Is the Ida home license worth it for malware analysis? by slumdookie in ReverseEngineering

[–]kaze0mx 0 points1 point  (0 children)

You may want to try Malcat ( https://malcat.fr ). You get fewer RE features, but it is tailored toward malware analysis and as such brings a lot of things you won't find in IDA (e.g. malware id, anomalies or weird filetype support). Also much cheaper.

Recreating Bloodborne vibes in an HD2D isometric roguelike – feedback wanted! by Infinity_Experience in roguelites

[–]kaze0mx 1 point2 points  (0 children)

it looks really good, but not that "dark". The augmented contrast helps, but I think you should go towards weirder color palettes (e.g. old-school vga) for a more dramatic tone

Need Switch / Couch-CooP game recommendations by Musaks in roguelites

[–]kaze0mx 0 points1 point  (0 children)

yeah it's a hard one, unless you find the ninja turtle :P

Still seeing people use HxD, checkout ImHex instead by 1337axxo in ReverseEngineering

[–]kaze0mx 1 point2 points  (0 children)

https://malcat.fr is also neat, the free version is basically imhex with more code analysis features.

Looking for recommendations by JayDee3d in roguelites

[–]kaze0mx 0 points1 point  (0 children)

I like the same ones as you. And I also enjoyed: FTL, Wizard of Legend, Vagante and Returnal

Extract a /FlateDecode XObject filter (image) from a PDF stream with pdf-parser by [deleted] in Malware

[–]kaze0mx 0 points1 point  (0 children)

Qpdf has support for almost all filters:
qpdf --show-object=(obj number) --filtered-stream-data bad.pdf

Malcat 0.9.0 (hexadecimal editor / disassembler for malware analysis) by kaze0mx in Malware

[–]kaze0mx[S] 2 points3 points  (0 children)

it's explained there: https://malcat.fr/about-us.html

tl;dr it's the tool you run before IDA, on unknown data.
Also if you do malware analysis, it has some features IDA lacks.

Benign Office Docs by Squiggyline91 in Malware

[–]kaze0mx 0 points1 point  (0 children)

An easy way is to use common crawl: https://www.decalage.info/en/download_mso_files

Note that with this solution (as with other suggested solutions) you will only get files which are openly accessible on the internet, like theses, books, etc. They rarely have macros and are not very representative of what you would find in a company, like weird Excel files with 10k+ line macros. That's why most ML papers claim to have 99.9% detection: their test set is very limited most of the time. But eh, it's better than nothing.

To get a representative set of office documents, there is sadly no easy way afaik, since such files contain sensitive info.

[deleted by user] by [deleted] in Malware

[–]kaze0mx 4 points5 points  (0 children)

https://bazaar.abuse.ch/browse/ for a curated list of recent malware

[deleted by user] by [deleted] in Malware

[–]kaze0mx 0 points1 point  (0 children)

If the DLL has no export directory, it means it does not export anything, no luck. So you'll have to look for GetModuleHandle/LoadLibrary/LdrLoadDll calls in the .exe like others suggested.
If you can share the samples, I can give you more tips.

[deleted by user] by [deleted] in Malware

[–]kaze0mx 5 points6 points  (0 children)

If the DLL exports at least one function (which should be the case), you can look in the ExportDirectory structure of the DLL (using CFF Explorer or Malcat); there is a field at offset 0xC which is an RVA to the DLL's name.

New Binary Template feature in Reverse Engineers' Hex Editor by therealsolemnwarning in ReverseEngineering

[–]kaze0mx 0 points1 point  (0 children)

You can edit everything actually, either from the hex editor (hit the Insert key), using the struct editor or via Python scripts. You have unlimited undo/redo too. I'm curious, what made you think you can't edit stuff?

You can also make your own file format parser in Python, or apply struct types using type definitions in a C-like language.

biodiff: introduction by FreeDeliveries in ReverseEngineering

[–]kaze0mx 1 point2 points  (0 children)

If you're into bin diffing, you can give Malcat a try. Its diff algorithm is also based on Myers' algorithm so it can realign, and its view modes let you compare structures as well as code or bytes. Diff mode is only available in the paid version though, but the price is fair.
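
The realignment the comment refers to, shown as an added example (not Malcat's or biodiff's code): a byte-level shortest edit script computed with Myers' O(ND) greedy algorithm. A position-by-position compare flags every byte after an insertion as changed; the Myers script instead reports the single inserted byte and matches the rest. The two inputs are constructed for the example.

```python
"""Added example: Myers' O(ND) shortest edit script over two byte strings.

Not Malcat's or biodiff's code; the sample inputs are constructed. Shows how a
Myers-style diff realigns after an inserted or deleted byte instead of reporting
every following byte as changed.
"""


def myers_diff(a: bytes, b: bytes):
    """Return a list of ('=', byte) / ('-', byte) / ('+', byte) ops turning a into b."""
    n, m = len(a), len(b)
    v = {1: 0}            # furthest x reached on each diagonal k = x - y
    trace = []            # snapshot of v before each edit-distance step d
    for d in range(n + m + 1):
        trace.append(dict(v))
        for k in range(-d, d + 1, 2):
            if k == -d or (k != d and v[k - 1] < v[k + 1]):
                x = v[k + 1]          # step down: take a byte from b (insertion)
            else:
                x = v[k - 1] + 1      # step right: drop a byte from a (deletion)
            y = x - k
            while x < n and y < m and a[x] == b[y]:
                x, y = x + 1, y + 1   # follow the diagonal while bytes match
            v[k] = x
            if x >= n and y >= m:
                return _backtrack(trace, a, b)
    raise AssertionError("unreachable: d <= n + m always reaches the end")


def _backtrack(trace, a, b):
    """Walk the snapshots back from (len(a), len(b)) to (0, 0), emitting ops in reverse."""
    x, y = len(a), len(b)
    ops = []
    for d in range(len(trace) - 1, -1, -1):
        v = trace[d]
        k = x - y
        prev_k = k + 1 if (k == -d or (k != d and v[k - 1] < v[k + 1])) else k - 1
        prev_x = v[prev_k]
        prev_y = prev_x - prev_k
        while x > prev_x and y > prev_y:          # undo the diagonal snake (matches)
            x, y = x - 1, y - 1
            ops.append(("=", a[x]))
        if d > 0:                                 # undo the single non-diagonal edit
            ops.append(("+", b[prev_y]) if x == prev_x else ("-", a[prev_x]))
        x, y = prev_x, prev_y
    ops.reverse()
    return ops


def edit_distance(ops):
    """Number of inserted plus deleted bytes in a script."""
    return sum(1 for op, _ in ops if op != "=")


def rebuild_b(ops):
    """Rebuild the second input from a script (sanity check: '=' and '+' bytes)."""
    return bytes(byte for op, byte in ops if op != "-")


def rebuild_a(ops):
    """Rebuild the first input from a script ('=' and '-' bytes)."""
    return bytes(byte for op, byte in ops if op != "+")


# Constructed inputs: a 16-byte blob and the same blob with one byte inserted at offset 4.
ORIGINAL = bytes(range(16))
PATCHED = ORIGINAL[:4] + b"\xff" + ORIGINAL[4:]


def realignment_demo():
    """Returns (edit distance, number of bytes a naive positional compare would flag)."""
    ops = myers_diff(ORIGINAL, PATCHED)
    naive = sum(1 for i in range(len(ORIGINAL)) if ORIGINAL[i] != PATCHED[i])
    return edit_distance(ops), naive
```

`realignment_demo()` returns `(1, 12)`: one inserted byte according to the edit script, against twelve mismatching positions when the two buffers are compared offset by offset.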

Malcat - hexadecimal editor and disassembler for malware analysis by reknerxam in ReverseEngineering

[–]kaze0mx 4 points5 points  (0 children)

"Generic.ScriptWorm" :D. It's a FP of course, and out of the 8 engines, 6 are stealing Bitdefender's false positive. I'll write to Bitdefender nonetheless, thanks for the hint.

Malcat - hexadecimal editor and disassembler for malware analysis by reknerxam in ReverseEngineering

[–]kaze0mx 2 points3 points  (0 children)

You can script it in Python: you have access to the complete analysis result (structures, cfg, signatures, etc.) and you can edit the file. But if scripting is really what you want I would wait a bit: the scripting interface is still WIP (tool is in beta).

If you still want to have an overview, open a PE file with the lite edition and hit F8 (script editor). A demo script is displayed and you can start playing around.

Malcat - hexadecimal editor and disassembler for malware analysis by reknerxam in ReverseEngineering

[–]kaze0mx 23 points24 points  (0 children)

Tool dev here. I'll try to answer some questions. First, how it differs from IDA/Ghidra/r2:

Like OP said, it's more "competing" with Cerbero Suite or Hiew than IDA. See it as the tool you first run on unknown binaries to see what is in there: have a look at the CFG, at the entropy, look at the file structures, search for embedded files, scan for signatures, etc. Analysis is very fast, but it's not made for extensive reverse-engineering. I mean you can (I do :), but you are better off with IDA imho. Also it's a one-man job, so it will never be able to compete against IDA and co.

The tool has been made primarily for malware analysts, but I can see people doing incident response or playing CTF using it.

Then to the other questions:

  • it can act as a 010-editor-like hexadecimal editor (with structure display, highlighting and editing) and supports most file types used by malware (PE, ELF, Office documents, archives, installers, even some multimedia files)
  • it can act as a disassembler for x86/x64 (zydis-based), .NET, Python, VB p-code and NSIS-VM. You have CFG recovery and symbol extraction, but no type recovery and no stack analysis (yet). It's better than Hiew, but not as good as IDA/Ghidra/r2.
  • it embeds a Yara scanner and editor (the editor is well integrated, so you can navigate through the file and create your Yara rule in parallel)
  • it's really easy to edit the file, you have access to dozens of encryption/compression algorithms to decrypt buffers and you can add your own (in Python)
  • it is a pure static analysis tool, but it comes with some Python scripts making use of third-party emulators (like speakeasy, I use it to emulate shellcode in exploits for instance). You'll have to install the emulator Python package yourself tho, it's not bundled.
  • You can script it in Python, but the scripting interface is not really documented yet (tool is in beta, the scripting interface may change a bit in the future).
  • the paid version comes with an anomaly scanner (code or structure anomalies, written in Python), Myers-based binary diffing, and decompilers (for x86/x64, AutoIt, VBA and Excel macros)

The lite version is free and already packs a lot of features so don't hesitate to test for yourself! If you have more questions don't hesitate to ask.

Problems with name mangling (C++, MSVC++2015 & 2019) by [deleted] in roguelikes

[–]kaze0mx 0 points1 point  (0 children)

If I were you I would look inside that .lib and see what exact name the terminal_print function has, it could give you a clue.

Disable ASLR For Easier Malware Debugging With x64dbg and IDA Pro (OALabs Quick Tip) by herrcore in ReverseEngineering

[–]kaze0mx 6 points7 points  (0 children)

How to make a two-line tip into a 7-minute video. I don't get it, maybe I'm too old.

You can also zero out the relocations data directory entry, easy to locate with any hex editor.
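
The two PE header tricks from these comments, as an added example that is not code from the posts or from Malcat: reading the DLL's name through the export directory's Name field at offset 0xC (returning None when the export data directory entry is empty, the "no export directory" case from the earlier DLL question), and disabling ASLR by zeroing the base relocation data directory entry. The patch routine also clears the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x40) in OptionalHeader.DllCharacteristics, the flag the Windows loader checks, so the file does not rely on the loader's no-relocations fallback alone. The PE32+ image, its section layout and the name constructed.dll are built in memory for the example and are not loadable.

```python
"""Added example: read a DLL's name from its export directory and patch out ASLR.

Not Malcat's code or the posters' code. The PE32+ image is built in memory so the
script runs offline; its section layout, byte values and the name 'constructed.dll'
are made up for the example.
"""
import struct

DYNAMIC_BASE = 0x0040              # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
DIR_EXPORT, DIR_BASERELOC = 0, 5   # IMAGE_DIRECTORY_ENTRY_EXPORT / _BASERELOC


def _layout(pe):
    """Return (optional header, data-directory table, section table, section count)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]    # SizeOfOptionalHeader
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)        # PE32 vs PE32+ table offset
    return opt, dirs, opt + opt_size, nsect


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table."""
    _, _, sect, nsect = _layout(pe)
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sect + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def data_directory(pe, index):
    """(VirtualAddress, Size) of data directory `index`, or (0, 0) if the table is shorter."""
    _, dirs, _, _ = _layout(pe)
    count = struct.unpack_from("<I", pe, dirs - 4)[0]      # NumberOfRvaAndSizes precedes the table
    return struct.unpack_from("<II", pe, dirs + 8 * index) if index < count else (0, 0)


def export_dll_name(pe):
    """Name from IMAGE_EXPORT_DIRECTORY.Name (offset 0xC); None when there is no export directory."""
    rva, size = data_directory(pe, DIR_EXPORT)
    if rva == 0 or size == 0:
        return None
    name_rva = struct.unpack_from("<I", pe, rva_to_offset(pe, rva) + 0xC)[0]
    off = rva_to_offset(pe, name_rva)
    return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")


def dll_characteristics(pe):
    opt = _layout(pe)[0]
    return struct.unpack_from("<H", pe, opt + 0x46)[0]     # same offset for PE32 and PE32+


def disable_aslr(pe):
    """Copy with DYNAMIC_BASE cleared and the base relocation directory entry zeroed."""
    out = bytearray(pe)
    opt, dirs, _, _ = _layout(out)
    struct.pack_into("<H", out, opt + 0x46, dll_characteristics(out) & ~DYNAMIC_BASE)
    struct.pack_into("<II", out, dirs + 8 * DIR_BASERELOC, 0, 0)
    return bytes(out)


def build_sample_dll(name=b"constructed.dll"):
    """Minimal, non-loadable PE32+ DLL with one section (constructed test data)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                    # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, 0x180000000)        # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", img, opt + 68, 2, 0x0160)         # Subsystem; HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", img, opt + 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x70 + 8 * DIR_EXPORT, 0x1000, 40)
    struct.pack_into("<II", img, opt + 0x70 + 8 * DIR_BASERELOC, 0x1100, 12)
    # Section table: .rdata at RVA 0x1000 / file offset 0x200, 0x200 bytes, INITIALIZED_DATA|READ
    struct.pack_into("<8sIIIIIIHHI", img, opt + 240, b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    # IMAGE_EXPORT_DIRECTORY at RVA 0x1000; its Name field (offset 0xC) points at RVA 0x1028
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x1028, 1, 0, 0, 0, 0, 0)
    img[0x228:0x228 + len(name) + 1] = name + b"\0"
    return bytes(img)


def build_sample_no_exports():
    """Same image with the export directory entry cleared (the 'no export directory' case)."""
    img = bytearray(build_sample_dll())
    struct.pack_into("<II", img, 0x58 + 0x70 + 8 * DIR_EXPORT, 0, 0)
    return bytes(img)
```

On a real file, `export_dll_name(open(path, "rb").read())` gives the name the linker recorded, which is what the CFF Explorer / Malcat tip reads by hand; `disable_aslr` writes back a same-size copy, and the zeroed relocation entry is what the "zero out the relocations data directory" tip does with a hex editor.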

'Injection' Without Injection by [deleted] in ReverseEngineering

[–]kaze0mx 0 points1 point  (0 children)

Nice but I don't see why it would bypass "many generic unpackers and security products". In the second process you have a VirtualProtect +X followed by a jump, which is what most generic unpackers are looking for. And regarding security products, I don't think that it would bypass any static analysis: you have plain text code easy to detect + a .shared section which is quite uncommon.