Hacker Moleskine

Growing a unique function signature without rescanning the binary

Mahmoud — Sun, 31 May 2026 00:00:00 -0700

A byte signature is how a reverse engineer says "this function, the one I named and annotated last week, is the same code over here in the new build." You pick a sequence of bytes from the function, wildcard out the parts that move between compiles (relative call targets, absolute …

How do you know your Cython hot loop is fast enough?

Mahmoud — Fri, 15 May 2026 00:00:00 -0700

A while back I wrote about using Cython to speed up IDA Pro plugins: you keep the Python plugin ecosystem, you cross the Python/C boundary once, and you let the heavy loop run as C. The running example was ida-sigmaker, my signature-maker plugin, which got optional SIMD speedups in …

Building a compile-time x86 assembler in C++20

Mahmoud — Mon, 26 Jan 2026 00:00:00 -0800

When you write shellcode by hand, you typically end up with something like this:

const uint8_t shellcode[] = {
    0x48, 0x89, 0xc3,  // mov rbx, rax
    0x48, 0x83, 0xc0, 0x10,  // add rax, 0x10
    0xc3  // ret
};

It works, but it is error prone. Did I get the REX prefix right? Is 0x89 the correct …

IDA Pro and Cython: super-charging the work-horse of reverse engineering

Mahmoud — Fri, 01 Aug 2025 00:00:00 -0700

Python is an incredibly powerful language. It powers AI research, backend servers and, crucially for security researchers, the scripting interfaces of the big three disassemblers: IDA Pro, Ghidra and Binary Ninja. Because it is easy to read and write, Python has become the de facto lingua franca of malware analysis …

Passing the baton of leadership at VGS (f.k.a. Very Good Security)

Mahmoud Abdelkader — Wed, 16 Nov 2022 11:50:00 -0800

Sensitive data is valuable, but possessing it is risky and costly. This was the understanding Marshall Jones and I had when we started VGS (Very Good Security) almost eight years ago. Storing sensitive data, by accepting customer credit card numbers for instance, enables businesses to charge their customers for the …

A New Year -- a New Beginning

Mahmoud — Wed, 02 Jan 2013 00:00:00 -0800

As we say goodbye to 2012 and welcome 2013, I'd like to reflect on the opportunities ahead, but first, I want to say a few words about last year. Last year has been a tremendous blessing for me, as I've seen personal growth in both leadership and overall as a …

Developing a nose Test Plugin to Time Python Tests

Mahmoud — Mon, 28 Feb 2011 14:28:00 -0800

Nose is a fantastic testing framework. What surprises me though, is that there's no out of the box plugin to time tests to see which tests are the slowest, and most likely, problematic. After all, unit tests are supposed to be wicked fast. I googled, but nothing really came up …

Arbitrary Stack Trace in Python

Mahmoud — Fri, 11 Feb 2011 15:52:00 -0800

I had a need to trace a function's call stack to identify call chain paths in some difficult-to-follow Python code that was laced with lots of magic and abstractions.

I tried stepping through ipdb, but it took forever. So, I thought to myself, why can't I just take a stack …

Reading and Writing Null-Terminated CSV Files in Python

Mahmoud — Sun, 12 Sep 2010 18:42:00 -0700

I've recently had to do some work that required sorting a very large CSV file, containing fields with embedded newlines, quickly. As it turns out, Linux comes with a sort implementation that has a "--zero-terminated" option, which sorts on null-terminated delimited strings instead of the default newline separator.

Writing null-terminated …

A Pythonic n-wise Iterator for Any Iterable

Mahmoud — Tue, 01 Jun 2010 00:48:00 -0700

Over the weekend, I was working on upgrading python-ngrams because I had discovered a bug where the tokenization was incorrect. I was reading a research paper that was describing q-grams and while following their examples, I realized I was getting incorrect results for a fundamental n-gram result.

The tokenization that's …

Python 2.6.4 and Twisted 9 on OS X 10.6 Snow Leopard

Mahmoud — Sun, 27 Dec 2009 02:06:00 -0800

I just recently purchased a MacBook Pro, which comes with Snow Leopard installed, and I noticed that it comes with python 2.6.1 installed. I wanted to upgrade to the latest python release of 2.6.4, so I tried installing the official python Mac OS distribution from python …

Verifying Python64 builds

Mahmoud — Mon, 06 Jul 2009 11:24:00 -0700

At work, I'm migrating over python to our 64bit machines and one thing that I've noticed was that there really was no standard python 64bit verification method to ensure the build was really 64bit or not. I've read somewhere previously, especially for the Mac OS X crowd, that the LDFLAGS …