slipstream/RoL Wack0

Wack0 / getduid.cs
Last active Dec 20, 2018
clipc!GetOfflineDeviceUniqueID PoC.
using System;
using System.Runtime.InteropServices;
enum RETRIEVAL_METHOD {
ODUID_DEFAULT = 0,
ODUID_TPM_EK,
ODUID_UEFI_VARIABLE_TPM,
ODUID_UEFI_VARIABLE_RANDOMSEED,
ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID
Wack0 / peb.c
Created Dec 31, 2017
Getting a pointer to the PEB in C, for every architecture that NT was ported to (where at least one build of the port was leaked/released)
// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.
// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.
inline PEB* NtCurrentPeb() {
#ifdef _M_X64
return (PEB*)(__readgsqword(0x60));
#elif _M_IX86
return (PEB*)(__readfsdword(0x30));
Wack0 / cex_crypto.cs
Created May 23, 2017
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
/*
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
another rrrring of lightningggg production by slipstream/RoL!
Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
Having done that, I took a closer look at the disc images.
The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
NT Workstation 4.0 Operating System").
Wack0 / mastostats.php
Last active Apr 19, 2017
CLI Mastodon network stats script. Uses instances.mastodon.xyz. Updates every 60 seconds.
<?php
// This class adapted from: https://www.if-not-true-then-false.com/2010/php-class-for-coloring-php-command-line-cli-scripts-output-php-output-colorizing-using-bash-shell-colors/
class Colors {
private static $foreground_colors = array(
'black'=>'0;30',
'dark_gray'=>'1;30',
'blue'=>'0;34',
'light_blue'=>'1;34',
'green'=>'0;32',
Wack0 / zzazz_fools17.md
Created Apr 5, 2017
missingno.sav Game Boy reversing challenge (TheZZAZZ April Fools challenge 2017) writeup

missingno.sav Game Boy reversing challenge writeup

Introduction

On March 31st 2017, TheZZAZZGlitch released his April Fools 2017 event.
The event was a crafted save file for Pokémon Blue, a small game where you need to use memory patching or debugging techniques to beat it.

After you beat the game, a password is generated which allows you to submit your score to the event website.
The best score (naturally, that score is 31337) can only be obtained by either patching the key-generation routine ("crackme"), or making your own keygen ("keygenme").
I, personally, did the latter.

Wack0 / blob10_pass.php
Created Jan 20, 2017
Blobby 10 password generation algorithm
<?php
// Blobby 10 zip-password generation algorithm.
array_shift($argv);
foreach ($argv as $zip) {
$p = '[';
$firstchar = ord($zip[0]);
$whitelisted_zips = array(
'9EIAC5FD.ZIP',
Wack0 / SbpParse.cs
Created Jan 13, 2017
Secure Boot Policy parser
using System;
using System.IO;
using LipingShare.LCLib.Asn1Processor;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
namespace SbpParse {
Wack0 / gist:25a155e9f7ecef46da180b55b7e87931

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/
App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/
Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
Wack0 / nit2016.asm
Created Nov 29, 2016
NIT2016? Very similar to the 2013 payload...
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
.mmx
Wack0 / upwned247.php
Last active Jan 23, 2019
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams: remote code exec: reverse shell PoC. (works only in qemu usermode)
<?php
/*
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
-------------------------
NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.