Module 2, Part 1 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we begin our analysis of the extracted Stage 2. binary. W...
2025-02-03 15:00:15 +0000 UTC
View Post
Module 1, Part 2 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we continue our analysis of the stage 1 DLL diving into th...
2025-01-27 15:00:12 +0000 UTC
View Post
Module 1, Part 1 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we open our sample DLL in IDA and mark up the DLLEntryPoin...
2025-01-20 15:00:14 +0000 UTC
View Post
In this stream we continue our analysis of "malware" that was apparently automatically launched from a USB Ethernet adapter. In this part we investigate the sandbox results from Hybrid Analysis and...
2025-01-14 15:02:02 +0000 UTC
View Post
In this stream we analyze "malware" that was apparently automatically launched from a USB Ethernet adapter. We reverse engineer the code line-by-line to confirm that nothing is malicious.
In ...
2025-01-14 15:00:12 +0000 UTC
View Post
This an introduction to our series on basic reverse engineering with IDA. It's boring and very much worth watching.
2025-01-13 15:00:11 +0000 UTC
View Post
Just a quick tip and some x64dbg scripts that can be used to spy on the C Runtime interface. This will only work if the C Runtime is dynamically linked which is uncommon for msvc compiled malware, ...
2024-12-15 00:05:54 +0000 UTC
View Post
In this Twitch stream we explore the past two years of CryptBot iterations as the developers attempt to distance themselves from the original stealer.
Samples
In this Twitch stream we triage Spectre RAT a commodity "implant" used in targeted e-crime intrusions. The RAT is written in C++ and we exploit some silly design choices by the developer to simplif...
2024-11-24 15:00:07 +0000 UTC
View Post
in this tutorial we examine C++ strings initialized in the CRT __initterm and how to take advantage of this setup when reverse engineering malware with encrypted strings.
Resources
identifying and correctly typing C++ strings is the first step towards easier C++ reverse engineering. In this tutorial we walk through the mechanics (and code) behind the standard strings in C++
2024-11-17 15:00:09 +0000 UTC
View Post
If you are just getting started with reverse engineering this the place to start. In this tutorial we provide an overview the current setup that we currently run, this is also the same setup used i...
2024-10-15 21:22:00 +0000 UTC
View Post
In this Twitch stream we take a look at the new Latrodectus variant which uses AES to encrypt its strings. Instead of writing an AES string decrypter we take a generic "black box approach" using em...
2024-10-05 14:00:12 +0000 UTC
View Post
In this tutorial we demonstrate how to use x64dbg to intercept network traffic in a target process. We are using Lumma Stealer as an example but the approach is roughly the same for all malware.
2024-09-26 00:44:39 +0000 UTC
View Post
Is it a benign PE file, is it a malicious HTA script? In this live stream we explore an interesting polyglot loader! Short and sweet, hope you all like scripts!
Sample
dd52a6b3...
2024-09-24 17:03:08 +0000 UTC
View Post
An introduction to DTRace and D-generate.
References
An introduction to DBI with PIN and TinyTracer.
References
In this live stream we take a different approach to analyzing the annoying string encryption in Zharkbot; dynamic analysis!
Sample
1aa0622a744ec4d28a561bac60ec5e907476587efbad...
2024-09-07 14:00:08 +0000 UTC
View Post
Instruction tracing with x64dbg.
References
Syscall tracing with x64dbg.
References
In this live stream we analyze an unknown python stealer that comes bundled as a PyInstaller, but instead of static analysis we opt for dynamic analysis with x64dbg!
Sample
2a1...
2024-09-01 01:24:13 +0000 UTC
View Post
Introduction to API tracing with the debugger.
References
A brief overview of how VM protection works.
References
A quick refresher on static vs. dynamic analysis.
2024-08-26 14:01:00 +0000 UTC
View Post
Tooling Setup
To complete the labs you will need the following setup.
Hey Reverse Engineers,
Long time no post! if you are wondering why it has been two weeks since our last stream we have been busy putting the final touches on our DEF CON workshop! Sadly tick...
2024-08-07 02:43:35 +0000 UTC
View Post
In this twitch stream we take a look at a new packer being used to protect the latest version of Zharkbot... plot twist, the packer is written in rust!
Sample
068ef78225ab94c3...
2024-07-15 14:00:14 +0000 UTC
View Post
In this tutorial we combine multiple concepts and transform x64dbg into a memory tracing tool using conditional breakpoints. Many of the concepts used in this tutorial build on our previous tutoria...
2024-07-06 14:00:08 +0000 UTC
View Post
This is the second part in our analysis of RansomHouse ransomware loader. In this stream we rebuild a custom PE format used by the loader.
Sample
2024-06-27 14:00:12 +0000 UTC
View Post
Back to basics, full reverse engineering! In this stream we investigate how the password protection feature works on RansomHouse/WhiteRabbit ransomware.
Sample
2024-06-02 19:46:38 +0000 UTC
View Post