iossefy

985 posts

@Iossefy

so-called hacker

~ Joined August 2018
822 Following · 60 Followers
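iossefy retweeted
zhao @apivixtls
Core results before open-sourcing (powered by DeepSeek V4 Flash). Before the project was open-sourced, I used github.com/zhaoxuya520/re… to complete several highly difficult reverse-engineering and security research tasks, which fully validated the model's strong capability in real, complex engineering scenarios:

- High-quality disassembly of a Go-compiled EXE within 5 minutes: a PC executable compiled from Go, with its symbol table stripped, was quickly restored to a nearly readable source structure, greatly lowering the barrier to reverse analysis.
- One-step Android APK decompilation: an APK was successfully restored to its pre-packaging project state (the complete structure of Smali + resources + manifest, etc.), providing a clear original framework for later analysis and modification.
- Zero-credential intrusion into a web admin backend: against a web application developed with GPT-5.5, with no account information whatsoever, I quickly located and exploited a key vulnerability and got directly into the management backend, confirming its security weaknesses.

In addition, I completed a large number of other complex tasks, including but not limited to: binary protocol reverse engineering, deobfuscation of obfuscated code, analysis of encrypted communication traffic, and automated vulnerability discovery. There was also material related to game security, but I was worried people would use it to build cheats, so I removed the game-security content from the open-source version.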
iossefy retweeted
thaidn @XorNinja
We pulled in $117,000 in Chrome bug bounties with simple tricks; on Wednesday, Quang Luong will spill his secrets at the Stanford AI Security Conference: seclab.stanford.edu/RealWorldAIsec/

Fun fact: Quang is probably the only researcher in the known universe who still uses Gemini to find bugs.

Before the end of the year, Calif researchers will be presenting at Blackhat USA, Defcon, and Hexacon. We're also hoping to make it to Unprompted AU, OffensiveCon, and Objective By The Sea.

At Black Hat USA, Dionysus Blazakis and the team will walk through the bugs and exploit chain used in the Apple MIE bypass discovered a few months ago. blackhat.com/us-26/briefing…

At DEF CON, we will tell the story of hacking software that helps run the Internet backbone.

At Hexacon in Paris, @brucedang and I will give the keynote. Apple announced MIE there last year, so it'll be a fun one. I suspect they only wanted Bruce, but keynotes require a certain amount of professional nonsense, and Bruce is far too honest for that, so I got invited too. My job is marketing, which is to lie without getting caught.

What's wild is that none of this existed at the beginning of the year. We started with a simple realization: very few people have both deep security expertise and access to the best AI models. So we went all in and never looked back.

Back in March, we called a company-wide all-hands on a Saturday. The title of the invite was: "AI Tsunami and Our Actions." I don't want to romanticize overwork, but what we were seeing felt too urgent to wait until Monday. Then everyone started cooking.

The results have been spectacular. Our research on defeating Apple MIE made it into The Wall Street Journal. We signed major contracts with Anthropic, OpenAI, Google DeepMind, and xAI. While others are celebrating access to the latest models, we've been using them to explore the frontiers of vulnerability research. In the first half of 2026, we're already surpassing our entire 2025 bookings. Most importantly, we've assembled a top-tier team in record time.

I've read many strategy books, but this is the first time I've witnessed the power of the right strategy at the right time. Focus is the name of the game. Strategy is deciding what to ignore. For one month and a half, we stopped starting new projects. I've personally shelved a lifelong passion in Vietnam, because it isn't a priority for the company. You can only move fast when you're light. Several people were upset when we changed direction so abruptly. That's normal. If nobody complains, you probably didn't focus.

Of course, strategy isn't magic. You can make a focused bet and still be wrong. We were fortunate that this one worked out. None of this would be possible without our partners and supporters across the frontier labs. Thank you.
iossefy retweeted
Elastic Security Labs @elasticseclabs
OXLOADER is staging shellcode in the PE .reloc section. Detection rates are low. New research from Elastic Security Labs.

Legitimate toolchains don't emit code into .reloc. It's a static-analysis red flag, but most engines aren't catching it in practice.

Before dropping the payload, OXLOADER runs 5 checks:
- Emulation: malformed WNetAddConnection2W call, expects ERROR_BAD_NAME (0x43)
- CPU count: 3+ CPUs required
- RAM: 3 GB minimum via GlobalMemoryStatusEx
- Display refresh rate: 20 Hz floor via WMI Win32_VideoController
- Geography: CIS GEOIDs and Russian LANGID excluded

Pass all five, and a copied system DLL gets a new .xtext section injected with the shellcode. DonutLoader wraps the final payload: CASTLESTEALER.

Distributed via Google Ads impersonating Node.js. The ad campaign targeted US-based victims. The advertiser account has since been removed.

Elastic Defend catches the full chain behaviourally. Static engines largely miss it.

For the full technical breakdown, YARA rules, and IOCs, visit go.es.io/4w1aq4V, from @DanielStepanic and @k33b0i.
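An added example, not part of the post above and not Elastic's detection logic: a static triage check built on the post's remark that legitimate toolchains don't emit code into .reloc. It flags a .reloc section that carries code/execute characteristics or that is much larger than the base relocation directory it is supposed to hold. The finding names, the `SLACK` threshold and the constructed header-only sample are assumptions made for illustration.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SLACK = 0x1000  # assumed allowance for file-alignment padding after the reloc data

def parse_pe(pe: bytes):
    """Return (base-reloc directory size, [(name, raw_size, characteristics)])."""
    nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)   # SizeOfOptionalHeader
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)        # PE32+ vs PE32
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)     # NumberOfRvaAndSizes
    # Data directory 5 is the base relocation table; +4 skips its RVA field.
    reloc_size = struct.unpack_from("<I", pe, dirs + 44)[0] if ndirs > 5 else 0
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                   # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, = struct.unpack_from("<I", pe, off + 16)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, raw_size, chars))
    return reloc_size, sections

def reloc_findings(pe: bytes):
    """Flag a .reloc section marked as code or holding far more than relocations."""
    reloc_size, sections = parse_pe(pe)
    findings = []
    for name, raw_size, chars in sections:
        if name == ".reloc":
            if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                findings.append("reloc-marked-executable")
            if raw_size > reloc_size + SLACK:
                findings.append("reloc-larger-than-relocation-data")
    return findings

def build_sample(reloc_chars, reloc_raw, reloc_dir_size):
    """Constructed PE32+ headers only (no section data), used as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 5 * 8, 0x3000, reloc_dir_size)
    sec = lambda n, raw, ch: struct.pack("<8sIIIIIIHHI", n, raw, 0, raw, 0, 0, 0, 0, 0, ch)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x400, 0x60000020) + sec(b".reloc", reloc_raw, reloc_chars)
```

Both signals are heuristics: data staged in .reloc can be copied elsewhere before it runs, so a section without the execute bit is not cleared by this check alone.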
iossefy retweeted
Panos Gkatziroulis 🦄
UnCanny - Another new coercion primitive with LPE 0day - machine-account NTLM coercion from a non-admin user via Windows Store InstallService plugin resolution experiments github.com/0xHossam/UnCan…
iossefy retweeted
Calif @calif_io
We sent Claude Mythos Preview spelunking through Squid’s guts, and it surfaced clutching a 29-year-old bug. Meet Squidbleed: a Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration. Full story: blog.calif.io/p/squidbleed-c…
iossefy retweeted
Prepakis Georgios @kernelstub
I made this Windows security research toolkit for LPE, persistence, COM hijacking, and attack surface enumeration. Leave a star and follow on GitHub so I can feed my 10 kids <3 github.com/kernelstub/Fer…
iossefy retweeted
James Kettle @albinowax
Woo, I can confirm "Can AI Do Novel Security Research? Meet the HTTP Terminator" is coming to @defcon! This research was a huge gamble and the result was glorious, can't wait to share!
iossefy retweeted
Calif @calif_io
Arbitrary code execution in objdump -g

We have a thing for finding bugs in bug finding tools. IDA Pro, Ghidra, Binja Sidekick, or radare2. You name it we hacked it. Our friends were saying we should try objdump. So here we go.

Blog post: blog.calif.io/p/oobdump-relo…
AI-generated PoC and writeup: github.com/califio/public…
iossefy retweeted
Abhishek🌱 @Abhishekcur
This article is literally wow. i read it 2 years ago, and coming back to it today, it still feels new. few tutorials teach computers in a way that permanently changes how you think. this is one of them. If you've never built a VM before, you're missing one of the biggest "aha" moments in computer science.
iossefy retweeted
𝕡𝕨𝕟𝕚𝕖 @0day_ninja
ARM added Pointer Authentication as a hardware defense against ROP attacks. It cryptographically signs pointers using keys stored inside the CPU itself. Researchers defeated it using speculative execution. The CPU speculatively checks wrong signatures, rolls back before raising an exception, and leaks just enough to brute force the key. The hardware mitigation against speculation attacks was broken by a speculation attack. Source: pacmanattack.com