I had a blast today. Doing some reverse engineering, and usually my tool of choice is BinaryNinja. Not today, after some internal monologue I decided to try fully switching to Ghidra.
Since I usually write scripts to reverse/trail through apps, Ghidra and Python were great. What I enjoyed most: I can actually customize the auto analysis for my specific target. That's so pleasant.
So #ghidra made a friend today.
To the #Rust #Wasm community, I wrote a #Pulley #Ghidra plugin to help advance the usage and #ReverseEngineering of the work.
Реверс-инжиниринг ebedded-системы без дизассемблера: патчинг статических данных на примере 9S12HY64
Практический кейс реверс-инжиниринга приборной панели на базе микроконтроллера 9S12HY64 (Freescale). Вместо дизассемблирования мы использовали сниффинг шины I²C, сбор референсных команд, поиск сигнатур в прошивке и точечный патчинг статических данных.
https://habr.com/ru/articles/1016008/
#реверсинжиниринг #ghidra #логический_анализатор #патчинг #freescale
Введение Всем добра и здравия! Цель статьи: показать подход к реверсу незнакомой архитектуры в условиях отсутствия привычных инструментов анализа. Задача: модифицировать вывод информации на дисплей...
Well, live and learn. There is actually a better search option which supports wildcards under: Search -> "Memory..." .
If we look closely and chew through some endianness magic, we can now start searching for the "magic bytes" using the knowledge that `CALLF` instruction starts with 0x9a and the next four bytes is the address of the thunk.
One way so far is via Search -> "For Instruction Patterns" and looking up all the possible locations for these calls.
All this is manual work though, until I figure out a way to script this...
Some minor progress with Ghidra:
Firstly, it recognizes imports from various libraries (GDI, KERNEL and MMSYSTEM), but as it hasn't fully decompiled the game, most of the imports are marked as unused. On the image below `GDI::CREATECOMPATIBLEDC` is referenced from the code, but `GDI::CREATEDC` isn't.
So if we dig further, we can see that the library calls use `CALLF address_of_thunk` which in hex is `9a4000b811`...
#ghidra #reverseengineering #win16
Security Blog publie un retour d’expérience détaillé sur l’usage d’LLMs (GPT‑5.1/mini, Claude Sonnet 4.6/Opus) dans un labo d’analyse de malwares, basé sur des tests concrets (dont CVE‑2017‑11882) et l’intégration d’outils via MCP. 🧪 Mise en place et premiers essais L’auteur déploie deux VMs (Remnux et Windows 10) et connecte des serveurs MCP (remnux, remnux-docs, x64dbg, virustotal, ssh-mcp, ghidra-mcp) pour piloter analyse statique/dynamique. Sur un document Office exploitant CVE‑2017‑11882 (Equation Editor), GPT‑5.1‑mini échoue (faux positifs, mauvaise lecture d’oletools “decalage.info”, échecs avec Unicorn/Speakeasy). GPT‑5.1 et Claude Sonnet 4.6 réussissent avec guidage : extraction du shellcode, émulation Speakeasy et récupération de l’URL du stage suivant. Sonnet 4.6 identifie seul l’exploit et la zone du shellcode, mais requiert l’émulation pour obtenir l’URL. 🚀 Efficacité vs fiabilité
Daniel S. Reichenbach
Kevin Thomas ✅
OffSequence
Habr
plaes
Pen Test Partners
CyberVeille.ch
buherator