BotConf 2026 Android Workshop: A Practical Android Malware Analysis Playbook
A practical walkthrough of the BotConf 2026 Android workshop, covering static analysis, dynamic instrumentation, native libraries, and automation as one workflow.
KUSER_SHARED_DATA quick notes
Today I learned about KUSER_SHARED_DATA: a kernel-populated shared page that user mode can read directly. User mode reads it at the fixed address 0x7FFE0000 (same on x86 and x64). It is …
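Reading the page in practice, as an added example that is not from the post: the reader below pulls the OS version, the KdDebuggerEnabled byte (which malware reads as a syscall-free anti-debug check) and two KSYSTEM_TIME fields, using the retry loop needed because the kernel rewrites the page while you read it. On Windows it reads the real page at 0x7FFE0000; on any other host it parses a constructed stand-in page whose values are invented. The field offsets are taken from the public KUSER_SHARED_DATA layout and are an assumption to confirm against the ntoskrnl symbols of the build you analyse; all kusd_* names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode virtual address of KUSER_SHARED_DATA; identical in x86 and x64
 * processes, mapped read-only into every process by the kernel. */
#define KUSER_SHARED_DATA_ADDR 0x7FFE0000ULL
#define KUSER_SHARED_DATA_SIZE 0x1000

/* Field offsets from the public KUSER_SHARED_DATA layout (assumed here;
 * confirm against ntoskrnl symbols for the build you analyse). */
#define KUSD_SYSTEMTIME        0x014 /* KSYSTEM_TIME {LowPart, High1Time, High2Time} */
#define KUSD_NTBUILDNUMBER     0x260 /* ULONG */
#define KUSD_NTMAJORVERSION    0x26C /* ULONG */
#define KUSD_NTMINORVERSION    0x270 /* ULONG */
#define KUSD_KDDEBUGGERENABLED 0x2D4 /* BOOLEAN, nonzero when a kernel debugger is attached */
#define KUSD_TICKCOUNT         0x320 /* KSYSTEM_TIME */

typedef struct {
    uint32_t nt_major, nt_minor, nt_build;
    int      kd_debugger_enabled;   /* classic anti-debug check, no API call needed */
    uint64_t system_time;           /* 100 ns intervals since 1601-01-01 UTC */
    uint64_t tick_count;            /* raw; scale by TickCountMultiplier for ms */
} kusd_info;

/* The kernel rewrites these fields while we read, so never let the compiler
 * cache them: every read goes through a volatile access. */
static uint32_t kusd_rd32(const uint8_t *page, size_t off)
{
    return *(const volatile uint32_t *)(page + off);
}

/* Tear-free 64-bit read of a KSYSTEM_TIME. The kernel stores High2Time, then
 * LowPart, then High1Time; reading High1Time, LowPart, High2Time and retrying
 * until both high halves agree yields a coherent value (the same loop
 * KeQuerySystemTime/RtlQuerySystemTime use). */
static uint64_t kusd_read_ksystem_time(const uint8_t *page, size_t off)
{
    uint32_t high1, low, high2;
    do {
        high1 = kusd_rd32(page, off + 4);
        low   = kusd_rd32(page, off);
        high2 = kusd_rd32(page, off + 8);
    } while (high1 != high2);
    return ((uint64_t)high1 << 32) | low;
}

void kusd_parse(const uint8_t *page, kusd_info *out)
{
    out->nt_major            = kusd_rd32(page, KUSD_NTMAJORVERSION);
    out->nt_minor            = kusd_rd32(page, KUSD_NTMINORVERSION);
    out->nt_build            = kusd_rd32(page, KUSD_NTBUILDNUMBER);
    out->kd_debugger_enabled = *(const volatile uint8_t *)(page + KUSD_KDDEBUGGERENABLED) != 0;
    out->system_time         = kusd_read_ksystem_time(page, KUSD_SYSTEMTIME);
    out->tick_count          = kusd_read_ksystem_time(page, KUSD_TICKCOUNT);
}

/* Constructed stand-in page so the parser can run on a non-Windows host.
 * The values are invented for this example, not captured from a real system. */
void kusd_build_sample_page(uint8_t *page)
{
    const uint32_t major = 10, minor = 0, build = 19045;
    const uint32_t st_low = 0x9ABCDEF0u, st_high = 0x01D9C4B2u;
    const uint32_t tc_low = 1000000u,    tc_high = 0u;
    memset(page, 0, KUSER_SHARED_DATA_SIZE);
    memcpy(page + KUSD_NTMAJORVERSION, &major, sizeof major);
    memcpy(page + KUSD_NTMINORVERSION, &minor, sizeof minor);
    memcpy(page + KUSD_NTBUILDNUMBER,  &build, sizeof build);
    memcpy(page + KUSD_SYSTEMTIME + 0, &st_low,  4);   /* LowPart   */
    memcpy(page + KUSD_SYSTEMTIME + 4, &st_high, 4);   /* High1Time */
    memcpy(page + KUSD_SYSTEMTIME + 8, &st_high, 4);   /* High2Time */
    memcpy(page + KUSD_TICKCOUNT + 0,  &tc_low,  4);
    memcpy(page + KUSD_TICKCOUNT + 4,  &tc_high, 4);
    memcpy(page + KUSD_TICKCOUNT + 8,  &tc_high, 4);
    page[KUSD_KDDEBUGGERENABLED] = 1;  /* pretend a kernel debugger is attached */
}

/* Build and parse the constructed page (used off-Windows and by the checks). */
kusd_info kusd_sample_info(void)
{
    static _Alignas(4096) uint8_t page[KUSER_SHARED_DATA_SIZE];
    kusd_info info;
    kusd_build_sample_page(page);
    kusd_parse(page, &info);
    return info;
}

int main(void)
{
    kusd_info info;
#ifdef _WIN32
    /* The real page: fixed address, readable without any API call. */
    kusd_parse((const uint8_t *)(uintptr_t)KUSER_SHARED_DATA_ADDR, &info);
#else
    info = kusd_sample_info();
#endif
    printf("NT %u.%u build %u, kernel debugger %s\n", info.nt_major, info.nt_minor,
           info.nt_build, info.kd_debugger_enabled ? "attached" : "absent");
    printf("SystemTime=0x%016llx TickCount=%llu\n",
           (unsigned long long)info.system_time, (unsigned long long)info.tick_count);
    return 0;
}
```

The High1Time/High2Time retry is the part people skip and then wonder why timing-based checks occasionally jump by 2^32 units; a single 64-bit load of a KSYSTEM_TIME is not atomic with respect to the kernel's three 32-bit stores.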
7 - The Mole: Reconstructing an Android Malware Beacon from a PCAP
A packet-capture-driven reverse engineering walkthrough of an Android malware dropper, its SID-based gating logic, and the token chain used to reach the final flag.
8 - Pizzeria: Prompt Injection Against an Android LLM Agent
An Android app, a fake pizza order form, and an LLM backend that could be pushed into calling internal tools through a Unicode-based prompt injection bypass.
3 - Smoke: Bypassing StringFog and Decoding a Custom String Cipher
The APK was protected by StringFog — every string literal replaced with an encrypted hex payload decoded at runtime — requiring a Python port of the custom LCG cipher to bulk-decrypt the entire source tree and find the flag.
1 - GhostMode: Reversing a Native Android CTF Library
An Android challenge that taunts you with a fake flag in static analysis, then hides the real one behind a PIN validator and a runtime decryption loop inside a native library.
2 - ThePackage: Unpacking a Runtime-Loaded DEX
A packer challenge where the real Java classes are encrypted inside the APK and only decrypted at runtime, requiring extraction and static analysis of the hidden DEX.
Malware Busters: Unpacking, Reversing, and Decrypting a Go-Based C2 Implant
Full analysis workflow — from safe extraction and manual GDB unpacking through IDA Pro reverse engineering, XOR config decryption, and ultimately intercepting C2 communications on a WIZ Cloud Security Championship challenge.