apple's own applications and requires enabling a specific setting, it offers a way to achieve the sleek, native-like appearance seen in iOS 26. The article suggests that Apple may already be using this feature in its own apps, contributing to the seamless integration of webviews that users often experience without noticing.

  • CSS
  • Liquid Glass
  • WKWebView

Detecting AI Fakes with Compression Artifacts

JPEG compression is common online but alters images slightly, leaving visible artifacts. ELA (Error Level Analysis) detects inconsistencies by recompressing images and comparing the results, revealing areas manipulated by AI or other tools.

  • JPEG compression
  • image forensics
  • deepfakes

Dissecting DCOM partie 1

DCOM, a distributed extension of COM, enables remote object activation and communication, built on core concepts like CLSIDs, ProgIDs, and interfaces for abstraction. This article covers COM/DCOM fundamentals, including historical context, key identifiers, enumeration methods using tools like PowerShell and OleView.NET, instantiation techniques, and the activation process involving RPC protocols, providing a foundation for understanding remote method calls and their security implications.

  • COM
  • DCOM

Wanted to spy on my dog, ended up spying on TP-Link

Curiosity about a TP-Link indoor camera's onboarding process led to reverse-engineering efforts. The author discovered a default admin password and an encrypted communication channel. By analyzing the app and camera interactions, they developed a script to automate the setup, bypassing the need for cloud integration. The experience revealed insecure coding practices but resulted in a practical solution for simplified camera deployment.

  • reverse engineering
  • IoT security
  • frida
  • PyTapo

2025 summer challenge writeup

The 2025 Synacktiv Summer Challenge focused on optimizing Podman archive formats by exploiting internal caching mechanisms and compressing image layers. Participants competed to create the smallest possible OCI or Docker archive containing a self-extracting binary.

  • Podman
  • OCI archive
  • Docker archive
  • compression

You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)

A critical vulnerability in FreePBX (CVE-2025-57819) allows unauthenticated attackers to bypass security and execute arbitrary code. The flaw stems from improper handling of user input, enabling access to sensitive areas and remote code execution via SQL injection in the Endpoint module. Systems using FreePBX versions 16 or 17 are affected, with recommendations to apply patches immediately.

  • FreePBX
  • CVE-2025-57819
  • SQL injection
  • RCE

Building The Language Model Nobody Asked For

This article describes the process of creating a more engaging and humorous language model by training the Mistral Small 3 24B model on data from various websites.

  • Language Model
  • Training

Recursive vs Linear JSVM Disassembly

Linear disassembly decodes bytecode sequentially, which works for static VMs but fails when bytecode is modified at runtime. Recursive disassembly follows jumps and handles runtime changes, but may skip dead code.

  • disassembly
  • VM
  • reverse engineering

Reverse Engineering the Miele Diagnostic Interface

This article details the reverse engineering of Miele's proprietary diagnostic interface, known as the Program Correction (PC) interface. The interface, accessible via an infrared port disguised as an indicator light, allows for reading sensor data, monitoring appliance status, calibrating sensors, updating firmware, and accessing service modes. Reverse engineering revealed that the interface uses a simple optical UART protocol with even parity at 2400 baud. By analyzing the microcontroller's behavior and using a logic analyzer, the author successfully unlocked the interface and dumped the firmware, providing valuable insights for self-repair and potential integration with open-source tools.

  • reverse engineering
  • UART interface
  • IoT

Reverse Engineering Vercel's BotID

This analysis examines Vercel's BotID service, an anti-bot system that operates through client-side signal collection. The service features two modes: Basic, which is free and relies on detecting browser automation and other bot-like behaviors, and Deep Analysis, which requires a paid plan and uses Kasada's advanced fingerprinting scripts. The article demonstrates how to reverse-engineer the obfuscated JavaScript used by BotID and shows that Basic mode can be bypassed by spoofing browser properties.

  • fingerprinting
  • JavaScript obfuscation

Custom App Licensing Security: What We Built When HTTPS Wasn't Enough

This article describes the development of a custom licensing system for a kiosk app that operated offline after initial activation. The solution involved several security layers: storing license expiry dates on the device, enforcing forward-only time progression to prevent date tampering, using unique nonces to block replay attacks, verifying API responses with digital signatures and embedded public keys (via obfuscation), and additional hardening measures like nonce validation and time synchronization checks.

  • licensing system
  • nonce validation
  • reverse engineering

Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface

This article explores vulnerabilities in the FIDO2/WebAuthn protocol used for passkeys. It details how researchers reverse-engineered the CTAP2 protocol, built a software authenticator to impersonate a hardware key, and demonstrated forging passkey signatures for automated logins. The analysis reveals that many relying parties lack proper security measures, allowing replay attacks, and suggests mitigations like enforcing sign-counters and restricting browser automation APIs.

