A journey through KiUserExceptionDispatcher

I am currently working on an emulation environment similar to Qiling. Unlike Qiling, it emulates the entire user-space, not just the target application. As Qiling reimplements all APIs (kernel32, vcruntime, …) outside the emulator, it gains a lot of speed (e.g. by not needing to run all the ntdll code during startup), while sacrificing stability (reimplementing all APIs can be error prone) and introducing a whole lot of work. My emulator draws the line at the syscall level....

September 7, 2024 · 7 min · Maurice Heumann

Bypassing Denuvo in Hogwarts Legacy

When I announced my Black Ops 3 integrity bypass, someone commented that my research was not impressive and I should try analyzing Denuvo instead. That kinda stuck with me, so I did what everyone would do and spent the last 5 months of my free time reverse engineering and bypassing the Denuvo DRM in Hogwarts Legacy. I am obviously not as skilled and experienced as EMPRESS, who managed to do it within days, but that’s ok 😃...

March 31, 2024 · 11 min · Maurice Heumann

Reverse Engineering Integrity Checks in Black Ops 3

Call of Duty: Black Ops 3 is protected by a DRM that, among other things, protects the integrity of the game’s code at runtime. Reverse engineering those integrity checks has been a personal goal I had for a long time. In this post I’m going to describe my process of achieving exactly that, so let’s dive in. Disclaimer Just a little disclaimer here. The goal of this post is not to encourage piracy....

November 17, 2022 · 16 min · Maurice Heumann

Detecting Hypervisor-assisted Hooking

I recently started to experiment with hypervisors and their use for bypassing anti-cheat or anti-tampering systems. This post will describe the concept of hypervisor-assisted hooking and a few simple approaches to detect such hooks. What is a hypervisor? In short: A hypervisor allows running virtual machines with hardware acceleration. The concept of hypervisors in general is a huge topic, but for this post, all that depth doesn’t really matter....

May 2, 2022 · 9 min · Maurice Heumann

Google CTF 2019 - JIT

Thanks to Rektinator and TwistedFate for helping me solve this challenge. JIT was one of Google’s pwnable challenges. It implements an artificial assembly language, which gets jit-compiled into x64 assembly. An example program looks like this: MOV(A, 10) STR(A, 1) LDR(A, 2) SUM() JMP(2) RET() It supports basic instructions to move, add and subtract, jump and compare values. Two files were given: compiler.c and FancyJIT.java The C file implements the jit-compilation by translating each individual instruction into the corresponding x64 assembly instruction and storing everything in an executable buffer....

June 27, 2019 · 14 min · Maurice Heumann

9os - Nyan Cat 'Operating System'

For our graduation party at school two years ago, a friend of mine, Olrik, and I decided to play the Nyan Cat theme on all PCs at school. Under the name 9os, we started writing the entire project in 16-bit x86 assembly. The task was to draw the rainbow behind the cat, then the cat itself, play the music and in the end draw the stars. Drawing the rainbow was pretty simple, as it consists only of a few stripes that need to be drawn at alternating heights and colors....

December 25, 2017 · 1 min · Maurice Heumann

Harpoon - Yet another ARP poisoning tool

After having started to use libraries like libpcap or WinDivert, I got curious about low-level networking protocols like Ethernet, IP, ICMP, ARP, TCP or UDP. Especially the Address Resolution Protocol (ARP) fascinated me, as I had previously used tools like Ettercap or Cain & Abel to experiment with man-in-the-middle attacks using ARP poisoning; however, I did not know how ARP poisoning worked in detail. Basically, using an ARP request, you can request the MAC address of a particular host behind a local IPv4 address....

December 16, 2017 · 4 min · Maurice Heumann

Game Hacking reinvented? - A COD Exploit

A few years ago, I became aware of a security issue in most Call of Duty games. Although I did not discover it myself, I thought it might be interesting to see what it could be used for. Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling....

December 14, 2017 · 9 min · Maurice Heumann