Hacker News: tonygohttps://news.ycombinator.com/user?id=tonygoHacker News RSShttps://hnrss.org/hnrss v2.1.1Thu, 16 Apr 2026 15:40:36 +0000<![CDATA[Compute iOS XNU offset from kernel cache]]>Article URL: https://blog.reversesociety.co/blog/2026/kernel-rw-not-enough-extract-offsets-from-xnu-kernelcaches

Comments URL: https://news.ycombinator.com/item?id=47719968

Points: 34

# Comments: 0

]]>Fri, 10 Apr 2026 15:51:21 +0000https://blog.reversesociety.co/blog/2026/kernel-rw-not-enough-extract-offsets-from-xnu-kernelcachestonygohttps://news.ycombinator.com/item?id=47719968https://news.ycombinator.com/item?id=47719968<![CDATA[New comment by tonygo in "I found a secret protocol in Predator Spyware – iOS"]]>How does mercenary spyware actually control an iPhone? In this video, I reverse engineer the Predator spyware to uncover the secret internal protocol it uses to activate surveillance modules.

This is a summary of my technical research published on the Reverse Society blog. While analyzing the surveillance framework, I discovered a hidden custom text-based protocol that orchestrates the malware's operations (Camera, VoIP, etc.).

]]>Mon, 19 Jan 2026 21:00:19 +0000https://news.ycombinator.com/item?id=46684435tonygohttps://news.ycombinator.com/item?id=46684435https://news.ycombinator.com/item?id=46684435<![CDATA[I found a secret protocol in Predator Spyware – iOS]]>Article URL: https://www.youtube.com/watch?v=Q5A2Ydd1L9A

Comments URL: https://news.ycombinator.com/item?id=46684434

Points: 1

# Comments: 1

]]>Mon, 19 Jan 2026 21:00:19 +0000https://www.youtube.com/watch?v=Q5A2Ydd1L9Atonygohttps://news.ycombinator.com/item?id=46684434https://news.ycombinator.com/item?id=46684434<![CDATA[Predator iOS Spyware: Build a Surveillance Framework]]>Article URL: https://blog.reversesociety.co/blog/2025/predator-ios-malware-surveillance-framework-part-1

Comments URL: https://news.ycombinator.com/item?id=46529920

Points: 2

# Comments: 0

]]>Wed, 07 Jan 2026 18:01:12 +0000https://blog.reversesociety.co/blog/2025/predator-ios-malware-surveillance-framework-part-1tonygohttps://news.ycombinator.com/item?id=46529920https://news.ycombinator.com/item?id=46529920<![CDATA[macOS Ransomware: NotLockBit]]>Article URL: https://www.sentinelone.com/blog/macos-notlockbit-evolving-ransomware-samples-suggest-a-threat-actor-sharpening-its-tools/

Comments URL: https://news.ycombinator.com/item?id=41942457

Points: 1

# Comments: 0

]]>Fri, 25 Oct 2024 05:25:24 +0000https://www.sentinelone.com/blog/macos-notlockbit-evolving-ransomware-samples-suggest-a-threat-actor-sharpening-its-tools/tonygohttps://news.ycombinator.com/item?id=41942457https://news.ycombinator.com/item?id=41942457<![CDATA[Ptrace internals: How it prevents debugger attachment]]>Article URL: https://tonygo.netlify.app//2024/anti-debugging-using-ptrace/

Comments URL: https://news.ycombinator.com/item?id=41928983

Points: 2

# Comments: 0

]]>Wed, 23 Oct 2024 20:26:48 +0000https://tonygo.netlify.app//2024/anti-debugging-using-ptrace/tonygohttps://news.ycombinator.com/item?id=41928983https://news.ycombinator.com/item?id=41928983<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>I try to transform my C program into a long living one (just adding a sleep).

https://github.com/tony-go/antidebug-examples/pull/1

At first, it appears that the follow fork mode works nicely. But at some point it did not ... If I run it 10 times consequtively in LLDB. Sometimes it works, sometimes not ...

