I wanted to fuzz an Android app on-device (not emulator fantasy mode), and I wanted the target to be a JNI .so with a socket parser. So I built one: app listens on 4444 receives bytes JNI/...

When a vendor says “minor security fix”, I automatically assume there is a story hidden in the diff. Binary diffing is how you get that story quickly: what changed where it changed whether...

I wanted a simple thing: Open ida64 Export with BinExport Diff with BinDiff Not get yelled at by plugin loader logs Instead, I got this: /home/fury/.idapro/plugins/binexport12_ida.so: ...

I wanted the usual workflow: open target in Binary Ninja export .BinExport compare in BinDiff not fight plugin errors at 2am What I got instead: [Default] Plugin module '/home/fury/.bi...

Part 2 of the Syzkaller writeup. Part 1 covered layout, install, and building a fuzzable 6.19 kernel for QEMU. Here I bolt on a deliberately broken driver, wire syzkaller to it with syzlang, run th...

What libFuzzer is libFuzzer is LLVM’s in-process, coverage-guided fuzzer. You compile your target with the fuzzer runtime (-fsanitize=fuzzer), implement a single callback LLVMFuzzerTestOneInput(co...

When you open an Android .so in a disassembler, JNI entry points show up as long, mangled symbols: Java_com_example_app_MainActivity_stringFromJNI. The real story lives in the DEX: class name, meth...

Hey everyone! apologies for the delayed post. I got caught up with a few things and couldn’t publish as planned. Thanks for your patience and continued support. Wishing you all a Happy New Year! 🎉...

I’ve been away for a few weeks because I’ve been learning Windows Kernel Exploitation, and soon I’ll be posting my notes on it here. In this post, I’ll be sharing some tutorials on how to use the B...

In this chapter, we’ll create a reverse TCP shell - a shellcode that connects back to an attacker-controlled machine, providing remote access. This is often more effective than bind shells as it by...