Travis Mathison
https://tdmathison.github.io/
A blog relating to malware reverse engineering and threat research.
Feed updated: 2024-01-31T17:57:12-08:00
© 2024 Travis Mathison

Golang Reverse Engineering Tips
Published: 2023-09-18T08:00:00-07:00 | Updated: 2023-09-18T08:00:00-07:00
https://tdmathison.github.io/posts/Golang-Reverse-Engineering-Tips/
Author: Travis Mathison
Summary: The following document is a collection of information I discovered while reverse engineering Golang binaries. This is specific to the context of malware and, generally speaking, stripped binaries. The target audience is those trying to make sense of a stripped Golang binary via IDA Pro. There are in-depth discussions on many of these topics; however, the goal here was to get right ...

Reverse Engineering on Windows 11 ARM (Macbook Pro M1/M2)
Published: 2023-02-02T20:38:00-08:00 | Updated: 2023-09-15T18:14:43-07:00
https://tdmathison.github.io/posts/Windows-11-ARM-Reverse-Engineering/
Author: Travis Mathison
Summary: I have recently purchased the new Macbook Pro M2 Max 16” as I finally wanted to switch over to the ARM world on the desktop. One of my main concerns was my focus on reverse engineering malware and how that would play out on an ARM-based device. The primary questions to be answered were: Will VMware Fusion 13 (the latest at the time of this writing) install Windows 11 ARM pr...

Resolving IDA Pro sp-analysis failed Error
Published: 2023-01-04T03:45:00-08:00 | Updated: 2023-01-04T09:58:49-08:00
https://tdmathison.github.io/posts/sp-analysis-failed-error/
Author: Travis Mathison
Summary: IDA Pro does not always get the disassembly and pseudo-C decompilation correct. When it has an issue, it can manifest in several ways, but one thing you may see is a red error message in the disassembly saying "sp-analysis failed". The screenshot below shows an example of what this looks like in disassembly. We can see that at 00537E0F it declares this to be the en...

Switching IDA Pro Python Version
Published: 2023-01-03T15:59:00-08:00 | Updated: 2023-01-03T19:16:36-08:00
https://tdmathison.github.io/posts/Switching-IDAPro-Python-Version/
Author: Travis Mathison
Summary: In FlareVM you will likely have many versions of Python installed. Not all of these will be compatible with IDA Pro, and you may need to switch which version IDA Pro is looking at. If you see errors about modules not being found, even after you have pip installed them, or errors around _ctypes as seen below, you can use a tool provided by Hex-Rays to re-target to a new version. ida...

Hex-Rays IDA Tips and Tricks
Published: 2021-11-23T11:07:00-08:00 | Updated: 2023-01-03T19:16:36-08:00
https://tdmathison.github.io/posts/Hex-Rays-IDA-Tips-and-Tricks/
Author: Travis Mathison
Summary: Hex-Rays tips and tricks for IDA Pro. Igor Skochinsky of Hex-Rays presents a new IDA Pro tip every week. This is more of a pointer toward a “season 1” compilation of these tips and to the Hex-Rays blog where they continue to be posted. The first 52 tips have been compiled into a single PDF document (by Hex-Rays): https://hex-rays.com/blog/igors-tip-of-the-week-season-01/ The continued series i...