Solving BinaryShield VM Crackme by ra1n
Flare-On 11 is about to start, and I thought I needed some warming-up practice. So I went to Tuts4You, and saw that a Windows crackme challenge by ra1n popped up very recently, featuring a custom V...
Here is a scenario you probably have never encountered. Have you ever decompiled a .NET binary that only consists of a bunch of await keywords and nothing else? Yea me neither. Well… until now ...
You may have seen the recent word about the VMProtect source being leaked to various openly accessible places like GitHub. For obvious reasons I won’t link it here, but from the brief looks that I ...
Programming languages that operate on a virtual machine often promise safety guards against many unsafe operations. However, virtual machines can have pretty serious bugs. In this post, we explore ...
Here is a dumb question that you probably never asked yourself: What is the minimal amount of bytes we need to store in a .NET executable to have the CLR print the string "Hello, World!" to the stan...
On May 27 until May 29, I had the pleasure to join Shellphish in the DEFCON CTF Qualifiers of 2023. I wanted to highlight one of the challenges called brinebid that I ended up working on as well as...
public static void Main(); This is what most people associate with the entry point of a .NET module. However, as it so turns out, this is not the place where it all begins. In this post, we will r...
Patching PE files is easy. Injecting new code that uses functions from external modules, however, is more complicated. In this post, we are implementing a method for rebuilding import directories,...
.NET decompilers and debuggers have become very good at helping reverse engineers figure out the inner workings of a program. However, they also make a lot of assumptions that can be used against t...
In a previous post we dove deep into the inner workings of the call opcode, and used it to confuse decompilers and deobfuscators. We will continue this story by also giving the callvirt opcode some...