Lowyat.NET: Latest topics by MatQuasar

Shortest code for a hexdump program

MatQuasar — Sun, 02 Nov 2025 16:28:15 +0800

The code must be able to open a file, and print the address, hex value, and ASCII char side-by-side like below:

CODE

00000000 7F 45 4C 46 02 01 01 03 00 00 00 00 00 00 00 00 .ELF............
00000010 02 00 3E 00 01 00 00 00 B0 00 40 00 00 00 00 00 ..>.......@.....
00000020 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
00000030 00 00 00 00 40 00 38 00 02 00 40 00 00 00 00 00 ....@.8...@.....

Anyone want to try?

My shortest code is in FASM, but you can try in other programming language.

You can use third-party library or system library.

My solution: (you can import the function in C/ C++ / C#)

» Click to show Spoiler - click again to hide... «

Example of Linux polyglot file

MatQuasar — Sun, 26 Oct 2025 17:49:08 +0800

Some polyglot file can be more than 2 file formats, for example, ELF + PDF + JS.

https://github.com/binarygolf/BGGP/issues/152

Topics not bumped in Service Noticeboard

MatQuasar — Sat, 18 Oct 2025 01:06:21 +0800

Newly bumped topics were not promoted to above older post.

Please ignore this Bug Report if this is the intended behaviour.

A simple PE analysis tool for reverse engineers

MatQuasar — Fri, 17 Oct 2025 23:44:13 +0800

Hi, in April 2025, I created a small Win32 app (minimum requirement: Windows XP) in FASM that can let you open an executable file (e.g. EXE, DLL, SYS) and you'll get simple description such as:
1. "32-bit Console App"
2. "32-bit GUI App"
3. "64-bit Console App"
4. "64-bit GUI App"

For any other type of subsystem, it will just merely states:
1. "32-bit PE file"
2. "64-bit PE file"

The source code (pemenu.txt) is included.

I have published this program in SherpaSec cybersecurity Discord server before. To get the source code to compile, you'll need Flat Assembler for Windows.

The command-line version is only available upon request, since it is not popular. Many prefer GUI app.

My first database program in Assembly language

MatQuasar — Fri, 17 Oct 2025 16:42:21 +0800

My latest hobby project is a Win32 database program written in FASM, based on SQLite3.dll.

It allows CRUD, but I have issue with Update and Remove in indexing if you start remove items in the middle of the list, it won't update the database although it appears correctly in GUI window.

SQLite3.dll is decades old, I got the example and file from another fellow Malaysian "yeohhs", who had uploaded several FASM tutorial examples.

The code to fetch SELECT query in my program is different than what I did last time in Visual Basic 6, the result set returned by 'sqlite3_get_table' function is in memory pointer format, and the first row is always column header. If I have two columns, then each cell is 4-byte long (memory address), which mean each row is 8-byte long.

Nonetheless, it was fun to program a SQL database program in Assembly language. If you are in Developer Kaki group, you may already see I have showcased this in last July.

If you want to run, here's how:
1) Download 'dbform.txt' and 'sqlite3.zip'
2) Unzip sqlite3.zip and you'll get one file - sqlite3.dll
3) Rename dbform.txt to dbform.asm
4) Download Flat Assembler for Windows
5) Run FASMW.EXE and open dbform.asm
6) Click Compile (or Run)
7) Please make sure sqlite3.dll and dbform.exe are in the same directory
8) After you run, you'll notice dbform1.dat file-based database is created

BGGP6 is happening this Saturday

MatQuasar — Thu, 16 Oct 2025 18:40:49 +0800

BGGP is an annual small file competition.

Past challenges were:

- BGGP1 (2020) - Palindrome
- BGGP2 (2021) - Polyglot
- BGGP3 (2022) - Crash
- BGGP4 (2023) - Replicate
- BGGP5 (2024) - Download

For BGGP4 and BGGP5, participants sent in a lot of entries in multiple file formats and programming languages.

BGGP6 for 2025, is expected to begin this Saturday (Oct 18 Eastern Time) as the organizer has postponed it from northern summer to northern fall.

Get your hex editor ready. I will post more once it has begun.

Announcement:
https://haunted.computer/@netspooky/115357200184400163

Website: https://binary.golf

First time using Wireshark

MatQuasar — Fri, 29 Dec 2023 03:11:03 +0800

This is where to download Wireshark:
https://www.wireshark.org/download.html

Wireshark 4.2 for packet analysis, is an open source!
It comes in 64-bit installer for Windows (82MB)

What is a Packet?

QUOTE

In networking, a packet is a small segment of a larger message.
Data sent over computer networks, such as the Internet, is divided into packets.

