At last, the series begins: MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface. googleprojectzero.blogspot.com/2020/07/mms-ex… I'm excited to start sharing more about this work, starting with a deep dive into the internals and history of the codec.

At last i finish my writeup of TCTF Chrome challenge and my first blog, it was really a long time😂 In addition, I give the forth challenge - Chromium Fullchain++ at the end of the writeup. Give it a try and i'll mail some gifts for the first 3 winners😜 dmxcsnsbh.github.io/2020/07/20/0CT…

Slides of my HITCON talk are public now From LNK to (actually not) RCE: Finding bugs in Windows Shell Link Parser hitcon.org/2020/slides/Fr…

Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey. googleprojectzero.blogspot.com/2020/12/an-ios…

Tenet is an #IDAPro plugin for exploring execution traces. The goal of this plugin is to provide more natural, human controls for navigating execution traces against a given binary. Check it out: blog.ret2.io/2021/04/20/ten… #reverseengineering #idapython

A few months ago Cellebrite announced that they would begin parsing data from Signal in their extraction tools. It seems they're not doing that very carefully. Exploiting vulnerabilities in Cellebrite's software, from an app's perspective: signal.org/blog/cellebrit…

Interesting writeup about all the work involved in preparing for a pwn2own's target, in this case: Zoom RCE. sector7.computest.nl/post/2021-08-z…

I played corCTF with organizers this weekend and I made a writeup for Outfoxed, a Firefox pwn challenge. Enjoy! org.anize.rs/corCTF-2021/pw…

Lots of nice techniques demonstrated here, defeating basically everything upstream mitigation-wise as well as the not-yet-merged FG-KASLR: willsroot.io/2021/08/corctf…

New blog entry: Automation in Reverse Engineering C++ STL/Template Code msreverseengineering.com/blog/2021/9/21…

Logical sandbox escape in AppJailLauncher (fix in AppJailLauncher plus Microsoft CVE-2021-41346), thanks Thalium Team for the blog post that led to the discovery of the bugs ! synacktiv.com/sites/default/…

One byte write to a full ROP chain??? No way! Check out the nightmare challenge that was hosted during diceCTF! hackmd.io/@pepsipu/ry-SK…

Tetragone: A Lesson in Security Fundamentals grsecurity.net/tetragone_a_le…

🔥 We are thrilled to announce our first sponsor! 🙏 Thank you Bugscale for helping us make this highly technical conference possible 🐞 To find out more about Bugscale: ➡️ bugscale.ch hexacon.fr/sponsors/ #HEXACON2022

New research 👉 Exception Oriented Programming, Part 2: Weaponizing Fundamental Weaknesses in Exception Unwinding to Gain Code Execution billdemirkapi.me/abusing-except…

We're #hiring ! You can check out the job desc on our website: bugscale.ch/careers/ or you can also apply on LinkedIn: linkedin.com/jobs/view/3601…

I've audited the Android kernel in late 2023, and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context. github.com/0x36/Pixel_GPU…

The time has come, and with it your reading material for the week. Phrack #71 is officially released ONLINE! Let us know what you think! phrack.org/issues/71/1.ht…

Check out our first blog post about V8 CVE-2024-12695: bugscale.ch/blog/dissectin…

Going to share about my work with Kozma Sacha on the Samsung Galaxy S25 at Bugscale in March at Insomni'Hack! We managed to get a one-click RCE with some limitations; further details will be disclosed during the talk as the bugs are still in the process of patching.