kirschju.re: Forward and Reverse Engineering

Code

In general, you can find most of my stuff on GitHub.

IDA Graph Exporter

Plugin for IDA Pro that exports a function, as rendered in the graph view, to a vector SVG. The native plugin retrieves all relevant information from the currently focused graph view and stores it in a JSON file. The JSON is then processed by a standalone Python script that produces the SVG.

Action Replay / Gameshark GBA V3 Tooling

Collection of scripts for interacting with Action Replay / Gameshark cheating devices for the Game Boy Advance. The original vendor utility stopped working with the introduction of 64-bit operating systems. The project also contains scripts to encrypt and decrypt cheat codes (ARcrypt).

debugmenot

Collection of anti-debugging tricks targeting gdb / lldb on Linux.

PwIN – Pwning Intel pIN

PwIN is a collection of attacks against the de-facto standard Dynamic Binary Instrumentation engine Intel PIN. Specifically, we show that malicious programs can evade instrumentation hooks and break out of the PIN VM, and that otherwise hard-to-exploit bugs become easy to exploit because of the way PIN's JIT engine operates.

Wiedergänger

Wiedergaenger is an attack against glibc-based software systems on Linux that demonstrates how specific out-of-bounds array accesses can be escalated to full code execution while bypassing ASLR with a constant payload.

Demovfuscator

The demovfuscator is a deobfuscator for binaries that were compiled using Christopher Domas' famous M/o/Vfuscator. The current release is able to reconstruct the CFG of the original program and partially replaces the mov instructions with their equivalent high-level ASM opcodes. Note that the demovfuscator is work-in-progress software, i.e. patches and comments are very welcome!

TCP Stealth

TCP Stealth is an RFC draft and a Linux kernel extension providing a modern form of port knocking for TCP sockets. Unlike other approaches, TCP Stealth is safe against active MitM attacks, can ensure the integrity of the first TCP segment sent after the handshake, and requires only minimal changes to existing applications (a setsockopt call).