  • FIDO2
  • CTAP2
  • forging passkeys

Exploiting the Tesla Wall connector from its charge port connector

A security team exploited the Tesla Wall Connector, an AC electric vehicle charger, by leveraging its charge port connector to access and manipulate firmware. They identified a logic flaw allowing unauthorized firmware installation and used a buffer overflow vulnerability to achieve arbitrary code execution, demonstrating a significant security risk.

  • Tesla Wall Connector
  • buffer overflow
  • reverse engineering

Exploiting Heroes of Might and Magic V

This analysis explores a vulnerability in Heroes of Might and Magic V where specially crafted map files can trigger a heap overflow during decompression. By exploiting this issue, attackers can overwrite a vtable pointer, enabling code execution. The vulnerability occurs in the decompression process of ZIP-formatted map files, specifically targeting the handling of compressed data sizes. The article demonstrates how to leverage this flaw by creating malicious map files that manipulate memory through controlled decompression.

  • heap overflow
  • reverse engineering

A Clever (but not so good) Scraper Protection

This article describes an anti-scraping technique that obfuscates text through a custom font with remapped characters. The method is clever and becomes difficult to bypass programmatically, especially when the font changes randomly. However, it is ultimately ineffective, as major search engines can still render the text correctly, which makes it a poor protection mechanism.

  • web scraping
  • anti-scraping
  • OCR

Unlocking free WiFi on British Airways

British Airways offers free in-flight WiFi restricted to messaging apps. A user discovered that by manipulating the Server Name Indication (SNI) field during the TLS handshake to mimic a connection to WhatsApp (wa.me), they could bypass the restrictions and access the full internet. The article also touches upon Encrypted Client Hello (ECH) as a potential improvement to mitigate SNI leakage issues.

  • SNI
  • ECH
  • TLS

Puregym Part 1: Obtaining Free Access

This analysis explores vulnerabilities in Puregym's QR code access system. The system, which allows gate access via a mobile app, enforces geolocation restrictions that can be bypassed by spoofing coordinates. Monitoring app traffic reveals that gate opening is authenticated solely via a base64-encoded email/password in an HTTP header.

  • QR code

Analyzing Dark Web Malware

Researchers discovered a novel trojan delivered via a dark web 'Bitcoin generator' site. Analysis revealed an in-memory dropper that loaded a second-stage payload from remote servers. The malware used .NET and was obfuscated with techniques like de4dot and potentially BabelVM, indicating advanced evasion methods.

  • malware analysis
  • .NET
  • dropper
  • BabelVM
  • reverse engineering

ML Business Card

This article details the creation of an innovative business card that runs machine learning inference. The goal was to design a compact circuit board that could execute a neural network for speech recognition. Starting with an Arduino prototype, the author transitioned to an RP2040 chip for easier assembly. Challenges included hardware compatibility issues and audio signal processing problems, which were resolved by adjusting sample rates and circuit design.

  • ML
  • IoT
  • Arduino

iDone/010-Editor-Keygen

A public GitHub repository that provides a license key generator for 010 Editor, written entirely in Assembly. The tool allows generating custom license keys supporting arbitrary usernames, expiration dates up to the year 3000, and multi-user licenses (1–1000 users).

  • keygen

Decrypting Akira Ransomware Files Using GPUs

A method to recover files encrypted by a recent Linux/ESXi variant of Akira ransomware involves brute-forcing four timestamps used to generate encryption keys. The approach leverages nanosecond-level timestamps and GPU acceleration for speed. Known plaintext and ciphertext from specific files (like VMware disk files) help verify decryption keys. The process requires significant computational resources, such as multiple GPUs, and can be costly.

  • ransomware
  • decryption
  • bruteforce

Anti-detect browser analysis: How to detect the Undetectable browser?

This article provides a detailed analysis of the Undetectable anti-detect browser, explaining how it randomizes fingerprinting attributes to evade detection. It covers how the browser injects JavaScript to modify browser properties for non-Chromium profiles and alters core functionality for Chromium profiles. The piece also presents two reliable detection techniques: one based on identifying JavaScript modifications for non-Chromium browsers and another by detecting specific script injection patterns regardless of the browser profile.

  • fingerprinting
  • JavaScript
  • anti-scraping

Try-Catch Control Flow Obfuscation

JavaScript developers can exploit try-catch blocks to create non-linear code flow, hiding legitimate functionality by forcing errors and using catch blocks to execute the real payload. This technique, often chained with multiple try-catch blocks, confuses static analysis tools by making the code's actual behavior dependent on specific error conditions.

