Rotations and theMechanix
Introducing rotations in AArch64, why ROL doesn’t exist, and a first look at theMechanix — a new tool for malware analysis.
Posts by Tag
- macos-reversing 9
- assembly 7
- apple-security-101 6
- macos-hardening 6
- lore 5
- macos-structure 4
- malware-analysis 2
- 0tH 2
- load-commands 2
- aradia 2
- I-did-the-math-so-you-dont-have-to 1
- #load-commands 1
- #LC_CODE_SIGNATURE 1
- LC_CODE_SIGNATURE 1
- Electric-Eye 1
- Rust 1
- reverse-engineering 1
macos-reversing
Binary Logic, Shifts, and the Zero Register
A hands-on exploration of boolean logic and shift operations on AArch64, driven by debugging rather than theory. This lesson focuses on how small, legal deta...
Understanding Instruction Flow on AArch64 with LLDB
In this post we explore how AArch64 programs actually execute, stepping through instructions with LLDB instead of relying on abstract explanations or “hello ...
More on registers: the ABI
In this lesson we examine what really happens when data moves through registers and execution jumps across routines. We introduce the ABI and AAPCS64, explai...
Introduction to registers
Before we can reverse anything, we need a precise mental model of how ARM64 actually works. In this first lesson we cover the essential foundations: data siz...
Preparing to Reverse
Assembly is the only place where software stops lying. High-level languages hide the truth; instructions expose it. Understanding AArch64 gives you the abili...
Reversing 101 - introduction
A quarter century in pentesting taught me one thing: real reversing knowledge is intentionally rare. Not because it’s hard — but because people want to keep ...
Zero the Hero - A Modern Blade for Carving Through Mach-O
Zero the Hero (0tH) is a modern, Rust-no-panic Mach-O analysis tool focused on precise Load Command parsing, code-signing internals, entitlements, and strict...
After OBTS 8.0
First-hand notes from Objective By The Sea: why I attended Patrick Wardle’s Mac malware course, what I learned, and the ideas worth following up.
assembly
Rotations and theMechanix
Introducing rotations in AArch64, why ROL doesn’t exist, and a first look at theMechanix — a new tool for malware analysis.
Binary Logic, Shifts, and the Zero Register
A hands-on exploration of boolean logic and shift operations on AArch64, driven by debugging rather than theory. This lesson focuses on how small, legal deta...
Understanding Instruction Flow on AArch64 with LLDB
In this post we explore how AArch64 programs actually execute, stepping through instructions with LLDB instead of relying on abstract explanations or “hello ...
More on registers: the ABI
In this lesson we examine what really happens when data moves through registers and execution jumps across routines. We introduce the ABI and AAPCS64, explai...
Introduction to registers
Before we can reverse anything, we need a precise mental model of how ARM64 actually works. In this first lesson we cover the essential foundations: data siz...
Preparing to Reverse
Assembly is the only place where software stops lying. High-level languages hide the truth; instructions expose it. Understanding AArch64 gives you the abili...
Reversing 101 - introduction
A quarter century in pentesting taught me one thing: real reversing knowledge is intentionally rare. Not because it’s hard — but because people want to keep ...
apple-security-101
Apple Defences - APFS and the SSV
APFS does not just store files: it turns filesystem structure into defence. Snapshots, seals, and SSV show why root is no longer the supreme deity of modern ...
Apple Notarization
Notarization is not a seal of approval. It’s a statement of non-objection: Apple scanned an artifact at submission time and found nothing that triggered its ...
Reading LC_CODE_SIGNATURE with 0tH
A deep, hands-on walkthrough of LC_CODE_SIGNATURE across three Mach-O binaries — from an ad-hoc do-nothing app to Safari’s full Apple-grade signature. We in...
Code Signing: SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE
Code Signing is the foundation of macOS security. Learn how SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE actually work under the hood.
Apple Gatekeeper
Gatekeeper is macOS’s pre-execution policy engine — not an antivirus, but a trust enforcement layer that decides whether code may run based on its signature,...
Apple Defences
A concise dissection of Apple’s built-in security controls. Not marketing — real mechanisms, real boundaries, and how attackers see them.
macos-hardening
Hardening macOS part 6: The Human Surface and Metadata Risks
Beyond tools: master your security by stripping metadata, securing SSH keys, and managing your digital twin. Learn why the human factor is the ultimate attac...
Hardening macOS 5: Secure Email Clients, Providers, and Encryption Tools
Is email privacy a myth? From PGP and SMTP risks to why Italy’s PEC is just security landscape. A cynical guide to choosing the right providers, clients, and...
Hardening macOS 4: Secrets Management & Hardware Security Keys
Professional macOS secrets management: why Apple Keychain fails for power users and how to master .kdbx, Strongbox, and YubiKeys for a hardened workflow.
Hardening macOS pt.3: Browsers compartmentalisation
Master browser hardening on macOS (2026): A deep dive into Safari and Firefox compartmentalization. Learn to implement advanced sandboxing and reduce your pr...
