The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
Duncan Ogilvie mrexodia
🍍
trietptm
/ idapython_ctree.md
Created
May 1, 2020 13:56
— forked from icecr4ck/idapython_ctree.md
Notes on CTREE usage with IDAPython
stong
/ cheese.cpp
Last active
August 28, 2024 01:26
pbctf 2020: Jiang Ying's Disasssembler author's writeup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // TLDR: | |
| // Whitebox 128-bit rsa with e=17. Input is multiplied by a constant before the RSA | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| extern "C" void __fastcall rsa_encrypt (uint8_t* in, uint8_t* out); | |
| // 1. Func is ~90kb, and control flow is simple. Should be decompilable just extremely SLOW. |
bluewalk
/ GetNordVPNWireGuardDetails.md
Last active
August 1, 2025 19:50
Getting NordVPN WireGuard details
Instructions to obtain WireGuard details of your NordVPN account. These can be used to setup a WireGuard tunnel on your router to NordVPN.
Source: https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27
If you have any linux machine, use that or install a vm if you don't have one.
Get their official linux app installed. Make sure you have wireguard installed too. And set the used technology to Nordlynx by running nordvpn set technology nordlynx
tandasat
/ CheckGuestVmcsFieldsForVmEntry.c
Last active
June 16, 2025 18:10
Simulation of checks performed as per 26.3 CHECKING AND LOADING GUEST STATE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @file CheckGuestVmcsFieldsForVmEntry.c | |
| * @author Satoshi Tanda (tanda.sat@gmail.com) | |
| * @brief Checks validity of the guest VMCS fields for VM-entry as per | |
| * 26.3 CHECKING AND LOADING GUEST STATE | |
| * @version 0.1 | |
| * @date 2021-02-20 | |
| * | |
| * @details This file implements part of checks performed by a processor during | |
| * VM-entry as CheckGuestVmcsFieldsForVmEntry(). This can be called on VM-exit |
stevemk14ebr
/ stpgetargtype_dump.json
Created
April 11, 2021 18:15
DTrace's StpGetArgType accesses a metadata table that stores complete arg type information for every syscall.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| [ | |
| "NtLockProductActivationKeys", | |
| [ | |
| "UInt32 *", | |
| "UInt32 *" | |
| ] | |
| ], | |
| [ | |
| "NtLockProductActivationKeys", |
For some reason IDA executes FreeLibrary() to the plugin immediately after getting its PLUGIN structure's address, so later invocations of the plugin lead to calls to nowhere (that was supposed to be python3.dll). Simply patching the location of the FreeLibrary() call fixes the issue. The location is easy to find: go by cross-references to a place where the call to FreeLibrary is followed by a reference to the string "%s: incompatible plugin version..." and NOP it away.
chris124567
/ DeriveZeroMBA.cpp
Last active
August 26, 2024 20:27
create convoluted MBA expressions that always evaluate to 0. for instance `(a & ~b & ~c | a & ~b & c | a & b & ~c | a & b & c)*1 - (~a & ~b & ~c | a & ~b & ~c | a & ~b & c | a & b & ~c | a & b & c) + (~a & ~b & ~c)` will evaluate to 0 regardless of the values of a, b, or c. code mostly ported from https://github.com/Pusty/Obfuscat/blob/master/ut…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <z3++.h> | |
| #include <armadillo> | |
| #include <array> | |
| #include <cmath> | |
| #include <cstdlib> | |
| #include <ctime> | |
| #include <functional> | |
| #include <iostream> | |
| #include <numeric> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ Extends Ero Carrera's pefile with the functionality for parsing exception tables (SEH support). | |
| Beginning from version 2021.9.3, this functionality has been integrated into pefile, so you will | |
| need pefileseh.py only if you use an older version of pefile. | |
| Only x64 and IA64 architectures are supported. | |
| Classes defined in this module: | |
| * StructureWithBitfields | |
| * ExceptionsDirEntryData |
aaaddress1
/ memBruteforce.cpp
Last active
February 20, 2024 11:16
Windows 32-bit Shellcode Design without TEB & fs:30h
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // memBruteforce.cpp by [email protected] | |
| // brute search loaded moudules in memory | |
| // rewrite from https://www.exploit-db.com/exploits/45293 | |
| #include <Windows.h> | |
| #include <iostream> | |
| #pragma warning(disable:4996) | |
| bool isMemExist(size_t addr) { | |
| int retv; | |
| __asm { |