stong

// TLDR:
// Whitebox 128-bit rsa with e=17. Input is multiplied by a constant before the RSA

#include <Windows.h>
#include <stdio.h>
#include <stdint.h>

extern "C" void __fastcall rsa_encrypt (uint8_t* in, uint8_t* out);

// 1. Func is ~90kb, and control flow is simple. Should be decompilable just extremely SLOW.

trietptm

IDAPython CTREE

Important links

• Hex-Rays Decompiler Primer
• hexrays.hpp

Description

The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.

dolinenkov

# an example of the way how undocumented option of MSVC compiler, /d1reportallclasslayout,
# can be used to generate static reflection information for C++ sources

import sys
import re
import subprocess

cl_exe = 'C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Community\\VC\\Tools\\MSVC\\14.16.27023\\bin\Hostx64\\x64\\cl.exe'

file = 'test.cc'

OALabs

import idaapi, idc, idautils


class DecryptorError(Exception):
    pass


def rc4crypt(key, data):
    x = 0
    box = range(256)

wbenny

//
// NtContinueEx is now used by ntdll!KiUserApcDispatcher.
// The KCONTINUE_ARGUMENT structure is built in the KiInitializeUserApc
// function.
//

typedef enum _KCONTINUE_TYPE
{
  KCONTINUE_UNWIND,
  KCONTINUE_RESUME,

icecr4ck

IDAPython cheatsheet

Important links

• Porting IDAPython plugins to IDA 7.4
• Hex-Rays IDAPython official documentation

Basic commands

Get informations on the binary

stecman

This is a technique for extracting all imported modules from a packaged Python application as .pyc files, then decompiling them. The target program needs to be run from scratch, but no debugging symbols are necessary (assuming an unmodified build of Python is being used).

This was originally performed on 64-bit Linux with a Python 3.6 target. The Python scripts have since been updated to handle pyc files for Python 2.7 - 3.9.

Theory

In Python we can leverage the fact that any module import involving a .py* file will eventually arrive as ready-to-execute Python code object at this function:

PyObject* PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals);

cmatthewbrooks

##############################################################################
#
# Name: hello_world_plugin.py
# Auth: @cmatthewbrooks
# Desc: A test plugin to learn how to make these work; Specifically, how to
#       have multiple actions within the same plugin.
#
#       In plain English, IDA will look for the PLUGIN_ENTRY function which
#       should return a plugin object. This object can contain all the 
#       functionality itself, or it can have multiple actions.

jerieljan

I use PlantUML a lot. It's what I use for drawing all sorts of diagrams and it's handy because of its easy markup (once you get used to it) while making things easy to maintain as projects grow (thanks to version control)

This gist explains how I do my PlantUML workspace in a project.

• The idea is to keep a globals directory for all diagrams to follow (like the "stylesheet" below) to keep things consistent.
• I use a stylesheet.iuml file that keeps the use of colors consistent through use of basic FOREGROUND, BACKGROUND and ACCENT colors.
• The style-presets.iuml file defines these colors so you can make "presets" or "themes" out of them.
• As stated in the stylesheet.iuml, you'll need the Roboto Condensed and Inconsolata fonts for these to work properly.
• You can choose to either run the PlantUML jar over your file/s, or use an IDE like VSCode with the PlantUML extension. Here's a preview of example-sequence.puml for example: https://imgur.com/Klk3w2F

vaualbus

#if _CRT_DISABLE

extern "C" int _fltused = 0x9875;

#define WIN32_LEAN_AND_MEAN 
#include <stdint.h>
#include <limits.h>
#include <windows.h>

//#include <Windows.h>