I first stumbled upon this in the #Hellsing malware family, but this rule is not characteristic of that family. It just makes sure that next time there's aPLib in something I'm analyzing, I save a ton of time.
An easy way to speed up reverse engineering is to build up a repository of YARA rules covering benign algorithms.
This rule matches on aPLib, a compression algorithm on the more exotic side. It doesn't use assembly instructions or strings necessary to actually run the algorithm but merely a copyright string, version information, and authorship reference.
```
rule APLib_Strings
{
    strings:
        // Banner, copyright and URL strings shipped in the aPLib distribution;
        // plain ASCII hyphen in the banner, not a typographic dash
        $ = "aPLib v1.1.1 - the smaller the better :)"
        $ = "Copyright (c) 1998-2014 Joergen Ibsen, All Rights Reserved."
        $ = "More information: http://www.ibsensoftware.com/"
    condition:
        any of them
}
```
```
import "time"

rule year_2024
{
    condition:
        time.now() >= 1704067200
}
```
#100DaysofYARA
For my fellow travelers of the tubes, I OCRed the SHA256 hash in this presentation: 9eca6884b5ec136cdc9f4e89fa728d0a2b6d5b4ff9bc9c94538496dcb7d18111
Breaking "DRM" in Polish trains has been released on media.ccc.de https://media.ccc.de/v/37c3-12142-breaking_drm_in_polish_trains
@shellsharks this category of nullteilerfrei might be worth adding: https://blag.nullteilerfrei.de/category/tech/malware/
On my way to #37c3. HMU if you want to meet and chat. I can offer malware reverse engineering, normal software forward engineering, salsa dancing, high school maths++, and podcasting as topics.
#ghidra 11.0 just dropped. BSim, Go, Rust, GhidraGo URLs... that's all well and good. But have you seen the anniversary video?! The dragon is munching!
@23n27 @G33KatWork it's also what NASA's doing. Rule 7: "Check the return value of all nonvoid functions, or cast to void to indicate the return value is useless".
You know. For space code.
Does anyone know the contact details of someone on the "Open Source Team Endgeräte" at Telekom?
I would very much like to contact them regarding the GPL source code for the Telekom Speedport Pro router 😍
This paper proposes that emergent abilities attributed to LLMs are a mirage and an artifact of the metrics used.
Using more appropriate metrics makes the emergent behavior disappear: https://arxiv.org/abs/2304.15004
Viewing Microsoft’s technical specifications in IDA? That’s possible with Alexander Hanel’s Plugin – msdocviewer. Read our new #PluginFocus article and learn more about this simple but helpful tool 🌐 https://hex-rays.com/blog/plugin-focus-msdocviewer/?utm_source=Social-Media-Post&utm_medium=Mastodon&utm_campaign=Plugin-Focus-msdocviewer
@G33KatWork it really was a crazy time (thanks for leading me down another Wikipedia rabbit hole)
🦀 🧵 Rust reversing thread: Let's use panic metadata embedded inside Rust binaries to help us reverse engineer!
(If you prefer reading this thread as a blog post, you can read it here! Using panic metadata to recover source code information from Rust binaries - cxiao.net)
If you've ever looked inside the strings of a Rust binary, you may have noticed that many of these strings are paths to Rust source files (.rs extension). These are used when printing diagnostic messages when the program panics, such as the following message:
thread 'main' panicked at 'oh no!', src\main.rs:314:5
The above message includes both a source file path src\main.rs, as well as the exact line and column in the source code where the panic occurred. All of this information is embedded in Rust binaries by default, and is recoverable statically!
Examining these can be useful in separating user from library code, as well as in understanding functionality. This is especially nice because Rust's standard library and the majority of third-party Rust libraries are open-source, so you can use the panic strings to find the relevant location in the source code, and use that to aid in reversing.
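As an added example (not part of the thread above, and not the thread author's code), here is a Python script that does the triage step the thread describes: pull every `.rs` path out of a binary's bytes and sort it into toolchain code (the `/rustc/<commit>/library/...` paths), crates.io dependencies (the `.cargo/registry/src/...` paths) and what is left, which is usually the author's own code, then turn the user paths into Rust module paths so the original crate layout can be reconstructed. The input blob, the rustc commit hash, the crate versions and the `net::c2` module name are all constructed for the example, not taken from any real sample.

```python
"""Recover source-layout hints from Rust panic metadata (added example)."""
import re

# Constructed sample standing in for a stripped Rust binary's read-only data.
# In a real binary the path strings are (pointer, length) slices and usually
# are NOT NUL-terminated; NULs are used here only to keep the sample readable.
# The rustc hash, crate versions and module names are assumptions for the demo.
SAMPLE = (
    b"called `Option::unwrap()` on a `None` value\x00"
    b"/rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/thread/mod.rs\x00"
    b"/rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/slice/index.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde_json-1.0.108/src/de.rs\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\reqwest-0.11.22\\src\\async_impl\\client.rs\x00"
    b"src\\main.rs\x00src\\net\\c2.rs\x00src\\net\\mod.rs\x00"
)

# A run of path characters ending in ".rs" that is not followed by another word
# character. Because Rust string constants are not NUL-terminated, two adjacent
# constants can run together in a real binary ("...main.rscalled"); the lookahead
# then drops that hit instead of returning garbage, which is the safer failure mode.
PATH_RE = re.compile(rb"(?:[A-Za-z]:)?[\w.\\/-]+\.rs(?![\w])")
RUSTC_RE = re.compile(r"^/rustc/([0-9a-f]{40})/library/([a-z_]+)/")
REGISTRY_RE = re.compile(r"[\\/]\.cargo[\\/]registry[\\/]src[\\/][^\\/]+[\\/]([^\\/]+)[\\/]")


def extract_rs_paths(blob: bytes) -> list:
    """Return every distinct .rs path found in the blob, in first-seen order."""
    seen = []
    for m in PATH_RE.finditer(blob):
        p = m.group(0).decode("ascii", "replace")
        if p not in seen:
            seen.append(p)
    return seen


def classify(path: str) -> tuple:
    """Map a path to (origin, detail): toolchain library, crates.io dependency or user code."""
    m = RUSTC_RE.match(path)
    if m:
        return "toolchain", m.group(2)          # std, core, alloc, ...
    m = REGISTRY_RE.search(path)
    if m:
        return "crate", m.group(1)              # e.g. serde_json-1.0.108
    return "user", path


def module_path(path: str) -> str:
    """Turn a user-code path such as src\\net\\c2.rs into the Rust module path net::c2."""
    parts = path.replace("\\", "/").split("/")
    if parts and parts[0] == "src":
        parts = parts[1:]
    if parts and parts[-1] in ("main.rs", "lib.rs", "mod.rs"):
        parts = parts[:-1]                      # these files name their parent module
    elif parts:
        parts[-1] = parts[-1][:-3]              # strip ".rs"
    return "::".join(parts) or "crate root"


def summarize(blob: bytes) -> dict:
    """Group recovered paths: rustc commit, toolchain libs, dependency crates, user modules."""
    out = {"rustc_commit": None, "toolchain": set(), "crates": set(), "user_modules": []}
    for p in extract_rs_paths(blob):
        origin, detail = classify(p)
        if origin == "toolchain":
            out["rustc_commit"] = RUSTC_RE.match(p).group(1)
            out["toolchain"].add(detail)
        elif origin == "crate":
            out["crates"].add(detail)
        else:
            out["user_modules"].append(module_path(p))
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it against a real file by replacing `SAMPLE` with `open(path, "rb").read()`; the `rustc_commit` value pins the exact toolchain build, the crate list tells you which open-source code to diff against, and the `user_modules` list is the skeleton of the original `src/` tree before you have named a single function.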
Just released olefile 0.47 - a Python parser for MS OLE/CFB files, used by many projects such as Pillow, oledump, oletools.
This is a long overdue release with several new features and bugfixes.
https://github.com/decalage2/olefile
https://pypi.org/project/olefile/
Thanks to all the contributors who are helping me on this project!
Changelog: https://github.com/decalage2/olefile/blob/master/CHANGELOG.md
I am resuming the work on this project, so new features might be added soon.
36 years ago today was the Max Headroom TV STL hijacking. https://en.wikipedia.org/wiki/Max_Headroom_signal_hijacking
I regard this incident as the best and purest hacking prank in modern history. The combination of sophisticated, meticulous technical planning and execution, utterly juvenile content, essential harmlessness, lack of financial motive, and never getting caught or identified (or later taking credit) remains, in my opinion, unmatched to this day.
Pure art.