reverse engineering

Winsage
May 31, 2025
A new strain of malware has been operating undetected on Windows systems for several weeks, utilizing advanced evasion techniques that corrupt its Portable Executable (PE) headers to avoid detection. Security researchers discovered this malware embedded in the memory of a compromised system during an investigation, using a 33GB memory dump that revealed its presence in a dllhost.exe process with process ID 8200. The malware, classified as a Remote Access Trojan (RAT) by Fortinet, employs batch scripts and PowerShell commands for its attack and has capabilities for screenshot capture, remote server functionality, and system service manipulation. Its command and control infrastructure uses encrypted communications, complicating detection efforts. The malware's distinctive feature is the deliberate corruption of its DOS and PE headers, which hinders reverse engineering and complicates the reconstruction of the executable from memory dumps. Researchers had to manually locate the malware's entry point and resolve complex import tables before it would run in a controlled environment.
AppWizard
May 20, 2025
By 2025, the Android platform faces increasingly sophisticated app-based threats, including ransomware, fake apps, social engineering, and remote access attacks. Cybercriminals exploit Android's open architecture, prompting the need for advanced security measures. Android's security architecture includes: 1. Google Play Protect: Scans applications before installation using real-time machine learning to detect emerging malware and deceptive tactics. 2. Application Sandboxing: Isolates apps to prevent data access between them, utilizing Linux permissions and SELinux policies. 3. App Signing and Code Integrity: Requires cryptographic signatures for apps, complicating the introduction of rogue certificates and runtime modifications. Advanced protections include Runtime Application Self-Protection (RASP) for high-security apps, which monitors behavior in real time, and secure coding practices that encourage regular code reviews, strong authentication, and data encryption. User vigilance is crucial, emphasizing responsible downloading, limiting permissions, keeping software updated, enabling two-factor authentication, and being cautious with public Wi-Fi. Google continuously updates security measures, ensuring older devices receive new protections, while collaboration with the security community aids in identifying and countering emerging threats.
AppWizard
May 14, 2025
The gaming community has seen a rise in reverse-engineering source code from retro console games, particularly from the Nintendo 64 era and earlier, leading to native PC ports. The decompilation of Mario Party 4 is nearly complete, making it the first fully decompiled GameCube title, which will facilitate unofficial PC ports. A port of Mario Party 4 with online multiplayer is in development. Other GameCube titles like Super Smash Bros. Melee and Metroid Prime are also being targeted for decompilation. An unofficial PC port of the Xbox 360 game Sonic Unleashed has been completed. Previous titles such as Super Mario 64 and The Legend of Zelda: Ocarina of Time have received PC ports with enhanced features. Modders are experimenting with advanced technologies like ray tracing for classic games. A modding tool has improved the recompilation process, but technical challenges remain. Nintendo has not taken legal action against these decompilation efforts, and modders use clean room tactics to avoid legal issues, requiring ownership of the original game for PC ports.
Tech Optimizer
May 12, 2025
Defendnot is a tool that disables Windows Defender by using the Windows Security Center (WSC) API, presenting itself as a legitimate antivirus solution. It was created by a developer named “es3n1n” and follows the removal of a previous tool called “no-defender.” The tool engages directly with WSC, which, to avoid conflicts, disables Windows Defender whenever third-party antivirus software is installed. Defendnot was developed through reverse engineering of the WSC service and involves understanding how WSC verifies processes. It registers a phantom antivirus product using COM interfaces and undocumented Windows APIs, leading Windows to disable its built-in protection. The tool requires administrative privileges to operate and adds itself to autorun to maintain its functionality after a reboot. Security experts express concern about its potential misuse by malware authors, while it also provides insights into vulnerabilities in Microsoft’s security architecture.
Tech Optimizer
May 12, 2025
Cybersecurity developers have created a tool called defendnot, which disables Windows Defender by utilizing undocumented Windows Security Center (WSC) APIs. This tool is a successor to the no-defender project, which was taken down due to DMCA challenges. The developer reverse-engineered WSC’s validation algorithms and identified Taskmgr.exe as a suitable process to host the necessary code. Defendnot persists across reboots by adding itself to Windows autorun and can be managed via a command-line interface with options to disable Windows Defender and Windows Firewall. Unlike its predecessor, defendnot does not use third-party antivirus code. Security experts warn that disabling protection mechanisms should only be done in controlled environments by knowledgeable users.
Winsage
March 26, 2025
ReactOS has released version 0.4.15, its first point-release in several years, following version 0.4.14 from December 2021. This release includes significant improvements such as enhanced plug-and-play support, improved sound and memory management, better Registry handling, a strengthened security subsystem, refinements in the graphical desktop environment, and upgrades to bundled accessories. ReactOS 0.4.15 can run Firefox 52, and VirtualBox Guest Additions installed successfully, with the VirtualBox display adaptor recognized. The operating system operates as an x86-32 platform, identifying itself as Windows NT 5.2 Build 3790: Service Pack 3. Because it is built through clean-room reverse engineering, ReactOS can install Windows drivers, and it features an integrated app store supporting nearly 400 programs, although some functionality issues exist with the built-in "WINE Internet Explorer" browser. The project appeals to users nostalgic for early Windows NT versions and serves as an alternative for those without a Windows license.
Winsage
February 24, 2025
TSforge is a new exploit developed by researchers that can activate all versions of Windows from Windows 7 onward, as well as all Office versions since Office 2013. It utilizes a technique called the "CID trick," which modifies the CID validation code in sppobjs.dll to allow the use of a counterfeit CID for activation. This activation persists even after service restarts. The researchers identified key locations for activation data storage, including specific files and registry keys that form the "trusted store." They used leaked Windows beta builds to understand the spsys.sys driver and reverse-engineered components to extract private RSA keys for decrypting and re-encrypting the activation data. TSforge can activate any Windows edition without debuggers or kernel exploits and bypasses hardware ID validation and the PKEY2005 encoding system.
AppWizard
December 23, 2024
An unofficial PC port of the Nintendo 64 game Star Fox 64, called 'Starship,' has been released by the Harbour Masters team, who previously created PC ports for Ocarina of Time and Majora's Mask. The port features enhanced capabilities such as higher frame rates and ultra-widescreen resolutions, and players must use their own legally sourced ROMs to access it. The development involved reverse-engineering the original game while ensuring compliance with copyright laws. Original Star Fox programmer Dylan Cuthbert expressed hope for the franchise's future, noting the absence of a new game for eight years since Star Fox Zero on the Wii U. He discussed the game's inspirations and the importance of character development in the franchise.