Blog.
Articles on reverse engineering, malware analysis, CTF writeups, and cybersecurity tools by Itay Cohen.
Mapping the connections inside Russia’s APT Ecosystem
Research mapping the connections between Russian APT groups including Turla, Sofacy, and APT29. Analysis of shared code, infrastructure, and organizational ties.
Deobfuscating APT32 Flow Graphs with Cutter and Radare2
Deobfuscating APT32 (Ocean Lotus) control flow graphs using Cutter and radare2. Techniques for removing junk code and simplifying obfuscated binaries.
The Evolution of BackSwap
Analysis of the BackSwap banking trojan and its innovative techniques for stealing money through browser manipulation while evading detection.
CONFidence Teaser CTF – Hidden Flag
Using YARA rules to leak file contents from restricted environments. A technique for extracting data from systems where file scanning is allowed but downloading is blocked.
5 Ways to patch binaries with Cutter
Five methods for patching binaries using Cutter: NOP instructions, reversing jumps, editing assembly, writing bytes, and applying patches from the hex editor.
Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 2
Continued analysis of APT33’s Dropshot malware. Automating string decryption with r2pipe, resource extraction, and completing the malware analysis with Cutter.
‘Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1’
Analyzing APT33’s Dropshot (StoneDrill) malware using Cutter and radare2. String decryption, function analysis, and Jupyter integration for malware research.
Solving PwCTF Prequel
Reversing a Self-Modifying Binary with radare2
Analyzing a packed, self-modifying binary with radare2. Covers UPX-like packers, runtime unpacking, ESIL emulation, and debugging packed executables.
Reverse engineering a Gameboy ROM with radare2
Reverse engineering a Gameboy ROM using radare2. Analyzing the Z80 architecture, Game Boy memory map, and solving a CTF challenge with r2.
A journey into Radare 2 – Part 2: Exploitation
Part 2 of the radare2 tutorial series. Covers exploitation, buffer overflows, ROP chains, and writing exploits with radare2.
A journey into Radare 2 – Part 1: Simple crackme
Step-by-step tutorial for learning radare2 by solving a simple crackme. Covers installation, basic commands, visual mode, analysis, and debugging.
[Pragyan CTF] New Avenger
[Pragyan CTF] Roller Coaster Ride
[Pragyan CTF] Lost Friends
[Pragyan CTF] The Vault
[Pragyan CTF] The Karaboudjan
[Pragyan CTF] Evil Corp
[Pragyan CTF] Supreme Leader
[Pragyan CTF] Answer To Everything
[Pragyan CTF] Interstellar
[Pragyan CTF] Game of Fame
[33C3 CTF] pay2win Writeup
[33C3 CTF] The 0x90s called Writeup
Fantastic Malware and Where to Find Them
Curated list of malware sample repositories, databases, and collections for malware analysts and security researchers.
[H4CK1T 2016] QRb00k – Russia Writeup
[H4CK1T 2016] ch17ch47 – Germany Writeup
[H4CK1T 2016] Belarus – Electronicon Writeup
[H4CK1T 2016] 1n51d3r’5 j0b – Canada Writeup
[H4CK1T 2016] HellMath – Mongolia Writeup
[H4CK1T 2016] Pentest – Mexico Writeup
[H4CK1T 2016] PhParanoid – Malaysia Writeup
[H4CK1T 2016] Hex0gator – Paraguay Writeup
[CSAW 2016] Gametime Writeup
[CSAW 2016] Key Writeup
[CSAW 2016] Sleeping Guard Writeup
[CSAW 2016] mfw Writeup
[CSAW 2016] PWN: Warmup Writeup
[CSAW 2016] Clams Don’t Dance Writeup
[CSAW 2016] Regexpire Writeup
[CSAW 2016] Coinslot Writeup
[CSAW 2016] Kill Writeup
[ASIS CTF] SecuPrim Writeup
[ASIS CTF] Sky Blue Writeup
[ASIS CTF] Smallest MD5 Writeup
[ASIS CTF] CTF 101 Writeup
[TWCTF-2016: Web] Global Page Writeup
[TWCTF-2016: Crypto] Twin Primes Writeup
[TWCTF-2016: PPC] Make a Palindrome! Writeup
[TWCTF-2016: Misc] glance Writeup
[TWCTF-2016: Reverse] Reverse Box Writeup
[TWCTF-2016: PWN] judgement Writeup
[CTF(x) 2016 : WEB] Harambehub – 100 pts Writeup
[CTF(x) 2016 : WEB] north korea – 50 pts Writeup
XOR Files With Python
Python script that XORs two files together. Useful for RAID 5 data recovery, binary deobfuscation, and forensic analysis.
XOR Files With Powershell
PowerShell script that XORs two files together. Useful for RAID 5 data recovery, binary deobfuscation, and forensic analysis.
