Latest posts

Feb. 3, 2024

Abusing XFG: Mitigations are a reverser's friend

With the release of Windows 11, Microsoft is introducing another iteration of control flow integrity mitigation called “eXtended Flow Guard” or XFG. In short, it further restricts targets of indirect calls to not only valid function entry points, but to a subset of functions that have a particular signature consisting of return value type, number and types of parameters and other function properties.

Surely, this added metadata can somehow aid us in our reverse engineering process. To see how, we’ll need to understand the implementation details.

Jan. 23, 2024

Film X-ray imaging for reverse engineering

A cabinet x-ray machine is a handy tool for any reverse engineer of electronics, but the price tag keeps convenient x-ray photography beyond the reach of most hobbyists, particularly when the digital sensor is intact and working. In this lecture, we’ll show two film alternatives to digital photography, generating x-ray pictures first with a proper dark room under a red light and second with polaroid/fujiroid film in the absence of wet chemistry. We’ll also explain where film can be a better alternative to a digital sensor, offering better resolution and dynamic range at a much larger surface area.

Jan. 24, 2023

Lytro Unlock - Making a bad camera slightly better

I’ve recently spent some time playing with and reverse engineering this curious piece of tech that was the first consumer-oriented, though odd-looking, light-field camera, called Lytro. The killer feature of this new technology was the ability to refocus the image after it was taken! The bad side was that the software was pretty bad, the camera was trying to solve a problem that didn’t exist, and the whole endeavor mostly failed.

Aug. 19, 2021

Rooting Bosch lcn2kai Headunit

My Nissan Xterra came with a (for the time) modern head unit that has a touch screen, built-in navigation, backup camera display, multimedia features and smartphone connectivity. Some of the more advanced features are only available through NissanConnect App which requires registration and subscription. I’ve never used it and I’m not even sure if it’s still supported.

Wouldn’t it be neat if we were able to get code execution on the device and even develop extensions and apps of our own?

Jan. 11, 2020

Smart Response XE & CC1101

This project repurposes the Smart Response XE device for digital radio trickery by adding a CC1101 module to it. The initial application is a proof-of-concept DAPNET pager receiver. It is currently at a very early stage and can only properly receive short frames.

Additionally, there is a spectrum analyzer application, showcased in the photo above.

Oct. 23, 2017

Fast Cash for Useless Bugs!

Every one of us who has ever searched a piece of code for vulnerabilities has ended up finding a number of situations which are more than simple bugs but just a bit too benign to be called a vulnerability. You know, those bugs that lead to process crashes locally, but can’t be exploited for anything else, and don’t bring a remote server down long enough to be called a Denial of Service.