  • JavaScript
  • reverse engineering

Overview of JavaScript Virtualization Obfuscation

This article explains that protecting JavaScript code isn't about making it unbreakable, but about abstracting its execution. One approach is virtualization, where code is compiled into a custom instruction set that runs on a simulated environment within JavaScript. This makes reverse-engineering more difficult compared to analyzing raw JavaScript, as binary code is harder to read.

  • JavaScript
  • virtualization
  • obfuscation
  • JIT

How I discovered a hidden microphone on a Chinese NanoKVM

The NanoKVM is a compact hardware KVM switch enabling remote computer control via web browsers. It comes with several security flaws, including default passwords, hardcoded encryption keys, reliance on Chinese servers, pre-installed hacking tools, and a hidden built-in microphone for audio recording.

  • KVM
  • IoT security

zhangx528/Xmanager-keygen

A public GitHub repository providing a simple key generator for Xmanager, written in Python. The project includes a script (`Xmanager-keygen.py`) that generates license keys for Xmanager by reproducing or emulating the software’s internal key-validation mechanism.

  • keygen

Denuvo Analysis

Denuvo is a sophisticated DRM system that protects software by enforcing hardware integrity checks. Upon first execution, it collects system information and sends it to a server to generate a unique license file containing encrypted constants. The game then verifies runtime hardware against this license, ensuring any discrepancies cause immediate failure. Denuvo employs various checks, including CPUID, SYSCALL, and Windows API calls, combined with advanced techniques like a virtual machine that stores data bit by bit and uses mixed-Boolean arithmetic for obfuscation. Anti-tampering measures include spinlocks and disruption of exception-based hooking.

  • DRM
  • VM
  • anti-tampering
  • obfuscation

owenxuan/DBeaver-Keygen

A public GitHub repository providing a key generation and patch tool for DBeaver. The project includes a JAR-based keygen/patcher labeled as "DBeaver注册机" along with instructions in Chinese for modifying DBeaver installations.

  • keygen

WatchWitch: Interoperability, Privacy, and Autonomy for the Apple Watch

WatchWitch is an Android application that enables communication with Apple Watch devices by reverse engineering their proprietary protocols. It facilitates interoperability, allowing Android users to interact with Apple Watches, while conducting a thorough security analysis of Apple's wireless communication mechanisms, including IKEv2, ESP, and A-over-C encryption. The research uncovers vulnerabilities and proposes a framework for secure, cross-platform interaction with Apple Watch technology.

  • Apple Watch
  • reverse engineering
  • Wireless Protocols

Rhadamanthys Stealer: Malware Analysis Part Two

This analysis details the Rhadamanthys Stealer malware's delivery and execution techniques. The attack chain begins with a phishing email containing an obfuscated JavaScript file disguised as a PDF. This script initiates a drive-by download, fetching and executing an encoded PowerShell script. The PowerShell script establishes persistence, employs evasion techniques including dynamic API loading, and reflective loading of components to bypass application whitelisting. It then loads a crypter into memory, which decrypts and injects the final stealer payload. The stealer uses encryption, obfuscation, and process hollowing to evade detection and exfiltrate data.

  • malware analysis
  • stealer
  • phishing
  • obfuscation
  • JavaScript
  • PowerShell
  • reflective injection

JavaScript Obfuscation Tricks

This article explores various JavaScript obfuscation techniques designed to make code difficult to analyze and deobfuscate. It covers methods such as functions reading themselves by embedding data in comments, using stack traces for decryption keys, browser crashes via loops or async bombs, extracting variable names from object keys, and strategies to hinder large language models and analysis tools by exploiting token limits or inserting misleading content.

  • JavaScript
  • obfuscation
  • LLM
  • XOR
  • encryption
  • decryption

Breaking the 4Chan CAPTCHA

This project aimed to develop a machine learning model using TensorFlow to solve 4Chan CAPTCHAs reliably. Challenges included acquiring training data, which involved scraping CAPTCHAs and generating synthetic data due to limitations with commercial solving services. The model, built with an LSTMCNN architecture, achieved over 90% accuracy on real CAPTCHAs after addressing issues like image processing errors and model conversion hurdles.

  • machine learning
  • TensorFlow
  • LSTMCNN
  • captcha

Rhadamanthys Stealer: Malware analysis Part One

This analysis examines a sophisticated PDF-based malware delivery mechanism that initiates a drive-by download. The malicious PDF, disguised as an invoice, contains embedded URLs leading to a booking.com domain. When clicked, it executes an obfuscated JavaScript file that bypasses execution policies and downloads a PowerShell script via IRM. This script employs multiple layers of obfuscation, including octal encoding, requiring several decoding stages to reveal a final .NET binary payload—the Rhadamanthys Stealer.

