Reverse Engineering and More (@re_and_more)'s Twitter Profile
Reverse Engineering and More

@re_and_more

RE and More by Alexey Kleymenov (re-and-more.com). Private classes and group workshops in malware analysis and reverse engineering. #infosec #malware

ID: 1273897211424911360

Website: https://re-and-more.com
Joined: 19-06-2020 08:36:57

688 Tweets

14.14K Followers

528 Following


RE tip of the day: When dumping malware samples on a disk (especially with external tools rather than debugger plugins), don't forget to remove software breakpoints as they change the first byte of the command they are set on. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: Tools like PETools, LordPE or VSD provide researchers with a full memory map view for dumping individual memory ranges. This is useful against malware unpacking its payloads into dynamically allocated memory. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: Unlike software breakpoints that modify memory and can corrupt the memory dump, hardware breakpoints are stored in dedicated Debug Registers inside the CPU and, therefore, don't have this problem. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: This is the result of the software breakpoint not being removed before dumping the memory. The first byte of the affected instruction was replaced with the CC byte (int 3), corrupting the actual code. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: At runtime, Windows Loader parses the import directory to get all the required imports by their names/ordinals, loads the corresponding DLLs into the process's address space and writes the imports' addresses into the IAT. #infosec #malware #reverseengineering


RE tip of the day: When malware is packed, the original file is loaded into memory by the unpacking code, with the IAT being populated by it as well. As a result, there may be no original import directory; it needs to be reconstructed after dumping. #infosec #cybersecurity #malware


RE tip of the day: When the unpacked code has the IAT populated with addresses but no Import Directory with imports' names/ordinals, the latter can be reconstructed by following these addresses and finding function names in DLLs' Export Directory. #infosec #cybersecurity #malware


RE tip of the day: Scylla can automate import reconstruction. It can search for the IAT in the selected process by exploring the code near the OEP, use it to rebuild the import directory and inject it into a dump as a new section. #infosec #cybersecurity #malware #reverseengineering

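The import-reconstruction procedure from the two tips above (follow each IAT slot back into the exporting DLL, then regroup the hits into an import directory), as an added example that is not the author's or Scylla's code. The module table with export RVAs is constructed here in place of parsing real DLL Export Directories; the dump bytes and addresses are made up.

```python
import struct

# Constructed stand-in for the loaded DLLs' Export Directories:
# name -> (base, size, {export RVA: exported name}). All values are invented.
MODULES = {
    "kernel32.dll": (0x7FF800010000, 0x100000,
                     {0x1A2B0: "CreateFileW", 0x2C3D0: "ReadFile", 0x3E4F0: "VirtualAlloc"}),
    "ntdll.dll": (0x7FF800200000, 0x200000,
                  {0x5A6B0: "RtlAllocateHeap", 0x7C8D0: "NtClose"}),
}

def resolve_pointer(addr):
    """Map an absolute address to (dll, export name); the export name is None
    when the address lies inside a module but is not an exported function."""
    for dll, (base, size, exports) in MODULES.items():
        if base <= addr < base + size:
            return dll, exports.get(addr - base)
    return None

def find_iat(dump, dump_va, ptr_size=8, min_entries=3):
    """Scan a dump for the longest run of pointer-sized slots that all resolve to
    exports (a populated IAT is exactly such a run, terminated by a zero slot).
    Returns (IAT virtual address, [(slot VA, dll, name), ...])."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    best = (None, [])
    for start in range(0, len(dump) - ptr_size + 1, ptr_size):
        run, off = [], start
        while off + ptr_size <= len(dump):
            hit = resolve_pointer(struct.unpack_from(fmt, dump, off)[0])
            if not hit or hit[1] is None:
                break                      # zero slot, junk or non-export: run ends
            run.append((dump_va + off, hit[0], hit[1]))
            off += ptr_size
        if len(run) > len(best[1]):
            best = (dump_va + start, run)
    return best if len(best[1]) >= min_entries else (None, [])

def build_import_directory(entries):
    """Regroup resolved slots per DLL, the shape written back as a new import section."""
    imports = {}
    for va, dll, name in entries:
        imports.setdefault(dll, []).append((va, name))
    return imports

# Constructed dump: 16 bytes of filler, then a zero-terminated 64-bit IAT.
K32, NT = MODULES["kernel32.dll"][0], MODULES["ntdll.dll"][0]
SAMPLE_DUMP = (b"\x90" * 16
               + struct.pack("<QQQQ", K32 + 0x1A2B0, K32 + 0x2C3D0, NT + 0x5A6B0, 0)
               + b"\x00" * 8)
```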

RE tip of the day: This is what the reconstructed import directory looks like: it is a new section at the end of the section table. The result is different from what it was before the packing, but it should function as before. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: Packers may steal instructions from the unpacked code to constantly bring them back to the packed image or a separate memory block. Other options include replacing original instructions with their alternatives. #cybersecurity #malware #reverseengineering


RE tip of the day: You can debug ARM executables on an x86-based machine with the help of emulation. qemu-user can be used with the -g argument to start the GDB server, to which you can connect using your favourite debugger. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: When emulating ARM malware on x86 using qemu-user, you also need to provide the path to ARM libraries. The easiest way is to install the libc6-armhf-cross/libc6-arm64-cross package and point the QEMU_LD_PREFIX env variable to it. #infosec #cybersecurity #malware


RE tip of the day: Once ARM malware is ready to be emulated with qemu-user (-g <port> argument), you can connect to this port using tools like radare2 with the -d argument. For best results, explicitly specify its architecture and bitness! #infosec #malware #reverseengineering


RE tip of the day: The beauty of using GDB servers for debugging ARM samples on x86 machines is that the server can run: * on the same machine when emulating the executable * on the connected device (physical or VM) via network #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: The official Android emulator can be used to emulate an ARM-based Android system on an x86 machine, but unfortunately, it supports only images with the API level <= 27 (the last working one is Oreo 8.1.0). #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: If, despite using the Android image with the API version before 28, you still can't emulate the ARM image on your x86 machine, try the older version of the official Android emulator (34.2.16 or older). #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: In ARM, the BX instruction is used to not just perform the Branch operation (like the jmp in x86), but also to switch between ARM and Thumb modes. The +1 at the end of it indicates the switch to Thumb mode. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: Unlike x86, where the names of the instructions match the corresponding operations OR/AND/XOR, in ARM, their names are ORR/AND/EOR. There is no dedicated NOT instruction; it can be achieved using MVN. #infosec #cybersecurity #malware #reverseengineering


RE tip of the day: As ARM instructions are 2- or 4-byte long, it is not possible to hardcode the whole absolute virtual addresses as part of them. Therefore, the combinations of ADRP and ADD instructions are used instead. #infosec #cybersecurity #malware #reverseengineering
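How the ADRP/ADD pair from the tip above materialises a full address, as an added example that is not the author's code: the decoder follows the A64 encodings (ADRP scales a 21-bit signed page offset by 4 KiB and adds it to PC with its low 12 bits cleared; ADD supplies the low 12 bits). The instruction bytes and addresses are constructed for the example.

```python
import struct

def decode_adrp(word, pc):
    """Decode ADRP Xd, <label>; returns (rd, page address). The signed 21-bit
    immediate is immhi:immlo, shifted left by 12 and added to PC & ~0xFFF."""
    if (word & 0x9F000000) != 0x90000000:
        raise ValueError("not an ADRP encoding: 0x%08x" % word)
    rd = word & 0x1F
    immlo = (word >> 29) & 0x3
    immhi = (word >> 5) & 0x7FFFF
    imm = (immhi << 2) | immlo
    if imm & (1 << 20):                      # sign-extend the 21-bit field
        imm -= 1 << 21
    return rd, ((pc & ~0xFFF) + (imm << 12)) & 0xFFFFFFFFFFFFFFFF

def decode_add_imm64(word):
    """Decode 64-bit ADD Xd, Xn, #imm12{, LSL #12}; returns (rd, rn, imm)."""
    if (word & 0xFF800000) != 0x91000000:
        raise ValueError("not a 64-bit ADD (immediate): 0x%08x" % word)
    rd, rn = word & 0x1F, (word >> 5) & 0x1F
    imm12 = (word >> 10) & 0xFFF
    shift = 12 if (word >> 22) & 1 else 0
    return rd, rn, imm12 << shift

def resolve_adrp_add(code, pc):
    """Resolve the absolute address built by an ADRP/ADD pair whose first
    instruction sits at `pc` (little-endian A64 words in `code`)."""
    adrp_word, add_word = struct.unpack_from("<II", code)
    rd, page = decode_adrp(adrp_word, pc)
    _, rn, imm = decode_add_imm64(add_word)
    if rn != rd:
        raise ValueError("ADD does not consume the ADRP result register")
    return page + imm

# Constructed sample at PC 0x400000:  ADRP X0, #0x412000 ; ADD X0, X0, #0x345
SAMPLE = b"\x80\x00\x00\xd0\x00\x14\x0d\x91"
```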