cr3ghost
@cr3ghost
121 posts

A student passionate about reverse engineering, Windows internals, anti-cheat research, malware research, and exploit research. Aspiring red teamer.

Australia · Joined May 2026
250 Following · 684 Followers
Pinned Tweet
cr3ghost @cr3ghost
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research. A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085. No paywall. No course. Just research. Free as in beer. exploitreversing.com Author: @ale_sp_brazil #ReverseEngineering #MalwareAnalysis #InfoSec
cr3ghost @cr3ghost
@IAMERICAbooted @jonasLyk I was probably in high school when this legend was hacking. I wanted to sell my 0-exploits too but someone told me it is a cyber weapon and it's illegal. So instead I just use in-game cheats.
EZ @IAMERICAbooted
Also, none of that is illegal. In fact many security researchers sell their bugs to brokers instead who then sell them to nation states. TBH, I've never understood why researchers submit to MS bug bounty because everyone knows they pay the least, have a lot of incompetence, and cause so much more work.
cr3ghost @cr3ghost
@NinjaParanoid @Octoberfest73 What experiences have you had with EDR vendors? I'm curious to know people's interactions for reporting bugs or bypasses and their bounty programs. Are they okay with releasing blog posts on bypassing them, or are they the same as anti-cheat vendors?
Chetan Nayak (Brute Ratel C4 Author)
@Octoberfest73 It's good. I have done this before, but decided to not add it to brc4, since I have seen this getting flagged due to not having the basethreadinithunk and userthreadstart frame, by one specific EDR. You know who 😂
Octoberfest7 @Octoberfest73
✅Call APIs requiring 5+ args ✅Store return values ✅Chain multiple spoofed calls for sleep obfuscation ✅Zero user code required during execution ✅CET/HSP/Shadow stack compliant Big things coming to the UDRL and Sleepmask Development course...
cr3ghost @cr3ghost
@cyb3rops do they even have a security team and if they do then why are they not part of the SDLC?
cr3ghost @cr3ghost
Server-side authority works well for smaller player counts but at millions of concurrent players the latency and infrastructure cost becomes a real problem. Most studios cannot afford to run authoritative physics and position validation at that scale. Client-side is not ideal but it is a practical reality. The honest answer is both are needed and neither alone solves it.
Dodge This Security @shotgunner101
Difference is installation is MANDATORY for entertainment purposes, and companies with the level of access anticheats give have historically been HORRIBLE at not abusing it. Look at Microsoft with its thousands of diagnostic data points they collect, then resell to 2000 ~ "partners" as well as to government agencies. It's on by default and takes extensive OS changes in the registry, on disk and on your network to stop. Kernel level anticheats also require mandatory low level access to your device as it scans memory, disk, modules, hooks, (some have been caught scanning browser history), scanning of network traffic, registry, BIOS, hardware info, TPM info, etc. That information is then commonly all sent back to anticheat companies' servers. You *hope* they won't abuse this level of access and privilege but there are hundreds of millions of dollars as incentive and maybe 5% of that at risk from fines if they're caught. Why wouldn't they abuse it. Any game without kernel level anticheat I can run within a Sandboxie instance and restrict its external access to other programs' memory, files, registry, network, etc and still play the game fine. With limited concern of it "expanding" its access beyond the set limits. I also play games without kernel mode anticheat in a virtual machine with GPU pass-through from my host operating system and get near the same frame rate with zero risk to my personal data. Kernel level anticheat is effectively a mandatory rootkit, from for-profit companies just to try and enjoy games. Anticheat companies should be focusing on player behavior patterns, limiting information sent from the server, only sending information needed to each individual client when it's needed, statistics and AI based detection mechanisms, etc. The reason being is all the server side, statistics and behavior based detections take much of the control out of the cheater and hack creators' hands and limit their severity in the first place so they have exponentially less impact.
Say for example bullet trajectories, spread and recoil are all server side authoritative instead of client side authoritative. Then how exactly would a cheat maker have any control over those functions if it's server sided and random. They wouldn't. If ESP requires player positions and player positions aren't sent till the enemy is visible or is soon to be visible near a corner then the effect of ESP is exponentially reduced as you don't have "global" player position awareness at all times. That helps defeat radar, ESP, snapline, chams/skeletons, etc almost entirely (you'd have to respond in a split second to the info instead of having unlimited time to respond). The same with aimbot, if I'm tracking player mouse movements/camera movements, I'm monitoring for impossible micro adjustments in the sub 100ms range to stay on target and I'm comparing that information with a player's statistics then "rage" hacking is effectively dead given you can't just have 360 degree aimbot coverage and instant reaction anymore with 80%+ headshot rate in sub 100ms times. This forces cheaters into more human gameplay and helps eliminate the disruptive nature of aimbots. If bullet trajectories are server sided then magic bullet is effectively dead. The list goes on and on but my point is kernel level anticheat is the past, the hacker will ALWAYS have the advantage on hardware they control and have 24/7 access to. We have 25 years of evidence for this. Statistics, AI based and server sided processing and info control is the future as it takes the power away from hack makers and users. While simultaneously eliminating all the data risks and legal liability linked with kernel level anticheats.
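As an added illustration of the server-side, statistics-based checks the post above argues for, here is a small Python sketch of two of them: measuring reaction time from the moment the server makes an enemy visible to the moment the crosshair lands on its head, and comparing a player's headshot rate against both a fixed ceiling and their own history. This is example code written for this page, not the poster's own; the telemetry, the 100 ms floor, the 0.5 degree snap tolerance and the 80% headshot ceiling are all constructed assumptions that a real system would calibrate against a large player population.

```python
"""
Server-side aim-behaviour heuristics (added example, not the poster's code).
All thresholds and sample telemetry are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median

REACTION_FLOOR_MS = 100     # assumed floor; human visual reaction is slower than this
SNAP_ERROR_DEG = 0.5        # crosshair within this of the head counts as "on target"
HEADSHOT_RATE_LIMIT = 0.80  # assumed ceiling before the rate is considered anomalous
MIN_HITS = 20               # do not judge a headshot rate on fewer hits than this


@dataclass
class AimSample:
    t_ms: int               # server time the sample was received
    target_visible: bool    # server-side line-of-sight says an enemy is visible
    head_error_deg: float   # angular distance from crosshair to nearest visible head


@dataclass
class Shot:
    t_ms: int
    hit: bool
    headshot: bool


def reaction_times(samples):
    """Milliseconds from an enemy becoming visible to the crosshair snapping onto its head,
    one measurement per visibility window."""
    times = []
    seen_at = None      # start of the current visibility window
    measured = False    # already recorded a snap in this window
    for s in samples:
        if not s.target_visible:
            seen_at, measured = None, False
            continue
        if seen_at is None:
            seen_at = s.t_ms
        if not measured and s.head_error_deg <= SNAP_ERROR_DEG:
            times.append(s.t_ms - seen_at)
            measured = True
    return times


def headshot_rate(shots):
    """Share of hits that were headshots; None until there are enough hits to judge."""
    hits = [s for s in shots if s.hit]
    if len(hits) < MIN_HITS:
        return None
    return sum(1 for s in hits if s.headshot) / len(hits)


def evaluate(samples, shots, baseline_headshot_rate):
    """Return a list of flag strings; an empty list means nothing anomalous was seen."""
    flags = []
    rt = reaction_times(samples)
    if len(rt) >= 5 and median(rt) < REACTION_FLOOR_MS:
        flags.append(f"median_reaction_{int(median(rt))}ms")
    hr = headshot_rate(shots)
    if hr is not None:
        if hr >= HEADSHOT_RATE_LIMIT:
            flags.append(f"headshot_rate_{hr:.2f}")
        if hr >= 2 * baseline_headshot_rate:   # sudden departure from the player's own history
            flags.append("headshot_rate_vs_baseline")
    return flags


def make_window(start_ms, snap_after_ms, tick_ms=10, length_ms=600):
    """Constructed telemetry: a target appears at start_ms and the crosshair
    reaches its head snap_after_ms later, then the target leaves line of sight."""
    out = []
    for t in range(start_ms, start_ms + length_ms, tick_ms):
        err = 30.0 if t - start_ms < snap_after_ms else 0.2
        out.append(AimSample(t, True, err))
    out.append(AimSample(start_ms + length_ms, False, 45.0))
    return out


# Constructed data for two players (not real game telemetry).
SUSPICIOUS_SAMPLES = [s for w in range(6) for s in make_window(w * 1000, snap_after_ms=20)]
NORMAL_SAMPLES = [s for w in range(6) for s in make_window(w * 1000, snap_after_ms=300)]
SUSPICIOUS_SHOTS = [Shot(i * 100, True, i < 23) for i in range(25)]   # 23 of 25 hits to the head
NORMAL_SHOTS = [Shot(i * 100, True, i < 8) for i in range(25)]        # 8 of 25 hits to the head


def suspicious_player():
    return evaluate(SUSPICIOUS_SAMPLES, SUSPICIOUS_SHOTS, baseline_headshot_rate=0.30)


def normal_player():
    return evaluate(NORMAL_SAMPLES, NORMAL_SHOTS, baseline_headshot_rate=0.30)


if __name__ == "__main__":
    print("suspicious:", suspicious_player())
    print("normal:", normal_player())
```

Everything the heuristics consume is known to the server (visibility is its own line-of-sight decision, shots are its own hit registration), so none of it depends on trusting the client, which is the point the post makes: the cheat author controls the client but not the statistics the server derives from it.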
cr3ghost @cr3ghost
Gamers worry about kernel anti-cheats when any user-mode software (ring-3) can already read your passwords, browser history, log your keystrokes, record your camera, steal your files, and exfiltrate your data. Spyware has never needed the kernel. Kernel access is not what makes something spyware. Cheaters have been loading kernel drivers and hypervisors for years to hide from detection. A usermode anti-cheat has no way to detect something already operating below it. Loading at boot is necessary. If anti-cheat loads after a cheat driver is already in the kernel, it has already lost. Read: Why Anti-Cheat Software Utilize Kernel Drivers secret.club/2020/04/17/ker… Author: @vm_call from @the_secret_club #AntiCheat #GameSecurity
Quoted post by cr3ghost @cr3ghost:
Vanguard runs at boot because cheats run at boot. Riot clones the PML4 table, inserts a shadow entry into a free slot, hooks SwapContext, and swaps CR3 per-thread at context switch time. If it was spyware, researchers would have found it. They found this instead. Reverse engineering is an art. When in doubt, reverse it. #ReverseEngineering #Vanguard #InfoSec Full RE breakdown by @Xyrem256: reversing.info/posts/guardedr…
Nate @nnwakelam
waiting for bounty payouts
Pirat_Nation 🔴 @Pirat_Nation
Alanah Pearce has confirmed that God of War: Laufey is the project she worked on during her time at Sony Santa Monica Studio. “So here’s the God of War game I spent four years writing.” Now it all makes sense.
vx-underground @vxunderground
I was sniffing around trying to learn more about this FOIA (Freedom of Information Act) gumpy I found on the internet. *I didn't find it, someone else found it and sent it to me It's from Bloomberg and (currently) behind a paywall as part of their "FOIA News", or whatever silly name they're calling it to make it interesting. > lists victims (but redacted) > interviews witnesses > big shenanigans > solarwinds was precise in what doing > nicknamed "Lazy Fortnite" by government (???) > victim 1 is v v v important assets.bwbx.io/documents/user…
cr3ghost @cr3ghost
@HackingLZ @github what repos did you have. would be helpful to see what they're flagging so we can reverse the why.
cr3ghost @cr3ghost
@jonasLyk @IAMERICAbooted do you think it is possible that you are affiliated with a game hacking research group called the back engineering lab and secret club?
Jonas L @jonasLyk
@IAMERICAbooted I like finding bugs and programming, but it's impossible for me to get any kind of IT job at all. So some bug hunting with eclipse nightmare is the closest I can get to working with a coworker. Submitting bugs is more of a fight than finding them. Why would I go through that?
Jonas L @jonasLyk
@wh0crypt @IAMERICAbooted I don't know; 15 years doing C and C++ and around 30 CVEs are apparently totally useless skills. Nobody cares about Windows, only phones, and people don't invest in anything not AI related.
PELock @PELock
@C5venom And what about license-key-encrypted sections? They will still be encrypted without the key unless they can beat modern PKI. Also, a tutorial without a working unpacker is dubious... Themida had many, many versions, same for VMProtect; a single unpacked file isn't equal to an unpacker.
cr3ghost @cr3ghost
Themida turns a few lines of code into thousands of VM handler instructions. Completely unreadable. back engineering built a static devirtualizer that lifts it all to IR, resolves the control flow, and recovers the original logic. The before/after in the repo is genuinely shocking. Works on pretty much any VM obfuscator, not just Themida. Blog: back.engineering/blog/09/05/202… Devirt output: github.com/backengineerin… Author: @BackEngineerLab #ReverseEngineering #InfoSec #Malware
cr3ghost @cr3ghost
@DrWhax I don't think they like your bio given what they do haha
cr3ghost @cr3ghost
@5mukx @github do you know if any threat actor used your code to do bad things?
Smukx.E @5mukx
@cr3ghost @github Nah, I don't have any private repos that contain botnets or malware. Just pushed some major updates to my Rustypacker. Got shadow banned :(
Smukx.E @5mukx
Hey @github. My GitHub profile Whitecat18 was accidentally flagged without prior mail and activities; I was trying to push my code from dev to main branch. I can log in, but my profile shows a public 404 error. Appeal submitted under ticket ID: #4440743. Kindly look and resolve the issue.
cr3ghost @cr3ghost
SOMA and Alien Isolation are perfect references. The moment you give players a weapon they stop being scared and start optimising. Subnautica 1 understood this too, the Reaper Leviathan is terrifying until you figure out you can technically fight it. Removing that option entirely is the cleaner design decision.
Pirat_Nation 🔴 @Pirat_Nation
Subnautica 2 Design Lead Anthony Gallegos recently explained the reasoning behind the game's no-killing policy in an interview with MinnMax. Gallegos said the decision was not made because the studio opposes violence in games: "We're not like 'we're a game about pacifism' or 'we're a non-violent studio'. The studio was founded by modders who made Half-Life mods, and their first mods were all about shooting aliens." Instead, he said the team had two main goals. The first was to shape how players interact with the world: "Our intent, actually, was two things. One, we wanted to avoid giving players the attitude that they were dominators over the world, because the message of the game was very much about people learning to live in parallel with the world they're in." Gallegos also explained that the team wanted to preserve the sense of danger and tension and cited SOMA and Alien: Isolation as major inspirations: "We're really inspired by games like SOMA and Alien: Isolation." "If [SOMA] ever gave players the means to fight things, no matter how intentionally miserable they made the experience, players would always be like 'it's always better to master the crappy combat than it is to deal with the constant threat of the thing'." According to Gallegos, removing creature killing helps maintain the feeling of vulnerability and encourages players to survive, adapt, and coexist with the alien ecosystem rather than simply eliminating every threat they encounter.
cr3ghost @cr3ghost
@0xdf_ @ippsec Really cool. I really like you, ippsec, and you, 0xdf. Good content creators without any cringe.
cr3ghost @cr3ghost
The 60 minute disclosure window is the real conversation here. One click full token theft is bad enough but shipping this while the patch is still warm is exactly the kind of thing that gets developers hurt before they can update. Responsible disclosure exists for a reason but MSRC sucks.
vx-underground @vxunderground
Yeah, so pretty much this guy is releasing an exploit in solidarity with Nightmare Eclipse guy. He said he notified GitHub about the exploit 60 minutes before releasing this paper. I don't do web stuff, and I'm not a VSCode nerd, so I'm confused by the underlying technologies. If you're a stinky GitHub and VSCode nerd maybe you'll understand. tl;dr click github dev, github dev opens editor, in github dev editor have javascript, javascript does shortcuts automatically. github treats javascript shortcuts as real human input, or something. use javascript shortcut stuff to automatically install vscode extension. the vscode extension steals your data tl;dr tl;dr user clicks 1 link, 1 click steals all data from your github blog.ammaraskar.com/github-token-s…