Hi! I’m a software developer by trade with a passion for reverse engineering. I write about the stuff I find interesting along the way. All views are my own. Feel free to get in touch:

branw branw brandon at branw dot xyz

Customizing OneNote 16's Custom Pens

Modifying the custom pens in OneNote 16 beyond the defined presets

Microsoft’s OneNote is an incredibly useful tool for note organization and, with the advent of 2-in-1 devices, digital inking. I have personally been using the Android version with an active stylus and recently moved over to Windows, only to realize that the default pen colors and sizes are slightly different. For the sake of consistency between notes, I was interested in tweaking these settings to be reasonably similar across versions. Unfortunately, there did not appear to be any OneNote extensions or programs for accomplishing this easily.

This write-up describes the process of discovering where the values are persistently stored and how they can be conveniently modified.

XORing Strings in the Twenty-First Century

Statically encoding strings with runtime decryption

When attempting to remain out of sight from string-reliant detection systems, whether it be anti-cheat engines or even just the novice reverse engineer, XORing is a commonly used technique. This is not a new-fangled technique by far and truly only serves to defeat naïve static analysis; not only can the cipher text be trivially decoded by hand, but the plaintext is stored as clear as day in memory after first use. Rather, this is a way to escape signature scans of, e.g., .rodata.

Such techniques have been employed for quite a while, mainly in unsavory programs such as malware and game cheats. Traditionally, this involved a pseudo-preprocessor build step that would replace wrapped strings with encoded equivalents and include a runtime decoding function. With the advent of C++11 and modern template intricacies, however, it is now possible to carry out this encoding process at compile-time without any external tooling.

Strategies for CyberPatriot

A look inside how the high school cybersecurity competition CyberPatriot calculates score and the lessons learned from such analysis

CyberPatriot is a secondary school-level cybersecurity competition based around hardening instances of desktop and server machines. Sponsored by the Air Force Association and Northrop Grumman, the program is an initiative to inspire a new generation of engineers for the adapting government landscape. It presents a unique experience, especially to those without any prior introduction to the subject matter.

Unfortunately, much of the competition is hazed with an air of mystery; if not for the upperclassmen who had first introduced me, I would have had no idea what CyberPatriot entailed before diving straight in on competition day. Even after two years I realized I wasn’t much more aware of what was really going on beyond the Mario coin sound playing every time I got lucky with installing anti-virus software. This expository piece is my effort to alleviate this void in understanding, if not only for myself but for any other CyberPatriot competitor stuck in the same rut.

PACTF 2016 Write-ups

Walkthroughs of the cryptography, forensics, and web challenges of the 2016 Phillips Academy Capture The Flag competition

PACTF, as hosted by Phillips Academy, was a three-round capture-the-flag that took place from April 10th to May 1st. This competition was unique in that it featured a week-long competition window allowing contestants to select their own forty-eight hour time frame. The rounds covered a variety of subject matters and offered challenges ranging from beginner to downright difficult.

We are the Forest Park Bruins, a team of five high school students and aspiring computer scientists from Woodbridge, Virginia:

  • Brandon Walker, yours truly
  • Hamza Mir
  • Mathew Cinnamon
  • Michelle Miller
  • Joseph Bokossa

These write-ups will attempt to provide context and strategies for the competition’s problem set. Due to the inopportune timing of the competition, however, not all solves are documented. Nevertheless, code snippets beginning with $ were run in zsh on Ubuntu 14.04, while snippets beginning with >>> were run in Python 3.5.