---Definition by Cloudflare

In other word, a packet is definitely more than a byte, maybe a chunk of bytes.

It lets me choose external capture tools: (including Android device)

It requires external Npcap or WinPcap to capture live network data.

It also requres external USBPcap to capture USB traffic.

What is Packet Capture?

QUOTE

It enables network managers to capture data packets directly from the computer network.
The process is known as packet sniffing.

...which means Wireshark is the network manager, WinPcap and USBPcap is the external driver required by Wireshark to enable live traffic capture.

So this is how Wireshark Start item loooks like in Start menu:

After the window open, it looks like this:

I choose "Capture Wi-Fi":

You can start, stop, restart capture, or select Capture Filters:

Can see "iPhone local", but not sure if this is useful info:

So far, it says 1565 packets, and keep counting.
Looks like the bottom left pane is a information intrepreted from hexdump on the right pane.

Still don't know how to use Wireshark. Time to watch netspooky "Protocol RE" video from start to finish.

[YOUTUBE]ldVHf-HFKQA[/YOUTUBE]

Why Google allow domain renewed before payment?

MatQuasar — Fri, 15 Dec 2023 18:37:15 +0800

Now it is a problem. Google renewed my domain (I cannot login to cancel auto-renewal) and no payment made.

It says next year won't be renewed. But then my account will owe Google the renewal fee.

Why does Google allow renewal before payment? They should do like Exabytes MY where failure to pay will result cancellation of domain.

My first UEFI App that prints "Hello"

MatQuasar — Sun, 10 Dec 2023 06:18:36 +0800

Hooray, I have minimalize the code needed to print "Hello" in EFI Shell.

Actually this is the second time I compile UEFI app, the first one I think is UEFI boot services driver, from:
https://github.com/MichalStrehovsky/zerosharp (efi-no-runtime, C#)

This is what I get when I run my Hi.EFI.

The source code is in Assembly language, to be compiled by FASM.

CODE

format PE64 EFI DLL on 'nul'

section '.code' code readable executable

entry $

; in: rcx = ImageHandle
; rdx = SystemTable

sub rsp,32

mov rcx, qword [rdx + 0x40]
lea rdx, [_msg]
call qword [rcx + 0x08]

add rsp, 32
retn

_msg db 'H',0,'e',0,'l',0,'l',0,'o',0,13,0,10,0,0,0

Actually I skipped the various struct definition, by directly pointing to the offset in EFI_SYSTEM_TABLE and EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL.

I think my code is the shortest possible. Also I learned that text string in UEFI must be UTF-16 .

If you ask me what can I add to this "Hello" UEFI App, maybe can change it to accept key input from user.

This is how I run it:

CODE

"C:\Program Files\qemu\qemu-system-x86_64" -bios OVMF.fd -hda fat:rw:LYN/

LYN is a subfolder where I put Hi.EFI (1024 bytes) executable.

Before I forget, the "on 'nul'" in

CODE

format PE64 EFI DLL on 'nul'

...is to tell the assembler stop generating DOS stub for this EFI App, from what I heard from Tomasz Grystarz.

Is Intel PC preferred than AMD for virtualization?

MatQuasar — Thu, 07 Dec 2023 15:36:58 +0800

I got this error, saying my AMD-V is incompatible with VMware. Looks like must use Intel VT-x.

I used to be VB guy...

MatQuasar — Sat, 04 Nov 2023 23:42:27 +0800

This is a brief story of what I did these years after not becoming programmer in workforce.

Notably I am in my mid-40 and not doing full-time programmer since 2013. Well, I did do a part-time programmer job in 2020.

I used to be a VB guy, VB6 and VB.NET. But after I quit IT job industry, I spent time to run family business, traveled extensively to Australia, doing dispatch rider for 4 years and... start learning computer fundamentals by doing 32-bit and 64-bit low-level programming.

I miss the full-time programmer job. What I did as hobbyist programmer cannot replace the professional job skill demanded by IT companies these days.
I wish I could leverage .NET C# effortlessly compared to programming menial work using Assembly language where I have to write different source code for each CPU architecture and each operating system. It simply is a lot of work, and not easily scalable. Cross compiler and virtual machine bytecode is really good here.

With my age coming to 50, I think no IT company will hire me anymore, especially now is not VB world anymore.
In the mean time, what I can do is keep doing self-learning, understanding the computer fundamentals.

(End of story)

Hosting webspace using GitHub with custom domain

MatQuasar — Tue, 31 Oct 2023 15:56:04 +0800

I see two examples:

https://github.com/binarygolf/binarygolf.github.io --> https://binary.golf

https://github.com/angch/angch.github.io --> https://angch.com

How they do it? I see there is CNAME file.

