| https://twitter.com/_mattata | |
| Personal Blog | https://remyhax.xyz |
| Professional Blog | https://www.greynoise.io/blog |
| Pronouns | He/Him |
Android APK’s have a dedicated loader for Ghidra, but they’re also Archives with nested files which is a different loader. This causes quirks.
Here’s how to get around that and use the best tool.
Ghidra Is Best: Android Reverse Engineering
There’s a lot of “VPN’s are snakeoil, just use HTTPS” discourse again, so here, I’ll sell the farm for the sake of demonstrating exactly how wrong this argument is for phones.
You Want a VPN for Your Phone, Because Apps.
Graph Theory for Reverse Engineers
Or “everything actually is a nail, you just need a bigger hammer”
https://remyhax.xyz/posts/graph-theory-for-reverse-engineers/
Or “everything actually is a nail, you just need a bigger hammer” Graph Theory is a really neat subject matter relating to the modeling of pairwise relations between objects. When you understand graph theory, everything steadily becomes a graph theory problem, because pretty much anything can be.
Step One: How2 Z3
or "I hate math and always re-use the same z3 template when solving crackmes and CTF's and use BitVector because I can represent anything as BitVector and never need to learn more z3, so here's how I finally wrote it down"
Bots associated with this botnet can typically be recognized by distinctive hexadecimal banners featuring strings such as `head[...]1111` or `head[...]11111111`, predominantly appearing on TCP port 17000.
Since its initial detection, our ERT has closely monitored the activities and growth of #Eleven11bot . Early assessments indicate a large and geographically distributed botnet presence, spanning multiple countries such as the United States, Canada, Israel, Spain, the United Kingdom, Brazil, Taiwan, Romania, and Japan, among others.
Local, Private, AI Code Assistant in VSCode. The easy and free way.
Recently, products like Claude Code, Cursor, and Copilot have sprung to the forefront of my social media. I’ve ignored these for quite some time, but a coworker recommended that I try out <some product I can't remember> after I was fighting a particularly gnarly public codebase that had opaque documentation and involved a LOT of state machines.
Your LLMs were backdoored years ago.
The Xiaohongshu 小红书 REDnote 小红书国际版 "Backdoor"
Analysis: The existence of “backdoor” in the Xiaohongshu 小红书 REDnote app appears to be a problem in the connotation of the word itself among a global community, and nothing more.
Since this vulnerability is being successfully exploited in the wild, it probably is worth knowing if your system has been compromised, right?
A compromised box can easily fake (internal AND external) ICT results, and it can also fake the factory reset process as well. So is all hope lost?
Well, in the vast sea of bits on VirusTotal, apparently some good samaritan has uploaded a bootable ISO that can both decrypt an Ivanti ICS filesystem, as well as run the stand-alone ICT in a way that is truly stand-alone. i.e. it doesn't rely on your maybe-compromised running system not lying to you.
With some brief testing, it seems to work. And perhaps can be trustable as much as you trust a computer to boot from the media you specify.
https://www.virustotal.com/gui/file/2d76293e1639152e4871fba67cb5bdb010e444a3cd66bdf943503c48bba412c0/details
Deepfield
Mr. Bitterness
vox 
/sdcard/Android/data for "security" reasons?
@timb_machine
Yeah, I saw the general gist of the exploitation. But what's not clear to me is the whole getting past ASLR.
Yeah, it's only a 32-bit app, but if the exploitation requires 3 different independently randomized things (heap: 14 bits, stack: 12 bits, and binary: 9 bits), that adds up pretty quickly. 🤔
@timb_machine
As it turns out, exploitation can happen with only guessing the base address of a single loaded library.
Attached: 4 images And from @Rapid7Official 's @stephenfewer we have a (mostly) working exploit: https://github.com/sfewer-r7/CVE-2025-0282 While my naive attempt to get control of EIP leveraged both a known heap address and a known stack address, I wasn't pretty pleased with it due to the combined entropy of the heap (14 bits) and the stack (12 bits). Had I tried a bit harder, I could have found the bits that I needed all in a single loaded library (libdsplibs.so). And since it's a 32-bit app, we'll expect to see about 9 bits of entropy, which is very easily brute-forceable in a listening service that re-spawns itself when it crashes. Tweaks necessary to get this to RCE properly (at least with my VMs): 1. Set keep-alive header 2. Set TLS version 1.2 3. Auto-increment the libdsplibs_base value with each attempt, as at least with my VM, the crashing web server is forked from a parent that does not crash, and as such the ICS web server will have the same memory layout every single time. As such, you can't keep a fixed address and re-try until the server matches what you're guessing. You need to guess a different value each time. With these tweaks, I can pop my 22.7R2.4 ICS box in seconds. 🎉 The fact that a 2025 Ivanti ICS box has 32-bit binaries, no stack canaries (which is a mitigation that has been around for 20 years), and no official way to determine if a box is compromised that is sound makes it seem that Ivanti does not REALLY care about security. But please, draw your own conclusions here.
Tim (Wadhwa-)Brown 