Skip to content

Instantly share code, notes, and snippets.

View neomafo88's full-sized avatar
🏠
Remote

Neoma Fong neomafo88

🏠
Remote
16 followers · 39 following
View GitHub Profile
@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <[email protected]>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
@jershmagersh
jershmagersh / generate_api_code_with_db_context.md
Last active February 26, 2024 01:54

Can you write Python that extracts the copied_alphabet string from the __builtin_strncpy in this function and uses it to decrypt data wtihin the dec_sc_buff variable using the binary ninja API? 👤

🤖 To extract the copied_alphabet string and decrypt data within the dec_sc_buff variable using the Binary Ninja API, you can follow these steps: Extract the copied_alphabet string directly from the provided HLIL. Implement the decryption logic based on the operation described in the HLIL for modifying dec_sc_buff. Use the Binary Ninja API for any additional operations needed. Here is a Python example that accomplishes this:

@awakecoding
awakecoding / Install-DbgHelp.ps1
Created December 12, 2023 03:27
function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
@SinaKarvandi
SinaKarvandi / intercepting-memory-allocations.ds
Created November 24, 2023 09:10
intercepting-memory-allocations
start path "C:\Windows\notepad.exe"
g
? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;
? .is_commited = 0;
!sysret stage post script {
@Dump-GUY
Dump-GUY / GetR2RMethodDisassembly.ps1
Created November 20, 2023 17:06
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependecies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
@Dump-GUY
Dump-GUY / GetStringHeapObjects.ps1
Created November 13, 2023 14:08
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
@jlumbroso
jlumbroso / decrypt_all_pdfs.py
Created November 3, 2023 21:59
A Python script to recursively decrypt PDF files using `qpdf --decrypt`, handling files without passwords and overwriting the originals if decryption is successful.
#!/usr/bin/env python3
"""
decrypt_all_pdfs.py
Author: Jérémie Lumbroso <[email protected]>
Date: November 3, 2023
Description:
This script recursively finds all PDF files within a specified directory path,
checks if they are encrypted (without a password), and attempts to decrypt them
@csm10495
csm10495 / locked_cookie_test.py
Last active April 5, 2025 19:59
POC that fetches cookies from a locked cookies file on Windows with Chromium based browsers
@mathix420
mathix420 / medium.user.js
Last active May 5, 2025 02:32
Bypass Medium Paywall - Working late 2023 - Greasy Fork, Violentmonkey, Tampermonkey - Click the RAW button to install
// ==UserScript==
// @name Medium Paywall Bypass
// @namespace Violentmonkey Scripts
// @run-at document-start
// @match *://*.medium.com/*
// @match *://medium.com/*
// @match *://*/*
// @grant none
// @version 2.4
// @inject-into content
@0x07dc
0x07dc / torrc
Last active October 26, 2024 17:56
Torrc Exit Node Country Codes List (Filter Exit Nodes)
# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1, and Tor will ignore it
ClientOnionAuthDir D:\Program Files\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth
DataDirectory D:\Program Files\Tor Browser\Browser\TorBrowser\Data\Tor
GeoIPFile D:\Program Files\Tor Browser\Browser\TorBrowser\Data\Tor\geoip
GeoIPv6File D:\Program Files\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6
# SafeSocks 1 # Apparently only needed for Socks4 proxies -- Tor is using Socks5
TestSocks 1