Apple Defences - APFS and the SSV
APFS does not just store files: it turns filesystem structure into defence. Snapshots, seals, and SSV show why root is no longer the supreme deity of modern ...
Explore the evolution of filesystems: from FFS and ZFS to APFS. Discover why modern storage is no longer just about data, but a core pillar of macOS platform...
Beyond tools: master your security by stripping metadata, securing SSH keys, and managing your digital twin. Learn why the human factor is the ultimate attac...
Frida failed, so I sniffed the air. The QardioBase2 hides raw data in a binary labyrinth but leaves the master key under the mat: plain text JSON measurement...
Is email privacy a myth? From PGP and SMTP risks to why Italy’s PEC is just security landscape. A cynical guide to choosing the right providers, clients, and...
Professional macOS secrets management: why Apple Keychain fails for power users and how to master .kdbx, Strongbox, and YubiKeys for a hardened workflow.
Master browser hardening on macOS (2026): A deep dive into Safari and Firefox compartmentalization. Learn to implement advanced sandboxing and reduce your pr...
Step-by-step macOS network hardening: Deploy a 3-layer defense strategy featuring DNS filtering and advanced firewall rules. Protect your system against pers...
Introducing rotations in AArch64, why ROL doesn’t exist, and a first look at theMechanix — a new tool for malware analysis.
Beyond security checklists: A technical series on macOS Hardening (2026). Apply real-world threat modelling to build granular defenses and understand the tru...
Notarization is not a seal of approval. It’s a statement of non-objection: Apple scanned an artifact at submission time and found nothing that triggered its ...
A hands-on exploration of boolean logic and shift operations on AArch64, driven by debugging rather than theory. This lesson focuses on how small, legal deta...
In this post we explore how AArch64 programs actually execute, stepping through instructions with LLDB instead of relying on abstract explanations or “hello ...
A deep, hands-on walkthrough of LC_CODE_SIGNATURE across three Mach-O binaries — from an ad-hoc do-nothing app to Safari’s full Apple-grade signature. We in...
In this lesson we examine what really happens when data moves through registers and execution jumps across routines. We introduce the ABI and AAPCS64, explai...
Before we can reverse anything, we need a precise mental model of how ARM64 actually works. In this first lesson we cover the essential foundations: data siz...
Assembly is the only place where software stops lying. High-level languages hide the truth; instructions expose it. Understanding AArch64 gives you the abili...
A quarter century in pentesting taught me one thing: real reversing knowledge is intentionally rare. Not because it’s hard — but because people want to keep ...
Zero the Hero (0tH) is a modern, Rust-no-panic Mach-O analysis tool focused on precise Load Command parsing, code-signing internals, entitlements, and strict...
Code Signing is the foundation of macOS security. Learn how SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE actually work under the hood.
Gatekeeper is macOS’s pre-execution policy engine — not an antivirus, but a trust enforcement layer that decides whether code may run based on its signature,...
A concise dissection of Apple’s built-in security controls. Not marketing — real mechanisms, real boundaries, and how attackers see them.
The Qardio app is gone, leaving the QardioBase2 scale a “zombie.” Follow my journey through iOS BLE logs, GATT discovery, and broken WiFi backends to bring t...
Step-by-step guide to setting up a macOS virtual machine for malware reversing — from choosing the right hypervisor to securing your environment against self...
First-hand notes from Objective By The Sea: why I attended Patrick Wardle’s Mac malware course, what I learned, and the ideas worth following up.
0tH is closed source by design. This post explains why craftsmanship, responsibility, and signal matter more than ideology. I’ll keep building tools that solv...
The Byte Architect - December - News
The Byte Architect - November - News
A hands-on, mathematically honest walkthrough of Merkle trees. From tagged hashing to proofs, root verification, ordering guarantees, and padding strategies u...
Zero the Hero (0tH) 2.0 is out. A Mach-O triage tool for macOS security work, focused on structural inspection and code-signing analysis, with both CLI and R...
Why I use LLMs to polish my tone. Think first, then speak.
Noise filtering in progress. Brief downtime scheduled. Nothing changes for real readers.
MFA is not enough. Discover Electric Eye: a Rust-powered Firefox extension that detects AitM proxies and Reverse Proxies in real-time by sniffing DOM leaks a...
Starkiller & AitM: Why MFA is no longer enough. Discover how real-time proxies bypass security and how to fight back with FIDO2, JA3 fingerprinting, and ...