  • PowerShell
  • obfuscation
  • .NET
  • malware analysis

Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers

This research examines how silent delivery receipts in mobile instant messaging apps can be exploited to monitor user activities without their knowledge. The study demonstrates that these features leak sensitive information, including online status, typing indicators, and message read states, enabling surveillance of users' behavior patterns and communication habits. The findings reveal significant privacy risks inherent in current instant messaging implementations.

  • privacy
  • mobile security

mzjdy/MobaXterm-Keygen

A public GitHub repository containing a Python script to generate license activation files for MobaXterm, a Windows terminal emulator with networking tools.

  • keygen

Cracking into a Just Eat / Takeaway.com terminal with an NFC card

This article details the process of acquiring an older Just Eat / Takeaway.com terminal and modifying it. After purchasing the device, the author gained access by either using an NFC card to trigger specific actions or by entering device codes. Once inside, they discovered it ran on an older Android version and was vulnerable. The author proceeded to root the device, install custom file managers and browsers, and even dump the firmware. They also found hidden admin functions accessible via specific codes or screen interactions. The terminal's hardware includes an ethernet port, USB ports, and NFC capabilities.

  • reverse engineering
  • rooting
  • NFC

Exploiting the IKKO Activebuds "AI powered" earbuds, running DOOM, stealing their OpenAI API key and customer data.

A detailed analysis revealed significant security vulnerabilities in a device running Android with integrated AI features. The device stored an OpenAI API key locally, exposing sensitive data. The companion app lacked proper authentication, allowing unauthorized access to user chats and personal information. While some fixes were implemented, key exposure issues persist.

  • reverse engineering

garfield-ts/BCompare_Keygen

An open-source Python project that generates registration keys for Beyond Compare 5.x (up to version 5.1 ver 31016) by reproducing the software’s license verification mechanism. The repository includes scripts (`keygen.py`, `app.py`) that produce custom license keys after optionally modifying the embedded RSA key in the Beyond Compare executable.

  • keygen

Anki Zero-Day Vulnerabilities: Multiple RCE Exploits Discovered

A comprehensive technical breakdown of multiple zero-day vulnerabilities discovered in Anki, including arbitrary code execution (RCE) through JavaScript injection, LaTeX command injection, and media player command injection. The article details the discovery process, proof-of-concept exploits, and the mitigations implemented by Anki.

  • Zero-day exploit
  • RCE
  • LaTeX injection

Hacking Clemson University

This article details the discovery and exploitation of an SQL injection vulnerability on the Clemson University website using a custom tool called SQLiF. It explains what SQL injection is, demonstrates how it can be exploited through examples, and describes how SQLiF automates the detection of these vulnerabilities by analyzing web application responses for specific database errors.

  • SQL injection

How FileMaker Stores Passwords

This article explores how FileMaker stores passwords in the fmp12 file format. It explains that passwords are stored as one-way hashes, specifically using PBKDF2 with SHA-1, and are combined with a salt during the hashing process. The article details the reverse-engineering process, including how the hashing mechanism was identified through debugging, and discusses the structure of the account storage within the file format, including associated checksums and other metadata.

  • FileMaker
  • fmp12
  • reverse engineering

I Gained 1 Million Followers in 24 Hours

An experiment demonstrated how easily social media follower counts can be artificially inflated, specifically using the Nostr protocol. By generating and broadcasting follow requests through multiple relays with a script, over a million new followers were created in less than 24 hours.

  • Sybil Attack

Reverse Engineering Pokémon GO

This article details the reverse engineering of Pokémon GO to understand its internal workings. The author first explored route mechanics, discovering how to bypass certain limitations by manipulating server communication, leading to detailed analysis of item drop rates. Subsequently, the author uncovered significant vulnerabilities in the PvP combat system, where extensive player data is transmitted during battles, allowing unauthorized access.

  • Pokémon GO
  • reverse engineering

duraki/charles-keygen

An open-source key generator for Charles Proxy that implements a cracking approach (via RC5) to produce valid registration keys for the Charles web debugging proxy.

  • keygen

Scraping Clutch for B2B company data

To scrape Clutch, a B2B service directory, and bypass its Cloudflare antibot, use a service like Bright Data's Scraping Browser with Playwright to obtain necessary cookies. These cookies, along with browser-like headers, must be reused in scraping requests. A TLS client is used to replicate a realistic browser fingerprint.

  • anti-scraping

Branch Encryption

Branch encryption protects sensitive data by encrypting code sections that depend on a specific input. Instead of storing comparison values directly, they are hashed, and the associated code is encrypted. Execution only proceeds if the input matches the hash, preventing attackers from easily accessing secrets.

  • JavaScript
  • encryption
  • virtualization
  • decryption

Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)

This article details the frustration with TicketMaster's SafeTix system, which uses rotating PDF417 barcodes for ticket entry. Through reverse engineering using Chrome DevTools, the author discovers that the barcodes are generated using cryptographic secrets and tokens, enabling offline ticket duplication.

