  • Hacking with Math: Cracking a 1990s pay TV smart card (Part 3 of 4)

    Greetings! This is a continuation of a mini-series about gaining an advantage in reverse engineering certain problems by learning some math, hopefully in a hacker-friendly way! In part 1 of this series, we did a quick crash course in writing equations and modular arithmetic. In part 2, we looked at the message signing algorithm in…

  • Hacking with Math: Understanding an algorithm in a 1990s pay TV smart card (Part 2 of 4)

    In the first part of this mini-series, we hammered through a quick primer on equations and modular arithmetic in prime fields. In this part, we’ll examine a case study and use what we learned to: As we go along, I’ll provide code equivalents to all the math to help you understand what all the symbols…

  • Hacking with Math (Part 1 of 4)

    Programming and reverse engineering usually don’t involve more complex math than simple addition, subtraction, multiplication and division. Knowing how to handle hexadecimal and binary is a boon. Deeper math is generally only required in specialized fields such as computer graphics, cryptography and finance. Whenever I see books or papers on these topics, it is always…

  • Essential Rust Tips for C++ / C# / Java Developers

    Having just wrapped up the MVP of my first Rust side project (about 7,500 lines of code), I want to share a few tips about some of the nuances of the language if you’re coming from something like C++, C# or Java.

  • Roguebook: How not to do Day 1 DLC

    [Update 21.06.2021: Since I penned this article, Nacon have released a statement announcing that the Apex Predator Pack day 1 DLC will be included in the base game for all customers at no extra cost. I would like to thank them for paying attention to this matter and appreciate this decision] Slay The Spire is…

  • IL2CPP Tutorial: Finding loaders for obfuscated global-metadata.dat files

    Game publishers are loving it lately. Over the last few months I’m starting to see all kinds of weird and wacky obfuscation schemes designed to prevent Il2CppInspector from loading IL2CPP games. While it’s quite amusing to see narrowly targeted attacks percolate, it does make the support tickets pile up on the issue tracker, and I…

  • Reverse Engineering Adventures: Brute-force function search, or how to crack Genshin Impact with PowerShell

    Today, I thought we’d have a bit of fun and show you a novel and unorthodox alternative way to find any function with known discrete inputs and an assumption about the possible outputs in a compiled application – specifically for this example, a decryption function in a game. We’re going to crack it with PowerShell.…

  • Reverse Engineering Adventures: VMProtect Control Flow Obfuscation (Case study: string algorithm cryptanalysis in Honkai Impact 3rd)

    Recently, while reverse engineering Honkai Impact 3rd I came across some string decryption code that was obfuscated by VMProtect‘s implementation of control flow flattening. It takes an encrypted table of string data plus an index as an input, retrieves the encrypted string at the specified index in the table, decrypts it and returns it. IDA…
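The function described in the excerpt above, as an added illustration that is not code from the article or from the game: a constructed string-table decryptor (hypothetical XOR key, hypothetical table layout, arbitrary state numbers) written once in plain form and once with its control flow flattened into a state-machine dispatch loop, which is the shape VMProtect-style flattening leaves in a decompiler. The clean version is what an analyst aims to recover, and the equivalence check at the end is the test to run once the recovered logic is written down.

```python
"""Control flow flattening, illustrated on a toy string-table decryptor.

Constructed example: the key, table layout and XOR scheme are hypothetical
stand-ins, not the algorithm from Honkai Impact 3rd or VMProtect's real
dispatcher. Both functions take an encrypted table plus an index and return
the decrypted string; the flattened one hides the order of the steps behind
a state variable and a dispatch loop.
"""

KEY = 0x5A  # hypothetical per-table XOR key


def build_table(strings, key=KEY):
    """Constructed encrypted table: [count][len0][bytes0][len1][bytes1]..."""
    out = bytearray([len(strings)])
    for s in strings:
        data = s.encode()
        out.append(len(data))
        out.extend(b ^ key for b in data)
    return bytes(out)


def decrypt_string_clean(table, index, key=KEY):
    """The straight-line logic an analyst wants to recover."""
    count = table[0]
    if index >= count:
        raise IndexError("index out of range")
    pos = 1
    for _ in range(index):            # skip the preceding entries
        pos += 1 + table[pos]
    length = table[pos]
    enc = table[pos + 1 : pos + 1 + length]
    return bytes(b ^ key for b in enc).decode()


def decrypt_string_flattened(table, index, key=KEY):
    """Same function after control flow flattening: every basic block is a
    case in a switch driven by `state`, so the original loop and branches
    no longer appear in the CFG. State numbers are arbitrary, as an
    obfuscator would choose them."""
    state = 0x3C1
    pos = count = length = remaining = 0
    out = bytearray()
    while True:
        if state == 0x3C1:            # entry: load count, bounds check
            count = table[0]
            state = 0x2A7 if index < count else 0x99F
        elif state == 0x2A7:          # init the skip loop
            pos, remaining = 1, index
            state = 0x118
        elif state == 0x118:          # skip loop test
            state = 0x4E2 if remaining > 0 else 0x1D0
        elif state == 0x4E2:          # skip loop body: advance past one entry
            pos += 1 + table[pos]
            remaining -= 1
            state = 0x118
        elif state == 0x1D0:          # read length of the target entry
            length = table[pos]
            pos += 1
            state = 0x7B3
        elif state == 0x7B3:          # decrypt loop test
            state = 0x5F4 if length > 0 else 0x0AA
        elif state == 0x5F4:          # decrypt one byte
            out.append(table[pos] ^ key)
            pos += 1
            length -= 1
            state = 0x7B3
        elif state == 0x0AA:          # normal exit
            return out.decode()
        elif state == 0x99F:          # error exit
            raise IndexError("index out of range")


SAMPLE = build_table(["player_name", "gold", "HP"])  # constructed sample table


def check_equivalence(table=SAMPLE):
    """Confirm the recovered (clean) logic matches the flattened function on
    every valid index; this is the check to run after deobfuscation."""
    return all(decrypt_string_clean(table, i) == decrypt_string_flattened(table, i)
               for i in range(table[0]))


if __name__ == "__main__":
    for i in range(SAMPLE[0]):
        print(i, decrypt_string_flattened(SAMPLE, i))
    print("equivalent:", check_equivalence())
```

Real flattened code adds noise on top of this (opaque predicates, state values computed rather than assigned, the dispatcher reached through a jump table), but the recovery method is the same: note which state each case assigns next, rebuild the successor graph, and rewrite the blocks in that order.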

  • Reverse Engineering Adventures: Honkai Impact 3rd (Part 3)

    This is a continuation of the Reverse Engineering Adventures: Honkai Impact 3rd mini-series – read part 1 and part 2 first! Recap So far, we have decrypted global-metadata.dat, and identified and resolved the data obfuscation of Il2CppGlobalMetadataHeader and the four obfuscated metadata tables. We have observed that the string data is still out of our reach, and…

  • Reverse Engineering Adventures: Honkai Impact 3rd (IDA Decompiler Techniques) (Part 2)

    This is a continuation of the Reverse Engineering Adventures: Honkai Impact 3rd mini-series – read part 1 first! In this article, we’ll look at comparative data deobfuscation and how to work with the IDA decompiler. Recap When we left off our previous exploits, we had peeled off the first layer of encryption from global-metadata.dat and…
