KUSER_SHARED_DATA quick notes
Today I learned about KUSER_SHARED_DATA: a kernel-populated shared page that user mode can read directly. User mode reads it at the fixed address 0x7FFE0000 (same on x86 and x64). It is …
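A worked example, added here and not part of the original note: a C program that pulls the NT version, build number, KdDebuggerEnabled flag and SystemTime out of KUSER_SHARED_DATA. On Windows it reads the live page at 0x7FFE0000 (no syscall involved); on any other host there is no such mapping, so it parses a constructed snapshot laid out the same way. The field offsets are the public KUSER_SHARED_DATA layout from the Windows SDK/WDK headers; the sample values (Windows 10 build 19041 with a kernel debugger attached) and helper names such as `parse_kuser_shared_data` and `make_sample_page` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode address of KUSER_SHARED_DATA on both x86 and x64 Windows. */
#define KUSER_SHARED_DATA_ADDR 0x7FFE0000u
#define KUSER_PAGE_SIZE        0x1000u

/* Field offsets from the public KUSER_SHARED_DATA layout (Windows SDK/WDK headers). */
#define OFF_SYSTEM_TIME         0x014u  /* KSYSTEM_TIME: LowPart, High1Time, High2Time */
#define OFF_NT_BUILD_NUMBER     0x260u
#define OFF_NT_MAJOR_VERSION    0x26Cu
#define OFF_NT_MINOR_VERSION    0x270u
#define OFF_KD_DEBUGGER_ENABLED 0x2D4u  /* BOOLEAN: nonzero when a kernel debugger is enabled */

struct kuser_summary {
    uint32_t major, minor, build;
    uint64_t system_time;        /* 100 ns units since 1601-01-01 UTC */
    int      kd_debugger_enabled;
    int      torn_time_read;     /* 1 if SystemTime never read consistently */
};

/* Little-endian 32-bit load, byte by byte: matches the Windows layout on any host. */
static uint32_t rd32(const volatile uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* Lock-free KSYSTEM_TIME read. The kernel writes the two high words on either side
   of LowPart, so High1Time == High2Time means the (High, Low) pair is consistent;
   a mismatch is a torn read and the reader simply retries. */
static int read_ksystem_time(const volatile uint8_t *p, size_t off, uint64_t *out)
{
    for (int attempt = 0; attempt < 16; attempt++) {
        uint32_t high1 = rd32(p, off + 4);
        uint32_t low   = rd32(p, off);
        uint32_t high2 = rd32(p, off + 8);
        if (high1 == high2) {
            *out = ((uint64_t)high1 << 32) | low;
            return 0;
        }
    }
    return -1;
}

/* Parse the fields of interest from a KUSER_SHARED_DATA page (live or snapshot). */
int parse_kuser_shared_data(const volatile uint8_t *page, struct kuser_summary *s)
{
    memset(s, 0, sizeof *s);
    s->major = rd32(page, OFF_NT_MAJOR_VERSION);
    s->minor = rd32(page, OFF_NT_MINOR_VERSION);
    s->build = rd32(page, OFF_NT_BUILD_NUMBER);
    s->kd_debugger_enabled = page[OFF_KD_DEBUGGER_ENABLED] != 0;
    s->torn_time_read = read_ksystem_time(page, OFF_SYSTEM_TIME, &s->system_time) != 0;
    return s->torn_time_read ? -1 : 0;
}

static void wr32(uint8_t *p, size_t off, uint32_t v)
{
    p[off] = (uint8_t)v;            p[off + 1] = (uint8_t)(v >> 8);
    p[off + 2] = (uint8_t)(v >> 16); p[off + 3] = (uint8_t)(v >> 24);
}

/* Constructed snapshot (not captured from a real machine): Windows 10 build 19041,
   kernel debugger enabled, SystemTime = 0x01D9_12345678. */
void make_sample_page(uint8_t *page)
{
    memset(page, 0, KUSER_PAGE_SIZE);
    wr32(page, OFF_NT_MAJOR_VERSION, 10);
    wr32(page, OFF_NT_MINOR_VERSION, 0);
    wr32(page, OFF_NT_BUILD_NUMBER, 19041);
    page[OFF_KD_DEBUGGER_ENABLED] = 1;
    wr32(page, OFF_SYSTEM_TIME,     0x12345678u); /* LowPart   */
    wr32(page, OFF_SYSTEM_TIME + 4, 0x01D9u);     /* High1Time */
    wr32(page, OFF_SYSTEM_TIME + 8, 0x01D9u);     /* High2Time */
}

/* Constructed snapshot with High1Time != High2Time, i.e. a permanently torn
   SystemTime, to exercise the retry loop's failure path. */
void make_torn_page(uint8_t *page)
{
    make_sample_page(page);
    wr32(page, OFF_SYSTEM_TIME + 8, 0x01DAu);     /* High2Time disagrees */
}

int main(void)
{
    struct kuser_summary s;
#ifdef _WIN32
    /* Live page: readable by any user-mode process without a system call. */
    const volatile uint8_t *page = (const volatile uint8_t *)(uintptr_t)KUSER_SHARED_DATA_ADDR;
#else
    uint8_t sample[KUSER_PAGE_SIZE];
    make_sample_page(sample);
    const volatile uint8_t *page = sample;
#endif
    if (parse_kuser_shared_data(page, &s) != 0) {
        puts("SystemTime read was torn on every attempt");
        return 1;
    }
    printf("NT %u.%u build %u, SystemTime=0x%016llx, KdDebuggerEnabled=%d\n",
           s.major, s.minor, s.build, (unsigned long long)s.system_time,
           s.kd_debugger_enabled);
    return 0;
}
```

The KdDebuggerEnabled byte at 0x7FFE02D4 is the same one malware reads as a cheap anti-debug check, which is one reason the page matters for the analysis write-ups below: no API call, no import, just a memory read at a fixed address.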
7 - The Mole: Reconstructing an Android Malware Beacon from a PCAP
A packet-capture-driven reverse engineering walk through an Android malware dropper, its SID-based gating logic, and the token chain used to reach the final flag.
6 - DeadDrop: Emulating an MQTT Bot to Recover a Flag
An Android malware sample communicating over MQTT with RC4-encrypted messages — decoding the obfuscated broker config, reversing the protocol, and building a bot emulator to trigger flag delivery.
Malware Busters: Unpacking, Reversing, and Decrypting a Go-Based C2 Implant
Full analysis workflow — from safe extraction and manual GDB unpacking through IDA Pro reverse engineering, XOR config decryption, and ultimately intercepting C2 communications on a WIZ Cloud Security Championship challenge.