Explore the Mamba ransomware through dynamic analysis, memory forensics, and kernel debugging to examine how the malware works and whether recovery is possible without the original password. The result is an in-depth look at an unsophisticated but effective form of ransomware.
A step-by-step guide to setting up a virtual machine tailored for malware analysis, covering OS installation, tool selection, and hardening. Designed for safe, realistic, and practical reverse engineering workflows.
A complete workflow from CVE release to developing a proof-of-concept exploit for local privilege escalation.
Reverse engineering a C++ CrackMe distributed as an AppImage, using Ghidra and GDB to analyze a secp256k1-based key validation routine. Explores public key generation from partially known secrets and automates key recovery with Pollard’s kangaroo algorithm.
A virtualization-heavy CrackMe, utilizing a user-level stack to obfuscate dataflow. Static analysis reveals little, but dynamic instrumentation with GDB and Python recovers meaningful behavior and paves the way to SMT for flag recovery.
Analysis of this CrackMe covers the structure of a virtual machine at a granular level, including the fetch-decode-dispatch-handle process. A custom Ghidra processor is developed to support disassembly and decompilation of the VM bytecode. Lastly, two approaches are explored to recover valid input: symbolic execution via a custom Ghidra extension (Ghimera), and manual algorithm identification.
Reverse engineering and manipulation of a CTF stock trading game that uses a PNG as a save file. Covers save file decryption, bypassing license checks via binary patching, and generating valid license keys through reverse-engineered constraints.
Koi is a C++ extension to the Triton dynamic binary analysis library that provides convenience features for symbolic execution. By hooking functions and instructions, the heap and stack can be dynamically tracked for a wide range of cyber-related tasks.
A beginner-friendly reverse engineering walkthrough of a CrackMe, focusing on static analysis of a simple assembly binary using Ghidra, with step-by-step key file reconstruction.