Initial thoughts (Article WIP)
About AI-assisted reverse engineering
Using AI-assisted reverse engineering
So yeah, that was pretty cool. I managed to get Gemini integrated with GhidraMCP by LaurieWired. I’ve previously talked so much shit about ‘AI slop,’ but this is definitely not AI slop.
Logging into AI Studio had nothing to do with being behind a VPN. It was actually my User Agent for some stupid reason. Gemini AI Studio would not let me create my API token, calling my Ubuntu host operating system ‘scammy.’ So, I installed Google Chrome and changed my user agent to a Windows string—in other words, I lied and said I was on Windows. That’s all it was. It was the same issue I had with iCloud back in September. Technology moves fast, and developers tend to move fast enough to run their heads into walls, making them look like morons.
Another thing: I’m using Bash. I don’t use Zsh. I use Bash even though Zsh is available and installed by default; I still revert to Bash. The reason is that I tend to encounter Bash or standard Unix shells more often when I’m playing offense. I’ll use Zsh whenever possible because it’s clearly superior, but Bash is the standard.
This is why I’m going back to Vegas to grab my gear, specifically my GTX 1080. Reverse engineering is GPU-intensive. I would have used a local model—you can just run a local model from Hugging Face—but you can also just pay for Gemini credits and offload the work to the cloud.
I asked it to scan the base address of HermeticWiper, but unfortunately, I used up all my tokens. I just didn’t want to rack up a ton of charges like in my old days with AEL before the AELBS certification exams ran out. It’s simple enough that I didn’t actually have to make a video guide for it, outside of saying this is one of the few things you can actually use AI for.
AI is an augmentation tool, not your replacement (but it has criminal use-cases, like for scammers, and it is known that billionaires manipulate output to spread misinformation)
There are other things people have proven AI is useful for in security. For example, TryHackMe & HackTheBox (and soon OffSec?) have ‘AI Hacking’ or sections on using AI to augment your abilities. It’s only a problem when you use it to replace yourself, which is why I keep bashing brain-rot like those dumbass ‘tier lists.’ John Hammond admits that he uses AI, and that’s fine. There’s nothing wrong with that until you use AI to replace your own brain, your critical thinking, or to perpetuate fraud and scams.
I’m not accusing anyone specifically, although morons who don’t know English or don’t know how to follow the flow of how I speak will try to misinterpret my words. Gemini tends to have issues with certain forms of obfuscation—I’m surprised it can’t read a stack string, but that was the older model. I just didn’t want to spend money yet; I just wanted to make sure the damn thing works since I could’ve just hopped onto another model.
My father just texted me that he got into a car accident and his oil pan is leaking, so I don’t need to be dealing with any bullshit from anyone else right now. People think I am bitchy; no, I’m just vocal about frauds trying to pick my brain for free answers. I checked my account and, thank God, two frauds who were following me on LinkedIn got banned.
I’m going to keep testing what Gemini is capable of. LaurieWired’s YouTube guide specifically uses Claude, but I tested this with Gemini and it works. You just issue a command to the Gemini CLI, pick your appropriate model, and it works with the MCP server. First, I attempted to list malicious functions that were not obfuscated, and then I asked it to rename a random function. It took it a bit too literally because I didn’t ask it for an address; I wanted it to use FUN_[ADDR] as a variable so I know where it is. That’s how Ghidra names functions: FUN_ followed by the address offset from the base.
HermeticWiper is a 64-bit DLL, so it has an 8-byte base address. Everything else is an offset—the Relative Virtual Address (RVA). When you run this DLL, it doesn’t use the base address; it uses that RVA. I’m glad LinkedIn is helping me out by banning those frauds. I’m not happy about my father hitting a curb and blowing out a tire and his oil pan, but we’ll see what the mechanic says.
So yeah, what do I generally think about AI-assisted reverse engineering? While I don’t have enough tokens to properly evaluate it yet, I know one thing: it ain’t replacing me.
Reverse Engineering, Game Cheaters, and how they relate to malware and EDR
Without understanding what a Base Address is—much less learning how to rebase a binary for reverse engineering—you’re lost. I’ll give you a tip: rebasing is something I learned from Guided Hacking, which is a game cheating forum. Rebasing means you take the base address—which for standard executables might be 0x400000—and you change it to zero.
Because of ASLR (Address Space Layout Randomization), which is a security feature in Windows, every address is basically just an offset from a randomly generated base address. This applies to video games and malware alike. Think about the standard evolution of these tools: it’s a conflated timeline, but it basically started with Aimbot cheats for Counter-Strike. We developed Reflective DLL Loading to inject our Aimbots into the game process without touching the disk.
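To make the base address / RVA / rebasing point above concrete, here is an added example (my own code, not from GhidraMCP, LaurieWired or the original post). It reads the preferred ImageBase out of a PE optional header, turns a Ghidra-style FUN_<address> name into an RVA, and re-applies that RVA to a different base, which is exactly what happens under ASLR at runtime and what rebasing to zero does in the disassembler. The PE header bytes and the 0x180000000 / 0x7ffb12340000 bases are constructed for the demo and are not taken from HermeticWiper.

```python
import struct

# Constructed minimal PE header for demonstration only (not a real sample).
# Layout: DOS header ('MZ', e_lfanew at 0x3C) -> 'PE\0\0' -> 20-byte COFF
# file header -> optional header whose Magic selects PE32 (ImageBase @ +28,
# 4 bytes) or PE32+ (ImageBase @ +24, 8 bytes, i.e. the 64-bit DLL case).

def build_fake_pe(image_base: int, pe32plus: bool = True) -> bytes:
    """Construct just enough of a PE file to carry an ImageBase field."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C          # AMD64 vs i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0x70, 0x2022)
    if pe32plus:
        opt = struct.pack("<H", 0x20B) + b"\0" * 22 + struct.pack("<Q", image_base)
    else:
        opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)
    return dos + b"PE\0\0" + coff + opt

def image_base_from_pe(data: bytes) -> int:
    """Return the preferred ImageBase (the address the linker assumed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    opt = e_lfanew + 4 + 20                           # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                # PE32+: 8-byte base
        return struct.unpack_from("<Q", data, opt + 24)[0]
    if magic == 0x10B:                                # PE32: 4-byte base
        return struct.unpack_from("<I", data, opt + 28)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)

def rva_from_fun_name(name: str, image_base: int) -> int:
    """Ghidra shows 'FUN_180001a20'; subtracting ImageBase gives the RVA."""
    return int(name.removeprefix("FUN_"), 16) - image_base

def rebase(rva: int, new_base: int) -> int:
    """Apply an RVA to any base: 0 for a rebased listing, or the ASLR base."""
    return new_base + rva

if __name__ == "__main__":
    base = image_base_from_pe(build_fake_pe(0x180000000))     # 64-bit DLL default
    rva = rva_from_fun_name("FUN_180001a20", base)
    print(hex(rva), hex(rebase(rva, 0)), hex(rebase(rva, 0x7ffb12340000)))
```

The same RVA resolves to a different virtual address on every ASLR'd load, so notes and hooks should be recorded as offsets, never as the absolute FUN_ address Ghidra shows.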
Eventually, EDR (Endpoint Detection and Response) vendors took those same injection techniques and used them for defense. It’s all connected. So, what is my real opinion on using AI with the crappy amount of tokens I had? If you don’t understand the history of game cheating, malware, and EDRs, AI kind of sucks.
AI is supposed to augment you. You correct its output because of what you already know about reverse engineering and malware. It does not replace you.
You can beat up cheaters in Tekken 8 using cross-play against their PCs if you know how cheats work
Another thing about video game cheating: if you don’t like cheaters and you have a console—because arguably you can play a fighting game better on console and it has cross-play—you can easily beat the fuck out of a cheater in Tekken 8 or Virtua Fighter. The reason isn’t just because of game mechanics. 2D games are actually really easy to cheat in; you can track and block in both directions, for example. That’s why they have tournament-rated fight pads.
I have a Haute42 fight pad, which is a bootlegged version of a Hitbox. But in order to play the game without the controller being disconnected every eight minutes by my PS5, I needed a Wingman. A Wingman is a device that is tournament-authorized. You also have to have a tournament-authorized chip on your ‘Hitbox,’ because the official Haute42 pads on Amazon are essentially clones. In actual fighting game tournaments, they check the chips to ensure you cannot use SOCD (Simultaneous Opposite Cardinal Direction) to block in both directions at the same time, which is cheating.
So it is trivial for 2D fighting game cheats to do this with software, but modern games have kernel-mode anti-cheats like EAC (Easy Anti-Cheat). A cheater that can block in both directions in a fighting game is vulnerable to a combo mechanic called a “cross-up,” though. A cross-up is a specific move where you land a free hit before your opponent turns around; for example, one of the basic combos of Black Canary in Injustice 2, where she split-kicks her opponent in the back of the head before the opponent can turn around. NetherRealm Studios also implements overhead attacks to overcome those who spam block or are good blockers, but a cheater can just automate an uppercut. Unfortunately, cross-ups are usually in the middle of combos and don’t start combos.
In a 3D fighting game like Tekken 8, people on the PC version use auto-block macros and can perform extremely long wall-carry and wall-splat combos through a programmable macro. Because Tekken 8 is aggression-based, that’s a main point of complaint; combinations are installed as macros. Now, I’ve never cheated in Tekken or looked up Tekken 8 cheats, but I’ve read the forums and seen YouTube videos on how the cheaters work.
It is not difficult to beat a cheater in Tekken 8 on PC, which you can easily do from a PlayStation 5 with cross-play enabled. Because it’s a 3D fighting game, you have an additional plane of movement; you can sidestep. That by itself can bypass defenses to land counters. Most characters in Tekken 8 have a sidestep attack as well as a parry. To stop a cheater when you aren’t stuck in a combo, you can parry them because you know exactly how their macro starts up.
I’ve fucked up a lot of cheaters in Tekken 8 via cross-play on my PS5. I wasn’t even that good—I kind of lucked out—but when I countered them, they didn’t like it. They ‘plugged,’ meaning they pulled their Ethernet cable so I wouldn’t get the win. Here is a tip: it’s almost impossible to carry a whole round with a ‘trainer bot’ macro. There is no ‘one macro to rule them all’ in a 3D fighting game. You can easily beat the shit out of a cheater if you know their macros.
In one instance, I was hit with a stresser, which is a script-kiddie DDoS tool built on rented botnets. After I found a gap in his macros, the lil shit plugged (didn’t give me a win), then DDoSed my Cox internet connection, and I started running out of monthly data (but I also had a TMO 5G “Trash Can Modem”).