brice berna (@__brendel) 's Twitter Profile

ID: 545129770

04-04-2012 13:31:40

409 Tweets

249 Followers

246 Following

Maurice Heumann (@momo5502) 's Twitter Profile Photo

I spent the last 5 months reverse engineering Denuvo's protection in Hogwarts Legacy and finally managed to bypass it using more than 2000 hooks 😂 One of the toughest challenges of my life. Here's my blog post about it: momo5502.com/posts/2024-03-…

Charles Fol (@cfreal_) 's Twitter Profile Photo

The first part of the blog series: #Iconv, set the charset to RCE. We'll use #PHP filters and #CVE-2024-2961 to get a very stable code execution exploit from a file read primitive. #cnext

David Louapre (@dlouapre) 's Twitter Profile Photo

New video! THE ELO SYSTEM. How does this rating method work, which is very well known in chess but is also used in football, e-sports and ... on Tinder! youtu.be/9oRDksmH0zM

Qualys (@qualys) 's Twitter Profile Photo

The award-winning Qualys Threat Research Unit (TRU) has discovered a critical vulnerability in OpenSSH, designated CVE-2024-6387 and aptly named "regreSSHion." This Remote Code Execution bug grants full root access, posing a significant exploitation risk. blog.qualys.com/vulnerabilitie…

Charles Fol (@cfreal_) 's Twitter Profile Photo

Blind file read to RCE in PHP - without access to files, we need to build a reliable arbitrary read primitive from the ISO-2022-CN-EXT overflow (CVE-2024-2961) #CNEXT

quarkslab (@quarkslab) 's Twitter Profile Photo

Finding and chaining 4 vulns to exfiltrate encryption keys from the Android Keystore on Samsung series A* devices. Did you miss the "Attacking the Samsung Galaxy A* Boot Chain" talk by Maxime Rossi Bellom and Raphaël Neveu earlier this year ? Talk && PoC || GTFO: blog.quarkslab.com/attacking-the-…

Charles Fol (@cfreal_) 's Twitter Profile Photo

LIGHTYEAR:
- Can dump large files, even through a GET parameter
- Retrieves characters using dichotomy
- Does not cause PHP warnings

David Louapre (@dlouapre) 's Twitter Profile Photo

New post! DOES THE ELECTROMAGNETIC FIELD EXIST? We discuss electromagnetism, causality and confounding factors, and ask whether we can do without electric and magnetic fields entirely scienceetonnante.substack.com/p/le-champ-ele…

Charles Fol (@cfreal_) 's Twitter Profile Photo

This year again, I am lucky enough to get nominated twice for the Top Ten Hacking Techniques, for my research on iconv and PHP, and lightyear. This time feels a bit special however, as these are my last blog posts on Ambionics Security. ambionics.io/blog/iconv-cve… ambionics.io/blog/lightyear…

Dimitri Fourny (@dimitrifourny) 's Twitter Profile Photo

I'm finally publishing my League of Legends mod from 2020, designed to bypass the anti-cheat system: github.com/DimitriFourny/…

Synacktiv (@synacktiv) 's Twitter Profile Photo

In iOS 18.4, Apple introduced a bug in dynamic symbol resolutions for some specific exports. F4b took a long journey down a rabbit hole to understand its root cause. synacktiv.com/en/publication…

0xor0ne (@0xor0ne) 's Twitter Profile Photo

Excellent blog post on reverse engineering the Valve Anti-Cheat (VAC) solution codeneverdies.github.io/posts/gh-2/ #infosec #reverseengineering

Charles Fol (@cfreal_) 's Twitter Profile Photo

lightyear just got 6 times faster! Although I now work at Synacktiv, I proposed a PR for the tool to support threading and compression, greatly reducing the time required to dump a file. Dumping the demo /etc/passwd now takes 48s instead of 5m30. github.com/ambionics/ligh…