remy🐀

@_mattata@infosec.exchange
1.1K Followers
785 Following
268 Posts
Dad, Vulnerability Research, Packet connoisseur. He/Him. Cyber Security Architect GreyNoise. Top percentage Rattata
Twitter: https://twitter.com/_mattata
Personal Blog: https://remyhax.xyz
Professional Blog: https://www.greynoise.io/blog
Pronouns: He/Him

Android APKs have a dedicated loader for Ghidra, but they’re also archives with nested files, which is a different loader. This causes quirks.

Here’s how to get around that and use the best tool.

Ghidra Is Best: Android Reverse Engineering

https://remyhax.xyz/posts/android-with-ghidra/


Ghidra is the best Android app RE tool. It just seems like it’s not, because the loader has easily fixed quirks. Let me demonstrate.


There’s a lot of “VPNs are snake oil, just use HTTPS” discourse again, so here, I’ll sell the farm for the sake of demonstrating exactly how wrong this argument is for phones.

You Want a VPN for Your Phone, Because Apps.

https://remyhax.xyz/posts/you-want-a-vpn-for-your-phone/


VPN: phone, not desktop. WiFi: N/A. These statements are correct. Or at least as correct as is applicable to the general user in the scope of the following contextual blog which generally recommends that:


Graph Theory for Reverse Engineers

Or “everything actually is a nail, you just need a bigger hammer”

https://remyhax.xyz/posts/graph-theory-for-reverse-engineers/


Graph Theory is a really neat subject matter relating to the modeling of pairwise relations between objects. When you understand graph theory, everything steadily becomes a graph theory problem, because pretty much anything can be.


Step One: How2 Z3

or "I hate math and always re-use the same z3 template when solving crackmes and CTFs and use BitVector because I can represent anything as BitVector and never need to learn more z3, so here's how I finally wrote it down"

https://remyhax.xyz/posts/z3/


This article is a long time coming. z3, the constraint solver, is commonly used in crackmes and CTF challenges. Wherever possible, I just lift to angr for symbolic execution and brute-force that way, since z3 is basically math brute-force anyways.

Bots associated with this botnet can typically be recognized by distinctive hexadecimal banners featuring strings such as `head[...]1111` or `head[...]11111111`, predominantly appearing on TCP port 17000.

Since its initial detection, our ERT has closely monitored the activities and growth of #Eleven11bot. Early assessments indicate a large and geographically distributed botnet presence, spanning multiple countries such as the United States, Canada, Israel, Spain, the United Kingdom, Brazil, Taiwan, Romania, and Japan, among others.

Local, Private, AI Code Assistant in VSCode. The easy and free way.

https://remyhax.xyz/posts/local-llm-code-ai/


Recently, products like Claude Code, Cursor, and Copilot have sprung to the forefront of my social media. I’ve ignored these for quite some time, but a coworker recommended that I try out <some product I can't remember> after I was fighting a particularly gnarly public codebase that had opaque documentation and involved a LOT of state machines.

Your LLMs were backdoored years ago.

https://remyhax.xyz/posts/plagairism/


Plagiarism is an ethical violation. Always has been. As such: “A computer can never be held accountable, therefore a computer must never make a management decision”.

The Xiaohongshu 小红书 REDnote 小红书国际版 "Backdoor"

Analysis: The existence of a “backdoor” in the Xiaohongshu 小红书 REDnote app appears to be a problem in the connotation of the word itself among a global community, and nothing more.

https://remyhax.xyz/posts/xiaohongshu-rednote-backdoor/


The popular social media app “TikTok” is likely facing an imminent ban in the United States in the coming days. This has resulted in a mass migration to the Chinese app 小红书 (meaning “little red book”), Xiaohongshu, or simply “REDnote”.

Since this vulnerability is being successfully exploited in the wild, it probably is worth knowing if your system has been compromised, right?

A compromised box can easily fake (internal AND external) ICT results, and it can also fake the factory reset process as well. So is all hope lost?

Well, in the vast sea of bits on VirusTotal, apparently some Good Samaritan has uploaded a bootable ISO that can both decrypt an Ivanti ICS filesystem and run the stand-alone ICT in a way that is truly stand-alone, i.e. it doesn't rely on your maybe-compromised running system not lying to you.

With some brief testing, it seems to work. And perhaps it can be trusted as much as you trust a computer to boot from the media you specify.
https://www.virustotal.com/gui/file/2d76293e1639152e4871fba67cb5bdb010e444a3cd66bdf943503c48bba412c0/details


remember when google blocked access to /sdcard/Android/data for "security" reasons?

lmao
it's a trillion dollar company ffs
@vox wait what's happening here?
@Mae@is.badat.dev adding a zero-width space to the directory name lol

and it suddenly becomes readable
@vox no I get that but like why are the files there? A ZWS should mean it's a different directory
@Mae@is.badat.dev /sdcard is a FUSE filesystem (with FAT32-like path normalization); something's going wrong there, I assume
@vox has this been reported to google yet lol
@Mae @vox please NEVER do that (i mean maybe you should but like. ugggghh i just want to access app data folders without re-rooting calyxos every update)
@pup @vox I'm not gonna but the fact that this has been posted publicly means it might get reported by someone else
@Mae @vox yeah. i mean it's probably for the best that it does but still GRR BARK SNARL LET ME READ APPDATA OVER ADB
@pup @vox security was the worst invention
@vox can’t repro, what android version is that?
@easrng@pleroma.envs.net android 14 (samsung oneui) with october security updates
@vox in termux or only in adb?
@easrng@pleroma.envs.net both Termux and any file explorer; haven't tried adb (reportedly only works on some Android builds)
@vox (I’m on grapheneos btw)
@vox okay but can you write to it
@vox actually hilarious, I wonder what's causing some builds to not be affected but still fun
@vox holy shit it works?? (android 14 miui btw)
@vox can't repro on grapheneos

cannot tell if that's a good thing (no vuln) or a bad thing (i fucking want access to my files please)

@vox Android 15 on a Pixel (not rooted)

I'm either doing something wrong or they broke it further

@VasilisTheChu that's the adb shell. The one in the screenshot is running with normal app context (in Termux). You can also add a ZWSP to the path in any file explorer app and it would work as well.
@vox Android has not yet won its war against the filesystem.
@vox well what do you know! Can't wait for the write-up on this one lol

#CyberSec #Security #Hacking
@vox oh that's fun, you can recurse into subdirectories and access files too
@hazelnoot you can also write stuff :3 (basically full access)
@vox @hazelnoot if it's an actual SD card, anyone could just take it out and put it into a normal device and bypass the silly restriction on accessing your own data on your own storage device.
@zymurgic @vox it's not actually an SD card - this is an encrypted partition on the internal storage
@vox "com.companyname.andriodapp1" 🙀
@vox Apparently "Seeker" by "ShinjiIndustrial". Interesting.
GitHub - jackBonadies/SeekerAndroid: Android client for the Soulseek peer-to-peer network

@vox I just found the typo somewhat peculiar.
@vox wait, how does this work? I would have assumed that the permission denied is generated by SELinux, which doesn't care about the string representation of a path
@vox Whoops, nice, also works on CalyxOS 6.1.0 (Android 15)
@calyxos #calyxos

@vox hmm

Not working via Termux on a Samsung phone, with security update from a month or two ago
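The failure mode the thread describes, an access decision made on one spelling of a path while the storage layer resolves another, can be shown with a small check. This is an added example, not code from any post above and not Android's own logic: a naive prefix test on the raw string beside one that canonicalizes the path first (NFKC, drop Unicode format characters such as U+200B ZERO WIDTH SPACE, collapse dot segments), which also covers `..` traversal, a case the thread does not mention. The protected prefix and the sample paths are constructed.

```python
import posixpath
import unicodedata

# Constructed: the directory the thread says is restricted to its owning app.
PROTECTED_PREFIX = "/sdcard/Android/data"


def naive_is_protected(path: str) -> bool:
    """Decide on the raw string, as a check keyed on the literal path would."""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def canonicalize(path: str) -> str:
    """Canonical form for an access decision.

    1. NFKC folds compatibility variants of characters.
    2. Unicode category Cf (format characters) is dropped; it includes
       U+200B ZERO WIDTH SPACE, U+200D ZERO WIDTH JOINER and U+FEFF.
    3. posixpath.normpath collapses '.', '..' and repeated slashes.
    The policy check and the filesystem must agree on this form, otherwise
    a name that looks different to one side is identical to the other.
    """
    nfkc = unicodedata.normalize("NFKC", path)
    visible = "".join(ch for ch in nfkc if unicodedata.category(ch) != "Cf")
    return posixpath.normpath(visible)


def hardened_is_protected(path: str) -> bool:
    """Same rule as naive_is_protected, applied to the canonical path."""
    return naive_is_protected(canonicalize(path))


# Constructed inputs: the plain path, the same path with a zero-width space
# inside the 'Android' component (as in the thread), and a dot-segment variant.
PLAIN = "/sdcard/Android/data/com.example.app/files"
ZWSP = "/sdcard/Andr\u200boid/data/com.example.app/files"
DOTS = "/sdcard/Android/../Android/data/com.example.app/files"

if __name__ == "__main__":
    for p in (PLAIN, ZWSP, DOTS):
        print(f"{p!r}: naive={naive_is_protected(p)} "
              f"hardened={hardened_is_protected(p)}")
```

The naive check lets the ZWSP and dot-segment spellings through as unprotected; the hardened check maps all three to the same canonical path and protects them alike.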