Reverse Engineering

How I broke Rhysida ransomware encryption

Rhysida derives every per-file AES key from a PRNG seeded with the encryption timestamp. Recover the timestamp and you regenerate every key. A reverse-engineering walkthrough and a minimal decryptor.

Adam Taguirov 14 min ransomwarereverse-engineeringcryptographymalware-analysis
Vulnerability Research

Pointer authentication: why arbitrary read/write isn't game over on arm64e

PAC signs pointers with a hardware-keyed MAC tucked into their unused bits, so a memory leak can no longer forge a callable pointer. We build it from the instruction set up (signing and authentication, keys and modifiers, what Apple's arm64e ABI signs) and show why it breaks the cheap path from arbitrary read/write to code execution.

Adam Taguirov 7 min arm64paciosapple
Vulnerability Research

Sigreturn-oriented programming

One syscall reloads the entire CPU context from the stack at once. Forge the frame it reads and you control every register in a single step. The technique we are named after, built from the ground up.

Adam Taguirov 8 min exploitationlinuxx86-64rop
Vulnerability Research

Exploiting JavaScript engines: from type confusion to code execution

The same primitive ladder works on almost every JavaScript engine: turn one memory bug into a type confusion, build addrof and fakeobj, derive arbitrary read/write, and reach code execution. We build it from scratch on JavaScriptCore and V8, then look at why a working bug is only the beginning on modern iOS.

Adam Taguirov 12 min browserjavascriptexploitationwebkit
Reverse Engineering

Building the smallest ELF program

From a default 16,704-byte hello world down to 80 bytes: stripping the toolchain layer by layer, removing sections, and overlapping the ELF and program headers.

Adam Taguirov 20 min elflinuxassemblyx86-64
Vulnerability Research

Javascript engine exploitation methodology

Recording of my talk on Javascript engine exploitation methodology, given in French at Quarks in the Shell 2023 (Quarkslab).

Adam Taguirov 1 min browserjavascriptexploitationtalk
Vulnerability Research

ActiveX controller exploitation

Reverse-engineering and exploiting CVE-2011-4187, a stack buffer overflow in Novell iPrint Client's ActiveX component, from CVE ID to arbitrary code execution on Windows XP.

Adam Taguirov 8 min cvereverse-engineeringexploitationwindows
Reverse Engineering

Recovering payloads from PE resources

A packer hides a compressed payload inside a PE's .rsrc section and unpacks it in memory at runtime. We reconstruct the technique end to end so we can recognise it and pull the payload back out during analysis.

Adam Taguirov 8 min malwarepackerswindowspe
Linux Internals

Two ways into ring 0: system calls and kernel modules

Two ways to extend the Linux kernel and cross the user/kernel boundary: a static system call compiled into the kernel, and a dynamic module loaded at runtime. We build, test, and contrast both end to end.

Adam Taguirov 17 min linuxkernelsyscallkernel-module