First hardening of the network layer
Step-by-step macOS network hardening: Deploy a 3-layer defense strategy featuring DNS filtering and advanced firewall rules. Protect your system against pers...
macOS Hardening: a new series
Beyond security checklists: A technical series on macOS Hardening (2026). Apply real-world threat modelling to build granular defenses and understand the tru...
lore
Year Zero
0tH is closed source by design. This post explains why craftsmanship, responsibility, and signal matter more than ideology.I’ll keep building tools that solv...
0tH2026.2.0 Released
Zero the Hero (0tH) 2.0 is out. A Mach-O triage tool for macOS security work, focused on structural inspection and code-signing analysis, with both CLI and R...
Byte Architect War Journal - December
The Byte Architect - December - News
Zero the Hero - A Modern Blade for Carving Through Mach-O
Zero the Hero (0tH) is a modern, Rust-no-panic Mach-O analysis tool focused on precise Load Command parsing, code-signing internals, entitlements, and strict...
Byte Architect War Journal - November
The Byte Architect - November - News
macos-structure
Filesystem Wars: Why Your Choice of Storage is Actually a Security Move
Explore the evolution of filesystems: from FFS and ZFS to APFS. Discover why modern storage is no longer just about data, but a core pillar of macOS platform...
Apple Notarization
Notarization is not a seal of approval. It’s a statement of non-objection: Apple scanned an artifact at submission time and found nothing that triggered its ...
Apple Gatekeeper
Gatekeeper is macOS’s pre-execution policy engine — not an antivirus, but a trust enforcement layer that decides whether code may run based on its signature,...
Apple Defences
A concise dissection of Apple’s built-in security controls. Not marketing — real mechanisms, real boundaries, and how attackers see them.
malware-analysis
Mac Malware Reversing Lab
Step-by-step guide to setting up a macOS virtual machine for malware reversing — from choosing the right hypervisor to securing your environment against self...
After OBTS 8.0
First-hand notes from Objective By The Sea: why I attended Patrick Wardle’s Mac malware course, what I learned, and the ideas worth following up.
0tH
0tH2026.2.0 Released
Zero the Hero (0tH) 2.0 is out. A Mach-O triage tool for macOS security work, focused on structural inspection and code-signing analysis, with both CLI and R...
Zero the Hero - A Modern Blade for Carving Through Mach-O
Zero the Hero (0tH) is a modern, Rust-no-panic Mach-O analysis tool focused on precise Load Command parsing, code-signing internals, entitlements, and strict...
load-commands
Reading LC_CODE_SIGNATURE with 0tH
A deep, hands-on walkthrough of LC_CODE_SIGNATURE across three Mach-O binaries — from an ad-hoc do-nothing app to Safari’s full Apple-grade signature. We in...
Zero the Hero - A Modern Blade for Carving Through Mach-O
Zero the Hero (0tH) is a modern, Rust-no-panic Mach-O analysis tool focused on precise Load Command parsing, code-signing internals, entitlements, and strict...
aradia
Bypassing MFA with Reverse Proxies: Building a Rust-based Firefox Extension to Kill AitM Phishing
MFA is not enough. Discover Electric Eye: a Rust-powered Firefox extension that detects AitM proxies and Reverse Proxies in real-time by sniffing DOM leaks a...
Starkiller Phishing Kit: Why MFA Fails Against Real-Time Reverse Proxies
Starkiller & AitM: Why MFA is no longer enough. Discover how real-time proxies bypass security and how to fight back with FIDO2, JA3 fingerprinting, and ...
I-did-the-math-so-you-dont-have-to
Merkle Trees
A hands-on, mathematically honest walkthrough of Merkle trees.From tagged hashing to proofs, root verification, ordering guarantees, and padding strategies u...
#load-commands
Code Signing: SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE
Code Signing is the foundation of macOS security. Learn how SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE actually work under the hood.
#LC_CODE_SIGNATURE
Code Signing: SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE
Code Signing is the foundation of macOS security. Learn how SuperBlobs, CodeDirectory, and LC_CODE_SIGNATURE actually work under the hood.
LC_CODE_SIGNATURE
Reading LC_CODE_SIGNATURE with 0tH
A deep, hands-on walkthrough of LC_CODE_SIGNATURE across three Mach-O binaries — from an ad-hoc do-nothing app to Safari’s full Apple-grade signature. We in...
Electric-Eye
Bypassing MFA with Reverse Proxies: Building a Rust-based Firefox Extension to Kill AitM Phishing
MFA is not enough. Discover Electric Eye: a Rust-powered Firefox extension that detects AitM proxies and Reverse Proxies in real-time by sniffing DOM leaks a...
Rust
Bypassing MFA with Reverse Proxies: Building a Rust-based Firefox Extension to Kill AitM Phishing
MFA is not enough. Discover Electric Eye: a Rust-powered Firefox extension that detects AitM proxies and Reverse Proxies in real-time by sniffing DOM leaks a...
reverse-engineering
Reverse with me - Qardio necromancy
The Qardio app is gone, leaving the QardioBase2 scale a “zombie.” Follow my journey through iOS BLE logs, GATT discovery, and broken WiFi backends to bring t...