Story
Tired from all of the craziness in the Inner Sanctum, you decide to venture out to the beach to relax. You doze off in the sand only to be awoken by the loud “reee” of an osprey. A shell falls out of its talons and lands right where your head was a moment ago. No rest for the weary, huh? It looks a little funny, so you pick it up and realize that it’s backwards. I guess you’ll have to reverse it.
Problem details
Hint: The flag format is
pctf{$FLAG}. This constraint should resolve any ambiguities in solutions.
Aleksei Kulaev flatz
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| === iBridge2,1,iBridge2,3,iBridge2,4,iBridge2,5,iBridge2,7,iBridge2,8_3.5_16P5200_Restore.ipsw | |
| Firmware/dfu/iBEC.j137.RELEASE.im4p | |
| 3723c95ba25706b4650a92177afc28af57e0a236fd0e46b83cffb6140392b63355562b5ed671bda6b5929ff728f0b324 | |
| Firmware/dfu/iBSS.j140k.RELEASE.im4p | |
| 34d7aa36e00b5c772bf7381c821253a714ed2714552a48a478b391faac32bc0eef2577d5a04e01f462648754eb9af69e | |
| Firmware/dfu/iBSS.j137.RELEASE.im4p | |
| 4bb3ecf8b19401a009b5c0003b64ac3bae8258f6d9c42b91831927e348957dfde01384caa3fbee1b6e665d168b46fc47 | |
| Firmware/dfu/iBEC.j680.RELEASE.im4p | |
| 893d17aa768a6ebd8f85b4251ef8f692c766f7b1868bd974a3dc9fcd0dd9608e4e0709bd9208752d9515a636c129378c |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <body></body> | |
| <script src="../mojo/public/js/mojo_bindings.js"></script> | |
| <script src="../third_party/blink/public/mojom/plaidstore/plaidstore.mojom.js"></script> | |
| <script src="../third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script> | |
| <script> | |
| var heap; | |
| var replace_data; | |
| var count = 0; | |
| var blob_registry_ptr = new blink.mojom.BlobRegistryPtr(); |
xpn
/ env_var_spoofing_poc.cpp
Created
June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env zsh | |
| set -e; | |
| set +m; # Job control would've been nice, but manual round robin it is, sigh. | |
| if [ -z "${ZSH_VERSION+x}" ]; then | |
| echo 'Try again with zsh.'; | |
| exit 1; | |
| fi; |
cheadrian
/ Youtube_Livestream_Parts_download.py
Last active
August 13, 2024 16:03
Download Youtube Live streamed video from the start or selected time
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #With the help of this script you can download parts from the Youtube Video that is live streamed, from start of the stream till the end | |
| import urllib.request | |
| import os | |
| #E.G: "https://r4---sn-gqn-p5ns.googlevideo.com/videoplayback?expire=1603041842& ..... 2.20201016.02.00&sq=" | |
| #The sound link should contain: &mime=audio in it. | |
| #Here's an example from NASA LIVE: | |
| #VIDEO: https://r5---sn-gqn-p5ns.googlevideo.com/videoplayback?expire=1603165657&ei=eQmOX8TeFtS07gO1xLWwDA&ip=79.115.11.159&id=DDU-rZs-Ic4.1&itag=137&aitags=133%2C134%2C135%2C136%2C137%2C160&source=yt_live_broadcast&requiressl=yes&mh=PU&mm=44%2C29&mn=sn-gqn-p5ns%2Csn-c0q7lnsl&ms=lva%2Crdu&mv=m&mvi=5&pl=20&initcwndbps=1350000&vprv=1&live=1&hang=1&noclen=1&mime=video%2Fmp4&gir=yes&mt=1603143920&fvip=5&keepalive=yes&fexp=23915654&c=WEB&sparams=expire%2Cei%2Cip%2Cid%2Caitags%2Csource%2Crequiressl%2Cvprv%2Clive%2Chang%2Cnoclen%2Cmime%2Cgir&sig=AOq0QJ8wRQIgQMnxy1Yk3HLTpqbOGmjZYH1CXCTNx6u6PgngAVGi4EQCIQDWyaye-u_KGyVQ0HRUsyKVaAzyXbmzDqOGVGpIyP7VtA%3D%3D&lspa |
Thanks to the work of @agraf, @KhaosT, @imbushuo, and others, we have Virtualization.framework working on M1 Macs. These [changes][1] have been merged with QEMU v5.2.0 RC3 (will rebase once the final release is out) and integrated with UTM, a brand new QEMU frontend designed in SwiftUI for iOS 14 and macOS 11.
dougallj
/ aarch64_amx.py
Last active
April 25, 2025 22:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IDA (disassembler) and Hex-Rays (decompiler) plugin for Apple AMX | |
| # | |
| # WIP research. (This was edited to add more info after someone posted it to | |
| # Hacker News. Click "Revisions" to see full changes.) | |
| # | |
| # Copyright (c) 2020 dougallj | |
| # Based on Python port of VMX intrinsics plugin: | |
| # Copyright (c) 2019 w4kfu - Synacktiv |
theevilbit
/ divide_and_conquer.c
Created
January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes. | |
| */ | |
| #include <stdio.h> | |
| #include <tchar.h> | |
| #include <windows.h> | |
| #include "Commctrl.h" | |
| #include <string> |
tandasat
/ CheckGuestVmcsFieldsForVmEntry.c
Last active
March 29, 2025 09:50
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @file CheckGuestVmcsFieldsForVmEntry.c | |
| * @author Satoshi Tanda ([email protected]) | |
| * @brief Checks validity of the guest VMCS fields for VM-entry as per | |
| * 26.3 CHECKING AND LOADING GUEST STATE | |
| * @version 0.1 | |
| * @date 2021-02-20 | |
| * | |
| * @details This file implements part of checks performed by a processor during | |
| * VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit |