Cool write up, reminds me of a .net app I had to RE a few years ago which used a custom bytecode/VM for sensitive functions, such as some string crypt/obfuscate operations which I was trying to grok. Giant pain in the ass.
…until I saw that they re-implemented the same operations in some schema migration code without adding the magic ”obfuscate-me” annotations
I ran into the same thing reverse engineering a piece of exercise equipment
The routines for communicating with sensors were heavily obfuscated in the main application... but the factory sensor test application had been left installed and was completely clear.
…until I saw that they re-implemented the same operations in some schema migration code without adding the magic ”obfuscate-me” annotations