https://arzedlab.github.io/tags/ghidra/Recent content in Ghidra on Arzedlab 🪵Hugoen-us© RavshanMon, 24 Nov 2025 00:00:00 +0000https://arzedlab.github.io/posts/firmware-reverse-engineering-and-analysis-of-route-2b63648c0bf48023a3fec748d42f3844/Mon, 24 Nov 2025 00:00:00 +0000https://arzedlab.github.io/posts/firmware-reverse-engineering-and-analysis-of-route-2b63648c0bf48023a3fec748d42f3844/<h1 id="firmware-reverse-engineering-and-analysis-of-router-devices">Firmware reverse engineering and analysis of router devices</h1> <h2 id="intro">Intro</h2> <p>First of all, hello everyone. We&rsquo;re here to discuss routers, which are essential devices in our lives. Probably, more people don’t even know what it is. I have always been interested in security. How secure are they? In this post, I will discuss the feasibility of extracting the firmware and attempting to reverse it. Believe me, it is more interesting. In the market, there are routers from high-profile enterprises like Fortinet to budget home brands like TP-Link and Tenda, as well as other Chinese brands.</p>https://arzedlab.github.io/posts/full-technical-analysis-of-dcrat-dissecting-the-st-3a62fe4b93c34c30974b500a24fc7483/Sat, 31 Aug 2024 00:00:00 +0000https://arzedlab.github.io/posts/full-technical-analysis-of-dcrat-dissecting-the-st-3a62fe4b93c34c30974b500a24fc7483/<h1 id="ioc">IOC</h1> <p>Malicious file: “Огохланитриш_хати06.08.2024.pdf.exe_”</p> <p>Hashes</p> <table> <thead> <tr> <th><strong>Тип</strong></th> <th><strong>Значения</strong></th> </tr> </thead> <tbody> <tr> <td>MD5</td> <td>2cdb1d87940645acadcec093307b91dd</td> </tr> <tr> <td>SHA1</td> <td>fb16cec8b295ad76ff7ecbc1aa769e6553c7e5ba</td> </tr> <tr> <td>SHA256</td> <td>e6e93d2ec20e1aec2db995ae2a98eb35231d0b80564d257e4d9b87b0cbfc95af</td> </tr> </tbody> </table> <p><strong>Загруженные исполняемые файлы</strong></p> <table> <thead> <tr> <th><strong>Путь</strong></th> <th><strong>SHA256 Hash</strong></th> </tr> </thead> <tbody> <tr> <td>C:\Users\username\AppData\Roaming\2ZbCeAH0wY.exe</td> <td>caf29650446db3842e1c1e8e5e1bafadaf90fc82c5c37b9e2c75a089b7476131</td> </tr> <tr> <td>C:\Users\username\AppData\Roaming\NjcXx3wcvK.exe</td> <td>7526e43bb967b29c8a3afbb4ae23a86184f5eadf4279dace89c18946b2e63a9e</td> </tr> <tr> <td>C:\Users\username\Desktop\RgkotKHZ.log</td> <td>aab95596475ca74cede5ba50f642d92fa029f6f74f6faeae82a9a07285a5fb97</td> </tr> <tr> <td>C:\Users\usernam\Desktop\MliXleSf.log</td> <td>1f02230a8536adb1d6f8dadfd7ca8ca66b5528ec98b15693e3e2f118a29d49d8</td> </tr> </tbody> </table> <h3 id="dns-requests"><strong>DNS requests</strong></h3> <p><strong>Domain</strong></p> <hr> <p>476072cm[.]nyashsens[.]top</p> <hr> <h2 id="ip-addresses">IP addresses</h2> <hr> <p>20.166.126.56</p> <hr> <p>95.101.149.131</p> <hr> <p>80.211.144.156</p> <hr> <h3 id="httphttps-requests"><strong>HTTP/HTTPS requests</strong></h3> <p><strong>URL</strong></p> <hr> <p>hxxp[://]476072cm[.]nyashsens[.]top/ExternalRequestUpdateMultiuniversallocal[.]php</p> <hr> <p>hxxp[://]ocsp[.]digicert[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D</p> <hr> <p>hxxp[://]www[.]microsoft[.]com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018[.]crl</p> <hr> <p>hxxp[://]www[.]microsoft[.]com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202[.]1[.]crl</p> <hr> <h1 id="introduction">Introduction</h1> <p>DCrat (Dark Crystal RAT) is an advanced remote access trojan that first appeared in 2018 and has since been used by threat actors in a variety of cyberattacks. DCrat is notable for its modular architecture, which lets attackers enable or disable features according to the goals of a campaign.</p>