  • reverse engineering
  • mobile tickets
  • TOTP

Rook to XSS: Hacking chess.com

This article details the discovery of cross-site scripting (XSS) vulnerabilities on chess.com through a rich text editor. By exploiting the background-image attribute's onload property, the author bypassed sanitization to manipulate cookies and redirect users. A subsequent payload using the srcset attribute achieved full XSS by directly executing JavaScript.

  • XSS
  • Cross-Site Scripting
  • Rich Text Editor

Cloning Discord Friends with Large Language Models

This article details the process of training a large language model to clone Discord friends. The author used a Mistral-7B model on an RTX 3090 GPU, cleaning extensive Discord chat data by removing low-quality messages and formatting it for training.

  • LLM
  • AI

I Replaced Animal Crossing's Dialogue with a Live LLM by Hacking GameCube Memory

This article details how the author replaced the static dialogue in Animal Crossing with dynamically generated text using an LLM. By reverse-engineering the game's dialogue system and establishing communication via shared memory, the author created a two-step AI pipeline: a 'Writer' LLM generates dialogue and a 'Director' LLM handles formatting and control codes.

  • reverse engineering
  • LLM
  • game modding

Potat0chips/KeyGen-editplus

A public C/C++ GitHub project that implements a key generator for EditPlus, a Windows text and code editor developed by ES-Computing.

  • keygen

Hacking GTA V RP Servers Using Web Exploitation Techniques

This article details a vulnerability in the rcore_radiocar resource used in GTA V RP servers built on FiveM. By allowing users to input arbitrary URLs, attackers can inject malicious scripts via XSS. This enables control of player accounts, including unauthorized access to microphones, stealing in-game money, and altering player appearances.

  • XSS

Compiling a Custom Browser to Bypass Anti-Bot Measures

This article details the process of reverse-engineering Supreme's anti-bot system to extract decryption and encryption keys, enabling the creation of valid cookies that bypass anti-bot measures. The authors compiled a modified Firefox browser, intercepted JavaScript functions, and captured necessary data to generate these keys and browser fingerprints.

  • custom browser compilation
  • decryption
  • browser fingerprint
  • reverse engineering

Evading JavaScript Anti-Debugging Techniques

Debuggers are essential for analyzing code, but some websites employ anti-debugging measures to hinder reverse engineering. The article explores various evasion techniques, starting with disabling breakpoints, while noting that this limits functionality. An attempt to override the debugger keyword with a Greasyfork script fails against heavily obfuscated code. The most effective solution involves renaming the 'debugger' keyword in the browser's source code, specifically in Firefox, allowing breakpoints to trigger without causing infinite loops.

  • JavaScript debugging
  • anti-debugging
  • reverse engineering

Assessing Anti-Bot Platforms through a Hacker's Lens

This article introduces a series focused on evaluating anti-bot platforms from an attacker's perspective. It highlights the prevalence and impact of web automation attacks, the growth of the anti-bot industry, and the challenge of effective protection due to misinformation and deceptive metrics.

  • automation
  • botting

Lama3L9R/ArtifactoryKeygen

A public GitHub project that provides a key generator for JFrog Artifactory, allowing the creation of Artifactory license artifacts. The repository contains Java/Kotlin source code and supporting files to generate licenses, and includes additional tooling (such as an agent) to help patch Artifactory for testing.

  • keygen

Using the Kullback test in CTFs

The Kullback test identifies repeating patterns in encrypted text by transposing blocks and measuring randomness with the Index of Coincidence (IOC). It helps break ciphers like Vigenere by detecting periodic spikes that reveal key lengths or repeating patterns. The test can also solve custom ciphers by finding consistent intervals where text repeats, guiding decryption strategies.

  • Kullback test
  • CTF
  • Index of Coincidence
  • Vigenere

Deciphering the FileMaker Server keystore

This article examines how FileMaker Server stores encrypted credentials in its keystore file. The author found that while RSA encryption is used during file uploads, the keystore contains AES-128-CBC encrypted values using a null IV. The encryption key is derived from a machine-specific ID combined with user credentials via PBKDF2. The process was reverse-engineered through debugging, revealing that the same key can be recreated, allowing decryption.

  • FileMaker
  • encryption
  • reverse engineering
  • AES
  • PBKDF2

Spying the Spy, Part Three: Breaking TLS

This article explores how to intercept TLS-encrypted network traffic from an application like TimeDoctor using tools such as PolarProxy and Frida. It covers reverse engineering Qt's networking library to extract URLs.

