Blog Posts

Deobfuscation and Analysis of Ring-1.io

As part of this research, we partially deobfuscated multiple Themida-protected binaries used by ring-1.io, including its UEFI bootloader implant. Several critical functions were recovered to enable static analysis of the implant’s behavior. This work provides visibility into mechanisms that are intentionally designed to resist inspection, including virtualization-assisted hooks, execution redirection, and kernel manipulation techniques.


Unauthorized Code Execution in FiveM / GTA V (Pwning the Game Client)

FiveM is an open-source extension (modification) of the video game Grand Theft Auto V. This popular mod, which recently reached the milestone of 250,000 players online at once, alters essential parts of Grand Theft Auto V to allow for greater customization by developers and players. While in regular Grand Theft Auto Online the player joins game sessions that are selected automatically, in FiveM the player is able to choose from a vast number of dedicated servers


AMD-V Hypervisor Development - A Brief Explanation

This was a part of my 'Understanding of OS theoretical concepts' and emulator series. I enjoyed my time with this project; if you're interested in AMD virtualization, then read chapter 15 of the AMD manual. There was also a lack of compliance with the number of menial projects I've accomplished. I wanted to hit the bigger fish, something with more precedence than my former projects, that was going to be considerably harder. I hope this was helpful for any others who might decide to make an AMD hypervisor.


Theodosius - Jit linker, Symbol Mapper, and Obfuscator

Existing software protection frameworks typically operate at a small range of compilation levels. The highest level of obfuscation typically operates on source code directly (source2source), the second highest level is LLVM IR (via optimization passes), and the third and most common is the native binary image (bin2bin).


Writing a Mutation Engine and breaking Aimware

PERSES is an x86 code obfuscation engine that works with Portable Executable files. The obfuscation works by replacing a specific instruction with a larger, more sophisticated instruction sequence that is semantically equivalent to the original.


EZVIZ BD-2402B1 Back Engineering and SNES9X Port

EZVIZ BD-2402B1 is a surveillance DVR that uses HiSilicon SoCs. My goal was to repurpose the hardware to run a custom fork of snes9x. Achieving this required a serious amount of reverse engineering and learning. Not only was this a hardware-based project, but it was also a software-heavy project.


EQU8 - Kernel Component Analysis

This blog post is a complete analysis of the EQU8 anti-cheat's kernel driver. The kernel driver consists of only 24 functions, and its main goal appears to be simply keeping people from building external cheats that access the game's memory via traditional handle duplication or handle opening methods.


EasyAntiCheat Exploit to inject unsigned code into protected processes

For an attacker, a vital piece of the puzzle is understanding how the anti-cheat operates; knowing what happens inside the anti-cheat makes it possible to hide one's tracks. Let us look at how EasyAntiCheat bridges the kernel and the game with its set of modules. This reveals how an overlooked design flaw in the driver can allow an attacker to execute dynamic code in any EasyAntiCheat-protected game (or perhaps a game protected by a competing service) with no restriction.


VMProtect 2 - Part Two, Complete Static Analysis

The purpose of this article is to expand upon the prior work disclosed in the previous article, VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture, and to correct a few mistakes. In addition, this post focuses primarily on the creation of static analysis tools using the knowledge disclosed in the prior post...


VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture

VMProtect 2 is a virtual-machine-based x86 obfuscator that converts x86 instructions into a RISC stack-machine instruction set. Each protected binary has a unique set of encrypted virtual machine instructions with unique obfuscation. This project aims to disclose highly significant signatures that are present in every VMProtect 2 binary, with the intent of aiding further research...
