0xca7
/ config_extractor.py
Created
December 31, 2023 17:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| crappy python script to extract v o l g m e r configuration | |
| see: https://asec.ahnlab.com/en/57685/ | |
| 1. pull the full resource section | |
| 2. search for ZIP magic, cut everything before | |
| 3. get all strings from the binary, one is the password | |
| 4. try all the strings until the zip is decrypted | |
| 5. search for the smaller of the two extracted files, this is the config | |
| 6. parse the config and spew out ip addresses and ports |
0xca7
/ highlight_calls_example.py
Created
September 23, 2023 18:41
Binary Ninja: Highlight ARM32 bl, blx, b calls - an example script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| binary ninja script to highlight all "bl" instructions in | |
| an ARM32 binary. makes assembly easier to read. | |
| """ | |
| from binaryninja import * | |
| TARGET_INSTRS = ['bl', 'blx', 'b'] | |
| # RGB color for bright red |
0xca7
/ gist:696e4e65f72c9aac442340c9d7ef9131
Created
December 23, 2022 09:54
highlight and decrypt strings in recordbreaker malware
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //TODO recordbreaker string decryption via selection | |
| //Applied to sample: 746669c6be1807fdafbc7ee3f1e958e1b584fa31688742bcc044d269af94b0d8 (sha256) | |
| //@author 0xca7 | |
| //@category _NEW_ | |
| //@keybinding | |
| //@menupath | |
| //@toolbar | |
| import ghidra.app.script.GhidraScript; | |
| import ghidra.program.model.mem.*; |
0xca7
/ gist:f5d8d20fa07b69327cffa011296cda8d
Created
September 19, 2022 11:33
get config from sample 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| extracts config from sample: 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159 | |
| 0xca7 | |
| """ | |
| from elftools.elf.elffile import ELFFile | |
| def read_elf(path) -> bytes: |
0xca7
/ gist:58ad430094fe436649031398b28b324d
Created
August 28, 2022 18:18
ghidrathon - run selected ARM code with unicorn + execution tracing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # use unicorn emulator to run code selected in ghidra graphs or listing views | |
| #@author 0xca7 | |
| #@category Python 3 | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| # the code looks horrible :( | |
| """ |
0xca7
/ mount_jffs2.sh
Created
August 13, 2022 17:54
script to create fake flash drive and mount a JFFS2 image to it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # change this if needed | |
| TOTAL_RAM_SIZE=32768 | |
| ERASE_SIZE=256 | |
| # just the usage prompt | |
| print_usage() { | |
| echo "usage ./mount_jffs2.sh [ path to image ]" | |
| echo "RUN THIS WITH SUDO / AS ROOT" |
0xca7
/ gist:28ca40a575143926eaaec216c17c8ad8
Created
March 4, 2022 16:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sample: 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71 | |
| ----------------------------------------------------------------------------------------------------- | |
| got strings via: | |
| FLOSS [sample.exe] > strings | |
| cat strings | grep H4 > encrypted.strings | |
| ----------------------------------------------------------------------------------------------------- | |
| Python Script: |
0xca7
/ gist:d34317b6812ea86d990559814857cdf3
Created
April 5, 2021 15:40
Sample: bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sample: bc0ed3e73b8d1fdc839f2e8ed3578ca3221dba4eb984e581cb00dfb4cdfb7d49 on Malware Bazaar | |
| RSA-1024 + AES-256 | |
| Extracted (static) AES-256 Key: | |
| 08 02 00 00 10 66 00 00 20 00 00 00 FD 29 D4 E4 24 20 18 0E C1 6B D2 24 8D F5 3A 87 34 E0 3C DF BC 3F 7A 5D DA 82 7B B8 1C 79 6A C6 | |
| Extracted 1024-Bit RSA Public Key: | |
| 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 C5 07 26 57 FD DC 59 91 82 70 3B 40 8E B1 E8 E2 4E D8 C5 B1 03 FF BF 95 F4 70 8C 43 C5 D0 A9 13 | |
| D0 42 4A 08 22 B3 53 9C 26 AF 1A 93 3B BE A9 B2 A6 ED CA 59 CB A4 39 1A 74 F8 8C 02 94 2C 3E 67 1F 9F 3C A1 83 92 BF AE 8C 01 77 28 61 A4 BB 1D DB 80 DA C9 |