]]>Mon, 14 Oct 2024 08:43:34 +0000https://news.ycombinator.com/item?id=41835525tonygohttps://news.ycombinator.com/item?id=41835525https://news.ycombinator.com/item?id=41835525<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>I tried, but I was not able to determine so far...

]]>Fri, 04 Oct 2024 07:52:39 +0000https://news.ycombinator.com/item?id=41738894tonygohttps://news.ycombinator.com/item?id=41738894https://news.ycombinator.com/item?id=41738894<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>Thanks a lot :)

I think that I should dig more on ptrace! Maybe a next post?

]]>Wed, 02 Oct 2024 08:01:11 +0000https://news.ycombinator.com/item?id=41718265tonygohttps://news.ycombinator.com/item?id=41718265https://news.ycombinator.com/item?id=41718265<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>Hi :)

I am not really experienced with ARM haha :) So the way that I approached it was: - how could I remove the call of fork (because I don't want to fork) - how could I patch the register that should contains the result of the fork operation

I guess that it sounds like a naive approach haha

Feel free to propose an alternative I patch, I could update the post and credit you :)

]]>Wed, 02 Oct 2024 07:59:48 +0000https://news.ycombinator.com/item?id=41718260tonygohttps://news.ycombinator.com/item?id=41718260https://news.ycombinator.com/item?id=41718260<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>> You may still think that mode could be still able to catch a new child process but apparently people have tried and the answer is no

Not sure I got this. IIUC there is a link between the fact that we used dlsym and the fact the child process is not catched by lldb in the follow fork mode?

]]>Wed, 02 Oct 2024 07:55:18 +0000https://news.ycombinator.com/item?id=41718241tonygohttps://news.ycombinator.com/item?id=41718241https://news.ycombinator.com/item?id=41718241<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>Also it could come from a messy thing in the code.

]]>Fri, 27 Sep 2024 08:02:25 +0000https://news.ycombinator.com/item?id=41667542tonygohttps://news.ycombinator.com/item?id=41667542https://news.ycombinator.com/item?id=41667542<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>I tried with LLDB using `settings set target.process.follow-fork-mode child` but for some reasons I feel like it still exit from the parent process.

I also tried with a long living process: https://github.com/tony-go/antidebug-examples/tree/main/swif...

And I got this:

``` (lldb) run Process 14345 launched: '/anti-debug/swift/build/anti_debug' (arm64) start pid = 14345 exit parent process for child pid = 14348 continue as child process pid = 14348 Process 14345 exited with status = 0 (0x00000000) ```

The UI did not even appeared as it should.

Maybe I miss something in my LLDB config...

]]>Fri, 27 Sep 2024 07:58:58 +0000https://news.ycombinator.com/item?id=41667530tonygohttps://news.ycombinator.com/item?id=41667530https://news.ycombinator.com/item?id=41667530<![CDATA[New comment by tonygo in "Implementing and Detecting Anti-Debugging with Fork()"]]>> A far more effective actual anti-debugging technique is to have the parent become the debugger of the child,

Do you have example of that? I am really curious, thanks for sharing tho :)

]]>Fri, 27 Sep 2024 07:43:12 +0000https://news.ycombinator.com/item?id=41667423tonygohttps://news.ycombinator.com/item?id=41667423https://news.ycombinator.com/item?id=41667423<![CDATA[Implementing and Detecting Anti-Debugging with Fork()]]>Article URL: https://tonygo.netlify.app//2024/anti-debugging-detection-with-fork/

Comments URL: https://news.ycombinator.com/item?id=41627027

Points: 58

# Comments: 16

]]>Mon, 23 Sep 2024 15:11:21 +0000https://tonygo.netlify.app//2024/anti-debugging-detection-with-fork/tonygohttps://news.ycombinator.com/item?id=41627027https://news.ycombinator.com/item?id=41627027<![CDATA[XPC Sniffer for LLDB]]>Article URL: https://github.com/tony-go/snixpc

Comments URL: https://news.ycombinator.com/item?id=41140995

Points: 3

# Comments: 0

]]>Fri, 02 Aug 2024 17:53:22 +0000https://github.com/tony-go/snixpctonygohttps://news.ycombinator.com/item?id=41140995https://news.ycombinator.com/item?id=41140995