From 5dc7c0dc1ad55f6d7d096f84bb7e6a2b32fdd710 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Fri, 11 Jul 2025 12:44:12 +0000
Subject: [PATCH] Add content from: Evolving Tactics of SLOW#TEMPEST: A Deep
 Dive Into Advanced ...

---
 .../malware-analysis.md                       | 93 ++++++++++++++++++-
 .../reversing-native-libraries.md             |  8 +-
 .../ios-pentesting-without-jailbreak.md       |  2 +-
 .../sql-injection/ms-access-sql-injection.md  |  4 +-
 4 files changed, 99 insertions(+), 8 deletions(-)

diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
index 034701f47..c42a193fb 100644
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@@ -169,7 +169,98 @@ If the files of a folder **shouldn't have been modified**, you can calculate the
 
 When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
 
-{{#include ../../banners/hacktricks-training.md}}
+---
 
+## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
 
+Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
 
+The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
+
+### 1. Locate every indirect jump / call
+
+```python
+import idautils, idc
+
+for ea in idautils.FunctionItems(idc.here()):
+    mnem = idc.print_insn_mnem(ea)
+    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
+        print(f"[+] Dispatcher found @ {ea:X}")
+```
+
+### 2. Extract the dispatcher byte-code
+
+```python
+import idc
+
+def get_dispatcher_start(jmp_ea, count=9):
+    s = jmp_ea
+    for _ in range(count):
+        s = idc.prev_head(s, 0)
+    return s
+
+start = get_dispatcher_start(jmp_ea)
+size  = jmp_ea + idc.get_item_size(jmp_ea) - start
+code  = idc.get_bytes(start, size)
+open(f"{start:X}.bin", "wb").write(code)
+```
+
+### 3. Emulate it twice with Unicorn
+
+```python
+from unicorn import *
+from unicorn.x86_const import *
+import struct
+
+def run(code, zf=0, cf=0):
+    BASE = 0x1000
+    mu = Uc(UC_ARCH_X86, UC_MODE_64)
+    mu.mem_map(BASE, 0x1000)
+    mu.mem_write(BASE, code)
+    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
+    mu.reg_write(UC_X86_REG_RAX, 0)
+    mu.emu_start(BASE, BASE+len(code))
+    return mu.reg_read(UC_X86_REG_RAX)
+```
+
+Run `run(code,0,0)` and `run(code,1,1)` to obtain the *false* and *true* branch targets.
+
+### 4. Patch back a direct jump / call
+
+```python
+import struct, ida_bytes
+
+def patch_direct(ea, target, is_call=False):
+    op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
+    disp = target - (ea + 5) & 0xFFFFFFFF
+    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
+```
+
+After patching, force IDA to re-analyse the function so the full CFG and Hex-Rays output are restored:
+
+```python
+import ida_auto, idaapi
+idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
+```
+
+### 5. Label indirect API calls
+
+Once the real destination of every `call rax` is known you can tell IDA what it is so parameter types & variable names are recovered automatically:
+
+```python
+idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
+```
+
+### Practical benefits
+
+* Restores the real CFG → decompilation goes from *10* lines to thousands.
+* Enables string-cross-reference & xrefs, making behaviour reconstruction trivial.
+* Scripts are reusable: drop them into any loader protected by the same trick.
+
+---
+
+## References
+
+- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
+
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
index 03213da50..ea060841d 100644
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -61,7 +61,7 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 004d7bf0e..791da2761 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index 913a7a03f..5b9778a7a 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker