Created on Sat. 11 July 2026
Hello World I am back with a new nugget for you lot! Okay so this one was on my todo list for a long time and I am glad I am finally coming around to doing it!
I am currently completing maldev academy now if you don't know me nor know my exact background (Before 2020 when this blog started). I actually come from the software development world but more specifically C and system programming mainly. I might have covered a bit of my past in some blog posts and I guess it's quite obvious that I am a decent coder not the best but also not the worst. My main moat is mainly get shit done and extract as much value as I possibly can from the project / task ahead. So when I set myself to do maldev academy when it first released I knew a few things: 1. I wanted to do it only in C (my favourite programming language by far) 2. I also wanted to use it to build out a lib of some kind to streamline future projects (This will make sense to you once we cover my background super quick at the start of the blog post). So yeah for the last month or so I have been doing just that nuking maldev academy with a few personally set constraints...
Okay so for the constraints I set myself for maldev academy specifically
you need to first understand my background who am I and it will just click.
So before all of this roughly in 2014 I started coding and pentesting because
well I was bored (I will do a post about this later this year I think) and well
the tutorial to Become a hacker had a few tips which was 1. Learn Programming,
then learn network then you can learn to hack. So then I spent from 2014 up until 2020.
Where I just dedicated to software engineering and networking like a maniac tying it to
offensive security obviously with projects such as p4p1 and larp.
So I started coding by learning Python via the Learn Python The Hard Way book (this book is the best resource to learn coding overall).
From there I was like okay python is built in C I guess I'll learn C next and this is
where things really popped off for me. So I really liked C as a language I built a bunch
of little projects and in France I heard of this college named EPITECH which had
the reputation of the "Hardest" coding course you could take. Now obviously I b-lined
there and signed myself up. I already had at the time a good 2-3 years of C behind me
with some small freelance experience so I was obviously overly prepared compared
to other students. The main point of EPITECH is that all the code you use during
the projects is built from scratch by you, this is why it's known as the hardest.
You actually spend the 1st month of the degree to rebuild stdlib and a bunch of string.h
helper functions so like strlen, strstr, strcmp and whatnot.
From there after spending the first month building everything from scratch
you then code a shit ton of parser this is the main thing you do in that college and honestly
the hardest way to apply C is parsing and other type of projects similar to that. Then
roughly in the middle of the first year there is a project named the corewar. This
was my favourite project at that college it's literally build a assembler and the VM that
understands the custom bytecode.
Alright you have the context of my background so you see I spent roughly 2-3 years coding in C with basically what is roughly Position Independent Code constraints, no stdlib code has to be pure C no external helpers. So when I first started maldev academy and learned about PIC code and whatnot I took it at face value: I can't use stdlib, no problem I will now use lib my_ from my epitech days. Here is a screenshot of what epitech makes you code this is a snippet of my personal lib my_:
EPITECH but also me personally are super stingy on coding style overall now this is not for everyone but when we cover some actual code in this and I explain more in detail how I think explaining this upfront will help you understand everything better trust me. So overall here are the few rules to follow:
These rules are engraved in your brain at that college I did to promote clean code more or less and avoid bad complex logic. Now sometimes it is impossible but clear separation of concern even in big code basses go a very long way. So in practice this would look something like so:
Here is a great example of simple functions doing simple things my_v_printf
handles the general loop of the string, vprintf_flag runs the
logic to call a flag when found etc...
Now this coding style just stuck to me and really helped me throughout my career to be able to look at a glance at old code and clearly know what is happening for example this custom getopt implementation:
int sk4r4b_getopt(struct getopt_ctx *ctx, int argc, char **argv, char const *optstr)
{
char ch;
int res;
while (ctx->optind < argc) {
if (is_terminator(argv[ctx->optind])) {
ctx->optind++;
return (-1);
}
if (!is_opt(argv[ctx->optind])) {
push_to_end(argc, argv, ctx->optind);
ctx->non_opt_count++;
if (ctx->non_opt_count >= argc - ctx->optind)
return (-1);
continue;
}
ctx->non_opt_count = 0;
ch = argv[ctx->optind][ctx->sp];
res = in_optstring(ch, optstr);
if (res == 0) {
ctx->optopt = ch;
ctx->sp++;
if (argv[ctx->optind][ctx->sp] == '\0') {
ctx->optind++;
ctx->sp = 1;
}
return ('?');
}
if (res == 2) {
if (argv[ctx->optind][ctx->sp + 1] != '\0') {
ctx->optarg = &argv[ctx->optind][ctx->sp + 1];
ctx->optind++;
ctx->sp = 1;
return (ch);
}
ctx->optarg = argv[ctx->optind + 1];
ctx->optind += 2;
ctx->sp = 1;
return (ch);
}
ctx->sp++;
if (argv[ctx->optind][ctx->sp] == '\0') {
ctx->optind++;
ctx->sp = 1;
}
return (ch);
}
return (-1);
}
Without going into detail on getopt you can clearly see here yeah okay this
function either returns a character or a ? now we know that getopt
on error will return ? and the found character on success.
Around 2 years ago I decided to start using Havoc at work and during a red team engagement we actively saw that our Havoc agent was downloaded from our website / or a sample was collected by an AV and our Havoc agent was running on some VM in America strange since our company is Austria based right. Well turns out it was the defender VM to analyze malware this bothered me because well our engagements are scope Microsoft didn't pay me for this sample and are now using it debugging it bla bla which for a open source tools like Havoc it's fine but if we ever expanded our internal red team capabilities we would be annoyed if any AV provider could snatch a copy of our malware during a pentest. To avoid this I actually had an idea since I know how to make webapps I could just make a Auth flow on a website store my payload behind it and manually accept agents that I wan't to infect so that the stub that gets taken by microsoft is useless and my professional capabilities stay in house right. So this year I built exactly that as b0mb!
The typical flow is the following: 1. Agent registers on /auth/register
then we can see it inside of the pool on /agents. 2. The Agent can
poll /auth/login to see if it was accepted by the operator. If accepted
the agent can then get a one time download link and get the actual payload used to infect
the machine. Only problem is this my webapp is build in node JS and C code cannot understand
JSON easily so I had a ponder.... I have all this experience building parsers how hard
would it be for me to crap out a JSON parser....
So yeah I obviously made a JSON parser from scratch I already had stdlib under my belt a full assembler / custom bytecode VM why would I not just add JSON to the list. So to start I had a good think of the architecture. What is needed is a clean minimal code base to start I don't want every malware that needs to support JSON to be massive clearly. I also don't really care about grammar that much the JSON parser does not need to be strict what if there is a network error and I get malformed JSON? Then the whole program crashes not very good :/ I also wanted it to be recursive, why ? Cause it's a funny flex recursion done right is actually supper elegant code yeah it leads to stack problems on massive recursions but realistically the whole point of this lib is to handle Authentication flows and light APIs not to be a full frontend right. I also wanted the JSON data to be in some sort of tree during EPITECH I did a few of those but was never that good at them. So in my original design I thought red black tree to have super fast query on the data structure.
We first have the typical JSON type stuff to make the code easier to manage then we have the individual nodes now a single node can be a single type so to avoid having a huge struct for each node we use union here to pack the value to the actual size it needs to be. Then the tree has right / left and parent. Originally it had color for the Red Black proprieties but that was dropped since on rebalancing of the tree it was hard to keep the actual structure of the json together without fucking up the fact a root object / array had to always be at the top. Since those complexities made red black tree annoying to implement I just ditched that idea.
From this data structure all mapped out I then went onto working on the actual parser the idea was to bee super lenient on the grammar, if you find something you understand construct the tree if not skip it:
We first start by skipping spaces and tabs we then look for a character we
understand. Since json root object and either be a object or a array we look
for { and [. After finding that we just advance to
the next call of parser to continue consuming the string. If we find "
we know that this is a key value pair so we parse that accordingly:
Looking at the first character of the value we can determine it's type from there we parse it and add it to a newly created node. If it's a inner object then we can call create object and parse that accordingly by recursively calling the parser function :) Same for arrays.
After getting this to work I was like well why stop here the main reason we want JSON in a data structure like this is to query it and also edit it so I created a few basic helper functions:
The main one is obviously json_get_data to get a node out of the
tree for you and the funny nice to have one is tree_to_json to just
do the opposite of what json_to_tree does.
Alright let's take this lib for a spin first we want the bloc that will
handle the network connection thanks to microsoft API stupidity we can
just connect to websites directly in C with the winAPI <3
To do this we first start with our call to InternetOpenA
to set the user agent and start the connection. Then we call InternetConnectA
this will setup the connection to the backend server. After this we call HttpOpenRequestA
to do the actual GET / POST request here we just register our agent to the /register endpoint.
From here we poll login to wait for acceptance and get our auth token.
To do this we take the result of the server via InternetReadFile
and put this in our json lib. Then the parser kicks in and put's the data in a tree.
We then search for token which is the success indicator of a successful
login if the variable data which contains or not the node to token json
element if it not 0 then it exists so we can extract the token with strndup. From there
we can generate the Authorization header and download our shellcode:
Thank you for reading! I released some stickers! You can support the blog
by getting some here.
Anyway follow me on github and linked-in cause why not hopefully you learned something
cool <3
If you like the content of my website you can help me out by donating through my github sponsors page.