Reverse Engineering consulting protection solutions tooling research
Deep technical expertise at the intersection of security and engineering excellence.
Trusted by leading organizations
Codedefender
CodeDefender provides comprehensive protection against tampering, exploitation, and reverse-engineering. Built for stability and speed, it seamlessly supports modern Windows security mechanisms.
B.L.A.R.E
B.L.A.R.E., short for "Binary Lifting and Recompiler Engine", is the ultimate swiss army knife framework for working with compiled binaries. With this powerful framework, we can build custom tools tailored to your needs.
LLVM-MSVC
We actively maintain an open-source fork of LLVM, delivering state-of-the-art compatibility with Microsoft Visual C++. Build high-performance applications with modern optimization capabilities and seamless MSVC integration.
Our Blog
View All Posts →
Unauthorized Code Execution in FiveM / GTA V (Pwning the Game Client)
Computer programs take, often transform data, sometimes use it to transform themselves. Other times, the programmer at fault, they can be corrupted by data. Knowing this, I had always imagined exploiting a computer program, as it is said, to be a fascinating challenge.
AMD-V Hypervisor Development - A Brief Explanation
This was apart of my 'Understanding of OS theoretical concepts' and emulator series. I enjoy my time with this project, if you're interested in AMD virtualization then read chapter 15 of the AMD manual. There was also a lack of complacent, with the amount of menial projects I've accomplished. I wanted to hit the bigger fish, something more precedence than my former projects, that was going to be considerable harder. I hope this was helpful for any others whom might decide to make an AMD Hypervisor.
Theodosius - Jit linker, Symbol Mapper, and Obfuscator
Existing software protection frameworks typically operate at a small range of compilation levels. The highest level of obfuscation typically operates upon source code directly (source2source), the second highest level is LLVM IR (via optimization passes), and the third and final most common is upon the native binary image (bin2bin).
Writing a Mutation Engine and breaking Aimware
PERSES is a X86 code obfuscation engine that works with Portable Executable files. The obfuscation works by replacing a specific instruction with a larger more sophisticated set that is semantically compatible to the original.
EZVIZ BD-2402B1 Back Engineering and SNES9X Port
EZVIZ BD-2402B1 is a surveillance system DVR which uses hisilicon SoC's. My goal was to repurpose the hardware to run a custom fork of snes9x. In order to achieve this a serious amount of reverse engineering, and learning was required. Not only was this a hardware based project, but it was also a software heavy project.
EQU8 - Kernel Component Analysis
This blog post will be a complete analysis of the EQU8 anti-cheat's kernel driver. The kernel driver is comprised of only 24 functions, and its main goal seems to be to simply keep away people from making external cheats by accessing the game's memory via traditional handle duplication / opening methods.
EasyAntiCheat Exploit to inject unsigned code into protected processes
This is not an attack on EasyAntiCheat Oy. EasyAntiCheat has done an outstanding job protecting games and will continue to do so for years to come. I gathered this content through private research of EasyAntiCheat's modules and is not in any way tied to the work of public game hack publishers or other entities.
VMProtect 2 - Part Two, Complete Static Analysis
The purpose of this article is to expound upon the prior work disclosed in the last article titled, VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture, as well as correct a few mistakes. In addition, this post will focus primarily on the creation of static analysis tools using the knowledge disclosed in the prior post...
VMProtect 2 - Detailed Analysis of the Virtual Machine Architecture
VMProtect 2 is a virtual machine based x86 obfuscator which converts x86 instructions to a RISC, stack machine, instruction set. Each protected binary has a unique set of encrypted virtual machine instructions with unique obfuscation. This project aims to disclose very significant signatures which are in every single VMProtect 2 binary with the intent to aid in further research...
Voyager - A Hyper-V Hacking Framework
Voyager is a Hyper-V hijacking project based upon existing Hyper-V hijacking work by cr4sh which aims to extend the usability to AMD and earlier Windows 10 versions. This project however does not support secure boot or legacy bios yet. I would highly suggest checking out cr4sh's work on Hyper-V as this project is almost entirely based upon it with some minor differences in inject techniques...
Hyperspace - Hidden Address Spaces
On Windows, each process has its own virtual address space. The CR3 value loaded into a logical processor is located inside of the KPROCESS structure...
Reverse Injector - Merging Address Spaces
The bottom 256 PML4E's are what map all code, data, and stacks. The 256th PML4E maps modules such as ntdll.dll, and other loaded modules. As you can foresee, some PML4E index's overlap. In order to handle overlapping PML4E's, Reverse Injector simply finds empty PML4E's and inserts the remote PML4E's into them.
MSREXEC - Elevate Arbitrary WRMSR to Kernel Execution
MSREXEC is a library to elevate arbitrary MSR (Model Specific Register) writes to kernel execution. The project is extremely modular and open ended on how writes to MSR's are achieved...
PTM - Page Table Manipulation From Usermode
PTM is a Windows 10 C++ library that allows a programmer to manipulate all memory, physical, and virtual from user-mode. The project inherits an interface from VDM allowing the use of a physical memory read-write primitive to fuel this project. VDM is used solely to configure the page tables in such a way that PTM can manage them from user-mode. Once the page tables are configured for PTM VDM is no longer required. However, VDM can inherit an instance of PTM as a means to read and write physical memory. Both VDM and PTM work extremely well together and independently from each other.
VDM - Vulnerable Driver Manipulation
Exploiting vulnerable Windows drivers to leverage kernel execution is not a new concept. Although software that exploits vulnerable drivers has been around for a long time, there has yet to be a highly modular library of code that can be used to exploit multiple drivers exposing the same vulnerability...
PSKP - Process-Context Specific Kernel Patch
Knowing that PML4(E)'s of the kernel are not globally mapped, one could rebuild the paging tables for a given address. This idea of rebuilding is simply allocating a new page, copying all entries into the new page and finally editing the paging table entry specified by the corresponding paging table index in the linear virtual address. An illustration of this process of rebuilding is illustrated below.
Virtual Memory - Intro to Paging Tables
Virtual memory is probably one of the most interesting topics of modern computer science. Although virtual memory was originally designed back when physical memory was not an abundant resource to allow the use of disk space as ram, it has stuck with us, offering security, modularity, and flexibility. Unlike the rest of the content on my sites which is bound to an operating system, virtual memory is really a CPU level concept.
Unfairgame - Reverse Engineering of unfairgame.co
Unfairgame is an online game cheat provider that sells game cheats specifically for competitive play games...
Physmeme - Windows Unsigned Kernel Driver Mapper
Physmeme is a driver mapper that works with any form of read and write to physical memory. It is highly modular code that allows a reverse engineer to easily integrate their own vulnerable driver. If you are able to read and write to physical memory you can now map an unsigned driver into your kernel just by coding four functions...