@Neo23x0
Neo23x0 / annotations.xml
Last active November 12, 2024 01:34
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8"?>
<Annotations start="0" num="171" total="171">
<Annotation about="www.bussink.net/*" timestamp="0x0005d7bc4022b026" href="ChF3d3cuYnVzc2luay5uZXQvKhCm4IqBxPf1Ag">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://www.bussink.net/"/>
</Annotation>
<Annotation about="*.thedfirreport.com/*" timestamp="0x0005d76dd5f8679d" href="ChUqLnRoZWRmaXJyZXBvcnQuY29tLyoQnc_hr93t9QI">
<Label name="_cse_turlh5vi4xc"/>
<AdditionalData attribute="original_url" value="https://thedfirreport.com/"/>
</Annotation>
0xfe82801c: addr = 0xfe84804b, type = 0x3d, id = 0x0805, args = 2, name = tzbsp_pil_init_image_ns
0xfe828038: addr = 0xfe8482c1, type = 0x3d, id = 0x0802, args = 1, name = tzbsp_pil_auth_reset_ns
0xfe828050: addr = 0xfe847c85, type = 0x0d, id = 0x0806, args = 3, name = tzbsp_pil_mem_area
0xfe828070: addr = 0xfe847ce7, type = 0x0d, id = 0x0807, args = 1, name = tzbsp_pil_unlock_area
0xfe828088: addr = 0xfe84831b, type = 0x0f, id = 0x0808, args = 1, name = tzbsp_pil_is_subsystem_supported
0xfe8280a0: addr = 0xfe84835f, type = 0x0f, id = 0x0c01, args = 1, name = tzbsp_pil_is_subsystem_mandated
0xfe8280b8: addr = 0xfe84c7d9, type = 0x0d, id = 0x0c02, args = 1, name = tzbsp_write_lpass_qdsp6_nmi
0xfe8280d0: addr = 0xfe8079bd, type = 0x0d, id = 0x0c04, args = 2, name = tzbsp_set_cpu_ctx_buf
0xfe8280ec: addr = 0xfe80972b, type = 0x0d, id = 0x0c06, args = 2, name = tzbsp_set_l1_dump_buf
0xfe828108: addr = 0xfe8097e5, type = 0x0f, id = 0x0c07, args = 1, name = tzbsp_query_l1_dump_buf_size
#!/usr/bin/env python2
from libformatstr import FormatStr
from pwn import *
import binascii
import struct
import time
def p32(addr):
from idc import *
from idaapi import *
def getSysctlSegment():
    addr = 0
    seg = SegByName("__sysctl_set")
    if seg != BADADDR:
        addr = SegByBase(seg)
    return addr
'''
ROP Analyze
Written by St4rk
The code is a total mess and I don't know python (it's one of many reasons
that I decided to use python here, to learn)
Feel free to modify and do whatever you want
'''
# imports
@williballenthin
williballenthin / yara_fn.py
Last active December 4, 2020 05:25
generate a yara rule that matches the basic blocks of the current function in IDA Pro
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <[email protected]>
@laanwj
laanwj / BLATSTING.txt
Last active March 25, 2025 16:18
BLATSTING
Wladimir van der Laan 2016. This document is in the public domain.
BLATSTING reverse-engineering notes. Based on files from the EQGRP free dump,
more specifically in Firewall/BLATSTING/BLATSTING_201381/LP/lpconfig.
In https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html,
BLATSTING is described as "A firewall software implant that is used with EGREGIOUSBLUNDER
(Fortigate) and ELIGIBLEBACHELOR (TOPSEC)".
If true, it's interesting how this implant can target both vendors. Presumably they both use the same Linux
@williballenthin
williballenthin / add_segment.py
Last active December 27, 2019 01:59
Add a segment to an IDA .idb from a file.
'''
IDAPython plugin that adds the contents of a file as a new segment in an existing idb.
Prompts the user for:
- file path
- segment name
- segment starting offset
Useful for reverse engineering packed software and shellcode.
Author: Willi Ballenthin <[email protected]>
@ocean1
ocean1 / rename_functions.py
Last active September 13, 2018 17:37
rename symbols in IDA using nm
# rename functions loading addresses using nm
import idaapi
import idc
from subprocess import Popen, PIPE
def make_func(addr):
    idc.MakeCode(addr)
    idc.MakeFunction(addr)
@HarmJ0y
HarmJ0y / ADC2.ps1
Last active December 21, 2024 07:23
Command and Control channel through Active Directory Object Properties
#Requires -Version 2
function New-ADPayload {
<#
.SYNOPSIS
Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
a one-line launcher.
Author: @harmj0y