#reverse-engineering — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #reverse-engineering, aggregated by home.social.
-
Reverse Engineering and Self-Hosting the OBI Smart Energy Tracker
-
🎉 New release of ECD++ 2026.6.2 is out!
https://github.com/nbauma109/ecd/releases/tag/2026.6.2
#Java #JavaDecompiler #OpenSource #ReverseEngineering #Eclipse -
Yamaha SMAF Player for ringtones from early-2000s phones
#retrodev #reverseengineering #chiptune #coding #programming #synth #emudev #emulation
GitHub - akustikrausch/yamaha-... -
Yamaha SMAF Player for ringtones from early-2000s phones
#retrodev #reverseengineering #chiptune #coding #programming #synth #emudev #emulation
GitHub - akustikrausch/yamaha-... -
Greetings! How are you all doing? It's been raining here on and off for a couple days now. But that's not going to stop #NakedDieFriday is it.
Today's exhibit is a sibling of the venerable 6502. This is almost the same, but made in CMOS: R65C02 by Rockwell. The design has been enhanced in several aspects over the NMOS one.
Full-res map: http://infosecdj.net/map/rockwell/r65c02p3/infosecdj_nikpa40x/
NOTE: The map is layered, you can see the metal layer and the poly layer.
-
Greetings! How are you all doing? It's been raining here on and off for a couple days now. But that's not going to stop #NakedDieFriday is it.
Today's exhibit is a sibling of the venerable 6502. This is almost the same, but made in CMOS: R65C02 by Rockwell. The design has been enhanced in several aspects over the NMOS one.
Full-res map: http://infosecdj.net/map/rockwell/r65c02p3/infosecdj_nikpa40x/
NOTE: The map is layered, you can see the metal layer and the poly layer.
-
Bubbles, Belts, and Bulbs: How the Scantron Works
-
WoWRevived - The Definitive Preservation Project For Jeff Waynes 'The War of the Worlds' 1998 #RTS PC Game
#retrodev #retrogaming #retrocomputing #gamedev #reverseengineering #dev #modding #coding #programming
WoWRevived - The Definitive Pr... -
WoWRevived - The Definitive Preservation Project For Jeff Waynes 'The War of the Worlds' 1998 #RTS PC Game
#retrodev #retrogaming #retrocomputing #gamedev #reverseengineering #dev #modding #coding #programming
WoWRevived - The Definitive Pr... -
TrigonLegacy - Deterministic iOS 7-9 tfp0:
https://therealclarity.github.io/blog/trigon-legacy/
#ios #apple #exploitation #informationsecurity #cybersecurity #vulnerability #reverseengineering
-
TrigonLegacy - Deterministic iOS 7-9 tfp0:
https://therealclarity.github.io/blog/trigon-legacy/
#ios #apple #exploitation #informationsecurity #cybersecurity #vulnerability #reverseengineering
-
I know a lot of folks that follow me are interested in both 👾 #gamepreservation and 🖥️ #reverseengineering, so here's a little treat:
Runic Games released #Torchlight_2 on Windows, Mac, and Linux in 2012, and the last (maybe the final) update for it was in 2017, nearly a decade ago. In the intervening years, multi-player in the game has had all sorts of glitches, and those are probably not ever going to be addressed.
Resident amphibian 🐸 @Froggacuda has taken it upon themself (frogself?—I don't judge) to fix this, and has released an open source (AGPL-3.0) lobby for the game to make multi-player work again without interruption: https://github.com/Froggacuda/tl2-lobby
-
I know a lot of folks that follow me are interested in both 👾 #gamepreservation and 🖥️ #reverseengineering, so here's a little treat:
Runic Games released #Torchlight_2 on Windows, Mac, and Linux in 2012, and the last (maybe the final) update for it was in 2017, nearly a decade ago. In the intervening years, multi-player in the game has had all sorts of glitches, and those are probably not ever going to be addressed.
Resident amphibian 🐸 @Froggacuda has taken it upon themself (frogself?—I don't judge) to fix this, and has released an open source (AGPL-3.0) lobby for the game to make multi-player work again without interruption: https://github.com/Froggacuda/tl2-lobby
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
The website wavesandwild[.]com was compromised with the ClickFix social engineering technique to trick victims into executing malicious commands injected into their clipboard which installs and runs NetSupport RAT, a remote access tool. NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the victim’s device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads).
The gory (and potentially boring) technical details are as follows. I wanted to share these details for folks like me who track and monitor ClickFix attacks. Do NOT visit or interact with any of the below content. Thanks for sharing this attack!
