Sam Russell in lodsb.com · Oct 30, 2023 · 6 min read
Binary Ninja Workflows: Fixing branch obfuscation
If you've been reversing x86/x64 for a while then you will have definitely come across functions that end like this: We know two things here: The RET/RETN opcode in x86/x64 pops the stack and jumps to that address. The PUSH before the return here i...

Sam Russell in lodsb.com · Aug 18, 2023 · 8 min read
Control Flow Flattening: How to build your own
I was really, really excited when Open Obfuscator was launched. I've enjoyed the challenges that application obfuscation has given us over the years, and it was fun to find a well documented and open source obfuscator that we could play with and try ...

Sam Russell in lodsb.com · Aug 3, 2023 · 9 min read
Removing Control Flow Flattening with Binary Ninja
If you've been reversing for a while then eventually you'll come up against a control flow graph that looks like this: This is a simple toy app hosted at https://github.com/samrussell/cff_playground if you feel like following along at home. The plug...

Sam Russell in lodsb.com · Jan 3, 2023 · 5 min read
Bypassing app protection using proxy DLLs
I've been modding some games on Steam recently, and some of them make use of the Steamworks product to add an extra layer of security, as well as adding other features such as the overlay and cloud saves. This isn't an article on how Steam DRM and St...

Sam Russell in lodsb.com · Nov 18, 2022 · 17 min read
Extracting VMProtect handlers with Binary Ninja
I've started looking into the Adylkuzz malware, as mentioned by Tim Blazytko in his article on Automated Detection of Obfuscated Code. Initial analysis shows a TLS entry handler that dumps us straight into a VMProtect VMEnter() function, that looks l...