DISASSEMBLE
EVERYTHING_

Writeups on malware analysis, reverse engineering, and CTF challenges — the methodology, the dead ends, and the flag at the end.

★ latest dump
0x0000

NSA Codebreaker 2025 — T2

Forensic analysis of a PCAP in Wireshark uncovers a rogue DNS server, suspicious FTP activity, and the IP addresses assigned to a malicious device on the network.

forensics
5 min · 2026-02-21 · wireshark, dns, ftp
0x0040

NSA Codebreaker 2025 — T1

Carving a Linux EXT2 image to surface a hidden malicious artifact and extract its SHA-1 hash.

re, forensics
2 min · 2026-02-21
0x0080

picoCTF — Investigative Reversing 0

A binary mangles flag data into mystery.png. Reading the transform, then writing its inverse to decode the hidden flag.

ctf, forensics, picoctf
11 min · 2024-07-24
0x00C0

picoCTF — WebNet1

Decrypting TLS traffic with a provided private key, then pulling decrypted HTTP objects out of Wireshark to recover the flag.

ctf, forensics, picoctf
2 min · 2024-07-16
0x0100

Flare-On 1 — Challenge 5: 5get_it

Dissecting a 32-bit Windows DLL in Ghidra to walk the keylogger logic and pull the flag out of its character map.

re, ctf, flare-on
1 min · 2024-07-11
0x0140

Flare-On 1 — Challenge 4: APT9001.pdf

A deceptive PDF hiding obfuscated JavaScript and encoded shellcode — deobfuscation with Origami and ndisasm, layer by layer, down to the flag.

re, ctf, flare-on
4 min · 2024-07-10
0x0180

Flare-On 1 — Challenge 3: such_evil

A PE32 that looks normal until it isn't — chasing shellcode that decodes its own strings at runtime.

re, ctf, flare-on
2 min · 2024-07-03
0x01C0

Flare-On 1 — Challenge 2: PHP in a PNG

A PHP script hiding inside a PNG, wrapped in layers of mixed hex and octal obfuscation. Unraveling each layer until the flag falls out.

re, ctf, flare-on
14 min · 2024-07-03
0x0200

Unveiling Native Java Secrets in APKs

picoCTF "Droids 4": digging native secrets out of an APK, dissecting the binary, and scripting the decryption in Python.

re, ctf, picoctf
5 min · 2024-06-29
0x0240

Unraveling the Mysteries of Malware in the Wild

Finding a random piece of malware and taking it apart piece by piece — tooling, methodology, and what the sample was really doing.

re, malware
17 min · 2024-05-14

0x0280

// about

I'm Aaron. I spend my time pulling binaries apart to see how they work — malware samples, CTF challenges, anything with bytes worth reading. These posts document the process honestly: the tooling, the methodology, and the wrong turns along the way. Grab a coffee and dig in.

$ ldd aaron
  ghidra.so => found
  wireshark.so => found
  python3.so => found
  ida.so => not found (ghidra is free)
  coffee.so => required, loaded