shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#reversing


Next Thursday, May 15 at @NorthSec in Montreal, I will be hosting the workshop "Reconstructing Rust Types: A Practical Guide for Reverse Engineers"! This will be a 3-hour workshop on how to approach Rust types and data structures when reversing Rust binaries. See nsec.io/session/2025-reconstru for more details!

Workshops at NorthSec will be streamed on YouTube Live. My workshop is scheduled for 1300-1600 EDT (UTC-4) on Thursday, May 15 in the Workshop 2 track, in Salle de la Commune. The stream link for all the Thursday Salle de la Commune workshops is here: youtube.com/watch?v=UwJgS32Q6A

Looking forward to seeing folks there! 🦀

(Edited since I can't count days of the week apparently: May 15, which is when my workshop is occurring, is a Thursday, not a Wednesday.)

NorthSec 2025 · Reconstructing Rust Types: A Practical Guide for Reverse Engineers

Day 32 🗳️💨

Things are coming in thick and fast today, so I’ll try to summarise the major themes.

No Policies of the #Liberal, #LNP and #Coalition.

#AngusTaylor (Opposition Treasurer, Liberal) hands in his #Economics homework late, it’s got problems.

A 🎃 derivative that is toxic ☢️

“A Coalition government would drive the #budget deeper into #deficit over the coming two years, as the shadow finance minister, #JaneHume, insisted her party’s plan to save $17.2bn by #slashing the number of #Canberra-based #PublicServants by 41,000 through “natural attrition” was achievable.”

If returned to power, the Coalition would gut a long list of environment and clean energy programs, including #scrapping the #NetZero #Economy #Agency, reversing Labor’s #TaxBreaks for #ElectricVehicles, and redirecting money slated for the #HomeBatteries program.

#Reversing tax incentives for green hydrogen would save $1.5bn over four years, and not proceeding with Labor’s critical mineral production tax credits would save $1.2bn, the Coalition’s election policy costings show.”

#AusPol / #treasury / #costings / #economy / #future <theguardian.com/australia-news>

The Guardian · Coalition costings reveal larger deficit over coming two years with cuts to foreign aid and environment programs · By Patrick Commins

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: volexity.com/blog/2025/04/01/g
 
#dfir #reversing #malwareanalysis

A Discord guild I was in got some malspam (a link to a Reddit post which linked to malware hosted on the compromised WordPress site sexccessories.co[.]ke).

Funnily enough, there were supposedly both Windows and Mac samples present, except they fucked up with the Mac one: a password-protected zip containing a "dmg" which is actually the following text:

Build failed: failed to create DMG: exit status 64
Output: Creating disk image...
Mounting disk image...
Device name:     /dev/disk4
Searching for mounted interstitial disk image using /dev/disk4s... 
Mount dir:       /Volumes/dmg.kfA109
Copying background file '/tmp/8aAwS.png'...
Copying volume icon file '/Users/user/desktop/TradingView_3760.icns'...
Will sleep for 2 seconds to workaround occasions "Can't get disk (-1728)" issues...
Running AppleScript to make Finder stuff pretty: /usr/bin/osascript "/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk" "dmg.kfA109"
/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk:85:89: execution error: Finder got an error: Can’t get disk "dmg.kfA109". (-1728)
Failed running AppleScript
Unmounting disk image...
"disk4" ejected.

I predicted it would be a packed stealer of some description. I was right; the unpacked binary is Lumma Stealer.

Been a while since I’ve done manual unpacking of a malware sample, this one was fun. The packer is the same as described here https://alertoverload.com/posts/2025/01/remcos-v5.3.0/

Original zipfile has the hash 85a2619c5bc5ae10d9ab3aab48c364b638d7b835d169f651b08c1f0282c39d58.

The original binary was ~800MB, padded with garbage. Removing that padding yields a binary with the hash d0e956e5fe825e8f2817ce660d3680294d790cf1baec0bdfdc540841e7202c80 - and manually unpacking that gives bbd1e2cc95f1907d4c8c92d66bc62f43aa3e5634af6bdb947dfd826023195253.

There’s also a bunch of additional stuff in the zip alongside the malware sample, copied straight from a Windows installation, and the way it was copied in revealed the localisation installed on that system, which is unsurprisingly Russian (Russia) [ru-RU].

alertoverload.com · Remcos v5.3.0

Me and my homie Joe have been working on #reversing an IoT gateway he has that is used to control his blinds. The ultimate goal is to get a shell on it. We started by decompiling the Android app.

We were able to figure out the API of the gateway just from strings in the app. Since the code was unobfuscated we could really easily see how they were forming their requests to the API.

Later we found out that some of the #homeassistant folks had done a bunch of this already :P

Hi everyone! Six more months passed since my last #introduction, so here is an updated one:

AKA: +mala, AiTTaLaM

Job: Doin’ trustworthy #AI @ moz://a.ai - more generally I love #teaching, no matter if to humans or machines :-)

Projects: 3564020356.org is the oldest (~22yrs 😅), #PicoGopher the most recent... Look around and find the rest! 😜

Interests: #bouldering #gopher #SelfHosting #opensource #reversing #fediverse #recsys #ML #solarpunk #CommunitiesOfExperience


The Rust Windows kernel GDI code also has symbols for fallible_vec::FallibleVec<T,A>, which looks like a non-panicking Vec implementation. try_extend, try_extend_from_slice, try_splice_in, and try_insert are all implemented.

In fact it looks suspiciously similar to the rust_fallible_vec crate, which Microsoft recently open-sourced: github.com/microsoft/rust_fall :thonking:
( @TehPenguin 👋 )

The methods are generic over the allocator type A; some of these FallibleVec method implementations use the registered global allocator gdi_alloc::Win32Allocator, and others use the gdi_alloc::TaggedAllocator with the GDI-specific pool tags.


For the specific GDI objects, there are still allocations made with the existing GDI-specific pool tags.

It looks like the rgncore::scan::ScanBuilder<gdi_alloc::TaggedAllocator<_>> object uses the existing GDI pool tag Gscn (i.e. GDITAG_SCAN_ARRAY) for vector allocations. (Probably gdi_alloc::TaggedAllocator<_> requires specifying a pool tag.)

I also see Gedg (i.e. GDITAG_EDGE) being used in gdi_rust::region::from_path::GlobalEdgeTable::add_edge and gdi_rust::region::from_path::ActiveEdgeTable::new, among other places.

For the new Windows kernel Rust GDI stuff that is all the rage now (win32kbase_rs.sys, win32kfull_rs.sys): here are the links to download copies of those binaries, from the Microsoft Symbol Server:

msdl.microsoft.com/download/sy

msdl.microsoft.com/download/sy

These should be the versions that are in Windows 11 Insider Preview 25357.1 (zn_release) amd64. The SHA-256 hashes are:

87ee0235caf2c97384581e74e525756794fa91b666eaacc955fc7859f540430d win32kbase_rs.sys
2efb9ea4032b3dfe7bf7698bd35e3ea3817d52f4d9a063b966f408e196957208 win32kfull_rs.sys

(I first extracted these files myself from the update package for build 25357.1, then generated the symbol server download URLs from the PE metadata in the files)

Of course, in addition to the actual executables, symbols are available from the symbol server as well (see screenshot).

@analog_feelings already did some reversing of win32kbase_rs.sys several weeks ago, here: tech.lgbt/@analog_feelings/110 🤘

Now, time for me to go figure out how to actually reverse Rust 🦀
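Two of the posts above rely on reading PE headers by hand: the Lumma post strips garbage padding from an ~800MB binary before hashing it, and the win32k post generates Microsoft Symbol Server download URLs "from the PE metadata in the files". The following is an added example, not code from any of the posters, showing both steps over one parser. It assumes the padding sits after the last section (an overlay; the Lumma post does not say where the garbage was), and it runs over a constructed minimal PE32+ image rather than a real sample. The symbol server path format (`<name>/<TimeDateStamp as 8 hex digits><SizeOfImage in hex>/<name>`) is the documented layout for executables; the filename `sample.exe` and the header values are made up.

```python
"""Added example: PE header parsing for (a) overlay/padding removal and
(b) Microsoft Symbol Server path construction. Input is a constructed PE."""
import hashlib
import struct


def _build_sample_pe(pad_len: int) -> bytes:
    """Constructed minimal PE32+ with one .text section and pad_len bytes of trailing junk.
    Field values are arbitrary; only the layout matters for the parser."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    timestamp = 0x5F3A1B2C                                         # assumed TimeDateStamp
    opt_size = 240                                                 # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                          # Magic: PE32+
    struct.pack_into("<I", opt, 56, 0x3000)                        # SizeOfImage (assumed)
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                      0x1000, 0x1000,                              # VirtualSize, VirtualAddress
                      0x200, 0x200,                                # SizeOfRawData, PointerToRawData
                      0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    body = bytes(range(256)) * 2                                   # 0x200 bytes of section data
    return hdr + body + b"\xCC" * pad_len                          # junk overlay after last section


def parse_pe(data: bytes) -> dict:
    """Pull the fields needed for overlay detection and symbol-server lookup."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, raw_ptr, raw_size))
    return {"machine": machine, "timestamp": timestamp,
            "size_of_image": size_of_image, "sections": sections}


def pe_end_offset(info: dict) -> int:
    """Offset just past the last byte any section header claims; anything beyond is overlay."""
    return max(ptr + size for _, _, ptr, size in info["sections"])


def strip_overlay(data: bytes) -> tuple:
    """Split a PE into (image as described by its headers, trailing overlay)."""
    end = pe_end_offset(parse_pe(data))
    return data[:end], data[end:]


def symbol_server_path(filename: str, info: dict) -> str:
    """Symbol server layout for executables: <name>/<TimeDateStamp:08X><SizeOfImage:X>/<name>."""
    return f"{filename}/{info['timestamp']:08X}{info['size_of_image']:X}/{filename}"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = _build_sample_pe(pad_len=4096)
    info = parse_pe(sample)
    trimmed, overlay = strip_overlay(sample)
    print("sections:", info["sections"])
    print(f"original {len(sample):6d} bytes sha256={sha256(sample)}")
    print(f"trimmed  {len(trimmed):6d} bytes sha256={sha256(trimmed)}")
    print(f"overlay  {len(overlay):6d} bytes")
    print("symbol server path: https://msdl.microsoft.com/download/symbols/"
          + symbol_server_path("sample.exe", info))
```

The hash of the trimmed image is what you would compare against a sandbox or threat-intel lookup; hashing the padded file is pointless because the padding is trivially varied per victim. If the padding had instead been folded into a section's SizeOfRawData, this check would report no overlay, and you would have to look at section entropy or the unpacked payload instead.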