  • reverse engineering
  • TLS
  • PolarProxy
  • frida
  • Qt

Spying the Spy, Part Two: Exploring Logs

This article explores how to analyze logs generated by a time tracker application using Gravwell, a data platform for log ingestion and querying. It covers setting up log ingestion, performing basic and advanced queries (including filtering, transactions, and aggregations), and creating dashboards for visualization.

  • Gravwell

Spying the spy: Frida vs. Time Tracker, Part One

This article explores the reverse engineering and monitoring of TimeDoctor, a productivity tracking tool. It details how to use Frida, a dynamic instrumentation tool, to intercept and log SQLite database interactions from a running application, providing visibility into the tool's data collection mechanisms.

  • frida
  • reverse engineering

Backq/httpdebugger-crack

A public GitHub repository that provides a simple key generator for HTTP Debugger Pro. The tool generates a license key and writes it into the appropriate Windows registry location so that the software is activated automatically once HTTP Debugger has been run at least once. The README explains the structure of the registration format and how it derives the serial number from version and disk identifiers.

  • keygen

Devirtualizing Nike.com's Bot Protection (Part 2)

This article details the development of a disassembler for Nike's VM-based bot protection system. The author explains how to handle the lack of clear opcode definitions by implementing a recursive traversal method to analyze control flow. The disassembler identifies functions and loops by tracking instruction pointers and registers, avoiding the need to execute the bytecode. Challenges include unreachable code and bloat, but the tool successfully recovers a significant portion of the VM's instructions, providing a foundation for further analysis.

  • reverse engineering
  • VM
  • disassembly
  • VM bytecode

Devirtualizing Nike.com's Bot Protection (Part 1)

Web attacks like account brute forcing and botting threaten digital systems. Browser fingerprinting helps protect against these by creating unique identifiers, but it's easy to spoof. Obfuscation complicates reverse engineering, leading to virtualization obfuscation: a custom VM architecture that stores code as bytecode. This article examines the system created for Nike by its contractor Kasada, which uses a virtual machine to interpret bytecode.

  • obfuscation
  • virtualization
  • reverse engineering
  • custom VM
  • bytecode

Reverse Engineering Tiktok's VM Obfuscation (Part 1)

This article explores the reverse engineering of TikTok's VM obfuscation mechanism, revealing a custom virtual machine that executes JavaScript code with a unique bytecode format. The author decompiles and disassembles the Kotlin code to understand the VM's operations, including instruction execution, array handling, and environment management. The findings include two bytecode dumps—one for the VM itself and another for the main application code.

  • VM
  • bytecode
  • JavaScript obfuscation
  • reverse engineering

WerWolv

This article details the process of reverse engineering a thermal printer's Bluetooth Low Energy (BLE) protocol to enable communication via computer instead of a proprietary app. The author decompiled the manufacturer's app to discover command structures and CRC8 checksums, then implemented a Python solution using the Bleak library for BLE communication.

  • BLE
  • reverse engineering

ba1ma0/BurpLoaderKeygenCn

A GitHub repository that provides a combined Burp Suite Pro Loader and Keygen tool intended to help with offline activation and launching of Burp Suite Pro (from version 2020.1 onward). The project integrates multiple existing Burp loader/keygen efforts and adds features like update detection and auto run.

  • keygen

bitcookies/winrar-keygen

A GitHub repository that implements a WinRAR license key generator and explains the principle of WinRAR key generation. It provides code and workflows to reproduce the elliptic-curve based signature algorithm used by WinRAR.

  • keygen
  • ECC

ImGui Game Overlays using DLL injection

This article details a method for creating overlays in games using DLL injection and ImGui. It explains how to inject a DLL into a game process, hook OpenGL functions to render overlays, and integrate ImGui for creating UI elements. The process involves finding the target process, allocating memory, and handling function hooks to display graphics on top of the game.

  • DLL injection
  • ImGui
  • OpenGL
  • reverse engineering
  • Windows API

Reverse engineering – Supercell – chapter 9

This article details two main reverse engineering achievements related to Supercell games. First, it presents a universal solution for extracting the public server key (pks) from multiple games, including HayDayPop. This approach uses dynamic memory hooking and watchpoints to bypass obfuscation techniques like Arxan, avoiding reliance on static offsets. Second, the author describes a sophisticated 'Videobot' system built for automating the recording of top players in Clash Royale. This system employs custom Android applications, Frida for code injection, and a Python backend to manage device operations, video compression, and encryption-related tasks. The Videobot replaces server connections with a local mock to facilitate recording.

  • reverse engineering
  • frida

How I’m keeping code execution in the most secured mobile game – reverse engineering – Supercell part 8

This article details the advanced security measures implemented by Supercell in their mobile games, focusing on reverse engineering techniques to bypass anti-cracking protections. It covers identifying and disabling specific 'hard' and 'soft' checks that prevent code execution tools like Frida from functioning. The author then demonstrates how to intercept and redirect network traffic to a local proxy, replacing DNS lookups to route game communications through a custom application.

