Skip to content

Instantly share code, notes, and snippets.

View xorhex's full-sized avatar

xorhex

23 followers · 6 following
View GitHub Profile
@xorhex
xorhex / theme.css
Created December 17, 2022 17:16
IDA - UI Candy
/* Credit for this template goes to HexRays' Support!
https://hex-rays.com/products/ida/news/8_2/ */
CustomIDAMemo
{
qproperty-line-bg-default: rgba(0, 0, 0, 0.0);
background: white url(/path/to/picture.png);
background-attachment: fixed;
background-repeat: none;
background-position: bottom right;
@xorhex
xorhex / go_macho.yar
Created October 15, 2022 02:47
Look for Go build ID in Macho X86_64 Files
import "macho"
rule is_go_macho {
strings:
$go = { ff 20 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 22 } // \xff Go build ID: \"
condition:
macho.cputype == macho.CPU_TYPE_X86_64
and
for any s in macho.segments : (
@xorhex
xorhex / CallOverString
Created January 6, 2022 14:52
rule CallOverString
{
strings:
$imp_1 = "LoadLibraryA"
$imp_2 = "WinHttpOpen"
condition:
for any of ($imp_*) : (
// Byte at address of string match minus 5 == call with relative offset opcode
@xorhex
xorhex / Dockerfile
Last active December 6, 2021 00:10
YARA Console Branch - Docker
FROM debian:bookworm-slim
RUN apt update && apt -y upgrade && apt install -y git automake libtool make gcc pkg-config libssl-dev libjansson-dev libmagic-dev bash && apt clean
RUN addgroup --gid 1835 yara; adduser --system -uid 1835 --gid 1835 --shell /bin/bash yara
RUN mkdir /home/yara/app && mkdir /home/yara/rules && mkdir /home/yara/malware
RUN chown -R yara:yara /home/yara/app; chown -R yara:yara /home/yara/rules; chown -R yara:yara /home/yara/malware;
USER yara
@xorhex
xorhex / LabyREnth Chl 2016, 1 - Key Check Algorithm Disassembled
Created September 22, 2019 00:43
ups0:004011B0
ups0:004011B0 ; =============== S U B R O U T I N E =======================================
ups0:004011B0
ups0:004011B0 ; Attributes: bp-based frame
ups0:004011B0
ups0:004011B0 ; int __cdecl sub_4011B0(char *Str)
ups0:004011B0 sub_4011B0 proc near ; CODE XREF: _main+3Bp
ups0:004011B0
ups0:004011B0 var_38 = dword ptr -38h
ups0:004011B0 counter = dword ptr -34h
@xorhex
xorhex / LabyREnth Chl 2016, 1 - Script Execution
Created September 22, 2019 00:42
$python keyfinder.py
key: 0x8c var_38: 0x0
Found answer for: 0x8c : P
key: 0xf1 var_38: 0x8c
Found answer for: 0xf1 : A
key: 0x53 var_38: 0x17d
Found answer for: 0x53 : N
key: 0xa3 var_38: 0x1d0
Found answer for: 0xa3 : {
key: 0x8 var_38: 0x273
@xorhex
xorhex / LabyREnth Chl 2016, 1 - Derive the Key
Created September 22, 2019 00:41
#!/usr/bin/env python
import string
secret = []
keys = ['0x8c', '0xf1', '0x53', '0xa3', '0x8', '0xd7', '0xdc', '0x48', '0xdb', '0xc', '0x3a', '0xee', '0x15', '0x22', '0xc4', '0xe5', '0xc9', '0xa0', '0xa5', '0xc', '0xd3', '0xdc', '0x51', '0xc7', '0x39', '0xfd', '0xd0', '0xf8', '0x3b', '0xe8', '0xcc', '0x3', '0x6', '0x43', '0xf7', '0xda', '0x7e', '0x65', '0xae', '0x80']
def hash(var_38, test_char):
return ((var_38 & 0xff) ^ (((((((ord(test_char) ^ 0x33) & 0xFF) + 0x44) & 0xFF) ^ 0x55) & 0xFF) - 0x66) & 0xFF) & 0xFF
@xorhex
xorhex / LabyREnth Chl 2016, 1 - Values to Compare Against
Created September 22, 2019 00:40
keys = ['0x8c', '0xf1', '0x53', '0xa3', '0x8', '0xd7', '0xdc', '0x48', '0xdb', '0xc', '0x3a', '0xee', '0x15', '0x22', '0xc4', '0xe5', '0xc9', '0xa0', '0xa5', '0xc', '0xd3', '0xdc', '0x51', '0xc7', '0x39', '0xfd', '0xd0', '0xf8', '0x3b', '0xe8', '0xcc', '0x3', '0x6', '0x43', '0xf7', '0xda', '0x7e', '0x65', '0xae', '0x80']
@xorhex
xorhex / LabyREnth Chl 2016, 1 - Hash Function
Created September 22, 2019 00:38
def hash(var_38, test_char):
return ((var_38 & 0xff) ^ (((((((ord(test_char) ^ 0x33) & 0xFF) + 0x44) & 0xFF) ^ 0x55) & 0xFF) - 0x66) & 0xFF) & 0xF
@xorhex
xorhex / Walk to IAT - _IMAGE_IMPORT_BY_NAME
Created September 22, 2019 00:25
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint;
BYTE Name[1];
} IMAGE_IMPORT_BY_NAME,*PIMAGE_IMPORT_BY_NAME;