XXX4Fans
oalabs from patreon

oalabs

patreon


oalabs posts

IDA Reverse Engineering - Module 2

oalabs post IDA Reverse Engineering - Module 2 from patreon

Module 2, Part 1 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we begin our analysis of the extracted Stage 2. binary. We focus on the entry point of an EXE file, and the CRT main "boilerplate" code.

This is a very basic tutorial that introduce...

View Post

IDA Reverse Engineering - Module 1.2

oalabs post IDA Reverse Engineering - Module 1.2 from patreon

Module 1, Part 2 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we continue our analysis of the stage 1 DLL diving into the only export "work".

This is a very basic tutorial that reinforces the concept of Function Definitions, Types, var...

View Post

IDA Reverse Engineering - Module 1

oalabs post IDA Reverse Engineering - Module 1 from patreon

Module 1, Part 1 of our IDA reverse engineering series. A step by step guide to marking up Windows PE binaries using IDA. In this tutorial we open our sample DLL in IDA and mark up the DLLEntryPoint and DLLMain.

This is a very basic tutorial that introduces the concept of Function Definitions, Types, variable Names, Enu...

View Post

Live Stream VOD: Chinese RJ45-USB "Malware" Full Analysis - Part 2

oalabs post Live Stream VOD: Chinese RJ45-USB "Malware" Full Analysis - Part 2 from patreon

In this stream we continue our analysis of "malware" that was apparently automatically launched from a USB Ethernet adapter. In this part we investigate the sandbox results from Hybrid Analysis and ANYRUN which led the original discoverer to believe this was malware!

Sample

2025-01-14 15:02:02 +0000 UTC View Post

Live Stream VOD: Chinese RJ45-USB "Malware" Full Analysis - Part 1

oalabs post Live Stream VOD: Chinese RJ45-USB "Malware" Full Analysis - Part 1 from patreon

In this stream we analyze "malware" that was apparently automatically launched from a USB Ethernet adapter. We reverse engineer the code line-by-line to confirm that nothing is malicious.

In Part 2 we will analyze the sandbox results that lead to the incorrect conclusion that this was malware... stay tuned!

Sampl...

View Post

IDA Reverse Engineering - A Boring Introduction

oalabs post IDA Reverse Engineering - A Boring Introduction from patreon

This an introduction to our series on basic reverse engineering with IDA. It's boring and very much worth watching.

View Post

x64dbg Scripting - Logging C Runtime String Operations

oalabs post x64dbg Scripting - Logging C Runtime String Operations from patreon

Just a quick tip and some x64dbg scripts that can be used to spy on the C Runtime interface. This will only work if the C Runtime is dynamically linked which is uncommon for msvc compiled malware, but is the default for gcc/minGW compiled malware.

Scripts

Live Stream VOD: The Many Faces of CryptBot

In this Twitch stream we explore the past two years of CryptBot iterations as the developers attempt to distance themselves from the original stealer.

Samples

Live Stream VOD: Spectre RAT Exposed

oalabs post Live Stream VOD: Spectre RAT Exposed from patreon

In this Twitch stream we triage Spectre RAT a commodity "implant" used in targeted e-crime intrusions. The RAT is written in C++ and we exploit some silly design choices by the developer to simplify reverse engineering!

πŸ™‰ My OBS crashed half way through the stream but I managed to recover the full VOD, apologies for...

View Post

C++ Strings and C Runtime (CRT) Reverse Engineering Tips

oalabs post C++ Strings and C Runtime (CRT) Reverse Engineering Tips from patreon

in this tutorial we examine C++ strings initialized in the CRT __initterm and how to take advantage of this setup when reverse engineering malware with encrypted strings.

Resources

C++ Strings for Reverse Engineers

oalabs post C++ Strings for Reverse Engineers from patreon

identifying and correctly typing C++ strings is the first step towards easier C++ reverse engineering. In this tutorial we walk through the mechanics (and code) behind the standard strings in C++

Resources

The C++ strings types header can be found here: 2024-11-17 15:00:09 +0000 UTC View Post

Reverse Engineering Lab Setup

oalabs post Reverse Engineering Lab Setup from patreon

If you are just getting started with reverse engineering this the place to start. In this tutorial we provide an overview the current setup that we currently run, this is also the same setup used in all of our live streams and tutorials.

About FlareVM

If you have been with us for a while you may remember ...

View Post

Tropical Live Stream VOD: Latrodectus

oalabs post Tropical Live Stream VOD: Latrodectus from patreon

In this Twitch stream we take a look at the new Latrodectus variant which uses AES to encrypt its strings. Instead of writing an AES string decrypter we take a generic "black box approach" using emulation to simply emulate the full decryption algorithm.

Samples

2024-10-05 14:00:12 +0000 UTC View Post

Intercepting HTTP Traffic With The Debugger

oalabs post Intercepting HTTP Traffic With The Debugger from patreon

In this tutorial we demonstrate how to use x64dbg to intercept network traffic in a target process. We are using Lumma Stealer as an example but the approach is roughly the same for all malware.