  • reverse engineering
  • frida
  • Supercell

metowolf/mathematica-keygen

A JavaScript-based key generator for Wolfram Mathematica that reproduces the offline activation key/password generation algorithm for Mathematica versions around 12.0. The package (installable via npm) exports a `keygen(mathID, activationKey)` function that takes a Machine ID and an activation key and returns an array of generated passwords.

  • keygen

No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE

This article details the discovery and exploitation of a stack-based buffer overflow vulnerability in an IP camera's firmware. The vulnerability was leveraged to bypass ASLR using a ROP chain, enabling unauthenticated RCE. The exploit involved manipulating the GOT to redirect execution to the `system` function, demonstrating techniques relevant to ARM architecture.

  • ASLR bypass
  • ROP chain
  • RCE
  • buffer overflow
  • IoT security

Tackling JavaScript Client-side Security (Part 1)

This article examines the effectiveness of Jscrambler's JavaScript obfuscation techniques by analyzing an obfuscated game sample. The author discovers that obfuscation significantly increases code length and employs string concealment and encoding functions. By isolating these functions and using an Abstract Syntax Tree (AST) approach with tools like Esprima, the author successfully deobfuscates the code, making it more readable and revealing its functionality.

  • JavaScript obfuscation
  • deobfuscation
  • AST
  • Jscrambler

Cracking the uncrackables – Reverse engineering – Supercell – part 7

This article details the reverse engineering process of Brawl Stars' new, previously unknown protection mechanism. After identifying a compiler and protection system, the author faced challenges in debugging due to a packer preventing code execution. Using a combination of frida, Android kernel modifications, and inline syscalls, the author found ways to intercept system calls, delay process startup, and gain code execution.

  • reverse engineering
  • Supercell
  • frida

ghost0507/Internet_Download_Manager_Keygen

A public GitHub repository that implements a key generator for Internet Download Manager (IDM) v6.x written in Python 3. The project includes a script (`idmv6_keygen.py`) that produces registration keys for IDM, enabling offline activation of the software for versions in the 6.x series.

  • keygen

Reverse Engineering Pokémon GO Plus

This article details the reverse engineering of the Pokémon GO Plus device, revealing the certification algorithm used for pairing with the game. The author explains how to clone the device by extracting a device-specific blob and key, noting that using other devices' blobs may lead to future bans. The implementation is available for ESP32, and the hardware reverse engineering involved extracting firmware from the device's SPI flash.

  • reverse engineering
  • ESP32
  • BLE

Anatomy of a Supreme Bot (Part 3)

This article explores the concept of 'variants' in Supreme botting, which refers to size IDs used in the checkout process. It explains how variants can be identified through the mobile_stock.json file, where item IDs increment sequentially. This knowledge allows bots to skip certain API steps and checkout directly, offering a significant advantage for bot developers.

  • botting
  • bruteforce

Dumping an external EEPROM

This article details the process of extracting data from external EEPROM memory chips using two communication protocols: I2C (TWI) and SPI. For I2C, the Arduino Wire library is used to communicate at a specified clock frequency, set the start address, and read data in 32-byte chunks, sending raw output via serial for tools like RealTerm to interpret. For SPI, the SPISettings configure the clock speed, data mode, and bit order; the process involves setting up the chip select line, reading data sequentially, and handling potential voltage level differences with a logic level shifter.

  • I2C
  • SPI
  • EEPROM
  • Arduino

Anatomy of a Supreme Bot (Part 2)

This article details the technical steps involved in automating purchases on Supreme using bots. It covers the process of adding items to cart by sending POST requests with specific IDs and using mobile user-agents, the checkout process which requires user data and includes a ReCAPTCHA captcha, and methods for handling captchas. The article explains how bots can bypass captchas by either having users complete them or using third-party services, and describes how bots monitor the checkout process using a unique slug and status endpoint.

  • CSRF token
  • captcha
  • botting

Anatomy of a Supreme Bot (Part 1)

This article examines how bots operate on the Supreme website, focusing on a category that uses mobile endpoints to fetch and post data. It explains that these bots work in five steps, with part one covering the initial steps of finding an item and retrieving its style and sizing information. The process involves detecting new items by periodically fetching the mobile_stock.json endpoint, which contains all available products. Once an item is identified, its specific endpoint provides details on styles and sizes, which are necessary for completing a purchase.

