Brian Baskin Rurik
Rurik
/ multibyte_xor.py
Last active
November 3, 2022 13:05
Generic code to do a multi-byte XOR encoding
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def multibyte_xor(data, key): # Python 2 | |
| from itertools import izip, cycle | |
| return ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(data, cycle(key))) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import time | |
| while True: | |
| os.mkdir('F:\\A') | |
| time.sleep(10) | |
| os.rmdir('F:\\A') |
Rurik
/ asm_find_math.py
Last active
September 16, 2023 17:17
Detect subroutines that may have encryption/encoding routines by finding XOR and shift routines.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Automatically find XOR/SHL/SHR routines from an executable | |
| # Uses IDAW (text IDA) | |
| # @bbaskin - brian @ thebaskins.com | |
| # While other, more powerful scripts like FindCrypt find known | |
| # algorithms this is used to find custom encoding or modified | |
| # encryption routines | |
| """ | |
| Script results: | |
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |
Rurik
/ gist:6556041
Last active
March 6, 2024 21:31
Python functions to compress folder paths to include their environment variable. This is the opposite of os.path.expandvars(). For example, "C:\Windows\system32\cmd.exe" would resolve to "%WINDIR%\system32\cmd.exe".
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #@bbaskin | |
| import os | |
| import re | |
| # Thanks to Andrew Havens of Cipher Tech for figuring out how to escape the paranthesis to work with | |
| # both expandvars and regex | |
| def generalize_vars_init(): | |
| """ | |
| Initialize a dictionary with the local system's environment variables. |
OlderNewer