Home
Travis Mathison
Cancel

Golang Reverse Engineering Tips

Summary The following document is a collection of information I discovered while reverse engineering Golang binaries. This is specific to the context of malware and generally speaking, stripped bi...

Reverse Engineering on Windows 11 ARM (Macbook Pro M1/M2)

Summary I have recently purchased the new Macbook Pro M2 Max 16” as I finally wanted to switch over into the ARM world on the desktop. One of my main concerns was around my focus on reverse engine...

Resolving IDA Pro sp-analysis failed Error

Summary IDA Pro does not always get the disassembly, and pseudo-C decompilation correct. When it has an issue, it can manifest in several ways but one thing you may see is a red error message in t...

Switching IDA Pro Python Version

Summary In FlareVM you will likely have many versions of Python installed. Not all of these are going to be compatible with IDA Pro and you may need to switch which version IDA Pro is looking at. ...

Hex-Rays IDA Tips and Tricks

Hex-Rays tips and tricks to IDA Pro Igor Skochinsky of Hex-Rays presents a new IDA Pro tip every week. This is more of a pointer toward a “season 1” compilation of these tips and to the Hex-Rays b...

NPM COA@2.0.3 DanaBot Dropper

Table of Contents Executive Summary Actions leading to a DanaBot secondary payload Visual path of execution What gets dropped? IOC’s Technical Analysis ...

Malware Report: CTS

Table of Contents Executive Summary Initial binary Infected binaries MITRE Attack Matrix Indicators of Compromise Threat intel insights Technical Anal...

RC4 Crypto Usage in Malware

Table of Contents Intro The malware sample used in this blog post The KSA and PRGA functions Observing call into function Key-scheduling algorithm (KSA) KSA identity permutatio...

Resolving IAT with AGDCservices Scripts

Table of Contents Intro Attribution My IDA Pro 7.6 plugin scripts (rough conversion of theirs) Details Color coding instructions IAT Resolution The IDA Pr...

String and function hiding techniques

Table of Contents Intro The malware sample used in this blog post Visual of observed flows Notable Techniques Hiding strings via single byte pushes to stack Getting DllBase...