Does that mean next time we don't need to pay expensive hosting fee, just register a custom domain, and somehow point to GitHub????

A minor difference between CMD and PS

MatQuasar — Sat, 21 Oct 2023 19:21:45 +0800

Few months ago, I accidentally found out a minor difference in command-line parsing between Command Prompt and PowerShell.

Look!

"test2" is a testing program that print command line string returned from GetCommandLineA (available in Kernel32.dll) Win32 API.

As seen, there are two (2) spaces between APPNAME and FILENAME in CMD, but only one space in PS.

Command Prompt:

CODE

00000000 74 65 73 74 32 20 20 74 65 73 74 2E 61 73 6D 20 test2 test.asm
00000010 00 00 00 00 00 00 00 00 42 84 7C 12 68 7C 00 10 ........B.|.h|..

PowerShell:

CODE

00000000 FF FE 22 00 43 00 3A 00 5C 00 55 00 73 00 65 00 ..".C.:.\.U.s.e.
00000010 72 00 73 00 5C 00 42 00 4F 00 4F 00 5C 00 70 00 r.s.\.B.O.O.\.p.
00000020 72 00 6F 00 6A 00 65 00 63 00 74 00 73 00 5C 00 r.o.j.e.c.t.s.\.
00000030 74 00 65 00 73 00 74 00 32 00 2E 00 65 00 78 00 t.e.s.t.2...e.x.
00000040 65 00 22 00 20 00 74 00 65 00 73 00 74 00 2E 00 e.". .t.e.s.t...
00000050 61 00 73 00 6D 00 00 00 00 00 00 00 00 00 00 00 a.s.m...........

Also, PS returned command-line string in UTF-16 encoding, and in quotes.

Not a big deal if using HLL or through CommandLineToArgvW() (available in Shell32.dll), but a quick fix is needed to extract FILENAME from command-line string using GetCommandLineA myself.

I learn it the hard way, because many of my early Win32 programs only work in CMD, but failed to work in PS because command-line parsing is wrong (they are different by one white space).

I share this as an eye-opener for you.

Which command-line processor you use in Windows?

MatQuasar — Mon, 16 Oct 2023 15:21:06 +0800

My favourite is Windows Terminal..... Now there is bash (WSL), Command Prompt, PowerShell...but when I run Terminal it still shows PowerShell.

Console / GUI App Development Service

MatQuasar — Mon, 18 Sep 2023 03:45:15 +0800

Hi, I am fliermate, a freelancer specializing in console app development, or known as command-line programs.
I mainly use FASM as my primary programming language, may or may not require external dependencies to run the programs, depending on the nature of the programs.

Portfolio:
1. File color visualizer - A hexdump program for Win32 that show different color for binary file and text file.
( https://forum.lowyat.net/index.php?showtopic=5398009&hl= )
2. cpubrand - A Win32 console app that prints 12-char processor brand string.
( https://forum.lowyat.net/index.php?showtopi...ost&p=108485045 )

PM or reply below.

How many platform you can do programming?

MatQuasar — Sun, 17 Sep 2023 20:37:40 +0800

Today I am shocked to see a local coder that is specializing in mobile (iOS/Android), web (PHP) and desktop (C++) with simple games!

I thought the norm is at most web and mobile, or web and desktop, not everything!

How many types of target app you can do? Device driver......?

ADDED: I can only do 1, console app.....

How to create 1024-byte PE for BGGP4 code golf

MatQuasar — Sat, 09 Sep 2023 07:28:30 +0800

BGGP4 challenge ( https://binary.golf ) is to create the smallest self-replicating file in file type of your choice.

Here's how I submit my 1024-byte PE as easy entry for it, without tweaking the headers.

Compile success

Replicate

CFF Explorer ( https://ntcore.com/?page_id=388 )

Section Headers

Import Table

It is noticeable that .flat section (512 bytes) joins code section, data section, and import table together.
With the headers (another 512 bytes), it is thus possible to create 1024-byte PE using FASM 1 code.

Code Section

0x00000200

CODE

;section '.code' code readable executable
;entry $

Data Section

0x000002C8

CODE

;section '.data' data readable writeable

Import Table

0x0000031D

CODE

;section '.idata' import readable

The magic is to define import table as below:

CODE

data import

library kernel32, 'KERNEL32.DLL'

import kernel32,\
CopyFile, 'CopyFile',\
GetStdHandle, 'GetStdHandle',\
WriteConsoleA, 'WriteConsoleA',\
CreateFileA, 'CreateFileA',\
ReadFile, 'ReadFile',\
WriteFile, 'WriteFile',\
CloseHandle, 'CloseHandle',\
ExitProcess,'ExitProcess'

end data

1024 bytes is not the smallest, but it is effortless to achieve nonetheless.

