-
note that strings in rust don't have trailing nulls and therefore ghidra will tend to run them together you can manually clear a string with C, then highlight each individual one, right click and select string
-
I've also been finding that ghidra doesn't actually decompile every method, so you may need to manually force it to treat a code section as a function
-
if you can identify the calls to panic, panic_fmt and similar methods, they will contain a reference to the code file that the method came from as a first approximation, you can rename methods by these filenames to give a sense of what is what
they might also contain specific error messages which you can then search in the code repos of the respective libraries to find the exact method
Yaakov Saxon YSaxon
YSaxon
/ gist:b64a984ab92c07dfe214467d63c5eb50
Last active
February 3, 2023 20:00
notes on changing the boot kernel in Ubuntu on AWS ec2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This script is possibly helpful in downloading other kernels: https://raw.githubusercontent.com/pimlie/ubuntu-mainline-kernel.sh/master/ubuntu-mainline-kernel.sh | |
| Follow this to enable GRUB: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/grub.html | |
| Comment out the GRUB_FORCE line in /etc/default/grub.d/40-force-partuuid.cfg | |
| Also, take a look at the Grub Menu with the script here: https://askubuntu.com/a/1019214 | |
| And then you can use that exact menu option (eg "1>2") displayed by that script as the GRUB_DEFAULT in /etc/default/grub | |
| The you can enable the serial console and use it in AWS |
YSaxon
/ number_multiplier.py
Created
February 21, 2023 17:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #bing: this is an important script to fix | |
| a=5 | |
| b=9 | |
| #this value might be wrong, we should fix it | |
| expected_product_of_a_and_b=23 | |
| assert(a*b == expected_product_of_a_and_b) |
YSaxon
/ gist:91acb53f59ca8b0a18d166ec11857715
Created
March 30, 2023 20:55
How to get just slides from slideshare with no ads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Execute in console: | |
| window.open(window.slideshare_object.slideshow.iframe_url) |
YSaxon
/ gist:82f59e63ce972072fb9b15c4af0cea80
Last active
November 13, 2024 16:39
notes on MITMing mobile device network traffic with pf.conf RDR and NAT rules
-
Change the network gateway on the device you want to intercept traffic from to your local computer IP. Or, alternatively do ARP spoofing, in which case you can probably skip the nat rule below.
-
Add the following to your pf.conf file (modifying the assignments appropriately)
set loginterface pflog0 # if on macOS
ext_if = en0
phone = 192.168.0.100
computer = $ext_if:0
YSaxon
/ gist:e2e8ea4be1e4cc6bbdc3b0e50d730825
Last active
October 9, 2023 20:51
notes on dumping files from android
adb pull /
Here's a script which will do an adb pull of all the various apks into their normal tree and also softlink them all together. do a mkdir root; cd root; mkdir apk_softlinks before running this
adb shell 'pm list packages' | grep -vE "^package:(com.android|com.qualcomm|com.google|com.qti|android)" | awk -F':' '{print $2}' | xargs -I '{}' sh -c 'path=$(adb shell pm path {} | cut -d: -f2 | tr -d "\r"); mkdir -p $(dirname "./${path#/}"); adb pull "$path" "./${path#/}"; ln -s "../${path#/}" "./apk_softlinks/$(basename $(dirname "./${path#/}")).apk"'; for file in apk_softlinks/*; do [ -L "$file" ] && [ ! -e "$file" ] && mv "$file" "${file%.PULL_FAILED}.PULL_FAILED"; done
YSaxon
/ xor_string_deobfuscator.py
Last active
July 6, 2023 21:06
Ghidra script to deobfuscate xor strings within legu unpacker library (probably adaptable for use elsewhere)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from java.io import File | |
| from ghidra.app.util.exporter import CppExporter | |
| from ghidra.util.task import TaskMonitor | |
| from ghidra.app.util import Option | |
| from ghidra.program.model.listing import Function | |
| from ghidra.program.database.symbol import FunctionSymbol | |
| import re | |
| from ghidra.app.decompiler import DecompInterface | |
| from ghidra.program.model.listing import CodeUnit | |
| from ghidra.program.model.scalar import Scalar |
YSaxon
/ export_from_mqtt_explorer.md
Last active
July 14, 2023 19:00
(copied from my comment here: thomasnordquist/MQTT-Explorer#632 (comment))
Open DevTools (should be an option in the file menu) Now in the JS Console
const reactRoot = document.querySelector('#app')._reactRootContainer;
const store = reactRoot._internalRoot.current.child.memoizedProps.store;
var tree = store.getState().connection.tree
YSaxon
/ get_hostnames_communicating_with.sh
Created
September 1, 2023 18:44
get hostnames currently communicating with
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| netstat -an | awk '{if ($5 ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) print $5}' | cut -d. -f1-4 | sort -u | while read -r line; do host $line; done | grep pointer | awk '{print $NF}' | sort -u |