Rogue Byte Jump Chains
Technical Introduction
So you might be wondering, exactly why the hell am I doing this and is this cutting-edge stuff? No, it’s not—at least for the second question. I have been sitting on these TTPs (Tactics, Techniques, and Procedures) for about three years. I could have weaponized them any time I wanted to, but to answer the first question: due to sudden hot takes almost every six to 12 hours in the United States—and it negatively affects not just me, but my family within the United States—there must be some sort of means of rapid personal empowerment and rearmament.
I know it’s not just the big-shot names that are technically capable, and for that reason, I throw these neutered write-ups and how-tos out without giving any actionable directive or code in many cases. This is to help facilitate defending and loving the communities that you have surrounded yourself with, to hopefully stabilize this chaos, as well as having the means to defend yourselves against extrajudicial transgressions.
Now, that being said, I do have a potential interview with a notable—I wouldn’t say notorious or infamous, but very famous—organization. And by the time I get everything checked off and cleared, and I get my contract role or a paid salary role, I must roll things back in my public behavior instead of some, you know, ‘super revolutionary’ talk, as you may say.
For that reason, I want you to look at this Infographics Show video, because their channel has usually been loaded with like, brain rot—like, ‘oh, what happens if you live forever’ and all that stuff. But this new one is particularly interesting: ‘World War III has already started. You just don’t know it.’ And I mostly agree with about 70% of what they’re saying. Not 100%, but 70%. Because of this, I have decided—I wouldn’t call this a manifesto—I decided, okay, all those old TTPs, all I did was modernize them and then just disclosed how they work. It is not actionable until someone who’s technically capable can do this, if that makes sense.
Technical Transcript: Rogue Byte Jump Chains
“Okay, so let’s do another lecture, right? Um, basically, I just transcribe and then have LLMs do the only thing they’re probably useful for, which is, you know, correcting misspellings in transcripts from my accent.
And let’s talk about rogue byte jump chains. So, I’ve been experimenting with rogue byte jump chains, randomizing rogue byte jump chains—and you might be wondering, what the fuck’s a rogue byte jump chain? It came from either the book Practical Malware Analysis or Binary Analysis, released under No Starch Press, I believe. And the idea is, among many threat actors (not specifically from any country), they insert a rogue byte that does not disassemble correctly statically.
And there are many of these rogue bytes, and what I did was I created a proof-of-concept tool to evaluate these rogue bytes. It’s a combination of an emulator, like Unicorn Engine, as well as an assembler, such as Keystone Framework in Python—or you can create your own interpreter in C. I had issues running Keystone with the rogue bytes because it would attempt to evaluate and execute the rogue byte instead of correctly jumping over it. So that was the main issue.
I can show you how my rogue byte injection works, but I was like, ‘well, why do we have to have one rogue byte? Let’s have 20—a combination of 20 jumps up and down the stack before we enter our true malicious function.’ And these are done through a pool of rogue bytes because the real trick about rogue byte jump chains is you need to have it execute a short jump. That’s a jump between 1 to 255 bytes up and down the stack to a NOP sled that’s randomized.
What I like to do is I like to throw in some software breakpoints and then a NOP sled (hex 0x90, usually). And because we’re just dealing with ANSI strings/executable code, we are not going to be dealing with what are called Unicode-compatible NOPs, also from Christopher Anley’s Venetian Blind techniques. So that’s not relevant because that’s just for what I said before in one of my videos: wide character format in Windows, also known as Unicode encoding. But it really just means UTF-16 Little-Endian encoding. We’re not going to be dealing with that. We’ll just stick with rogue byte chains, tampering with NOP sleds so it can jump to the next rogue byte.
And the reason why I’m doing all this tomfoolery is there’s a really practical reason: because if you can randomize the rogue byte chains in Ghidra, IDA, Cutter, or Binja—well, probably not Binja, because Binja is really granular in being open to re-represent disassembly. And on top of that, I never had a VTL license before, not even the cheap $60 license, just FYI. I always liked Ghidra better.
But anyways, so if you can randomize and frustrate the analyst statically with rogue byte jump chains, then that means that each time they pull off a layer of 20 rogue jumps before it even does anything in our malicious function, they have to constantly patch and calculate randomized offsets. Does that make sense? Because it can jump 1 to 255 bytes as a short jump to the next rogue byte, which continues to tamper with how it’s rendered down the stack. And we’re doing this—I just picked a number, 20—with randomly selected and evaluated rogue bytes that it’s jumping over.
What’s the performance overhead? Oh, this will rip right through on any x86 or CISC processor, okay? It would just rip right through in a millisecond, even shorter than that. But to an analyst, this would drive them crazy. And if they try to dynamically allocate it through unpacking tricks, great, well, we can try using Structured Exception Handlers (SEH) and raising our own exceptions to mess with their debugger.
So I’m just spitballing this through yet another transcript. I do have my jump chain, I just never implemented it, you know? I’m like, ‘well, why not just mess up the analysts a little bit more?’ So let’s have an opaque predicate, which means we know which way control flow goes, and then we have basically a dangling pointer that goes to junk code that still renders because we tampered with the optimization settings of our malware.
So it goes in at least two passes; maybe the second unreachable path goes into control-flow flattened loops, and that control-flow flattened loop has eight branches, and each branch goes to a fake DLL that is executable, but all it does is insult the analyst with a MessageBox payload with emojis. I’m not kidding. MessageBoxes now—you can throw emojis in them.
So that’s just the concept, but I did prove it works. I just never bothered to have the time to create malware to... I mean, I’m not really trying to do this out of malice, but maybe we should just, you know, commit a junior analyst to a mental health hospital before they harm themselves, right?”
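As an added illustration (not the author’s proof-of-concept tool and not code from this post), here is a toy Python decoder covering just enough x86 opcodes to show the anti-disassembly effect described above from the analyst’s side: a linear sweep swallows the real code behind an always-taken `jz +1` into a bogus 5-byte `call`, while a recursive traversal reaches the true bytes and can flag the decoded instruction that overlaps them, which is the one an analyst patches out. The sample byte string is constructed for this example.

```python
# opcode -> (mnemonic, total length); anything else is a 1-byte "db" placeholder
OPCODES = {0x90: ("nop", 1), 0xCC: ("int3", 1), 0xC3: ("ret", 1),
           0x31: ("xor", 2), 0xEB: ("jmp", 2), 0x74: ("jz", 2),
           0x75: ("jnz", 2), 0xE8: ("call", 5)}

def rel8(b):
    """Signed 8-bit displacement of a short jump (the 1..255-byte hops above)."""
    return b - 256 if b > 127 else b

def decode(code, off):
    """Return (mnemonic, length, successor offsets) for the instruction at off."""
    name, ln = OPCODES.get(code[off], ("db", 1))
    if off + ln > len(code):                 # instruction runs past the buffer
        return "db", 1, []
    end = off + ln
    if name == "jmp":                        # unconditional: target only
        return name, ln, [end + rel8(code[off + 1])]
    if name in ("jz", "jnz"):                # conditional: fall-through + target
        return name, ln, [end, end + rel8(code[off + 1])]
    return name, ln, [] if name == "ret" else [end]   # toy call: fall through

def linear_sweep(code):
    """Decode bytes back to back, as a naive linear disassembler would."""
    out, off = {}, 0
    while off < len(code):
        name, ln, _ = decode(code, off)
        out[off] = (name, ln)
        off += ln
    return out

def recursive_traversal(code, start=0):
    """Follow control flow from start; returns {offset: (mnemonic, length)}."""
    seen, work = {}, [start]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        name, ln, succ = decode(code, off)
        seen[off] = (name, ln)
        work.extend(succ)
    return seen

def rogue_instructions(insns):
    """Offsets of instructions that contain the start of another decoded one."""
    spans = [(o, o + l) for o, (_, l) in insns.items()]
    return sorted({s for s, e in spans if any(s < o < e for o, _ in spans)})

# Constructed sample: xor eax,eax ; jz +1 (always taken) ; rogue 0xE8 ;
# then the real code: nop ; nop ; int3 ; nop ; ret
SAMPLE = bytes([0x31, 0xC0, 0x74, 0x01, 0xE8, 0x90, 0x90, 0xCC, 0x90, 0xC3])
```

Running `rogue_instructions(recursive_traversal(SAMPLE))` points at offset 4, the rogue byte the analyst must patch to a NOP before the listing renders the real code; the linear sweep never even sees offset 5.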
Disclaimer: So let me just add, as far as I can tell in my blogs—outside of what I promised to do, and what I promised to do is I will give you tutorial guides of the basics—well, outside of that, people can steal my content as much as they like. I don’t like it, of course, and you will lose my respect, very much like all the other assholes who have either stolen my content, or my friends’ content, or the content of my circles to pass off as their own. And like I keep saying, they’ll just, you know, bring down the companies that they scammed their way into getting hired by, right? So that’s mainly it—I tend to keep my most dangerous theories that I have proven. And that’s something that one of my friends says: the difference between me and other people within the group I used to be in, in Vegas, is that I had the capability of taking what was merely theory in textbooks and research papers, and I implemented it and weaponized it. But the real truth is that I did it maybe two to three years ago for most of my abilities. And that’s why I’m posting so spastically and so frequently; it’s because I already did it a really long time ago. That being said, every person that I have heard of who stole my abilities in a fake interview—for example, in one of these job fraud scams—they failed to replicate what I was able to do, and they got fired or they brought the company they scammed down with them. So that’s why I’m not really worried about talking about all this crazy shit, because this crazy shit actually works. How do I know this crazy shit actually works? I read it from a research paper or a textbook or even a No Starch Press book, and instead of just listening to theory and acting like it was a magic box, I did everything I could to implement it and then just not tell anybody about it. Because why the hell would I give up all my cards? That’s idiotic.
If I can just reuse a vulnerable driver that was one out of many, but the target was worthless, exactly why the hell should I use a relatively unknown vulnerable driver? I mean, the person wasn’t worth burning a modern vulnerable driver, right? So, you know, that’s just my disclaimer part.