My selection of articles I have read, organised by date with summaries and keywords so they are easy to find again.

Good sources

A list of good sources for articles and blogs.

Articles

Apple's Attention to Detail

Apple's once-renowned attention to detail has significantly declined over the last 8-10 years, particularly with the introduction of iOS 26 and macOS Ventura (26). The author expresses frustration over numerous user experience issues, including persistent permission prompts, inconsistent UI elements across applications, bugs in core apps like Reminders and Files, and problematic design choices such as the 'liquid glass' effect.

  • Apple design
  • iOS 26 issues
  • UI/UX

Revisiting Browser Cache Smuggling

This article explores browser cache smuggling as a technique for delivering malware. It demonstrates how COM hijacking can execute DLLs directly from the cache without renaming, reducing detection risks.

  • Browser Cache Smuggling
  • COM Hijacking
  • Steganography
  • DLL Hijacking

How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked

This article details the author's experience of reverse engineering Amazon's Kindle DRM system. Amazon implemented multiple obfuscation layers, including randomized glyph IDs and anti-scraping techniques like fake font hints in SVG paths. The solution involved rendering SVG glyphs as images, generating perceptual hashes, and matching against standard TTF fonts using SSIM hashing.

  • DRM
  • reverse engineering
  • Kindle
  • obfuscation
  • SSIM hashing

ClubWPT Gold Back Office Vulnerability

A vulnerability was discovered in ClubWPT Gold's online poker platform, allowing unauthorized access to the back office application. Attackers gained access to source code and credentials through an exposed environment file and hardcoded admin credentials. They bypassed two-factor authentication using a vulnerability in the authentication system, leading to exposure of customer data including personal information and transaction details.

  • back office access
  • authentication bypass

I'm Building a Browser for Reverse Engineers

A reverse engineer describes building a custom browser tool designed for analyzing web scripts and anti-bot measures. The tool uses Chromium DevTools Protocol to inject hooks into JavaScript functions, log calls across frames, and deobfuscate scripts.

  • reverse engineering
  • anti-bot
  • fingerprinting
  • DevTools Protocol
  • deobfuscation

I'm Building a Browser for Reverse Engineers

The author describes building a browser specifically for reverse engineering and analyzing web scripts. Starting with browser extensions, they faced limitations and moved to a Chromium fork for deeper hooks. Key features include intercepting JavaScript function calls via a custom CDP domain, deobfuscation tools, function overriding, and analysis of anti-bot and fingerprinting scripts. The project evolved from a weekend prototype to a robust tool, with plans to transition away from Electron.

  • reverse engineering
  • JavaScript hooks
  • anti-bot
  • fingerprinting
  • Chromium
  • deobfuscation

CVE-2025-59489: Arbitrary Code Execution in Unity Runtime

A vulnerability in the Unity Runtime allows attackers to execute arbitrary code by manipulating intent handlers. Attackers can load malicious libraries via the `-xrsdk-pre-init-library` command line argument, enabling code execution with Unity's permissions.

  • Arbitrary Code Execution
  • Unity
  • Android
  • Dlopen

Reverse Engineering Denuvo in Hogwarts Legacy

This talk explores the reverse engineering of Denuvo's anti-tamper protection in Hogwarts Legacy. It explains that Denuvo protects game licenses rather than preventing copying, using unique hardware fingerprints and runtime validation. The presenter details their bypass technique involving thousands of hooks to simulate valid fingerprints from another PC, resulting in a stable but patched game. The analysis shows minimal performance impact during gameplay but significant during transitions.

  • Denuvo
  • reverse engineering
  • anti-tamper
  • fingerprint

Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)

A critical vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT allows remote code execution without authentication via a deserialization flaw. Attackers can bypass authentication by manipulating the system's licensing endpoint, leading to the deserialization of arbitrary objects.