References

Tropical Live Stream VOD: Polyglot Emmenhtal Analysis

oalabs post Tropical Live Stream VOD: Polyglot Emmenhtal Analysis from patreon

Is it a benign PE file, is it a malicious HTA script? In this live stream we explore an interesting polyglot loader! Short and sweet, hope you all like scripts!

Sample

dd52a6b3e9d1f368ed000d5a506331ce5b3f194512f9d075b494510ae1583a1f  [2024-09-24 17:03:08 +0000 UTC View Post

Tracing The Pain Away Module 6 - Introduction to DTrace

oalabs post Tracing The Pain Away Module 6 - Introduction to DTrace from patreon

An introduction to DTRace and D-generate.

References

Tracing The Pain Away Module 5 - Dynamic Binary Instrumentation with PIN

oalabs post Tracing The Pain Away Module 5 - Dynamic Binary Instrumentation with PIN from patreon

An introduction to DBI with PIN and TinyTracer.

References

Tropical Live Stream VOD: Zharkbot Dynamic Analysis

oalabs post Tropical Live Stream VOD: Zharkbot Dynamic Analysis from patreon

In this live stream we take a different approach to analyzing the annoying string encryption in Zharkbot; dynamic analysis!

Sample

1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109 [U...

View Post

Tracing The Pain Away Module 4 - Instruction Tracing

oalabs post Tracing The Pain Away Module 4 - Instruction Tracing from patreon

Instruction tracing with x64dbg.

References

Tracing The Pain Away Module 3 - Syscalls

oalabs post Tracing The Pain Away Module 3 - Syscalls from patreon

Syscall tracing with x64dbg.

References

Tropical Live Stream VOD: Dynamic Python Deobfuscation Attacking The Interpreter

oalabs post Tropical Live Stream VOD: Dynamic Python Deobfuscation Attacking The Interpreter from patreon

In this live stream we analyze an unknown python stealer that comes bundled as a PyInstaller, but instead of static analysis we opt for dynamic analysis with x64dbg!

Sample

2a19ba63e85ce75d5f2d884011dfc94f616b176ed89a67c1acc0fe2179e8b591 [2024-09-01 01:24:13 +0000 UTC View Post

Tracing The Pain Away Module 2 - Debugger Basics

oalabs post Tracing The Pain Away Module 2 - Debugger Basics from patreon

Introduction to API tracing with the debugger.

References

Tracing The Pain Away Module 1 Part 2 - Code Obfuscation Basics With VM Protection

oalabs post Tracing The Pain Away Module 1 Part 2 - Code Obfuscation Basics With VM Protection from patreon

A brief overview of how VM protection works.

References

Lab 0 - Introd...

View Post

Tracing The Pain Away Module 1 Part 1 - Introduction to Static and Dynamic Analysis

oalabs post Tracing The Pain Away Module 1 Part 1 - Introduction to Static and Dynamic Analysis from patreon

A quick refresher on static vs. dynamic analysis.

View Post

Tracing The Pain Away Introduction

oalabs post Tracing The Pain Away Introduction from patreon

Tooling Setup

To complete the labs you will need the following setup. 

  • Windows VM running at least Windows 10 (64bit) 20H1, later versions of 64bit Windows are also acceptable including Windows 11.

  • A copy of ID...

    View Post

πŸ‘‹ DEF CON 32

oalabs post πŸ‘‹ DEF CON 32 from patreon

Hey Reverse Engineers,

Long time no post! if you are wondering why it has been two weeks since our last stream we have been busy putting the final touches on our DEF CON workshop! Sadly tickets have already sold out but if you show up at the door you may get lucky!

Also, for those of you not attending, no worri...

View Post

Live Steam VOD: New Rust Packer Protects Zharkbot

oalabs post Live Steam VOD: New Rust Packer Protects Zharkbot from patreon

In this twitch stream we take a look at a new packer being used to protect the latest version of Zharkbot... plot twist, the packer is written in rust!

Sample

068ef78225ab94c3f9c228d6248911986c23317d269f0bb5d0a46bd15cd93e80 [ View Post

Tracing Memory With X64dbg and Advanced Breakpoints

oalabs post Tracing Memory With X64dbg and Advanced Breakpoints from patreon

In this tutorial we combine multiple concepts and transform x64dbg into a memory tracing tool using conditional breakpoints. Many of the concepts used in this tutorial build on our previous tutorials. The following may be helpful for a deeper explanation of the topics discussed.

Tutorials

Live Steam VOD: RansomHouse Part 2 - PE Rebuilding

oalabs post Live Steam VOD: RansomHouse Part 2 - PE Rebuilding from patreon

This is the second part in our analysis of RansomHouse ransomware loader. In this stream we rebuild a custom PE format used by the loader.

Sample

2024-06-27 14:00:12 +0000 UTC View Post

Live Steam VOD: RansomHouse Part 1 - Password Protection

oalabs post Live Steam VOD: RansomHouse Part 1 - Password Protection from patreon

Back to basics, full reverse engineering! In this stream we investigate how the password protection feature works on RansomHouse/WhiteRabbit ransomware.

Sample

View Post