Neoma Fong neomafo88

🏠
Remote
View GitHub Profile

MD5 Collision with CRC32 Preimage

Here's the scenario: We want to craft two different messages with the same MD5 hash, and a specific CRC32 checksum, simultaneously.

In other words, we want an MD5 collision attack and a CRC32 preimage attack.

This might seem like a contrived scenario, but it's exactly the one I faced while producing my PNG hashquine (Yes OK maybe that's also a contrived scenario, cut me some slack).

On its own, a CRC32 preimage attack is trivial. You can craft a 4-byte suffix that gives any message a specific checksum, calculated using a closed-form expression (which I am too lazy to derive, not even with assistance from Z3). It's not an attack per se, since CRC32 was never meant to be cryptographically secure in the first place.

@pellaeon
pellaeon / child-gating-poc.py
Created September 23, 2022 12:21
Frida child-gating and spawn-gating example
"""
This POC is based on example from https://frida.re/news/#child-gating
and is aimed to instrument child processes along with the main one.
"""
from __future__ import print_function
import frida
from frida_tools.application import Reactor
import threading
@jborean93
jborean93 / Get-SMBApplicationKey.ps1
Last active October 12, 2022 19:44
Gets the SMB2 Application Key from a Logon Session
# Copyright: (c) 2022, Jordan Borean (@jborean93) <[email protected]>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
<# Example Code to Run on the Server
$pipeServer = [System.IO.Pipes.NamedPipeServerStream]::new("jordan-test", [System.IO.Pipes.PipeDirection]::InOut)
$pipeServer.WaitForConnection()
try {
    $tokenStat = Get-NamedPipeClientStatistics -Pipe $pipeServer
    $appKey = Get-SMBApplicationKey -LogonId $tokenStat.AuthenticationId
    [System.Convert]::ToBase64String($appKey.Applicationkey)
@0xca7
0xca7 / gist:f5d8d20fa07b69327cffa011296cda8d
Created September 19, 2022 11:33
get config from sample 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
"""
extracts config from sample: 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
0xca7
"""
from elftools.elf.elffile import ELFFile
def read_elf(path) -> bytes:
function Get-RdpLogonEvent
{
    [CmdletBinding()]
    param(
        [Int32] $Last = 10
    )
    $RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        ProviderName='Microsoft-Windows-Security-Auditing'
@X-C3LL
X-C3LL / FreshyCalls-VBA.vba
Created September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
@NyaMisty
NyaMisty / outline_graph.py
Created September 1, 2022 01:02
IDA Graph view with outlined function included
"""
summary: drawing custom graphs
description:
Showing custom graphs, using `ida_graph.GraphViewer`. In addition,
show how to write actions that can be performed on those.
keywords: graph, actions
"""
from __future__ import print_function
# -----------------------------------------------------------------------
@alexander-hanel
alexander-hanel / bn-cheat.md
Last active June 11, 2025 14:12
Cheat Sheet for Binary Ninja
@janoglezcampos
janoglezcampos / direct_syscall.rs
Last active September 2, 2022 13:26
Simplest rust direct syscall example
#![allow(non_snake_case)]
use std::arch::global_asm;
use std::mem::size_of;
use winapi::shared::ntdef::{OBJECT_ATTRIBUTES, HANDLE, NULL, PHANDLE, NTSTATUS};
use winapi::um::winnt::{ACCESS_MASK, PROCESS_VM_WRITE, PROCESS_VM_READ};
#[cfg(not(target_arch = "x86_64"))]
compile_error!("Only x86_64 machines");
@Armatix
Armatix / httpPostRequest.js
Last active September 12, 2022 22:52
Frida http post request from java/android
function javaPost(url, data) {
    const thread = Java.use("java.lang.Thread").$new();
    const Tjava = Java.ClassFactory.get(thread.getContextClassLoader());
    const Url = Tjava.use("java.net.URL").$new(url);
    let connection = Url.openConnection();
    connection = Java.cast(connection, Tjava.use("java.net.HttpURLConnection"));
    connection.setRequestMethod("POST");
    connection.setDoOutput(true);
    connection.setRequestProperty("Content-Type", "application/json;");
    const postData = Tjava.use("java.lang.String").$new(data);