Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

Administered by:

Server stats:

265
active users

shakedown.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.7

#reversing

0 posts0 participants0 posts today
Public *
Cindʎ Xiao 🍉

Next Thursday, May 15 at @NorthSec in Montreal, I will be hosting the workshop "Reconstructing Rust Types: A Practical Guide for Reverse Engineers"! This will be a 3-hour workshop how to approach Rust types and data structures when reversing Rust binaries. See nsec.io/session/2025-reconstru for more details!

Workshops at NorthSec will be streamed on YouTube Live. My workshop is scheduled for 1300-1600 EDT (UTC-4) on Thursday, May 15 in the Workshop 2 track, in Salle de la Commune. The stream link for all the Thursday Salle de la Commune workshops is here: youtube.com/watch?v=UwJgS32Q6A

Looking forward to seeing folks there! 🦀

(Edited since I can't count days of the week apparently: May 15, which is when my workshop is occurring, is a Thursday, not a Wednesday.)

NorthSec 2025Reconstructing Rust Types: A Practical Guide for Reverse Engineers
#rustlang#ReverseEngineering#MalwareAnalysis
Replied in thread
Public
☮ ♥🧑‍💻

Day 32 🗳️💨

Things are coming in thick and fast today, so I’ll try to summarise the major themes.

No Policies of the #Liberal, #LNP and #Coalition.

#AngusTaylor (Opposition Treasurer, Liberal) hands in his #Economics homework late, it’s got problems.

A 🎃 derivative that is toxic ☢️

“A Coalition government would drive the #budget deeper into #deficit over the coming two years, as the shadow finance minister, #JaneHume, insisted her party’s plan to save $17.2bn by #slashing the number of #Canberra-based #PublicServants by 41,000 through “natural attrition” was achievable.”

If returned to power, the Coalition would gut a long list of environment and clean energy programs, including #scrapping the #NetZero #Economy #Agency, reversing Labor’s #TaxBreaks for #ElectricVehicles, and redirecting money slated for the #HomeBatteries program.

#Reversing tax incentives for green hydrogen would save $1.5bn over four years, and not proceeding with Labor’s critical mineral production tax credits would save $1.2bn, the Coalition’s election policy costings show.”

#AusPol / #treasury / #costings / #economy / #future <theguardian.com/australia-news>

The Guardian · Coalition costings reveal larger deficit over coming two years with cuts to foreign aid and environment programsBy Patrick Commins
Public
Volexity :verified:

In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of the Golang generally, and presents challenges to reverse engineering tools.
 
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
 
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
 
Check out the blog post on how GoResolver works and where to download it: volexity.com/blog/2025/04/01/g
 
#dfir #reversing #malwareanalysis

Paul Rascagneres & Killian Raimbaud on stage at INCYBER Forum - they are on the right side of the stage near a podium. Behind them, center stage, is a projection screen of the title slide for their talk, which says "Volexity: GoResolver, Control-flow Graph Similarity Applied to Golang Binary Obfuscation". There is an illustration on the right side of the slide showing Go gophers in varying colors with varying accessories, and a round lens with a border that says Volexity GoResolver. Two Go gophers inside the lens are revealed as being identical.
A Volexity logo, a banner that reads "Threat Intelligence", and the title "GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically". There is an illustration on the right side of the slide showing Go gophers in varying colors with varying accessories, and a round lens with a border that says Volexity GoResolver. Two Go gophers inside the lens are revealed as being identical.
Public
Rairii :win3_progman: :win3:

a discord guild i was in got some malspam (link to reddit post which linked to malware present on compromised wordpress site sexccessories.co[.]ke)

Funnily enough, there were supposedly both windows and mac samples present, except they fucked up with the mac one, a passworded zip containing a “dmg” which is actually the following text:

Build failed: failed to create DMG: exit status 64
Output: Creating disk image...
Mounting disk image...
Device name:     /dev/disk4
Searching for mounted interstitial disk image using /dev/disk4s... 
Mount dir:       /Volumes/dmg.kfA109
Copying background file '/tmp/8aAwS.png'...
Copying volume icon file '/Users/user/desktop/TradingView_3760.icns'...
Will sleep for 2 seconds to workaround occasions "Can't get disk (-1728)" issues...
Running AppleScript to make Finder stuff pretty: /usr/bin/osascript "/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk" "dmg.kfA109"
/var/folders/1p/6ssndcmx4j7_gb_c2_0cdklm0000gn/T/createdmg.tmp.XXXXXXXXXX.dIQPQTlFZk:85:89: execution error: Finder got an error: Can’t get disk "dmg.kfA109". (-1728)
Failed running AppleScript
Unmounting disk image...
"disk4" ejected.

I predicted it would be a packed stealer of some description. I was right, unpacked binary is lumma stealer.

