mishap oopsmishap
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int __stdcall sub_10001100(_DWORD *a1, unsigned int a2, unsigned int a3) | |
| { | |
| _DWORD *v3; // edi | |
| unsigned int v4; // ebx | |
| unsigned int v5; // esi | |
| int v6; // edx | |
| unsigned int v7; // eax | |
| int v8; // ecx | |
| unsigned int v9; // edx | |
| unsigned __int16 *v10; // edx |
oopsmishap
/ astaroth_hide_timewasters.py
Created
January 31, 2023 21:33
Astaroth hide timewaster function calls
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import idautils | |
| import idaapi | |
| import ida_bytes | |
| import ida_search | |
| import ida_segment | |
| import ida_nalt | |
| def find_function(pattern): | |
| text = ida_segment.get_segm_by_name('.text') | |
| return ida_search.find_binary(text.start_ea, text.end_ea, pattern, 16, ida_search.SEARCH_DOWN) |
oopsmishap
/ _rhadamanthys_stage3_unpacker.py
Last active
March 18, 2023 16:10
Rhadamanthys stage3 unpacker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| def extract_stage3(stage3_buffer): | |
| # struct stage3_header | |
| # { | |
| # uint32_t magic; | |
| # uint16_t block_count; | |
| # uint16_t header_size; | |
| # uint32_t entry_offset; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, IRP *arg_irp) | |
| { | |
| __int64 idx; // rdi | |
| _IO_STACK_LOCATION *CurrentStackLocation; // rbx | |
| ULONG_PTR len; // rdi | |
| ULONG InputBufferLength; // esi | |
| unsigned __int64 OutputBufferLength; // r12 | |
| int v8; // esi | |
| void *SystemBuffer; // r15 | |
| char v10; // al |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # (C) Rolf Rolles, Mobius Strip Reverse Engineering, 9/21/2021. | |
| import idaapi | |
| from functools import reduce | |
| stl_map_keyvalue_fmt = ("struct {2}_{3}_keyvalue_t" | |
| "{{" | |
| "{0} key;" | |
| "{1} value;" | |
| "}};") |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x4010c0 handletest_x86.exe|push ebp|ebp=0x19ff74|esp=0x19ff2c | |
| 0x4010c1 handletest_x86.exe|mov ebp, esp|esp=0x19ff28 | |
| 0x4010c3 handletest_x86.exe|push 0x41e9bc|esp=0x19ff28 | |
| 0x4010c8 handletest_x86.exe|call 0x401080|esp=0x19ff24|eip=0x4010c8 | |
| 0x401080 handletest_x86.exe|push ebp|ebp=0x19ff28|esp=0x19ff20 | |
| 0x401081 handletest_x86.exe|mov ebp, esp|esp=0x19ff1c | |
| 0x401083 handletest_x86.exe|sub esp, 8|esp=0x19ff1c | |
| 0x401086 handletest_x86.exe|lea eax, [ebp + 0xc]|ebp=0x19ff1c | |
| 0x401089 handletest_x86.exe|mov dword ptr [ebp - 4], eax|ebp=0x19ff1c|eax=0x19ff28 | |
| 0x40108c handletest_x86.exe|mov ecx, dword ptr [ebp - 4]|ebp=0x19ff1c |
NewerOlder