Skip to content

Instantly share code, notes, and snippets.

View Cr4sh's full-sized avatar
🌴

Dmytro Oleksiuk Cr4sh

🌴
View GitHub Profile
@Cr4sh
Cr4sh / guide-change-imei-snapdragon.md
Created October 16, 2024 18:31 — forked from Proxy13/guide-change-imei-snapdragon.md
[GUIDE] How to change IMEI on Snapdragon devices

[GUIDE] How to change IMEI on Snapdragon devices

FOR EDUCATIONAL PURPOSE ONLY, CHANGING IMEI IS ILLEGAL IN MOST COUNTRIES, MAKE SURE YOU CONVINCE YOUR ACTIONS BEFORE DOING THIS.

I DON'T RESPONSIBLE IF YOUR DEVICE IS BROKEN OR THE IMEI IS NOT CHANGED CAUSED BY YOU DIDN'T FOLLOW THE STEPS CAREFULLY OR HAVING A DIFFERENT EFS PARTITION SCHEME.

This guide was tested on Google Pixel 3, different device may also have a different EFS partition scheme, please make sure you adjust it with this guide. Other Google Pixel devices may use this guide without adjusting.

Prerequisites:

@Cr4sh
Cr4sh / gist:0e04de6889ce9fc657f1ea0ccdb42119
Created October 18, 2023 10:16
Windows Secure Kernel r/e hints and tips
To find SKPROCESS Policy offset:
__int64 __fastcall SkpspFindPolicy(__int64 a1, __int64 a2, int a3, __int64 a4, __int64 a5)
{
v5 = a4;
v6 = a3;
v7 = a2;
v8 = a1;
v12 = 0i64;
v9 = a1 + 0x1B8; // <--
@Cr4sh
Cr4sh / adder.c
Last active October 4, 2023 20:52
LiteX demo module
#include <stdlib.h>
#include <stdbool.h>
#include <irq.h>
#include <libbase/uart.h>
#include <libbase/console.h>
#include <generated/csr.h>
#include "adder.h"
@Cr4sh
Cr4sh / smm_backdoor_hyper_v.py
Created June 16, 2021 19:37
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
#!/usr/bin/env python
import sys, os, time, platform, ctypes
from struct import pack, unpack
from optparse import OptionParser, make_option
import smm_backdoor as bd
# how many seconds to wait for VM exit occur
VM_EXIT_WAIT = 3
@Cr4sh
Cr4sh / smm_backdoor_privesc_win.py
Created June 16, 2021 19:34
Example program that uses SMM backdoor for local privileges escalation under the Windows
#!/usr/bin/env python
import sys, os, platform, ctypes, ctypes.wintypes
from struct import pack, unpack
import smm_backdoor as bd
# MSR register used by swapgs
IA32_KERNEL_GS_BASE = 0xc0000102
@Cr4sh
Cr4sh / smm_backdoor_privesc_linux.py
Last active May 22, 2024 02:17
Example program that uses SMM backdoor for local privileges escalation under the Linux
#!/usr/bin/env python
import sys, os, platform, ctypes
from struct import pack, unpack
import smm_backdoor as bd
try:
import capstone
@Cr4sh
Cr4sh / kforge.cpp
Created May 15, 2021 03:22
Performing arbitrary kernel function calls on HVCI enabled systems with thread context hijacking
#include "stdafx.h"
// vulnerable driver device name
#define EXPL_DEVICE_PATH "\\\\.\\Global\\RTCore64"
// vulnerable driver service and file name
#define EXPL_DRIVER_NAME "RTCore64.sys"
#define EXPL_SERVICE_NAME "RTCore64"
// vulnerable driver IOCTL codes
@Cr4sh
Cr4sh / output.txt
Last active April 18, 2021 15:46
List of UEFI protocols, interfaces and loaded DXE drivers obtained with DMA attack tools
$ ./uefi.py
[+] Scanning memory range 0x76000000:0xa0000000
[+] Waiting for PCI-E link...
[+] PCI-E link with target is up
[+] Looking for DXE driver PE image...
[+] PE image is at 0x77866000
[+] PE image is at 0x77871000
[+] PROTOCOL_ENTRY address is 0x76bfaa98
[+] Registered UEFI protocols and interfaces:
@Cr4sh
Cr4sh / expl_msr_ko.py
Created July 1, 2020 23:32
msr.ko Linux kernel lockdown bypass PoC
import sys, os, mmap, subprocess
from struct import pack, unpack
from ctypes import *
IA32_SYSENTER_ESP = 0x175
IA32_SYSENTER_EIP = 0x176
class PyObj(Structure):
_fields_ = [( 'ob_refcnt', c_size_t ),
@Cr4sh
Cr4sh / at_commands_grammar.json
Last active June 12, 2020 06:58
AT commands fuzzer grammar file
{
"AT_CMD_GRAMMARS": {
"+CGSN": {
"struct": ["cmd"],
"cmd": "+CGSN"
},
"+CIND": {
"struct": ["cmd"],