  • deserialization
  • GoAnywhere
  • authentication bypass
  • CVE-2025-10035
  • pre-auth RCE

The Only JWT Security Guide You Will Ever Need

JSON Web Tokens (JWTs) are widely used for authentication and authorization but can introduce security risks if improperly configured. Common vulnerabilities include flawed signature verification, allowing attackers to alter token claims; weak secret keys enabling brute-force attacks; and header injections (JWK, JKU, KID) that bypass key verification.

  • JWT security
  • signature verification
  • JWK injection
  • JKU injection
  • KID injection

Apple's Private CSS Property Enables Liquid Glass Effects

Apple has introduced a private CSS property called `-apple-visual-effect` that allows developers to add Liquid Glass effects to web content within iOS apps using WKWebView. While the property is currently only accessible within Apple's own applications and requires enabling a specific setting, it offers a way to achieve the sleek, native-like appearance seen in iOS 26. The article suggests that Apple may already be using this feature in its own apps, contributing to the seamless integration of webviews that users often experience without noticing.

  • CSS
  • Liquid Glass
  • WKWebView

Detecting AI Fakes with Compression Artifacts

JPEG compression is common online but alters images slightly, leaving visible artifacts. ELA (Error Level Analysis) detects inconsistencies by recompressing images and comparing the results, revealing areas manipulated by AI or other tools.

  • JPEG compression
  • Error Level Analysis (ELA)
  • image forensics
  • deepfakes
  • artifacts

Dissecting DCOM part 1

DCOM, a distributed extension of COM, enables remote object activation and communication, built on core concepts like CLSIDs, ProgIDs, and interfaces for abstraction. This article covers COM/DCOM fundamentals: historical context, key identifiers, enumeration methods using tools like PowerShell and OleView.NET, instantiation techniques, and the activation process involving RPC protocols. It provides a foundation for understanding remote method calls and their security implications.

  • COM
  • DCOM

Wanted to spy on my dog, ended up spying on TP-Link

Curiosity about a TP-Link indoor camera's onboarding process led to reverse-engineering efforts. The author discovered a default admin password and an encrypted communication channel. By analyzing the app and camera interactions, they developed a script to automate the setup, bypassing the need for cloud integration. The experience revealed insecure coding practices but resulted in a practical solution for simplified camera deployment.

  • reverse engineering
  • IoT security
  • Frida
  • PyTapo

2025 summer challenge writeup

The 2025 Synacktiv Summer Challenge focused on optimizing Podman archive formats by exploiting internal caching mechanisms and compressing image layers. Participants competed to create the smallest possible OCI or Docker archive containing a self-extracting binary.

  • Podman
  • OCI archive
  • Docker archive
  • compression

You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)

A critical vulnerability in FreePBX (CVE-2025-57819) allows unauthenticated attackers to bypass security and execute arbitrary code. The flaw stems from improper handling of user input, enabling access to sensitive areas and remote code execution via SQL injection in the Endpoint module. Systems using FreePBX versions 16 or 17 are affected, with recommendations to apply patches immediately.

  • FreePBX
  • CVE-2025-57819
  • SQL injection
  • remote code execution

Building The Language Model Nobody Asked For

This article describes the process of creating a more engaging and humorous language model by training the Mistral Small 3 24B model on data from various websites.

  • Language Model
  • Training

Recursive vs Linear JSVM Disassembly

Linear disassembly decodes bytecode sequentially, which works for static VMs but fails when bytecode is modified at runtime. Recursive disassembly follows jumps and handles runtime changes, but may skip dead code.

  • disassembly
  • VM
  • reverse engineering

Reverse Engineering Vercel's BotID

This analysis examines Vercel's BotID service, an anti-bot system that operates through client-side signal collection. The service features two modes: Basic, which is free and relies on detecting browser automation and other bot-like behaviors, and Deep Analysis, which requires a paid plan and uses Kasada's advanced fingerprinting scripts. The article demonstrates how to reverse-engineer the obfuscated JavaScript used by BotID and shows that Basic mode can be bypassed by spoofing browser properties.

