For the folks who are new here, I’m extremely long winded. You can skip down a bit to see how I got from OSINT to UART enumeration and a remote root terminal if you’d like, but I prefer telling the complete story.

Boring Intro Stuff (Not Hardware Enumeration)

It’s been a while since I’ve posted here. I was doing malware analysis a few years ago, did a bit of embedded device exploitation, used that to get a role at CACI, moved on to government with Sandia…it’s been a busy couple of years. I wanted to post something here sooner, I…

Update: Folks, I’ve encountered two issues that are going to delay the next part of this subseries by a bit. First, the OpenZDK Client for Debugging seems to have been erased from the internet. I can still build programs, but this means that I will have to write my own network based debugger. I’ve written small, simple windows debuggers before, so this should be a fun challenge, but it will take a while.

Second, to prepare for my position this summer, I’m learning Android Linux kernel exploitation. This will be very helpful for Zune exploitation, but it will also take…

This concept is kind of a shaky basis for a full article, so I decided to make it a mini article.

Those who read my last article will remember that while fuzzing Windows Media Player for Pocket PC, I ran into trouble restarting the program:

At the time, I accepted this as an inherent difference in Windows CE resource allocation. Recently, however, I discovered that was not the case. I managed to successfully extract Windows Media Player for Pocket PC and started reverse engineering it. What I found intrigued me.

A short while after I posted my last article, tragedy struck. My Windows CE 2.11 palmtop broke traveling between floors in my building.

My poor little guy

Fortunately, I had a backup plan. My HP iPAQ Pocket PC was ready to go.

My palmtop breaking may have actually been a good thing, because it meant that I was finally free of Windows CE 2.11 and ready to move on to a more modern OS, Pocket PC 2003.

Pocket PC 2003 sports modern features like:

  • CreateProcess() being a powerful API command with usable options rather than a glorified ShellExecuteEx()
  • Modern Winsock commands that allow for…

It’s been quite a long time, friends. As you can probably tell by reading the previous articles series was the start of my reverse engineering journey. I started it back when I was still studying malware analysis in preparation for the GREM. I had always been fascinated by Windows CE PDA’s, and I was aching to learn more about this “exploit development” thing I kept hearing about. With very little knowledge I managed to do some things that I still, with all that I’ve recently learned, find a bit impressive. I managed to learn a long forgotten machine language write…

Author’s Note: I’ll be cross posting this article here and on I’m transitioning away from Medium due to the premium membership requirements for readers.


I decided to make this article after struggling to set up simulated networking on my own malware analysis lab due to outdated guides. I realized that an updated guide may help some people. This guide is also related to an upcoming series where I demonstrate static analysis, dynamic analysis, and memory analysis of kernel mode rootkits.

This guide requires:

  • VirtualBox on a Windows host (7, 8.1, …

I want to preface this article by saying that if you’re like me, new to malware analysis and on a budget, studying without access to course materials may not be the best option for you. The best way to pursue the SANS GREM certification without a source of funding for the course is to apply for the SANS Work Study program for the FOR610 course. In exchange for assisting the course instructor, you will be allowed to evaluate the course and attempt the certification exam. You will also be provided copies of the books and course materials, which cannot be…

Author’s Note: When I say that shellcode is ASCII formatted, I’m referring to functions that accept ASCII strings. Two of the characters used in this shellcode are not valid ASCII characters, but they’ll get past strcpy and most other ASCII string functions that are just looking for a null terminator.

I’ve decided to make this part of the series an interlude because it wanders a bit outside of the scope of the main series. While I may not be able to apply the shellcode I’ve developed in this article to Windows CE 2.11 Unicode filtered buffers, I figured it would…

Author’s Note: This shellcode was produced as part of a PoC exploit for the buffer overflow found in this article:

This is a long article, but I figured some people may only be interested in the principles behind analyzing parameters to create shellcode, the shellcode itself, or the difference between this shellcode and other Windows CE shellcode. For this reason, I broke up the article into sections with bolded headers. I hope you enjoy it!

I decided to include the word “philosophy” in the title because like the vast majority of shellcode examples for Windows CE (three out of the…

Welcome back to SH3 exploit development! Sorry if this part of the series is a bit more informal than the last few. I’m very excited and I want to show you all everything. I’m just going to get into it, I found another buffer overflow that overwrites the PC, but this time there’s also ample space in memory to store shellcode, and I can actually point to it!

This isn’t the only program I’ve been testing while I’ve been gone. Freeware Windows CE 2.11 programs seem to be lousy with buffer overflows. There’s no SEH and program exception handlers can…

Elias Augusto

Enjoys edev, cyber forensics, hardware hacking, and RE, former CACI BIT Systems intern, GREM, Security+

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store