Skip to content

Instantly share code, notes, and snippets.

>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[Implies(0@0xc777,
A#53 ==
Concat(Extract(3, 0, A#52), Extract(7, 4, A#52)))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]
@amtal
amtal / rappel.py
Last active June 23, 2023 04:03
Rappel.py is a pretty janky assembly REPL. It works by using keystone for R, and GDB for EPL.
""" Assembly REPL in gdb / possible sketchy binary patcher.
Usage:
gdb -q ./target
-x rappel.py adds 'rappel' command
[-write] patches binary on disk, sometimes!
"""
import gdb, tempfile, keystone as ks
class Rappel(gdb.Command):
@amtal
amtal / Hybrids.md
Created January 17, 2017 08:28
Walkthrough of two dupes and an item corruption exploit for Diablo 2 in layman's terms

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

Peace + Enigma hybrid

@amtal
amtal / preload.c
Created September 29, 2016 05:37
LD_PRELOAD scripting
#!/usr/bin/tcc -run
#include <stdio.h> // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#define __USE_GNU // man page says _GNU_SOURCE but is wrong lol
#include <dlfcn.h> // dlsym
#include <string.h> // strcmp
#include <curses.h>
@amtal
amtal / opcodes.py
Last active June 25, 2016 06:49 — forked from anonymous/opcodes.py
"""1-byte opcode list grouped by octet.
So, pretty much http://www.sandpile.org/x86/opc_1.htm but worse!
Requires: capstone, colorama (windows), click
"""
import capstone
import click
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
@amtal
amtal / b64_fixpoint.py
Last active November 15, 2015 17:47
Exploring http://xlogicx.net/?p=383 with z3py: proof of uniqueness + sub-second solutions
"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
> JJFEM -> JJFEMRKN
-- S D O
fp_1 :: (src -> i -> o) -- interpreter
-> src -- + source code
-- partial application magic happens here
-> (i -> o) -- = executable
-- Static Dyn Output
fp_2 :: ((src -> i -> o) -> src -> (i -> o)) -- fp_1
-> (src -> i -> o) -- + interpreter
-- partial application magic happens here
@amtal
amtal / cpuid.py
Created April 1, 2015 06:54
Poke CPUID from Python via AmihaiN's GetThreadContext wrapper
"""Poke interesting instructions from Python.
Uses the nifty trick in https://github.com/AmihaiN/pyAsm to run snippets then
inspect registers. (Use at own risk, nasm.exe source not verified, etc.)
"""
from pyAsm import pyAsm, A_32BIT
def regs(reg, sep='\n', txt=''):
txt = txt.strip()
acc = []
"""Looking for collisions in Mooltipass "TRNG" output.
The "TRNG" outputs 32 bit blocks whitened with Jenkins one at a time hash,
keeping no state between samples. Running ent or diehard on the output stream
produces a predictable "pass" result, since these tests do not take the 32 bit
block structure into account.
Excessive collisions found by the following test would disprove the null
hypothesis that each 32 bit sample from the "TRNG" is uniformly distributed.
#!/usr/bin/env python3
"""Usage: vimcrypt.py [FILE]...
Guesses first 64 bytes of vim-encrypted files. Method implemented is sufficient
for plain English (preferably with lots of spaces), but any knowledge of
underlying plaintext would do.
Example:
$ ./vimcrypt.py 1.txt 2.txt 3.txt 4.txt