  • anti-bot
  • fingerprinting
  • JavaScript obfuscation

Custom App Licensing Security: What We Built When HTTPS Wasn't Enough (external)

This article describes the development of a custom licensing system for a kiosk app that operated offline after initial activation. The solution involved several security layers: storing license expiry dates on the device, enforcing forward-only time progression to prevent date tampering, using unique nonces to block replay attacks, verifying API responses with digital signatures and embedded public keys (via obfuscation), and additional hardening measures like nonce validation and time synchronization checks.

  • licensing system
  • nonce validation
  • reverse engineering

Forging Passkeys: Exploring the FIDO2 / WebAuthn Attack Surface

This article explores vulnerabilities in the FIDO2/WebAuthn protocol used for passkeys. It details how researchers reverse-engineered the CTAP2 protocol, built a software authenticator to impersonate a hardware key, and demonstrated forging passkey signatures for automated logins. The analysis reveals that many relying parties lack proper security measures, allowing replay attacks, and suggests mitigations like enforcing sign-counters and restricting browser automation APIs.

  • FIDO2
  • CTAP2
  • forging passkeys

A Clever (but not so good) Scraper Protection

This article describes an anti-scraping technique that uses text obfuscation through a custom font with remapped characters. While initially clever, the method is difficult to bypass programmatically, especially when the font changes randomly. However, it is ultimately ineffective, since major search engines can still render the text correctly, which makes it a poor protection mechanism.

  • web scraping
  • anti-scraping
  • OCR

Unlocking free WiFi on British Airways

British Airways offers free in-flight WiFi restricted to messaging apps. A user discovered that by manipulating the Server Name Indication (SNI) field during the TLS handshake to mimic a connection to WhatsApp (wa.me), they could bypass the restrictions and access the full internet. The article also touches upon Encrypted Client Hello (ECH) as a potential improvement to mitigate SNI leakage.

  • SNI
  • ECH
  • TLS

WatchWitch: Interoperability, Privacy, and Autonomy for the Apple Watch

WatchWitch is an Android application that enables communication with Apple Watch devices by reverse engineering their proprietary protocols. It facilitates interoperability, allowing Android users to interact with Apple Watches, while conducting a thorough security analysis of Apple's wireless communication mechanisms, including IKEv2, ESP, and A-over-C encryption. The research uncovers vulnerabilities and proposes a framework for secure, cross-platform interaction with Apple Watch technology.

  • Apple Watch
  • Security Analysis
  • Reverse Engineering
  • Wireless Protocols

Breaking the 4Chan CAPTCHA

This project aimed to develop a machine learning model using TensorFlow to solve 4Chan CAPTCHAs reliably. Challenges included acquiring training data, which involved scraping CAPTCHAs and generating synthetic data due to limitations with commercial solving services. The model, built with an LSTMCNN architecture, achieved over 90% accuracy on real CAPTCHAs after addressing issues like image processing errors and model conversion hurdles.

  • machine learning
  • TensorFlow
  • LSTMCNN
  • captcha

Anki Zero-Day Vulnerabilities: Multiple RCE Exploits Discovered

A comprehensive technical breakdown of multiple zero-day vulnerabilities discovered in Anki, including arbitrary code execution (RCE) through JavaScript injection, LaTeX command injection, and media player command injection. The article details the discovery process, proof-of-concept exploits, and the mitigations implemented by Anki.

  • Zero-day exploit
  • Arbitrary code execution
  • RCE
  • LaTeX injection

I Gained 1 Million Followers in 24 Hours

An experiment demonstrated how easily social media follower counts can be artificially inflated, specifically using the Nostr protocol. By generating and broadcasting follow requests through multiple relays with a script, over a million new followers were created in less than 24 hours.

  • Nostr
  • Sybil Attack

Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)

This article details the frustration with TicketMaster's SafeTix system, which uses rotating PDF417 barcodes for ticket entry. Through reverse engineering using Chrome DevTools, the author discovers that the barcodes are generated using cryptographic secrets and tokens, enabling offline ticket duplication.