Been a while since I’ve done manual unpacking of a malware sample, this one was fun. The packer is the same as described here https://alertoverload.com/posts/2025/01/remcos-v5.3.0/

Original zipfile has the hash 85a2619c5bc5ae10d9ab3aab48c364b638d7b835d169f651b08c1f0282c39d58.

The original binary was ~800MB, padded with garbage. Removing that padding yields a binary with the hash d0e956e5fe825e8f2817ce660d3680294d790cf1baec0bdfdc540841e7202c80 - and manually unpacking that gives bbd1e2cc95f1907d4c8c92d66bc62f43aa3e5634af6bdb947dfd826023195253.

There’s also a bunch of additional stuff in the zip alongside the malware sample; copied straight from a windows installation, and the way it was copied in revealed the localisation installed on that system, which is unsurprisingly Russian (Russia) [ru-RU].

alertoverload.comRemcos v5.3.0
#malware#reversing#infosec
Public
Adam Van Hine

Me and my homie Joe have been working on #reversing an IoT gateway he has that is used to control his blinds. The ultimate goal is to get a shell on it. We started by decompiling the Android app.

We were able to figure out the API of the gateway just from strings in the app. Since the code was unobfuscated we could really easily see how they were forming their requests to the API.

Later we found out that some of the #homeassistant folks had done a bunch of this already :P

Public
Davide Eynard (+mala)

Hi everyone! Six more months passed since my last #introduction, so here is an updated one:

AKA: +mala, AiTTaLaM

Job: Doin’ trustworthy #AI @ moz://a.ai - more generally I love #teaching, no matter if to humans or machines :-)

Projects: 3564020356.org is the oldest (~22yrs 😅), #PicoGopher the most recent... Look around and find the rest! 😜

Interests: #bouldering #gopher #SelfHosting #opensource #reversing #fediverse #recsys #ML #solarpunk #CommunitiesOfExperience

Replied in thread
Public
Cindʎ Xiao 🍉

The Rust Windows kernel GDI code also has symbols for fallible_vec::FallibleVec<T,A> , which looks like a non-panicking Vec implementation. try_extend, try_extend_from_slice, try_splice_in, and try_insert are all implemented.

In fact it looks suspiciously similar to the rust_fallible_vec crate, which Microsoft recently open-sourced: github.com/microsoft/rust_fall :thonking:
( @TehPenguin 👋 )

The methods are generic over the allocator type A; some of these FallibleVec method implementations use the registered global allocator gdi_alloc::Win32Allocator , and others use the gdi_alloc::TaggedAllocator with the GDI-specific pool tags.

Symbols in win32kbase_rs.sys, showing the try_extend, try_splic_in, try_extend_from_slice, and try_insert methods of the trait fallible_vec::FallibleVec<T, A>
An annotated implementation, in Binary Ninja, of a function named fallible_vec::FallibleVec<T,A>::try_extend, where A is likely the allocator type gdi_alloc::Win32Allocator.
#rust#rustlang#windows
Continued thread
Public
Cindʎ Xiao 🍉

For the specific GDI objects, there are still allocations made with the existing GDI-specific pool tags.

It looks like the rgncore::scan::ScanBuilder<gdi_alloc::TaggedAllocator<_>> object uses the existing GDI pool tag Gscn ( i.e. GDITAG_SCAN_ARRAY) for vector allocations. (Probably gdi_alloc::TaggedAllocator<_> requires specifying a pool tag)

I also see Gedg (i.e. GDITAG_EDGE) being used in gdi_rust::region::from_path::GlobalEdgeTable::add_edge, and gdi_rust::region::from_path::ActiveEdgeTable::new
, among other places.

#rust#rustlang#windows
Public *
Cindʎ Xiao 🍉

For the new Windows kernel Rust GDI stuff that is all the rage now (win32kbase_rs.sys, win32kfull_rs.sys): here are the links to download copies of those binaries, from the Microsoft Symbol Server:

msdl.microsoft.com/download/sy

msdl.microsoft.com/download/sy

These should be the versions that are in Windows 11 Insider Preview 25357.1 (zn_release) amd64 . The SHA-256 hashes are:

87ee0235caf2c97384581e74e525756794fa91b666eaacc955fc7859f540430d win32kbase_rs.sys
2efb9ea4032b3dfe7bf7698bd35e3ea3817d52f4d9a063b966f408e196957208 win32kfull_rs.sys

(I first extracted these files myself from the update package for build 25357.1, then generated the symbol server download URLs from the PE metadata in the files)

Of course, in addition to the actual executables, symbols are available from the symbol server as well (see screenshot).

@analog_feelings already did some reversing of win32kbase_rs.sys several weeks ago, here: tech.lgbt/@analog_feelings/110 🤘

Now, time for me to go figure out how to actually reverse Rust 🦀

#rust#rustlang#windows
ExploreLive feeds
About