Step 1: open a binary in IDA and press F5
Step 2: paste the decompiled code into OpenAI's chatbot
Someone's job just got way easier.
Ivan Kwiatkowski
@JusticeRage
Security Researcher. Maintainer of Manalyze, writer.
Trolling on a purely personal capacity.
Ivan Kwiatkowski’s posts
I wrote an IDA plugin that queries #ChatGPT and explains decompiled functions. It's still very bleeding edge, but you can find the code here and try it out:
github.com/JusticeRage/Ge
(Yes, the video was performed on a very basic case for simplicity's sake.)
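As an added example of how such a plugin fits together (this is not Gepetto's code and not the author's; the endpoint, model name and request format are assumptions to check against the current OpenAI API documentation), the following Python splits the work into an IDA-facing part, which only runs inside IDA, and a model-facing part, which can be run and tested anywhere. The security-relevant piece is the reply parser: the model's output is untrusted input, so suggested variable names are validated before Hex-Rays is asked to apply them.

```python
import json
import re
import urllib.request

# Assumptions (not from the original post): the OpenAI chat completions endpoint
# and model name below; check the current API documentation before relying on them.
API_URL = "https://api.openai.com/v1/chat/completions"
MODEL = "gpt-3.5-turbo"

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
C_KEYWORDS = {
    "auto", "break", "case", "char", "const", "continue", "default", "do",
    "double", "else", "enum", "extern", "float", "for", "goto", "if", "int",
    "long", "register", "return", "short", "signed", "sizeof", "static",
    "struct", "switch", "typedef", "union", "unsigned", "void", "volatile", "while",
}


def build_explain_prompt(decompiled):
    return ("Explain what the following C function does in at most five sentences, "
            "then suggest a short name for it.\n\n" + decompiled)


def build_rename_prompt(decompiled):
    return ("Rename the local variables of this C function so the names reflect "
            "their purpose. Reply with one JSON object mapping each current name "
            "to its new name, and nothing else.\n\n" + decompiled)


def parse_rename_reply(reply_text, current_names):
    """Turn the model's reply into a safe {old: new} mapping.

    The reply is untrusted input: tolerate a code fence around the JSON, but
    reject anything that is not an object, names that are not plain C
    identifiers or are keywords, variables that do not exist in the function,
    and new names that collide with an existing or already assigned one."""
    start, end = reply_text.find("{"), reply_text.rfind("}")
    if start < 0 or end < start:
        return {}
    try:
        mapping = json.loads(reply_text[start:end + 1])
    except ValueError:
        return {}
    if not isinstance(mapping, dict):
        return {}
    renames, taken = {}, set(current_names)
    for old, new in mapping.items():
        if old not in current_names or not isinstance(new, str):
            continue
        if not IDENT_RE.match(new) or new in C_KEYWORDS or new in taken:
            continue
        taken.add(new)
        renames[old] = new
    return renames


def query_model(prompt, api_key, timeout=60):
    """One chat completion request over plain urllib (network; not exercised here)."""
    body = json.dumps({"model": MODEL,
                       "messages": [{"role": "user", "content": prompt}]}).encode()
    req = urllib.request.Request(API_URL, data=body, headers={
        "Content-Type": "application/json", "Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["choices"][0]["message"]["content"]


def current_function():
    """(decompiled text, local variable names, entry address) of the function
    under the cursor. Imports are local so the rest of the file runs outside IDA."""
    import ida_hexrays
    import idaapi
    cfunc = ida_hexrays.decompile(idaapi.get_screen_ea())
    if cfunc is None:
        raise RuntimeError("Hex-Rays could not decompile this function")
    names = [lv.name for lv in cfunc.get_lvars() if lv.name]
    return str(cfunc), names, cfunc.entry_ea


def explain_and_rename(api_key):
    """The plugin's whole round trip: decompile, ask, validate, apply."""
    import ida_hexrays
    code, names, entry = current_function()
    print(query_model(build_explain_prompt(code), api_key))
    suggested = parse_rename_reply(query_model(build_rename_prompt(code), api_key), names)
    for old, new in suggested.items():
        ida_hexrays.rename_lvar(entry, old, new)
```

Two practitioner caveats that the plugin design does not remove: every function you send leaves your machine and lands with a third party, which matters when the binary is a customer's or an unreleased sample, and the API key should come from the environment or a config file outside the plugin directory rather than being hardcoded next to the code.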
As a reverse engineer, the most difficult part of my job remains to figure out how to format tables in Microsoft Word when I'm writing reports.
Kaspersky released a new blogpost today, documenting an iOS 0day + zero-click exploit used to target cybersecurity researchers. The scope and full victimology are still unknown.
Nobody wants to use GPG. Not even Nigerian scammers who have a victim on the hook ☹️
We released two videos for free from our online reverse engineering course. They focus on Go malware (Sunshuttle).
youtu.be/_cL-OwU9pFQ
youtu.be/YRqTrq11ebg
Almost 2 hours of premium IDA Pro entertainment!
We created cheat sheets for IDA Pro and x64dbg for our online course recently, and were authorized to share them with everyone!
The aim was to list all hotkeys that we use on a daily basis, i.e. only those we feel are worth learning.
I hope you find them useful!
I set up carton-rouge.net last night in case this happened, to be displayed on a mobile phone!
I have written a personal statement about the war in Ukraine, recent criticism about Kaspersky and its founder. blog.kwiatkowski.fr/?q=en/kaspersk
Those words were written from the heart. I humbly hope they give you pause.
I am staying in GReAT, and here is why.
(FR version coming soon.)
Our online reverse-engineering / malware analysis course (intermediate level) is finally launching! xtraining.kaspersky.com/courses/target
and I have been working on it almost exclusively for 6 months now. 50+h of video, 100h of virtual lab time, 10 real-life APT malware cases.
A lot of the value I bring to any company comes in the form of entertainment, specifically through an endless stream of salty emails. AI just made me obsolete.
All hail our new robot overlords.
New blog post about an UEFI firmware bootkit!
securelist.com/cosmicstrand-u
Research was led by our dearly missed
An update to my 0day handling ethics mind-map for cybersecurity researchers.
Version 1.0 did not account for the possibility of becoming accessory to murder.
What a silly oversight on my part.
Curl is being introduced as a standard Windows command line tool! Malware authors all over the world must be ecstatic; stage 1s are going to get smaller.
blogs.technet.microsoft.com/virtualization
Hey Twitter. Did anyone ever find out why TrueCrypt shut down operations back in 2014? We never got answers, but I need closure.
Personal news: I have resigned from my position in 's GReAT team. I'm very grateful for my time there and everything the team accomplished.
I don't have any reason to believe anything I wrote about the company was untrue at the time I wrote it.
I will now take a…
New blog post: a full Process Hollowing / Manalyze tutorial. blog.kwiatkowski.fr/?q=en/process_
New release: a Python script to catch careless intruders on your machines by "booby-trapping" binaries. github.com/JusticeRage/fr
Our research on the new(?) mercenary APT DeathStalker is finally out! securelist.com/deathstalker-m
Please take a look if you're interested in Evilnum or Janicab!
I've been working on this for 5 years, and it's finally out! I wrote a dark fantasy book (no computers involved), and it's the hardest thing I have ever done. I'm extremely proud of the final result. (But it's in French, for now.)
lechantducygne.fr/gestalt/
Not to bash on a single individual, which accomplishes nothing - but this is exactly why there is a need for more discussion about ethics in infosec.
Take a minute to think about how your actions have impacted "human and women rights" and "free speech" in 2021.
This #MrRobot episode is the gift that keeps on giving!
sandbox.vflsruxm.net/plans.rar leads to github.com/RedBalloonShen and also:
We're very happy that this research is released: securelist.com/lazarus-on-the
In it, , and I discuss the connection between the VHD ransomware and the Lazarus group.
This work was made possible with huge help from Kaspersky's GERT (IR) team.
Okay Twitter 😶
Sorry non-French speakers, I can't translate this tweet considering how heinous it is. Imagine a hatred bingo combining the N-word, call for violence and nazism.
Hahaha, gotcha #ChatGPT!
They've been patching loads of jailbreaks as they are found, but the possibilities are endless.
I've added a script to Manalyze which plots the compilation timestamps of a PE collection: github.com/JusticeRage/Ma
Credit goes to for the pretty charts.
A few days ago, I contributed an IDA Pro script which extracts type information from Go binaries to ' AlphaGolang repository.
We just released an article that gives background on how this works: securelist.com/extracting-typ
Code:
Interesting points on where to host a cybercrime discussion by Fadli Sidek #HITBGSEC17
Ping to all hash crackers: has just released a great set of scripts at github.com/trustedsec/hat.
- Wordlist deduplication
- Analysis of already cracked hashes
- Launches all the run-of-the-mill attacks from a single command
And a lot of other goodies.
I feel like there's a need to clarify what is going on here, it's an interesting anti-sandbox trick.
The SeShutdownPrivilege string is constructed on the stack dynamically, in particular the program uses the first letter of its filename as an index in the string.
Spotted: a French website impersonates at keepass.fr, bundles it with adware (virustotal.com/#/file/1642eac) and worst of all (apologies to non-French speaking readers):
I have stumbled onto something interesting while working on PE resource timestamps. It seems that a build chain, somewhere, is using local (non-UTC+0) timestamps for resources, which can help determine where the binary is compiled. Is this something known?
New release: a python script that uses SMART data to detect evil maid attacks.
github.com/JusticeRage/fr
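Added example, not the script from the repository above: the idea in Python, parsing `smartctl -A` output and comparing the drive's power-cycle and power-on-hour counters against a baseline saved at the last clean shutdown. A drive that was powered up while the OS was not running (imaged in another machine, for instance) shows an extra power cycle. The smartctl output and the baseline values are constructed.

```python
import json
import re
from pathlib import Path

# Constructed `smartctl -A /dev/sda` output (not from a real drive).
SAMPLE_SMART_OUTPUT = """\
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.1.0] (local build)
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   086   086   000    Old_age   Always       -       6123
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       412
174 Unexpect_Power_Loss_Ct  0x0032   100   100   000    Old_age   Always       -       17
194 Temperature_Celsius     0x0022   067   045   000    Old_age   Always       -       33 (Min/Max 21/52)
"""

POWER_ON_HOURS = 9
POWER_CYCLE_COUNT = 12

_ATTR_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+"
    r"(?:\s+\d+){3}\s+\S+\s+\S+\s+\S+\s+(?P<raw>\d+)"
)


def parse_smart_attributes(text):
    """{attribute id: raw value} for every attribute line of smartctl -A output.
    Only the leading integer of RAW_VALUE is kept: some drives append
    vendor-specific fields such as '(Min/Max 21/52)'."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR_RE.match(line)
        if m:
            attrs[int(m.group("id"))] = int(m.group("raw"))
    return attrs


def check_evil_maid(baseline, current, own_cycles=1, max_unaccounted_hours=0):
    """Compare the counters read now against the baseline saved at the last
    clean shutdown. Returns a list of alert strings (empty means nothing seen).

    own_cycles: power cycles we caused ourselves since the baseline, normally
    1 for the boot that runs this check. Any extra cycle means the drive was
    powered up while the OS was not running.
    max_unaccounted_hours: Power_On_Hours the drive may gain between our
    shutdown and this boot; a machine that stayed off should gain none."""
    alerts = []
    cycles = current[POWER_CYCLE_COUNT] - baseline[POWER_CYCLE_COUNT]
    hours = current[POWER_ON_HOURS] - baseline[POWER_ON_HOURS]
    if cycles > own_cycles:
        alerts.append(f"{cycles - own_cycles} unexplained power cycle(s) since baseline")
    if hours > max_unaccounted_hours:
        alerts.append(f"{hours} unexplained power-on hour(s) since baseline")
    if cycles < 0 or hours < 0:
        alerts.append("counters went backwards: baseline file or drive data tampered with")
    return alerts


def save_baseline(path, attrs):
    Path(path).write_text(json.dumps({str(k): v for k, v in attrs.items()}))


def load_baseline(path):
    return {int(k): v for k, v in json.loads(Path(path).read_text()).items()}


if __name__ == "__main__":
    # Real use: run `smartctl -A /dev/sda` via subprocess at boot and at shutdown.
    now = parse_smart_attributes(SAMPLE_SMART_OUTPUT)
    previous = {POWER_ON_HOURS: 6120, POWER_CYCLE_COUNT: 409}  # constructed baseline
    for alert in check_evil_maid(previous, now):
        print("ALERT:", alert)
```

Two limits worth knowing before trusting this: Power_On_Hours has hour granularity, so a quick imaging session can leave it unchanged and the cycle count is the signal that matters; and an attacker who can image the disk can also rewrite a baseline stored on it, so keep the baseline somewhere they cannot reach (removable media, or sealed to the TPM). Counters reported by the drive's own firmware are also only as honest as that firmware.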
This has to be the dumbest "forgotten password" form that was ever written. There aren't enough facepalm gifs in the whole Internet to convey how I feel.
In the interest of supporting the discussion on the ethics of releasing PoCs for critical vulnerabilities, I created the following mind map.
It is merely meant as a listing of the available options and associated consequences. No judgement intended.
A few minutes ago at BotConf, I shared a script to import and export Twitter blocklists. I use it to block advertisers on the platform!
Find my code and current list here:
I just realized that XORing a string with 32 (0x20) toggles capitalization. I feel both amazed and stupid.
For the record, this is a clear misrepresentation of my teammates' research.
1) We did *not* attribute these samples to any organization.
2) Lambert is *not* an internal name for the CIA.
If you're going to attribute attacks, do it in your own name. twitter.com/campuscodi/sta
It just seems easier to get a WPA handshake and bruteforce the password, now that you know it's 10 digits. twitter.com/oihamza/status
Following 's article on TTYs, I've written an encrypted Python reverse shell! blog.kwiatkowski.fr/?q=en/ersh
Our team has been investigating #LockerGoga and we can assess with medium confidence that it is linked to GrimSpider.
We believe a Cobalt Strike / meterpreter combination is used during the post-exploitation phase. C2s use the default SSL certificate on port 443 ;)
Our reverse-engineering course has been out for a few months now, and the feedback is amazing :)
If you haven't checked it out, there's IDA scripting, mock C2 development, hardcore deobfuscation and even Go. Feel free to DM me with any question! xtraining.kaspersky.com/courses/target
To be fair, anti-cheat usually only has a single process to protect, which its developers fully own.
EDR and endpoint solutions have to defend whole systems that they have zero control over, which is a much more difficult task.
We welcome constructive feedback from game hackers!
Quote
bypassing anticheat is harder than bypassing EDR
infosec is cucked by cheat engine users
your entire industry is a joke
I hear a lot of people are looking for Pegasus samples. Dear , please buy the product, get all 0days patched, leak the tools and infra. Burn them to the ground and I swear I will never ever complain again about how my tax money is spent.
I added a script which automatically shelljacks (log term) into users who SSH into a box to my repo! github.com/JusticeRage/fr cc
I just stumbled onto this very interesting Linux post-exploitation talk by : youtu.be/Qr4OVghP_F0?t=
It's full of hidden gems, I'll be watching it again so I can take notes.
Alright. Is it maybe time to talk about using *local* password managers instead of cloud-based ones?
Yes, they're better than no password manager, but come on. Don't trust anyone with such sensitive data as your passwords.
This has got to be the best caption I've ever seen in a malware analysis post.
Dear , considering that you won't allow me to renew my licence, I'd appreciate it if you either:
a) Granted me an OSS dev license, considering the value I bring to your customers for free
b) Refrained from using my work for PR purposes
Cheers
Quote
#Gepetto keeps the first position for the second month in a row! Good job @JusticeRage
Got a plugin that could be on the top of the chart? Publish it, and let’s see
plugins.hex-rays.com//?utm_source=S
#IDAPlugin #PluginRoundup #IDAPro #IDAPython
*Looks at bio*
"Human & Women's Rights - Free Speech Activist" selling 0days to Zerodium
Yup, that seems about right.
This tweet was deleted in silent shame, but I feel that it should be recorded somewhere for future generations.
hex-rays.com/blog/hex-rays-
Very unhappy and disappointed by this move from . During trainings, how can I justify the investment for newcomers if now they can't use the software after a year?
Well well well. Seems like actors are trying to split the #NetNeutrality hashtag to prevent it from trending.
Background on this technique: mashable.com/2017/10/03/twi
I showed this tip to a friend today, and thought maybe it could be useful to other people.
Problem: how to write Yara rules that match a given ASM snippet? Answer in three steps.
1) Open a random program with x64dbg. Break anywhere, entry point is fine.
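As an added illustration of the goal stated above (the remaining steps of the author's procedure are not reproduced on this page, and this is not the author's script), here is a Python helper that turns instruction bytes copied from a debugger into a Yara hex string, wildcarding the operand bytes that change between builds (RIP-relative displacements, call and jump targets), plus a minimal matcher to check the pattern offline. The snippet and the sample buffer are constructed.

```python
import re

# Constructed x64 snippet as it would be copied from x64dbg's disassembly pane:
# (hex bytes, half-open span of operand bytes that vary between builds), or None
# when every byte of the instruction is fixed.
SNIPPET = [
    ("48 8B 05 10 20 00 00", (3, 7)),  # mov rax, [rip+0x2010]   disp32 varies
    ("E8 AB 12 00 00",       (1, 5)),  # call 0x12AB             rel32 varies
    ("85 C0",                None),    # test eax, eax           fixed opcode
    ("74 0C",                (1, 2)),  # jz +0xC                 rel8 varies
]

# Constructed "binary": the sequence twice with different displacements/targets
# (offsets 2 and 21), then a near miss with jnz instead of jz (offset 37).
SAMPLE = bytes.fromhex(
    "90 90"
    "48 8B 05 10 20 00 00 E8 AB 12 00 00 85 C0 74 0C"
    "CC CC CC"
    "48 8B 05 F8 3A 01 00 E8 21 FF FF FF 85 C0 74 05"
    "48 8B 05 10 20 00 00 E8 AB 12 00 00 85 C0 75 0C"
)


def build_hex_string(snippet):
    """Join the instruction bytes into one Yara hex string, replacing every
    byte inside a wildcard span with '??'."""
    out = []
    for hexbytes, span in snippet:
        toks = hexbytes.split()
        if span:
            lo, hi = span
            toks = [("??" if lo <= i < hi else t) for i, t in enumerate(toks)]
        out.extend(toks)
    return " ".join(out)


def render_rule(name, hex_string, tag="asm"):
    return (f"rule {name}\n{{\n    strings:\n        ${tag} = {{ {hex_string} }}\n"
            f"    condition:\n        ${tag}\n}}\n")


def compile_hex_string(hex_string):
    """Parse the subset of Yara hex syntax emitted above: bytes and '??'.
    None in the result means 'any byte'."""
    pat = []
    for tok in hex_string.split():
        if tok == "??":
            pat.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pat.append(int(tok, 16))
        else:
            raise ValueError("unsupported token: " + tok)
    return pat


def find_matches(hex_string, data):
    """Offsets in data where the wildcard pattern matches (naive scan)."""
    pat = compile_hex_string(hex_string)
    n = len(pat)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or p == data[off + i] for i, p in enumerate(pat))]


if __name__ == "__main__":
    hs = build_hex_string(SNIPPET)
    print(render_rule("constructed_asm_snippet", hs))
    print("matches at", find_matches(hs, SAMPLE))
```

Keep the opcode and ModRM bytes, wildcard only the relocatable operands, and remember that another build may choose a different encoding for the same instruction (a short `74 ??` jump becoming a near `0F 84 ?? ?? ?? ??`); Yara hex strings accept alternatives such as `( 74 ?? | 0F 84 ?? ?? ?? ?? )` for that case, which the toy matcher above does not implement.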
Next week, I'll be speaking about ethics in infosec. Please come, I promise I'll try to make it entertaining.
I had a Raspberry sitting in a drawer. Just installed Pi-Hole and it looks great! pi-hole.net
Here's an interesting paper on APT campaign modeling: hal.inria.fr/hal-02379869
I like that it focuses on the attacker's lifecycle inside the victim's network.
The video of my talk on ethics in infosec is now online! Of all the talks I've given, it's the one I find the most important. Thanks again to the organizers for accepting it!
I'm very happy to share a project I've been working on for a long time now. A 🔥 scathing 🔥 three-part series on cryptocurrencies & NFTs.
Part I: blockchains and crypto
Part II: NFTs
Part III: the politics of cryptocurrencies
Part I was just released:
When debugging DLLs, I often need to go back and forth between and IDA. So far, here is the quickest way I have found to convert addresses. Is there a better one?
Pro reverse-engineering tip: don't spend too much time looking at code located in kernel32.dll as this can lead to significant lost time and ridicule on Twitter. twitter.com/guelfoweb/stat
I just added new Yara rules to Manalyze based on an idea by . Idea: detect xor'd function names. github.com/JusticeRage/Ma
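Added example covering both the rule idea above and the earlier observation that XOR with 0x20 toggles capitalization (this is not Manalyze's rule set or the author's code): a scanner that brute-forces single-byte XOR keys for a short list of API names over a constructed buffer, and the equivalent Yara rule written with the `xor()` string modifier. Names, buffer and rule name are constructed.

```python
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


API_NAMES = ["GetProcAddress", "LoadLibraryA", "VirtualAlloc", "ntdll"]

# Constructed buffer: one API name XOR-encoded with key 0x5A, and the plaintext
# import "NTDLL.DLL" nearby, as an ordinary import table might contain.
SAMPLE = (b"\x00" * 8 + xor_bytes(b"GetProcAddress", 0x5A) + b"\x00" * 4
          + b"NTDLL.DLL\x00" + b"\x00" * 4)


def find_xored_names(buf, names, keys=range(1, 256)):
    """(offset, name, key) for every single-byte-XOR encoding of a name in buf.
    Key 0 (plaintext) is left out on purpose: normal imports are not the target."""
    hits = []
    for name in names:
        raw = name.encode()
        for key in keys:
            needle = xor_bytes(raw, key)
            start = 0
            while True:
                off = buf.find(needle, start)
                if off < 0:
                    break
                hits.append((off, name, key))
                start = off + 1
    return sorted(hits)


def is_case_flip(name, key):
    """XOR with 0x20 flips the case of ASCII letters and nothing else, so for an
    all-letter name the 'encoded' form is just its upper/lower-case variant,
    which legitimately occurs in binaries (NTDLL vs ntdll). Such a hit is not
    evidence of obfuscation."""
    return key == 0x20 and name.isalpha()


def yara_rule(names, rule_name="xored_api_names"):
    """Equivalent Yara rule. The key range is split around 0x20 so the rule
    does not fire on plain case variants."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, name in enumerate(names):
        lines.append(f'        $s{i}_lo = "{name}" ascii xor(0x01-0x1f)')
        lines.append(f'        $s{i}_hi = "{name}" ascii xor(0x21-0xff)')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for off, name, key in find_xored_names(SAMPLE, API_NAMES):
        note = " (case flip, ignore)" if is_case_flip(name, key) else ""
        print(f"offset {off}: {name} xor 0x{key:02x}{note}")
    print(yara_rule(API_NAMES))
```

Running it reports `GetProcAddress` with key 0x5A at offset 8 and `ntdll` with key 0x20 at offset 26; the second is the case-flip false positive the rule avoids by excluding 0x20 from its key ranges.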
Very happy to share the results of a new investigation with and !
In this case, we talk more about the things we don't know than the things we do, which is a huge part of threat intelligence. I hope you enjoy the read!
Oh wow, disclosed an LPE affecting polkit, preinstalled on every major Linux distribution. qualys.com/2022/01/25/cve
Patch your systems!
There's currently a summer sale on our online reverse-engineering training! The price dropped by over 25% for this month: please check it out if you were considering it before!
DMs are open if you have any questions about the course.
Big update to #Gepetto today, with support for GPT-4! This will only work if you have access to the corresponding API (via a waiting list AFAIK).
Lots of refactoring in preparation for more features, so it might be a little bleeding edge!
github.com/JusticeRage/Ge
Get Reality Winner blamed for your crap: here is a pre-watermarked Word template. manalyzer.org/static/winners #opsec #winner
Takeaways of the war in Ukraine for the cybersecurity community: securelist.com/reassessing-cy
I contributed to this article along with and . As with any analysis piece, there's some deal of personal opinion in there, so I'm very interested in other assessments.
As a general rule, its knowledge of recent world events and extremely niche domain-specific knowledge is limited... But I guess it could get there at some point?
I'm blown away.
Over the weekend, I implemented a new API for manalyzer.org, to submit files and/or access reports. No API keys, no rate-limiting.
Code: gist.github.com/JusticeRage/f6
Documentation: docs.manalyzer.org/en/latest/inte
I wrote a piece for SecureList on the future of cyber conflicts. securelist.com/the-future-of-
I'm very happy it's finally out, and that Kaspersky allowed me to work on that. I hope to share more on policy in the future.
Also be sure to check 's securelist.com/researchers-ca!
Fedor Sinitsyn has just written an extensive primer on the Maze cartel: securelist.com/maze-ransomwar
Recommended reading for anyone interested in ransomware.
Dear infosec community, this is the Jonathan Scott everyone is talking about right?
I suppose I shall wear this as a badge of honor.
Quote
Replying to @JusticeRage @StopRusTrolls and 7 others
Bro…the fact that you used MVT-Tool shows that you literally know nothing about how to find malware on an iOS device.
In a shocking twist, the world discovers that millionaires don't actually care about the common good. #ParadiseLeaks
Very important investigation from about hacking for hire firms. I'm willing to bet that this is only scratching the surface of this ecosystem. (h/t )
reuters.com/investigates/s
I gave the closing conference at #pts23 with a talk titled "why cyber offense will never be regulated".
While it's not perfect, I was able to make a number of points that are very important to me. I hope you enjoy it!
passthesalt.ubicast.tv/videos/2023-wh
Here is the direct link to APT3's indictment: kingpin.cc/wp-content/upl
Boyusec employees are charged for attacks on Moody's, Siemens and Trimble.
The only interesting data point is that defendants were identified despite routing their traffic through compromised machines (how?).
Very noteworthy research led by my APAC teammates presenting an attacker with man-on-the-side capabilities active in China: securelist.com/windealer-deal
Recommended read!
Airport WiFi security: request a code to access the internet, have a squid proxy on the gateway that accepts any request.
On Nov 17, , and I will be presenting our APT landscape predictions for next year and look back to the ones we made in 2020 (TL;DR: we got almost everything right).
Researcher friends, it's way less dull than it sounds. Come hang out! kas.pr/z9kp
. and I (and other colleagues not on Twitter) have been working on this blog post for a while: securelist.com/holy-water-ong
This research describes a series of watering holes targeting an Asian ethnic / religious group.
This is a follow-up of the last few days' experiments: twitter.com/JusticeRage/st
I'm still figuring out exactly how much we can do here. There may be a way to do a decompilation plugin too, but it will require more work to integrate with IDA. I'll post more as I discover more!
Quote
Step 1: open a binary in IDA and press F5
Step 2: paste the decompiled code into OpenAI's chatbot
Someone's job just got way easier.
Part II of my 🔥 series 🔥 on blockchains, cryptocurrencies and NFTs is now available! kaspersky.com/blog/crypto-ac
In it, I discuss (rant about) Ethereum, NFTs, DAOs and digital ownership. I hope you enjoy it! There will be a final part in the coming weeks too.