———————————
Full Attack Chain:
wavesandwild[.]com (compromised site)
--> POST polygon.publicnode[.]com/polygon.drpc[.]org to perform transaction lookup for next domain: "to": "0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A", "data": "0xe00fe2eb" (aka 'EtherHiding')
--> Download and process content on hxxps://sentrydb[.]org/track.php
--> Load victim's clipboard, display ClickFix splash screen
--> Victim copy and pastes malicious obfuscated command to their clipboard
--> powershell downloads and executes feinmotorik.geschenkideen-die-foerdern[.]de/index.html
--> Retrieves feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt
--> Extracts and XOR-decrypts an embedded blob within the PNG file 'clik.txt'
--> Installs and runs NetSupport RAT using embedded configuration files
--> C2 communication established with 216.158.95[.]180:443, tamweelke[.]com:443, or bcrfix[.]com:443
--> Host reconnaissance command results (OS, username, date, application name (SecurityHealth), computer name, IP details) sent to hxxp://172.245.25[.]134:8787/collect, likely for victim prioritization effortsIOCs
wavesandwild[.]com - Compromised website (ClickFix)
polygon.publicnode[.]com - RPC domain lookup
polygon.drpc[.]org - Fallback RPC domain lookup
0x6300d82A6e2fabbd165E1833d95E87bD46B38D4A - wallet address containing the next stage
hxxps://sentrydb[.]org/track.php - Domain retrieved via the RPC lookup which filters victims based on response and if passes checks, delivers the ClickFix command to be pasted into the victim's clipboard
feinmotorik.geschenkideen-die-foerdern[.]de/index.html - URL in obfuscated ClickFix powershell command
feinmotorik.geschenkideen-die-foerdern[.]de/clik.txt - additional URL contacted containing the PNG file with the embedded, encrypted NetSupport RAT
ip-api[.]com/json/?fields=query,country,city - IP address lookup for victim
hxxp://172.245.25[.]134:8787/collect - Exfiltrated recon data destination stolen from victim's host
216.158.95[.]180:443 - NetSupport RAT gateway address
tamweelke[.]com:443 - NetSupport RAT gateway address
bcrfix[.]com:443 - Secondary NetSupport RAT gateway address
CH-124FF74C - index string, potential campaign ID?
29b68bb454600b0abd1aad1f861bd11f28cd6cf9cd39cec53cc36
275e5b085534f64313b50cbdcb08ecd59c57d21c96bb937f140ee92a3d27f792 - SecurityHealth.exe (NetSupport RAT)Interesting findings:
The error messages in the final Powershell script block are in Russian.
The embedded index string is CH-124FF74C (campaign identifier?).
Each stage listed above was heavily obfuscated, making reverse engineering analysis extremely tedious and time-consuming.
The malware attempts to remove all entries from the RunMRU registry key to hide the ClickFix execution evidence.
Clik.txt is not actually a TXT file but rather a PNG file which contains an embedded malicious blob along with the XOR key to decrypt and run the NetSupport RAT.
Sekoia calls this IClickFix - https://www.sekoia.com/blog/meet-iclickfix-a-widespread-wordpress-targeting-framework-using-the-clickfix-tactic#clickfix #etherhiding #netsupportrat #netsupportmanager #malware #reverseengineering
-
After #mascon conference at @owasp I got so much feedback for the unity, hermes and flutter plugins I published, some of this feedback was in form of bug reports, so here's a bugfix release for r2hermes! https://github.com/radareorg/r2hermes/releases/tag/1.4.2 #reactnative #reverseengineering #radare2
-
After #mascon conference at @owasp I got so much feedback for the unity, hermes and flutter plugins I published, some of this feedback was in form of bug reports, so here's a bugfix release for r2hermes! https://github.com/radareorg/r2hermes/releases/tag/1.4.2 #reactnative #reverseengineering #radare2
-
Hacking a Reverse Osmosis Water Filter Through its Smart Faucet
-
🎉 New release of JD-GUI Duo 2.0.113 is out!
https://github.com/nbauma109/jd-gui-duo/releases/tag/2.0.113
#Java #JavaDecompiler #OpenSource #ReverseEngineering -
Hardware enclaves (AMD SEV, Intel TDX) are just expensive band-aids for a fundamental software failure. If your threat model assumes a malicious hypervisor, your RAM is already compromised.