  • reverse engineering
  • mobile tickets
  • TOTP

Rook to XSS: Hacking chess.com

This article details the discovery of cross-site scripting (XSS) vulnerabilities on chess.com through a rich text editor. By exploiting the background-image attribute's onload property, the author bypassed sanitization to manipulate cookies and redirect users. A subsequent payload using the srcset attribute achieved full XSS by directly executing JavaScript.

  • XSS
  • Cross-Site Scripting
  • Rich Text Editor
  • Background-Image

I Replaced Animal Crossing's Dialogue with a Live LLM by Hacking GameCube Memory

This article details how the author replaced the static dialogue in Animal Crossing with dynamically generated text using an LLM. By reverse-engineering the game's dialogue system and establishing communication via shared memory, the author created a two-step AI pipeline: a 'Writer' LLM generates dialogue and a 'Director' LLM handles formatting and control codes.

  • Animal Crossing
  • Reverse Engineering
  • LLM
  • Game Modding

Hacking GTA V RP Servers Using Web Exploitation Techniques

This article details a vulnerability in the rcore_radiocar resource used in GTA V RP servers built on FiveM. By allowing users to input arbitrary URLs, attackers can inject malicious scripts via XSS. This enables control of player accounts, including unauthorized access to microphones, stealing in-game money, and altering player appearances.

  • FiveM
  • XSS
  • server security

Compiling a Custom Browser to Bypass Anti-Bot Measures

This article details the process of reverse-engineering Supreme's anti-bot system to extract decryption and encryption keys, enabling the creation of valid cookies that bypass anti-bot measures. The authors compiled a modified Firefox browser, intercepted JavaScript functions, and captured necessary data to generate these keys and browser fingerprints.

  • anti-bot bypass
  • custom browser compilation
  • decryption
  • browser fingerprint
  • reverse-engineering

Evading JavaScript Anti-Debugging Techniques

Debuggers are essential for analyzing code, but some websites employ anti-debugging measures to hinder reverse engineering. The article explores various evasion techniques, starting with disabling breakpoints but noting that this limits functionality. An attempt to override the debugger keyword with a Greasyfork script fails against heavily obfuscated code. The most effective solution involves renaming the 'debugger' keyword in the browser's source code, specifically in Firefox, allowing breakpoints to trigger without causing infinite loops.

  • JavaScript debugging
  • anti-debugging
  • reverse engineering
  • custom Firefox build

Assessing Anti-Bot Platforms through a Hacker's Lens

This article introduces a series focused on evaluating anti-bot platforms from an attacker's perspective. It highlights the prevalence and impact of web automation attacks, the growth of the anti-bot industry, and the challenge of effective protection due to misinformation and deceptive metrics.

  • anti-bot
  • automation
  • botting

Spying the Spy, Part Three: Breaking TLS

This article explores how to intercept TLS-encrypted network traffic from an application like TimeDoctor using tools such as PolarProxy and Frida. It covers reverse engineering Qt's networking library to extract URLs.

  • reverse engineering
  • TLS interception
  • PolarProxy
  • Frida
  • Qt

Spying the Spy, Part Two: Exploring Logs

This article explores how to analyze logs generated by a time tracker application using Gravwell, a data platform for log ingestion and querying. It covers setting up log ingestion, performing basic and advanced queries (including filtering, transactions, and aggregations), and creating dashboards for visualization.

  • Gravwell
  • log analysis

Spying the spy: Frida vs. Time Tracker, Part One

This article explores the reverse engineering and monitoring of TimeDoctor, a productivity tracking tool. It details how to use Frida, a dynamic instrumentation tool, to intercept and log SQLite database interactions from a running application, providing visibility into the tool's data collection mechanisms.

  • Frida
  • Reverse Engineering
  • SQLite

Devirtualizing Nike.com's Bot Protection (Part 2)

This article details the development of a disassembler for Nike's VM-based bot protection system. The author explains how to handle the lack of clear opcode definitions by implementing a recursive traversal method to analyze control flow. The disassembler identifies functions and loops by tracking instruction pointers and registers, avoiding the need to execute the bytecode. Challenges include unreachable code and bloat, but the tool successfully recovers a significant portion of the VM's instructions, providing a foundation for further analysis.

