This update marks the fortieth to my Binary Analysis Course! The last update was on the 25th of July 2021, which is admittedly longer ago than I had hoped for. In the months between then and now, I reviewed every single article in the course. In the past, I had already reviewed some articles, which is why not all articles in the course are listed in the change log below.
The course contained some factual errors, some inconsistencies, and some spelling mistakes. I fixed what I encountered, and took my time not to rush the review process, however tempting it was. In the meantime, I’ve been searching for samples that are interesting to write about. It is quite difficult to find a suitable sample, as I want to avoid repetition in the course. Tips regarding samples and/or techniques are always welcome, using any of the contact methods listed at the bottom of the page. I do have some ideas for articles in the future, related to scripting with Ghidra.
The changes are listed, in full, below.
Changes
- Rewrote Practical case: Secura Grand Slam CTF “Easy Reverse” article to fix minor mistakes, and to improve the practical case as an introduction to the beginning of the course. Thank you Alex for the feedback!
- Removed the set-up article, as the installation of tools is out of scope for this course. The tools and their versions are mentioned per article, while their installation is left to the reader.
- Added ThreatFox and Triage to the Searching Samples article.
- Updated the Dot Net RAT article by fixing some grammatical mistakes and missing closing brackets, and by clarifying some concepts.
- Updated the PowerShell string formatting deobfuscation article by clarifying several segments.
- Updated the FAQ to contain up-to-date answers to the posed questions. The questions themselves remain unaltered.
- Improved the Obtaining samples chapter description to match future article additions.
- Clarified the Emotet droppers article by changing some words, and by restructuring the displayed code snippets and their indentation.
- Updated the Android SMS Stealer article by fixing spelling mistakes and clarifying minor details.
- Updated the punctuation in some paragraphs of the Magecart article.
- Updated the Corona DDoS bot article to fix some spelling mistakes, synchronised some code segments that were not in line with each other, and added a segment regarding the arguments of the main function and the analysis thereof.
- Clarified several segments in the Azorult loader stages article.
- Fixed several small spelling mistakes in the following articles: Emotet JavaScript downloader, Corona Locker, ReZer0v4 loader, Article structure, Automatic ReZer0 payload and configuration extraction, Ghidra script to decrypt strings in Amadey 1.09, and Ghidra script to decrypt a string array in XOR DDoS
- Added a link to my McAfee Advanced Threat Research blog with a deep dive into the ReZer0 loader to the Automatic ReZer0 payload and configuration extraction article
To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.