I got tired of passive defenses. So, I engineered TITAN NEXUS: A Hostile Runtime Environment in Golang that treats the operating system as an active enemy.
Welcome to Schrödinger’s Cryptography. If the host tries to observe the memory, the memory destroys itself.
How the architecture works:
☢️ 1. GC Eradication: Go's Garbage Collector is a forensic liability. TITAN completely bypasses it. Ed25519 keys are pinned in isolated, non-pageable memory arenas. They never float.
☢️ 2. Trap & Poison: The binary actively monitors for snapshot interrupts or unprivileged state freezes.
☢️ 3. Microsecond Suicide: Before a hypervisor can successfully dump the physical RAM, TITAN triggers an aggressive `sys.Memzero` and violently corrupts its own state.I’m not building walls; I’m building a self-destructing maze.
To the elite Reverse Engineers, Memory Forensics experts, and Red Teamers on this instance:
Can your hypervisor outrace a microsecond memory trap? How do you extract an active payload from a process that intentionally poisons itself the exact millisecond you try to inspect it? 👇Let's talk offensive architectures. Link to the logic in the replies.
#ReverseEngineering #CloudSecurity #Golang #RedTeam #MalwareAnalysis #Cryptography #ZeroTrust #DFIR #InfoSec
-
“Don Matrelli's Legacy” mod for #MSDOS Grand Prix Circuit adding new cars and tracks, as well as stronger opponents
#retrodev #retrogaming #reverseengineering #retrocomputing
Grand Prix Circuit – Don Matre... -
“Don Matrelli's Legacy” mod for #MSDOS Grand Prix Circuit adding new cars and tracks, as well as stronger opponents
#retrodev #retrogaming #reverseengineering #retrocomputing
Grand Prix Circuit – Don Matre... -
🎉 New release of ECD++ 2026.6.1 is out!
https://github.com/nbauma109/ecd/releases/tag/2026.6.1
#Java #JavaDecompiler #OpenSource #ReverseEngineering #Eclipse -
Interesting experiment: #ReverseEngineering Windows Defender with different LLMs:
Deepseek:
https://blog.deeb.ch/posts/reversing-defender-deepseek/
Qwen:
https://blog.deeb.ch/posts/reversing-defender-qwen/
Opus:
https://blog.deeb.ch/posts/reversing-defender-opus/ -
Interesting experiment: #ReverseEngineering Windows Defender with different LLMs:
Deepseek:
https://blog.deeb.ch/posts/reversing-defender-deepseek/
Qwen:
https://blog.deeb.ch/posts/reversing-defender-qwen/
Opus:
https://blog.deeb.ch/posts/reversing-defender-opus/ -
🥱 Oh wow, let's all gather 'round and geek out over the riveting tale of a 40-year-old video card that made the Apple II a "serious" computer. Reverse-engineering ancient tech to understand slot 3's quirks—just what every hip, modern reader was dying to know! 😂💾
https://www.wiseowl.com/articles/a2fpga-videx-01-the-card-that-made-the-apple-ii-serious/ #vintagecomputing #retrotech #reverseengineering #AppleII #techhistory #geekculture #HackerNews #ngated -
🥱 Oh wow, let's all gather 'round and geek out over the riveting tale of a 40-year-old video card that made the Apple II a "serious" computer. Reverse-engineering ancient tech to understand slot 3's quirks—just what every hip, modern reader was dying to know! 😂💾
https://www.wiseowl.com/articles/a2fpga-videx-01-the-card-that-made-the-apple-ii-serious/ #vintagecomputing #retrotech #reverseengineering #AppleII #techhistory #geekculture #HackerNews #ngated -
IBM MCGA Gate Array Reverse Engineering
https://github.com/schlae/IBM_MCGA
#HackerNews #IBM #MCGA #ReverseEngineering #GateArray #TechInnovation #OpenSource #Hardware
-
Luma is here!
This week at the inaugural @owasp MAScon in Vienna, NowSecure security researcher @oleavr unveiled Luma: the official #Frida GUI. Persistent sessions, an interactive REPL, frida-trace, and real-time collaborative editing, all in one native app across macOS, iOS, Linux, and Windows.
Luma is free and open source. NowSecure is proud to sponsor the project and contribute engineering resources to its development.
Huge congratulations to @oleavr and the entire Frida team on an incredible launch and what this release represents for the community: https://loom.ly/KRIF_LI
#Luma #ReverseEngineering #MobileSecurity #DeveloperTools #OpenSource #NowSecure #OWASPMAScon