  • reverse engineering
  • bot protection
  • virtual machine
  • disassembler
  • VM bytecode

Devirtualizing Nike.com's Bot Protection (Part 1)

Web attacks like account brute forcing and botting threaten digital systems. Browser fingerprinting helps protect against these by creating unique identifiers, but it is easy to spoof. Obfuscation complicates reverse engineering, leading to virtualization obfuscation: a custom VM architecture that stores code as bytecode. This article examines Nike's bot protection system, built by the contractor Kasada, which uses a virtual machine to interpret bytecode.

  • bot protection
  • obfuscation
  • virtualization
  • reverse engineering
  • custom VM
  • bytecode

Reverse Engineering TikTok's VM Obfuscation (Part 1)

This article explores the reverse engineering of TikTok's VM obfuscation mechanism, revealing a custom virtual machine that executes JavaScript code with a unique bytecode format. The author decompiles and disassembles the Kotlin code to understand the VM's operations, including instruction execution, array handling, and environment management. The findings include two bytecode dumps: one for the VM itself and another for the main application code.

  • VM
  • Obfuscation
  • Bytecode
  • JavaScript
  • Reverse Engineering

Reverse engineering – Supercell – chapter 9

This article details two main reverse engineering achievements related to Supercell games. First, it presents a universal solution for extracting the public server key (pks) from multiple games, including HayDayPop. This approach uses dynamic memory hooking and watchpoints to bypass obfuscation techniques like Arxan, avoiding reliance on static offsets. Second, the author describes a sophisticated 'Videobot' system built for automating the recording of top players in Clash Royale. This system employs custom Android applications, Frida for code injection, and a Python backend to manage device operations, video compression, and encryption-related tasks. The Videobot replaces server connections with a local mock to facilitate recording.

  • reverse engineering
  • Frida
  • Clash Royale
  • server key

How I’m keeping code execution in the most secured mobile game – reverse engineering – Supercell part 8

This article details the advanced security measures implemented by Supercell in their mobile games, focusing on reverse engineering techniques to bypass anti-cracking protections. It covers identifying and disabling specific 'hard' and 'soft' checks that prevent code execution tools like Frida from functioning. The author then demonstrates how to intercept and redirect network traffic to a local proxy, replacing DNS lookups to route game communications through a custom application.

  • reverse engineering
  • frida
  • supercell

Tackling JavaScript Client-side Security (Part 1)

This article examines the effectiveness of Jscrambler's JavaScript obfuscation techniques by analyzing an obfuscated game sample. The author discovers that obfuscation significantly increases code length and employs string concealment and encoding functions. By isolating these functions and using an Abstract Syntax Tree (AST) approach with tools like Esprima, the author successfully deobfuscates the code, making it more readable and revealing its functionality.

  • JavaScript
  • deobfuscation
  • AST
  • Jscrambler

Cracking the uncrackables – Reverse engineering – Supercell – part 7

This article details the reverse engineering process of Brawl Stars' new, previously unknown protection mechanism. After identifying a compiler and protection system, the author faced challenges in debugging due to a packer preventing code execution. Using a combination of frida, Android kernel modifications, and inline syscalls, the author found ways to intercept system calls, delay process startup, and gain code execution.

  • reverse engineering
  • Brawl Stars
  • Supercell
  • frida

Anatomy of a Supreme Bot (Part 3)

This article explores the concept of 'variants' in Supreme botting, which refers to size IDs used in the checkout process. It explains how variants can be identified through the mobile_stock.json file, where item IDs increment sequentially. This knowledge allows bots to skip certain API steps and checkout directly, offering a significant advantage for bot developers.

  • supreme bot
  • bruteforce
  • api

Anatomy of a Supreme Bot (Part 2)

This article details the technical steps involved in automating purchases on Supreme using bots. It covers adding items to the cart by sending POST requests with specific IDs and mobile user-agents, the checkout process, which requires user data and includes a reCAPTCHA challenge, and methods for handling captchas. The article explains how bots get past captchas either by having users complete them or by using third-party services, and describes how bots monitor the checkout process using a unique slug and status endpoint.

