I hereby claim:
- I am ahm3dgg on github.
- I am ahm3dgg (https://keybase.io/ahm3dgg) on keybase.
- I have a public key ASCIjZUc8v9wuQSrn4fZPyOV-H6-Nj96wbQG4QymNKsrlgo
To claim this, I am signing this object:
I stumbled upon an old MiniDuke APT malware sample and found that it has some cool tricks. I won't be explaining how the malware works or what it even does; instead, I will focus on a code flaw in the sample that caused a crash I ran into while debugging it on Windows 10, and on how we can fix it. That requires some amount of reverse engineering and coding (I will use C and Assembly).
To give you a quick introduction, the sample comes as a 32-bit DLL with a single export named 'JorPglt', which is the entry point of the payload. The sample also employs a few simple code mutation / instruction-level obfuscations, which we will discuss as well.
So, without going into much detail, here is where the code flaw resides: