Agenda

Day 1: Reverse Engineering and LLM-Assisted Analysis

• Instant Messaging Attack Surface Overview
• Environment Setup: Self-Hosted Inference and API Configuration
• JEB on WhatsApp: Navigating Obfuscated Closed-Source Code
• The LLM RE Loop: Snapshot, Analyze, Rename, Review, Apply
• Manual vs. LLM Rename Comparison on WhatsApp Media Pipeline
• Building a Naming Review Agent: OpenAI API and Claude Agent SDK

Day 2: Dynamic Analysis and Protocol Dissection

• Advanced Frida Scripting
• SSL Unpinning
• The WebP Trap: Why You Trace Before You Build
• Mapping WhatsApp’s Sticker Decode Path
• 0-Click Path Enumeration: From File Download to System Service (DNG, Paragon PDF)
• Telegram MTProto Sniffer
• Cross-Target Methodology: Open Source vs. Closed Source

Day 3: LLM-Powered Vulnerability Research

• Pipeline Architecture: From 800 Functions to 5 Candidates
• Telegram MTProto Client
• LLM Pipeline: Extract, Pre-Filter, Classify, Verify (OpenAI API + Claude Agent SDK)
• Writing Classification and Exploitability Agents
• Cross-Target Pipeline Execution on Native Libraries
• rlottie Internals, Android Security Model

Day 4: Exploiting a Live Vulnerability

• Running Student Pipelines Against rlottie
• Rediscovery of a ZDI-Disclosed Bug Class
• Malicious Animated Sticker Construction
• 0-Click or Not? Server-Side Mitigations and Their Limits
• Bypass Research: Secret Chats, Custom Emoji, Side-Loading
• Debrief: Vulnerability vs. Exploitability

Prerequisites

• Python or equivalent scripting
• Reverse engineering experience
• Familiarity with Android application architecture
• Claude Max subscription (active)
• Anthropic API key with $200 prepaid credits

Hardware and Software

• Unix-based laptop, 30GB free disk space
• Rooted Android device (provided)
• Dedicated GPU inference server (provided)
• JEB Decompiler
• IDA Pro with Hex-Rays, or Ghidra
• adb, python3, frida-tools
• Administrator/root access