  • mobile user-agent
  • CSRF token
  • captcha
  • bot automation

Anatomy of a Supreme Bot (Part 1)

This article examines how bots operate on the Supreme website, focusing on a category that uses mobile endpoints to fetch and post data. It explains that these bots work in five steps, with part one covering the initial steps of finding an item and retrieving its style and sizing information. The process involves detecting new items by periodically fetching the mobile_stock.json endpoint, which contains all available products. Once an item is identified, its specific endpoint provides details on styles and sizes, which are necessary for completing a purchase.

  • Supreme bot
  • parsing JSON

Reverse engineering – Supercell – part 6

This article details the reverse engineering of Supercell's custom encryption, which was heavily obfuscated with Arxan. The author faced significant challenges due to techniques like opaque predicates and control flow flattening, making static analysis nearly impossible. The approach involved dynamic analysis using frida to intercept memory and network traffic, emulation with unicorn to bypass obfuscation, and custom Python scripts to log and analyze execution. Key steps included intercepting /dev/urandom for nonce and key generation, hooking specific functions to avoid crashes, and implementing a decryption routine.

  • reverse engineering
  • Supercell
  • frida
  • unicorn

A journey to Finland, Reverse Engineering on Android – Supercell Pt 5

This entry details a reverse engineering journey focused on Android mobile games, specifically Supercell's protections. Key techniques included using dynamic analysis with Frida to bypass protections, debugging game encryption with tools like Unicorn, and building custom emulators for comparison.

  • reverse engineering
  • Android security
  • Supercell
  • frida
  • encryption
  • game hacking
  • Unicorn

Reverse Engineering – Supercell – part 4

This post details ongoing reverse engineering efforts on Boom Beach, highlighting several security protections implemented by Supercell. The analysis reveals a compiler likely using Clang with custom LLVM plugins, strong string encryption handled via an ELF initialization table, and extensive obfuscation. The most significant finding relates to anti-tampering measures, specifically a CRC check mechanism that can be bypassed using specific offsets to prevent crashes.

  • reverse engineering
  • Supercell
  • Boom Beach
  • string encryption
  • anti-tampering
  • CRC function
  • frida

Reverse Engineering – Supercell – October update, part 3

In October 2017, Supercell released updates across Clash Royale, Clash of Clans, and Boom Beach. While new content was the main focus, the updates included enhanced security measures to prevent reverse engineering and binary manipulation. In Boom Beach, login encryption was obfuscated, debuggers were blocked, and the binary was protected against modification. Despite these changes, the encryption logic itself remained unchanged.

  • reverse engineering
  • supercell
  • frida
  • game obfuscation
  • encryption

Reverse Engineering – Supercell – Clash Royale. Part 2

This article details the reverse engineering of two key message types in Supercell's Clash Royale protocol: ECT (EndClientTurn) and OHD (OwnHomeData). ECT messages are used to keep the server and client synchronized, especially during user actions, and include a client-generated checksum for anti-cheat purposes. OHD messages contain extensive data for the client to build the game home, including deck information and event data. The reverse engineering reveals how ECT payloads change during specific actions, and the structure of OHD is detailed, with plans to open-source the findings post-update.

  • reverse engineering
  • Clash Royale
  • Supercell protocol
  • checksum

Clash of Clans – SuperCell new encryption reverse engineering

This analysis explains how to reverse engineer SuperCell's new encryption in Clash of Clans (and related games). The previous encryption method, which involved patching a hardcoded public key, no longer works. The new encryption uses a different approach where a shared key is dynamically generated during runtime using a hardcoded public key. To bypass this, the author developed a patch that modifies two memory offsets, effectively replacing the dynamically generated shared key with a hardcoded one. This allows for decrypting and encrypting payloads similar to the old method. Tools like IDA, GDB, and Unicorn were used in the reverse engineering process.

  • reverse engineering
  • encryption
  • SuperCell
  • Clash of Clans