  • botting

Reverse engineering – Supercell – part 6

This article details the reverse engineering of Supercell's custom encryption, which was heavily obfuscated with Arxan. The author faced significant challenges due to techniques like opaque predicates and control flow flattening, making static analysis nearly impossible. The approach involved dynamic analysis using frida to intercept memory and network traffic, emulation with unicorn to bypass obfuscation, and custom Python scripts to log and analyze execution. Key steps included intercepting /dev/urandom for nonce and key generation, hooking specific functions to avoid crashes, and implementing a decryption routine.

  • reverse engineering
  • Supercell
  • frida
  • unicorn
  • control flow flattening
  • dynamic analysis

Breaking SecuROM 7 - A Dissection

A collection of guides and techniques for cracking SecuROM-protected software, compiled from various ARTeam members and other contributors.

  • securom
  • DRM
  • reverse engineering
  • vm interpreter

0x14Rp/Wing-IDE-7-keygen

A GitHub repository providing a Python-based key generator for activating Wing IDE v7, a Python integrated development environment. The tool includes a simple script (`keygen.py`) that generates an activation code for Wing IDE based on user input and the IDE’s request code, allowing users to complete the activation prompt in Wing IDE.

  • keygen

Improving Language Understanding by Generative Pre-Training

This paper introduces Generative Pre-Training (GPT), a method that pre-trains a transformer-based language model on a large unlabeled text corpus and then fine-tunes it on supervised downstream tasks. The approach demonstrates that unsupervised pre-training significantly improves performance on a wide range of NLP benchmarks, including natural language inference, question answering, and text classification.

  • NLP
  • language model
  • fine-tuning
  • ML

A journey to Finland, Reverse Engineering on Android – Supercell Pt 5

This entry details a reverse engineering journey focused on Android mobile games, specifically Supercell's protections. Key techniques included using dynamic analysis with Frida to bypass protections, debugging game encryption with tools like Unicorn, and building custom emulators for comparison.

  • reverse engineering
  • Android security
  • frida
  • encryption
  • unicorn
  • dynamic analysis

JohnHubcr/navicat-keygen

A GitHub repository for a Navicat offline activation key generator and exploration of Navicat’s offline activation mechanism. The code focuses on the RSA-2048 public key that Navicat uses to encrypt/decrypt activation information, stored in the Navicat executable or resource files, and tools to produce keys for offline activation.

  • keygen
  • RSA-2048

Reverse Engineering – Supercell – part 4

This post details ongoing reverse engineering efforts on Boom Beach, highlighting several security protections implemented by Supercell. The analysis reveals a compiler likely using Clang with custom LLVM plugins, strong string encryption handled via an ELF initialization table, and extensive obfuscation. The most significant finding relates to anti-tampering measures, specifically a CRC check mechanism that can be bypassed using specific offsets to prevent crashes.

  • reverse engineering
  • string encryption
  • anti-tampering
  • CRC function

Reverse Engineering – Supercell – October update, part 3

In October 2017, Supercell released updates across Clash Royale, Clash of Clans, and Boom Beach. While new content was the main focus, the updates included enhanced security measures to prevent reverse engineering and binary manipulation. In Boom Beach, login encryption was obfuscated, debuggers were blocked, and the binary was protected against modification. Despite these changes, the encryption logic itself remained unchanged.

  • reverse engineering
  • Supercell
  • frida
  • game obfuscation
  • encryption

Reverse Engineering – Supercell – Clash Royale. Part 2

This article details the reverse engineering of two key message types in Supercell's Clash Royale protocol: ECT (EndClientTurn) and OHD (OwnHomeData). ECT messages are used to keep the server and client synchronized, especially during user actions, and include a client-generated checksum for anti-cheat purposes. OHD messages contain extensive data for the client to build the game home, including deck information and event data. The reverse engineering reveals how ECT payloads change during specific actions, and the structure of OHD is detailed, with plans to open-source the findings post-update.

  • reverse engineering
  • Supercell
  • checksum

Clash of Clans – SuperCell new encryption reverse engineering

This analysis explains how to reverse engineer SuperCell's new encryption in Clash of Clans (and related games). The previous encryption method, which involved patching a hardcoded public key, no longer works. The new encryption uses a different approach where a shared key is dynamically generated during runtime using a hardcoded public key. To bypass this, the author developed a patch that modifies two memory offsets, effectively replacing the dynamically generated shared key with a hardcoded one. This allows for decrypting and encrypting payloads similar to the old method. Tools like IDA, GDB, and Unicorn were used in the reverse engineering process.

  • reverse engineering
  • encryption
  • Supercell

Attention Is All You Need

This paper introduces the Transformer architecture, a neural network model based entirely on self-attention mechanisms, removing the need for recurrent or convolutional layers. By enabling parallel computation and more effective modeling of long-range dependencies, the Transformer achieves state-of-the-art results in machine translation and becomes the foundation for many modern language models.

  • NLP
  • transformer
  • ML