01_Reverse_Engineering
SafeTest-Dev | Binary Security Research
A structured collection of reverse engineering labs covering binary analysis, malware inspection, and product security research.
About This Repository
This repository is a hands-on reverse engineering research collection maintained by SafeTest-Dev. Each lab folder contains a self-contained case study targeting a specific binary, firmware image, or executable artifact, documenting the full methodology from initial reconnaissance through exploitation and remediation.
Labs are designed for:
- Security researchers and students learning binary analysis
- Practitioners studying real-world trust enforcement mechanisms
- Reference material for product security assessments
Labs Index
| # | Lab | Target | Type | Techniques | Severity |
|---|---|---|---|---|---|
| Lab01 | Secure Boot Validator | ELF 64-bit Linux Binary | Authentication Bypass | Static Disassembly, GDB, Binary Patching | Critical |
| Lab02 | Encoded Authenticator | ELF 64-bit Linux Binary | Authentication Bypass | Static Disassembly, Radare2, XOR Decoding, Python Solver | Critical |
| Lab03 | Algorithm Check | ELF 64-bit Linux Binary | Authentication Bypass | Static Disassembly, Radare2, ROR+XOR+Modular Arithmetic, Python Solver | Critical |
| Lab04 | Secure Loader v2.1 | PE32+ Windows Binary | Authentication Bypass | Static Disassembly, Radare2, Wine, NOP Injection, Binary Patching | Critical |
| Lab05 | DLL Key XOR Decode | PE32+ Windows Binary + DLL | Two-Stage Key Bypass | Static Disassembly, Radare2, Wine, XOR Brute Force, hexor (Crystal) | Critical |
| Lab06 | Notepad++ v8.9.3 Installer | PE32+ NSIS Windows Installer | Control Flow + String Manipulation | Static Disassembly, Radare2, Wine, Jump Redirect, UTF-16LE String Patch | Critical |
New labs are added progressively. Each lab follows the same structured methodology.
Methodology
Every lab in this repository follows a consistent analysis pipeline:
1. RECONNAISSANCE
   └── file, checksec, readelf, strings, wine
2. STATIC ANALYSIS
   └── Radare2 (r2), objdump, Ghidra, IDA, Binary Ninja
3. DYNAMIC ANALYSIS
   └── GDB, ltrace, strace, Frida, Wine
4. EXPLOITATION
   └── Patch, inject, manipulate, bypass
5. DOCUMENTATION
   └── Full report (.pdf) + README + artifacts
Lab Summaries
Lab03: Algorithm Check
Target: algorithm_check (ELF 64-bit, x86-64)
Key Finding: The multi-step transform (ROR + XOR + modular multiply) is fully invertible, so a Python solver recovers the token offline. All 32 target bytes are stored as constants in .rodata; the token is recovered in under a second with no runtime interaction.
Flags: ACCESS GRANTED
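How such a per-byte ROR + XOR + modular-multiply check is inverted, as an added example for this README (not the lab's own solver): the rotate count, XOR key, multiplier and target table below are assumed stand-ins, not Lab03's real constants. The point is that every step is a bijection on a byte as long as the multiplier is odd, so the inverse is multiply-by-modular-inverse, un-XOR, rotate back.

```python
"""Inverting a ROR + XOR + modular-multiply byte transform.

Assumed transform (hypothetical constants, not the lab's): for each input byte b[i]
    t[i] = ((ror8(b[i], ROT) ^ KEY[i % len(KEY)]) * MUL) mod 256
and the binary compares t against a 32-byte target table kept in .rodata.
"""

ROT = 3                            # assumed rotate count
MUL = 0x6B                         # assumed multiplier; must be odd to be invertible mod 256
KEY = bytes.fromhex("5a3c9e1f")    # assumed repeating XOR key
MASK = 0xFF


def ror8(x: int, n: int) -> int:
    n %= 8
    return ((x >> n) | (x << (8 - n))) & MASK


def rol8(x: int, n: int) -> int:
    n %= 8
    return ((x << n) | (x >> (8 - n))) & MASK


def forward(data: bytes) -> bytes:
    """Re-implementation of the check's transform as it would be read from disassembly."""
    return bytes(((ror8(b, ROT) ^ KEY[i % len(KEY)]) * MUL) & MASK
                 for i, b in enumerate(data))


def inverse(target: bytes) -> bytes:
    """Undo forward(): multiply by the inverse of MUL mod 256, un-XOR, rotate left."""
    if MUL % 2 == 0:
        raise ValueError("even multiplier has no inverse mod 256; transform is lossy")
    inv = pow(MUL, -1, 256)        # modular inverse, Python 3.8+
    return bytes(rol8(((t * inv) & MASK) ^ KEY[i % len(KEY)], ROT)
                 for i, t in enumerate(target))


# Constructed stand-in for the 32 target bytes the binary keeps in .rodata
TARGET = forward(b"ACCESS_TOKEN_EXAMPLE_0123456789A")


def solve(target: bytes = TARGET) -> bytes:
    """Recover the accepted token and confirm it round-trips through the check."""
    token = inverse(target)
    if forward(token) != target:
        raise RuntimeError("inverse did not reproduce the target table")
    return token


if __name__ == "__main__":
    print(solve().decode())
```

The same structure covers any chain of byte-wise bijections: work backwards through the list of operations recovered from the disassembly, replacing each with its inverse (ROR with ROL, XOR with itself, multiply with multiply-by-inverse). An even multiplier is the one case where this fails, since two inputs then collide on the same output.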
Lab04: Secure Loader v2.1 (Binary Patching)
Target: loader.exe (PE32+, x86-64, Stripped)
Key Finding: Key validation is implemented as a local strcmp followed by a JNE gate. Replacing the 2 bytes at 0x140002bad (short JNE, opcode 0x75, with NOP NOP) bypasses authentication entirely for any input. The 2-byte patch is correct only because the jump is the short rel8 form; a near JNE (0F 85 rel32) is 6 bytes and would need six NOPs, otherwise the leftover displacement bytes execute as code.
Flags: FLAG{STAGE1_PASS}
Lab05: DLL Key XOR Decode (Two-Stage)
Target: loader.exe (Stage 1) + payload.dll (Stage 2)
Key Finding: The Stage 2 DLL key is stored as a single-byte-XOR-encoded 64-bit constant (0x335157414d5b53) in the .text section. Because x86-64 immediates are little-endian, the bytes are decoded in reverse of the order the disassembler prints them. Excluding the identity key 0x00, the single-byte XOR keyspace is 255 values (0x01 to 0xFF), exhausted instantly by hexor (custom Crystal tool). Key 0x12 yields AI_SEC!.
Flags: FLAG{STAGE1_PASS} + FLAG{STAGE2_DLL_PASS}
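The single-byte XOR brute force used in Lab02 and Lab05, as an added Python example for this README (hexor is the repo's own Crystal tool; this is not its source). It runs on the constant quoted in the Lab05 summary and shows the one detail that is easy to get wrong: the immediate must be turned into its little-endian in-memory bytes before decoding, or every candidate comes out reversed.

```python
"""Single-byte XOR brute force over an immediate lifted from disassembly."""
import string

ENCODED_IMM = 0x335157414d5b53            # constant as printed in the Lab05 disassembly
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def imm_to_bytes(imm: int) -> bytes:
    """In-memory byte order of an x86 immediate: little-endian, minimal width."""
    return imm.to_bytes((imm.bit_length() + 7) // 8, "little")


def xor_decode(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def printable_score(buf: bytes) -> int:
    return sum(b in PRINTABLE for b in buf)


def brute_force(buf: bytes):
    """Try every non-identity key (0x01-0xFF, 255 candidates).

    Returns (score, key, plaintext) tuples, best first; ties broken by lowest key.
    """
    results = [(printable_score(xor_decode(buf, k)), k, xor_decode(buf, k))
               for k in range(1, 256)]
    results.sort(key=lambda r: (-r[0], r[1]))
    return results


def fully_printable_candidates(imm: int = ENCODED_IMM):
    """Keys whose output is entirely printable ASCII, as (key, plaintext) pairs.

    Printability alone leaves several survivors for a 7-byte input; the analyst
    picks the one that reads as a credential, here 0x12 -> b'AI_SEC!'.
    """
    buf = imm_to_bytes(imm)
    return [(k, pt) for score, k, pt in brute_force(buf) if score == len(buf)]


if __name__ == "__main__":
    for key, pt in fully_printable_candidates():
        print(f"key 0x{key:02x}: {pt!r}")
```

Had the terminating NUL of the plaintext been XOR-encoded as well, the top byte of the stored qword would equal the key outright, which is why a null-terminated string encoded under a single-byte XOR leaks its key in the terminator; here the stored constant has no eighth byte, so the brute force is needed.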
Lab06: Notepad++ v8.9.3 Installer (Real-World)
Target: npp.8.9.3.Installer.x64.exe (PE32+, NSIS-based)
Key Finding (1): The NSIS integrity check is implemented as a single je at 0x0040337f, redirected to the success path with a 2-byte jmp patch.
Key Finding (2): The NSIS error string is stored as UTF-16LE in writable .data at 0x0040a098 and was overwritten in place with POC-1 GOT IT (the replacement must fit inside the original string's footprint and be NUL-padded). Confirmed in the NSIS error dialog on re-execution.
POC: POC-1 GOT IT displayed in the NSIS Error dialog.
Note: both addresses sit in the 0x0040xxxx range, the default image base of a 32-bit PE, so confirm the stub's bitness (file, or r2 `i`) before patching; the x64 suffix describes the bundled Notepad++ payload. Any byte patch also invalidates an Authenticode signature present on the installer, which is the defensive check that catches this modification.
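The two patch primitives behind Lab04 (NOP out a conditional jump) and Lab06 (overwrite a UTF-16LE string in .data), as an added Python example for this README rather than the labs' own r2 sessions. The image, section layout and addresses are constructed stand-ins; the section tuples are the (RVA, virtual size, raw pointer, raw size) values that `objdump -h` or r2's `iS` print, and a real tool would parse them from the section table. The example handles the two failure modes a patch script should refuse: a near Jcc that is longer than the two bytes being written, and a replacement string that does not fit.

```python
"""In-place PE patching: NOP out a Jcc of the correct length, overwrite a UTF-16LE string."""

IMAGE_BASE = 0x140000000          # assumed image base for the x64 loader example

# Constructed image: .text at RVA 0x1000 (file 0x400), .data at RVA 0x3000 (file 0x1400)
SECTIONS = [(0x1000, 0x200, 0x400, 0x200), (0x3000, 0x200, 0x1400, 0x200)]
IMAGE = bytearray(0x1600)
IMAGE[0x400:0x406] = bytes.fromhex("4839c8" "7509" "90")      # cmp rax,rcx ; jne +9 ; nop
_ERR = "Installer integrity check failed.".encode("utf-16-le")  # 33 chars = 66 bytes
IMAGE[0x1498:0x1498 + len(_ERR)] = _ERR                          # RVA 0x3098, NUL follows


def va_to_offset(va: int, image_base: int, sections) -> int:
    """Translate a virtual address to a file offset through the section list."""
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError(f"{va:#x} is in the virtual-only tail of its section (not on disk)")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not backed by any section")


def nop_out_jcc(data: bytearray, off: int) -> int:
    """Replace the Jcc at `off` with NOPs of the same encoded length; return that length.

    Short Jcc (70-7F rel8) is 2 bytes; near Jcc (0F 80-8F rel32) is 6. Two NOPs over a
    near form would leave four displacement bytes behind to execute as instructions.
    """
    op = data[off]
    if 0x70 <= op <= 0x7F:
        n = 2
    elif op == 0x0F and 0x80 <= data[off + 1] <= 0x8F:
        n = 6
    else:
        raise ValueError(f"no conditional jump at {off:#x}: {bytes(data[off:off + 2]).hex()}")
    data[off:off + n] = b"\x90" * n
    return n


def _utf16_end(data: bytes, off: int) -> int:
    """Offset of the UTF-16LE NUL terminator for the string starting at `off`."""
    end = off
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(data):
        raise ValueError("unterminated UTF-16LE string")
    return end


def read_utf16_string(data: bytes, off: int) -> str:
    return bytes(data[off:_utf16_end(data, off)]).decode("utf-16-le")


def patch_utf16_string(data: bytearray, off: int, new_text: str) -> int:
    """Overwrite the string at `off` in place, NUL-padding the rest of its footprint.

    Refuses when the replacement would spill over the terminator into whatever follows.
    """
    room = _utf16_end(data, off) - off
    new = new_text.encode("utf-16-le")
    if len(new) > room:
        raise ValueError(f"replacement needs {len(new)} bytes, only {room} available")
    data[off:off + room] = new + b"\x00" * (room - len(new))
    return len(new)


def apply_patches(image: bytes = IMAGE):
    """Apply both patches to a copy and return (patched_image, jne_offset, string_offset)."""
    img = bytearray(image)
    jne_off = va_to_offset(IMAGE_BASE + 0x1003, IMAGE_BASE, SECTIONS)
    nop_out_jcc(img, jne_off)
    str_off = va_to_offset(IMAGE_BASE + 0x3098, IMAGE_BASE, SECTIONS)
    patch_utf16_string(img, str_off, "POC-1 GOT IT")
    return img, jne_off, str_off


if __name__ == "__main__":
    patched, j, s = apply_patches()
    print(f"jne at {j:#x} -> {patched[j:j + 2].hex()}; string at {s:#x} -> {read_utf16_string(patched, s)!r}")
```

Before writing, check that the bytes at the computed offset really are the instruction or string you expect (the opcode test in nop_out_jcc does this for the jump); a wrong VA-to-offset translation silently corrupts unrelated code, which the r2 workflow (`s addr`, `pd 1`, then `wa`/`wx` after `oo+`) guards against by showing the disassembly at the seek position first.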
Common Tools Used Across Labs
| Category | Tools |
|---|---|
| Identification | file, xxd, strings, binwalk, checksec |
| Disassembly | Radare2 (r2), objdump, Ghidra, IDA Pro, Binary Ninja |
| Debugging | GDB (with pwndbg/peda), ltrace, strace |
| Execution | Wine (PE32+ on Linux), gdb |
| Patching | r2: wa, r2: wx, r2: oo+, dd, python, pwntools |
| Custom Tools | hexor (Crystal, XOR brute-force decoder) |
| Dynamic | Frida, angr, Unicorn |
Lab Types (Planned)
| Type | Description |
|---|---|
| ELF Binary | Linux executables: authentication, license checks, validators |
| PE Binary | Windows executables: keygens, CrackMe, protection schemes |
| Firmware | Embedded firmware: UART extraction, filesystem analysis |
| Shared Library | .so / .dll: hooking, symbol hijacking |
| Scripted Payload | Python bytecode, Lua, compiled scripts |
| APK / DEX | Android reverse engineering |
Disclaimer
All content in this repository is created solely for educational and authorized security research purposes under the SafeTest-Dev lab framework.
- All binaries analyzed are purpose-built lab samples or analyzed in a controlled environment
- All techniques are documented for defensive understanding and incident response
- Do not apply these techniques to systems without explicit written authorization
Author
Michael.A, SafeTest-Dev
Binary | Reverse | Malware | Exploitation | AI
SafeTest-Dev © 2026. All rights reserved.