N.Korean campaign targeting security researchers

MatQuasar — Fri, 08 Sep 2023 14:56:32 +0800

Active North Korean campaign targeting security researchers
Sep 07, 2023

3 min read

Source: https://blog.google/threat-analysis-group/a...ty-researchers/

QUOTE

Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.

QUOTE

While our analysis of this campaign continues, we are providing an early notification of our initial findings to warn the security research community. We hope this post will remind security researchers that they could be targets of government backed attackers and to stay vigilant of security practices.

DO NOT Download the following software:

Stay Away from @paul091_ social media account.

QUOTE

Actor controlled sites and accounts
GetSymbol:

https://github[.]com/dbgsymbol/
https://dbgsymbol[.]com
50869d2a713acf406e160d6cde3b442fafe7cfe1221f936f3f28c4b9650a66e9
0eedfd4ab367cc0b6ab804184c315cc9ce2df5062cb2158338818f5fa8c0108e
2ee435bdafacfd7c5a9ea7e5f95be9796c4d9f18643ae04dca4510448214c03c
5977442321a693717950365446880058cc2585485ea582daa515719c1c21c5bd
C2 IPs/Domains:

23.106.215[.]105
www.blgbeach[.]com
X (formerly Twitter) Accounts

https://twitter.com/Paul091_
Wire Accounts

@paul354
Mastodon Account:

https://infosec.exchange/@paul091_

Upgraded from WSL1 to WSL2

MatQuasar — Wed, 06 Sep 2023 17:00:23 +0800

I have just upgraded my WSL1 to WSL2 (Windows Subsystem Linux)

A screenshot tells thousand words:

Reference: Comparing WSL Versions https://learn.microsoft.com/en-us/windows/w...ompare-versions

In short, WSL2 is full Linux kernel, others are same as WSL1. I heard that WSL2 supports GUI app, but I got "Segmentation fault" error when running my own Linux GUI program.

This is how I follow the online tutorial to convert from WSL1 to WSL2:

Start PowerShell and Run as Administrator:

CODE

Enable-WindowsOptionalFeature -Online -FeatureName VirtualMachinePlatform

After that need to restart PC....

Then download and install wsl_update_x64.msi ( https://wslstorestorage.blob.core.windows.n..._update_x64.msi )

Finally type:

CODE

wsl --set-default-version 2

CODE

wsl --set-version Ubuntu-22.04 2

....where Ubuntu-22.04.2 may vary depending on what you see on:

CODE

C:\WINDOWS\system32>wsl --list --verbose

NAME STATE VERSION
* Ubuntu-22.04 Stopped 2

Finding AddressOfEntryPoint of PE using PE-bear

MatQuasar — Mon, 04 Sep 2023 12:50:13 +0800

Hello all, from now on I will share my reverse-engineering articles on here.

If you miss my previous articles (in forum posts format), here are they:

* First time using WinDbg ( https://forum.lowyat.net/topic/5348191 )
* First time using IDA Free! ( https://forum.lowyat.net/topic/5369013 )
* Using IDA Free - Part 2 ( https://forum.lowyat.net/topic/5375495 )
* Using IDA Free, Part 3, Investigate Windows syscall ( https://forum.lowyat.net/topic/5385943 )
* Introducing ProcMon, "Hack" software process ( https://forum.lowyat.net/index.php?showtopic=5001505 )

(Tullamarine, FlierMate4 and FlierMate were my forum user accounts.)

Today, I will try using PE-bear for the first time, for a simple task, finding the AddressOfEntryPoint in PE (Portable Executable) files.

PE-bear ( https://github.com/hasherezade/pe-bear ) is a tool made by malware analyst hasherezade.

Let's start! I will try analyze Windows WordPad (write.exe).

AddressOfEntryPoint is 0x1430, a Virtual Address relative to Image Base. It is runtime address in memory, not disk offset (0x830).

PE-bear disassembles the first instruction as: sub rsp, 0x20 (stack alignment commonly seen in PE32+)

I can verify the findings in PE-bear using other tools like PE Dump, or PeBytesF.exe by 440bx ( https://forum.lazarus.freepascal.org/index.php?topic=46617.0 ).

As seen in the screenshot below, AddressOfEntryPoint RVA is 0x1430, and FO (File Offset) is 0x830.

Or I can also use CFF Explorer ( https://ntcore.com/?page_id=388 ).

The last resort is using hex editor / viewer to locate the offset in Optional Header. As seen from binary analysis of PE-bear for write.exe, the offset is 0x108 from the beginning of file, but this is tricky if the PE file has custom size of DOS Stub (where I will need to read offset in 0x3C).

I think that's all for my first guide. Thank you for reading!