
@stong
stong / tee.py
Last active April 29, 2022 04:48
Duplicate pwntools process output to stdout with tee(2) syscall
import sys
import os
from pwn import *
def tee_process(p):
import threading
import ctypes
libc = ctypes.CDLL(None)
splice = libc.splice
tee = libc.tee
@farazsth98
farazsth98 / harekaze_mini_ctf_2020.md
Last active February 27, 2021 05:24
Harekaze mini CTF 2020

I played Harekaze Mini CTF 2020 for about 3 hours this weekend. The pwn challenges were nice (I especially enjoyed nm-game-extreme). Here are some short writeups.

shellcode

The program just tells you to provide shellcode that will execute execve("/bin/sh", NULL, NULL). It gives you the address of the "/bin/sh" string, so you just create shellcode to do the job and send it:

#!/usr/bin/env python3

from pwn import *
@stong
stong / cheese.cpp
Last active August 28, 2024 01:26
pbctf 2020: Jiang Ying's Disasssembler author's writeup
// TLDR:
// Whitebox 128-bit rsa with e=17. Input is multiplied by a constant before the RSA
#include <Windows.h>
#include <stdio.h>
#include <stdint.h>
extern "C" void __fastcall rsa_encrypt (uint8_t* in, uint8_t* out);
// 1. Func is ~90kb, and control flow is simple. Should be decompilable, just extremely SLOW.
@geohot
geohot / prius_kf.py
Last active March 9, 2021 07:36
Prius Steering Angle Kalman Filter
%pylab inline
%load_ext autoreload
%autoreload 2
from tools.lib.route import Route
from tools.lib.logreader import LogReader
r,num = Route("ce2fbd370f78ef21|2020-11-27--16-27-28"),10
#r,num = Route("f66032c2b5aa18ac|2020-12-04--09-33-54"),30
alr = []
for n in range(num-1, num+5):
@LiveOverflow
LiveOverflow / hireme.ipynb
Created November 20, 2020 10:46
Hire me!!!!!!!!
@byt3bl33d3r
byt3bl33d3r / eventvwr_crash.py
Created September 18, 2020 08:12
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidentally re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)
@muff-in
muff-in / resources.md
Last active June 26, 2025 21:12
A curated list of Assembly Language / Reversing / Malware Analysis / Game Hacking resources
from pwn import *
PATH = "./prison_heap_hard"
ENV = {"LD_PRELOAD":"./libc-2.27.so"}
REMOTE = False
OFFSET_LEAK = 0x3ED8C0
OFFSET_SYSTEM = 0x000000000004f440
OFFSET_FREEHOOK = 0x00000000003ed8e8
import os
from pwn import *
PATH = "./prison_heap"
ENV = {"LD_PRELOAD":"./libc-2.27.so"}
REMOTE = True
OFFSET_LEAK = 0x3EBCA0
OFFSET_SYSTEM = 0x000000000004f440
OFFSET_FREEHOOK = 0x00000000003ed8e8
@Zulko
Zulko / cube_solver.py
Created December 26, 2019 20:12
A cube puzzle resolution script
import numpy as np
segments_lengths = [3, 2, 2, 2, 1, 1, 1, 2, 2, 1, 1, 2, 1, 2, 1, 1, 2]
assert sum(segments_lengths) == 27
def solve(cube, position, direction, segment_number):
if segment_number == len(segments_lengths):
return cube
x, y, z = direction
a1, a2 = np.array([y, z, x]), np.array([z, x, y])