Skip to content

Instantly share code, notes, and snippets.

@Wack0
Wack0 / hashes.txt
Created May 9, 2023 21:01
A list of boot application PE-signing (Authenticode) SHA256 hashes in the SkuSiPolicy.p7b
0021B5B11CEB03402D618134800A36C54E1C4328AD389D50B40EACC1E881DCB5
003F6B0E35ADFFFCD277EBF1595136914789685A777CF93A937F3A0EBD4A463B
005BE4327DED378C051FE408F594124E3893171BC7D7809F0CFB9DC1F334DCD5
00A3848FC09150E51284553E74A6DFA18B4D07A86F69EF5104F78B7A8DA9C778
010168A3BCCA42B3706DAC7A8D07C192692053FB588D4CE7205B3B28987BC9ED
014104339BFA49DE78A4BAF25C9816B4247EA15F6713BF96B112727D50D6634C
0146A05EC4942A291EA2DB8E320D44445977676AD5C6D459FCAB50CD19970406
016510D1AB0628126F605168F59465C54787371F94DFC5EED2A3AC06D5CCF2C4
01701DF013DB380EB264424BFD7EB6D5AD37E221F5449E983637FF86BB652EEF
017FA1F83DCC61F1874EA9585DBB7CBF9E57843C687DE596DE3DE5E7592C297E
@Wack0
Wack0 / blacklotus.cer
Created March 3, 2023 12:09
BlackLotus self-signed cert
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIQVwtdIrcjtKRCzG7uvCWA6DANBgkqhkiG9w0BAQUFADAb
MRkwFwYDVQQDDBBXaGVuIFRoZXkgQ3J5IENBMB4XDTIyMDgxMzE3NDg0NFoXDTMy
MDgxMzE3NTg0NFowGzEZMBcGA1UEAwwQV2hlbiBUaGV5IENyeSBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMe7LulZX7nuQkZlyUXG5x2kqVvWEhGo
lSspXMBSxinOYuGXeG0EeVilKexQWvgW69w39CSYoI7hzbFILMzpQonvfESKl+NV
mlgqvKrLDsonByedtJ4+f4UtLHIMFrYRrm+b5YHA13jCPIexiNc7k0zfFeue3pfS
E4AlWGnXc8XGYnRU2qONfSMP2i9MyVtUSWPkhcxOcdoyGkRpGn31Iu9aPtbtF3RN
7m+eo1ZjZZE+101wMjJRo/kDDm5IUV2ZYNUCTNiA3snazvm1XPU2dOmWmiGaZ8SR
zKWLSXEP18R36zABRjcZ6gQYR3GAc+uJn9afsDgr67v4eCWQr3QUVd0CAwEAAaNj
@Wack0
Wack0 / getduid.cs
Last active June 20, 2024 02:10
clipc!GetOfflineDeviceUniqueID PoC.
using System;
using System.Runtime.InteropServices;
enum RETRIEVAL_METHOD {
ODUID_DEFAULT = 0,
ODUID_TPM_EK,
ODUID_UEFI_VARIABLE_TPM,
ODUID_UEFI_VARIABLE_RANDOMSEED,
ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID
@Wack0
Wack0 / peb.c
Created December 31, 2017 16:31
Getting a pointer to the PEB in C, for every architecture that NT was ported to (where at least one build of the port was leaked/released)
// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.
// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.
inline PEB* NtCurrentPeb() {
#ifdef _M_X64
return (PEB*)(__readgsqword(0x60));
#elif _M_IX86
return (PEB*)(__readfsdword(0x30));
@Wack0
Wack0 / cex_crypto.cs
Created May 23, 2017 11:41
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
/*
Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
another rrrring of lightningggg production by slipstream/RoL!
Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
Having done that, I took a closer look at the disc images.
The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
NT Workstation 4.0 Operating System").
@Wack0
Wack0 / mastostats.php
Last active April 19, 2017 16:01
CLI Mastodon network stats script. Uses instances.mastodon.xyz. Updates every 60 seconds.
<?php
// This class adapted from: https://www.if-not-true-then-false.com/2010/php-class-for-coloring-php-command-line-cli-scripts-output-php-output-colorizing-using-bash-shell-colors/
class Colors {
private static $foreground_colors = array(
'black'=>'0;30',
'dark_gray'=>'1;30',
'blue'=>'0;34',
'light_blue'=>'1;34',
'green'=>'0;32',
@Wack0
Wack0 / zzazz_fools17.md
Created April 5, 2017 12:04
missingno.sav Game Boy reversing challenge (TheZZAZZ April Fools challenge 2017) writeup

missingno.sav Game Boy reversing challenge writeup

Introduction

On March 31st 2017, TheZZAZZGlitch released his April Fools 2017 event.
The event being a crafted save file for Pokémon Blue, it being a small game where you need to use memory patching or debugging techniques to beat it.

After you beat the game, a password is generated which allowed you to submit your score to the event website.
The best score (naturally, that score is 31337) can only be obtained by either patching the key-generation routine ("crackme"), or making your own keygen ("keygenme").
I, personally, did the latter.

@Wack0
Wack0 / blob10_pass.php
Created January 20, 2017 22:37
Blobby 10 password generation algorithm
<?php
// Blobby 10 zip-password generation algorithm.
array_shift($argv);
foreach ($argv as $zip) {
$p = '[';
$firstchar = ord($zip[0]);
$whitelisted_zips = array(
'9EIAC5FD.ZIP',
@Wack0
Wack0 / SbpParse.cs
Last active September 9, 2022 20:48
Secure Boot Policy parser
using System;
using System.IO;
using LipingShare.LCLib.Asn1Processor;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;
namespace SbpParse {

Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/ App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/ Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/

Deobfuscated taskscheduler .xml string:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>