Reverse-engineering an embedded system without a disassembler: patching static data, using the 9S12HY64 as an example

A practical case study of reverse-engineering an instrument cluster built on the 9S12HY64 microcontroller (Freescale). Instead of disassembling, we used I²C bus sniffing, collection of reference commands, signature search in the firmware and targeted patching of static data.

https://habr.com/ru/articles/1016008/

#реверсинжиниринг #ghidra #логический_анализатор #патчинг #freescale

Reverse-engineering an embedded system without a disassembler: patching static data, using the 9S12HY64 as an example

Introduction Good health to all! The goal of the article: to show an approach to reversing an unfamiliar architecture when the usual analysis tools are not available. The task: modify the information shown on the display...

Habr

Well, live and learn. There is actually a better search option which supports wildcards under Search -> "Memory...".

#ghidra #win16 #reverseengineering

If we look closely and chew through some endianness magic, we can now start searching for the "magic bytes" using the knowledge that the `CALLF` instruction starts with 0x9a and the next four bytes are the address of the thunk.

One way so far is via Search -> "For Instruction Patterns" and looking up all the possible locations for these calls.
All this is manual work though, until I figure out a way to script this...

#ghidra #reverseengineering #win16

Some minor progress with Ghidra:

Firstly, it recognizes imports from various libraries (GDI, KERNEL and MMSYSTEM), but as it hasn't fully decompiled the game, most of the imports are marked as unused. On the image below `GDI::CREATECOMPATIBLEDC` is referenced from the code, but `GDI::CREATEDC` isn't.

So if we dig further, we can see that the library calls use `CALLF address_of_thunk` which in hex is `9a4000b811`...
#ghidra #reverseengineering #win16
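The byte-pattern search the two posts above describe (a `CALLF` encoded as 0x9a followed by a little-endian offset:segment far pointer, e.g. `9a4000b811`), scripted as an added example that is not code from the original posts. It scans a constructed byte string rather than a real NE binary, and the thunk targets in the sample are invented.

```python
import struct
from collections import Counter

CALLF_OPCODE = 0x9A  # 16-bit x86: CALLF ptr16:16 (far call, immediate offset:segment)


def encode_callf(segment: int, offset: int) -> bytes:
    """Encode `callf segment:offset` as it appears in a 16-bit code segment:
    opcode, then offset and segment each as a little-endian 16-bit word."""
    return bytes([CALLF_OPCODE]) + struct.pack("<HH", offset, segment)


def scan_callf(image: bytes):
    """Return (file_pos, segment, offset) for every 0x9A byte that has four bytes after it.
    Like Ghidra's instruction-pattern search this is opcode-only: a 0x9A inside data or
    inside another instruction's operand is reported too, so candidates still need review."""
    hits = []
    for pos in range(len(image) - 4):
        if image[pos] == CALLF_OPCODE:
            offset, segment = struct.unpack_from("<HH", image, pos + 1)
            hits.append((pos, segment, offset))
    return hits


def likely_thunks(hits, min_calls=2):
    """Rank far-call targets by how many call sites reach them. Import thunks are called
    from many places, while a stray 0x9A usually yields a target seen exactly once."""
    counts = Counter((seg, off) for _, seg, off in hits)
    return [target for target, n in counts.most_common() if n >= min_calls]


def fmt(segment: int, offset: int) -> str:
    return f"{segment:04X}:{offset:04X}"


# Constructed sample image (not from any real binary): a small routine with three far
# calls to two thunks, followed by a data blob that happens to contain a 0x9A byte.
SAMPLE = (
    b"\x55\x8b\xec"                  # push bp; mov bp,sp
    + encode_callf(0x11B8, 0x0040)   # the 9a4000b811 bytes quoted in the post
    + encode_callf(0x11B8, 0x0048)
    + encode_callf(0x11B8, 0x0040)
    + b"\xc9\xcb"                    # leave; retf
    + b"\x9a\x12\x34\x56\x78"        # data: decodes as callf 7856:3412 but occurs once
    + b"\x00\x9a"                    # trailing 0x9A with no room for a far pointer
)

if __name__ == "__main__":
    hits = scan_callf(SAMPLE)
    for pos, seg, off in hits:
        print(f"{pos:#06x}: callf {fmt(seg, off)}")
    print("probable thunks:", [fmt(*t) for t in likely_thunks(hits)])
```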

Ghidra is free, extensible, and helpful for reverse engineering firmware, but its learning curve is steep...

In this blog post, Adam Bromiley shares tips and tricks that make firmware reversing less painful, from finding the load address and interrupt vector table, through to defining a proper memory map and making better use of strings, scripts, LLMs, and more.

It's a guide built from real research projects and a lot of hours spent in front of Ghidra’s UI.

📌Read here: https://www.pentestpartners.com/security-blog/taming-the-dragon-reverse-engineering-firmware-with-ghidra/

#ReverseEngineering #FirmwareSecurity #Ghidra #HardwareHacking #CyberSecurity
📢 LLMs and malware analysis: real gains, strong limits and good practices
📝 Security Blog publishes a detailed lessons-learned report on using LLMs (GPT‑5.1/mini, Claude Sonnet 4.6/Opus) in a malware analysis lab, based ...
📖 cyberveille: https://cyberveille.ch/posts/2026-03-08-llm-et-analyse-de-malware-gains-reels-limites-fortes-et-bonnes-pratiques/
🌐 source: https://blog.gdatasoftware.com/2026/03/38381-llm-malware-analysis
#CVE_2017_11882 #Ghidra #Cyberveille
LLMs and malware analysis: real gains, strong limits and good practices

Security Blog publishes a detailed lessons-learned report on using LLMs (GPT‑5.1/mini, Claude Sonnet 4.6/Opus) in a malware analysis lab, based on concrete tests (including CVE‑2017‑11882) and tool integration via MCP.

🧪 Setup and first attempts

The author deploys two VMs (Remnux and Windows 10) and connects MCP servers (remnux, remnux-docs, x64dbg, virustotal, ssh-mcp, ghidra-mcp) to drive static and dynamic analysis. On an Office document exploiting CVE‑2017‑11882 (Equation Editor), GPT‑5.1‑mini fails (false positives, misreading of the oletools output from “decalage.info”, failures with Unicorn/Speakeasy). GPT‑5.1 and Claude Sonnet 4.6 succeed with guidance: shellcode extraction, Speakeasy emulation and recovery of the next-stage URL. Sonnet 4.6 identifies the exploit and the shellcode region on its own, but needs emulation to obtain the URL.

🚀 Efficiency vs reliability

CyberVeille
I just realized that my cyclomatic complexity calculator breaks with PyGhidra so I pushed some fixes:

https://github.com/v-p-b/rabbithole

#Ghidra #ReverseEngineering
GitHub - v-p-b/rabbithole: Cumulative cyclomatic complexity calculation for Ghidra

Cumulative cyclomatic complexity calculation for Ghidra - v-p-b/rabbithole

GitHub

We hid backdoors in ~40MB binaries and asked AI + Ghidra to find them

https://quesma.com/blog/introducing-binaryaudit/

#HackerNews #AI #Binary #Audit #Ghidra #Backdoors #Security

We hid backdoors in ~40MB binaries and asked AI + Ghidra to find them - Quesma Blog

BinaryAudit benchmarks AI agents using Ghidra to find backdoors in compiled binaries of real open-source servers, proxies, and network infrastructure.

Quesma

Lots of exciting work happening around the MISP project, we’ll reveal more once things are ready 👀

Meanwhile, a new MISP extension for Ghidra is under active development and steadily growing with awesome new features.

https://github.com/MISP/misp-ghidra

#ghidra #misp #cybersecurity #threatintel #reversing

@misp
@circl

GitHub - MISP/misp-ghidra: Ghidra and MISP

Ghidra and MISP. Contribute to MISP/misp-ghidra development by creating an account on GitHub.

GitHub