Neoma Fong neomafo88

@drego85
drego85 / mirax_extract_pipeline.py
Created April 15, 2026 14:58
Automated Mirax dropper unpacker that derives RESOURCE_KEY and extracts embedded payload APKs from StreamTV-like samples.
#!/usr/bin/env python3
"""
Mirax extraction pipeline for StreamTV-like droppers.
Threat intelligence recap (based on the analyzed streamtv_* samples):
- The visible APK is usually a dropper stage.
- A bootstrap Application class loads a deeply hidden asset from assets/.
- That hidden blob is RC4-encrypted; the RC4 key is hardcoded in the bootstrap class.
- After RC4 decryption, the blob becomes a stage-1 ZIP containing classes*.dex.
- Stage-1 code embeds the RESOURCE_KEY (64-hex), used for storage/payload decryption.
"""
The most atomic way to train and run inference for a GPT in pure, dependency-free Python.
This file is the complete algorithm.
Everything else is just efficiency.
@karpathy
"""
import os # os.path.exists
import math # math.log, math.exp
@allenyllee
allenyllee / medium.user.js
Last active June 12, 2026 00:26 — forked from mathix420/medium.user.js
Bypass Medium Paywall - Working at Jan 2026 - Greasy Fork, Violentmonkey, Tampermonkey - Click the RAW button to install
// ==UserScript==
// @name Medium Paywall Bypass (Manual Button + Badge + Fallback + Offline)
// @namespace Violentmonkey Scripts
// @run-at document-start
// @match *://*.medium.com/*
// @match *://medium.com/*
// @match *://*/*
// @grant none
// @version 3.5
// @inject-into content

• Investigation Log

  • Connected to IDA session, captured module hashes, enumerated exports (DllEntryPoint, Crash) to frame analysis scope.
  • Decompiled Crash → LaunchConfiguredIec104Sessions:0x100014e0, observed config parsing call and thread fan-out via CreateThread (0x10001547), then traced worker entry StartAddress to identify IEC‑104 workflow.
  • Analyzed ParseIec104ConfigFile:0x10001610; confirmed _wfopen (0x10001674) and _fgets usage, mapped keywords target_ip, target_port, sequence, stop_comm_service, command_type, operation, shift, range, uselog at refs 0x100017B0–0x10002004 to per-session structure fields.
  • Inspected RunIec104SessionWorker:0x10002FE0; documented service-kill logic (OpenProcess 0x1000303D / TerminateProcess 0x10003046), IEC-104 connect (Iec104Connect 0x10003079), handshake (SendStartupSequence 0x1000309D), sequence dispatch (range 0x1000315D, shift 0x100031AE) and command emission (IssueSingleCommand calls at 0x1000331A/0x1000335E/0x100034E6/0x10003507).
  • Reverse engineere
  • Step 1: Reviewed DriverEntry (0x140001000) to record the device pair \Device\KApcHelper1 / \DosDevices\KApcHelperLink1, blanket dispatch table, and registration of ProcessCreateNotifyHandler plus a dummy thread notify hook.
  • Step 2: Traced the init path into ResolveKernelApis (0x140001244) and LocateThreadFlagSetterPattern (0x1400014B0) to understand which kernel services and hidden thread helpers the driver depends on.
  • Step 3: Decompiled DeviceControlDispatcher (0x140001B70) to map IOCTLs, uncover the handshake scheme, and note how every command is obfuscated by the HandshakeSeed.
  • Step 4: Followed the command flow into HandleHandshakeSeed (0x140001124) to confirm token generation/validation and the use of HandshakeValidated as a global gate.

In-memory loader decrypts and manually maps an embedded payload before handing execution to its DllMain.

Investigation Log

  • Step 1: Confirmed IDA attachment to pikabot.exe and enumerated entry points (start at 0x49f3a2, TLS callback at 0x519630) to understand initial execution vectors.
  • Step 2: Reviewed CRT startup at 0x49f22b and wWinMain_ManualLoaderEntry (0x519b8f) to see the real work funneled into ManualMapEmbeddedDll.
  • Step 3: Checked TlsCallback_ProcessDetach (0x519630) and its thunk TlsCallback_CleanupThunk →
@superfashi
superfashi / flare-on-12-write-up.md
Last active March 28, 2026 16:13
Flare-On 12 Write-Up

Flare-On 12 Write-up


1 - Drill Baby Drill!

We are given a game written in Python. Once again, the source code is given because this is the first and easiest challenge, so let's dig into it directly.

@0xBruno
0xBruno / CefSharpEnum.js
Last active October 26, 2025 21:31
Enumerate CefSharp JS to .NET bindings
for (const key of Object.keys(window)) {
const value = window[key];
const type = (value != null && typeof value.toString === 'function')
? value.toString()
: Object.prototype.toString.call(value);
if(type instanceof Promise){
console.log(`${key}: ${await window[key].toString()}`);
}
#!/bin/bash
# MacBook Lid Angle Sensor Diagnostic Script
# This script helps identify the lid angle sensor on different MacBook models
echo "=============================================="
echo "MacBook Lid Angle Sensor Diagnostic Tool"
echo "=============================================="
echo ""
import os
import sys
import shutil
import zipfile
import platform
import tempfile
MAX_BACKUPS = 5
PATCHES = {
"chrome/devtools/modules/devtools/server/actors/thread.js": {