| Website | https://washi.dev |
| GitHub | https://github.com/Washi1337 |
| https://twitter.com/washi_dev | |
| BlueSky | https://bsky.app/profile/washi-dev.bsky.social |
Over the past couple years, I have come to know the #dotnet platform pretty well, from a developer's and a #reversing standpoint.
I canβt always say the same the #infosec community.
Today, I decided to rant a little (or maybe a lot π)
π https://blog.washi.dev/posts/misconceptions-about-dotnet/
Better late than never, I finally managed to finalize my #flareon12 write-upsπ
Overall, it was a fun set of challenges and the latter ones a reminder of how much I still have to learn in the field of RE :).
π https://blog.washi.dev/posts/flareon12/
π https://washi1337.github.io/ctf-writeups/writeups/flare-on/2025/
Image
After #flareon11 challenge 7, I got inspired to build tooling for #dotnet Native AOT reverse engineering.
As such, I built a #Ghidra Analyzer that can automatically recover most .NET types, methods and frozen objects (e.g., strings).
πhttps://blog.washi.dev/posts/recovering-nativeaot-metadata/
Did you know you could write entire #csharp programs just by using the "await" keyword?
OK, well not really, but I spent some weekends developing AwaitFuscator: A (dumb) #obfuscator that turns your #dotnet program into nothing but "await" expressions!
"Noo! Ghidra has such a bad UI! IDA is much better!"
Explain to me: In what world does a hex view need column selection that crosses multiple columns (and beyond) and disappears upon scrolling?
The decompiler may be good but I genuinely don't see how people put up with IDA's UI.
Earlier this month I found a way to consistently pop calculators in #dnSpy by opening a file and clicking some nodes in its browser.
Today I release a write-up on how this can be done:
π https://blog.washi.dev/posts/popping-calcs-in-dnspy/
Update dnSpy if you haven't already!
Programming languages that operate on a virtual machine often promise safety guards against many unsafe operations. However, virtual machines can have pretty serious bugs. In this post, we explore one interesting limitation of self-contained applications in .NET, and see how we can exploit it to pop calculators from our trusty decompiler dnSpy:
I participated in DEFCON CTF Qualifiers of this year with Shellphish (thanks for inviting me!), and solved a web/rev/pwn challenge where we pwned a Javascript VM with... Python Picklesπ₯?
Have a read how we ended up doing this on my blog π https://blog.washi.dev/posts/defcon-brinebid
On May 27 until May 29, I had the pleasure to join Shellphish in the DEFCON CTF Qualifiers of 2023. I wanted to highlight one of the challenges called brinebid that I ended up working on as well as finding and submitting the flag for. It is a really interesting challenge, combining web security with some reverse engineering a virtual machine (VM), as well as exploiting a vulnerability in the VM to get arbitrary code execution.
What really is the entry point of a #dotnet application? Is it `public static void Main()`, or are there other places that we should look at when reverse engineering .NET samples?
πRead about it in my new blog post: https://washi.dev/blog/posts/entry-points/
#reversing #malware
public static void Main(); This is what most people associate with the entry point of a .NET module. However, as it so turns out, this is not the place where it all begins. In this post, we will review different types of entry points that are available to us, and go on a quest to find the holy grail the actual place where user code really starts.
I thought it was time to show off some of #AsmResolver's new #native #PE #patching API. In this blog, we discuss how to programmatically inject code into an arbitrary PE, and learn how to construct new import directories as we go.
Patching PE files is easy. Injecting new code that uses functions from external modules, however, is more complicated. In this post, we are implementing a method for rebuilding import directories, such that we can inject any type of code in an arbitrary PE file.
Time for another blog post!
This time we are tackling .NET debuggers and make them display garbage data with the help of proxy objects and debugger display attributes.
Full post: https://washi.dev/blog/posts/debugger-proxy-objects/
PoC Implementation: https://github.com/Washi1337/ProxyObjects
#dotnet #obfuscation #reversing #asmresolver #cil #dnspy #decompiler #debugger #poc
.NET decompilers and debuggers have become very good at helping reverse engineers figure out the inner workings of a program. However, they also make a lot of assumptions that can be used against them. In this post, we will explore a method that can be used to trick the debugger into hiding a lot of important information during a debugging session.