Skip to content

Instantly share code, notes, and snippets.

slipstream/RoL Wack0

Block or report user

Report or block Wack0

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Wack0
Wack0 / 1-torrents-time-certs-keys.md
Last active Apr 13, 2018
Torrents Time bundles certificates and private keys.
View 1-torrents-time-certs-keys.md

Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure.. I figured I might as well reverse it.

It seems to have three components, one (on windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower privileged user. There's also a nodejs application, server.js.

The native service seems to set up a localhost HTTPd, on either port 12400, 11400, 10400 or 9400, using whichever is open.

So, I browsed to it, and was astonished to discover it was running with TLS, and gave the browser a valid certificate, signed by Thawte! (the cert was issued to localhost.ttconfig.xyz, obviously to work around new CA rules. For the record, it currently resolves to 127.0.0.1 as you'd probably expect.)

@Wack0
Wack0 / gist:f865ef369eb8c23ee028
Last active May 9, 2018
Komodia rootkit findings by @TheWack0lian
View gist:f865ef369eb8c23ee028

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
                  // at least, not after writing to it first.
@Wack0
Wack0 / zzazz_fools17.md
Created Apr 5, 2017
missingno.sav Game Boy reversing challenge (TheZZAZZ April Fools challenge 2017) writeup
View zzazz_fools17.md

missingno.sav Game Boy reversing challenge writeup

Introduction

On March 31st 2017, TheZZAZZGlitch released his April Fools 2017 event.
The event being a crafted save file for Pokémon Blue, it being a small game where you need to use memory patching or debugging techniques to beat it.

After you beat the game, a password is generated which allowed you to submit your score to the event website.
The best score (naturally, that score is 31337) can only be obtained by either patching the key-generation routine ("crackme"), or making your own keygen ("keygenme").
I, personally, did the latter.

@Wack0
Wack0 / nit2016.asm
Created Nov 29, 2016
NIT2016? Very similar to the 2013 payload...
View nit2016.asm
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
.686p
.mmx
@Wack0
Wack0 / getduid.cs
Last active Dec 20, 2018
clipc!GetOfflineDeviceUniqueID PoC.
View getduid.cs
using System;
using System.Runtime.InteropServices;
enum RETRIEVAL_METHOD {
ODUID_DEFAULT = 0,
ODUID_TPM_EK,
ODUID_UEFI_VARIABLE_TPM,
ODUID_UEFI_VARIABLE_RANDOMSEED,
ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID
@Wack0
Wack0 / gist:bda47c2bfadfb68d73ea
Created Jul 29, 2015
Cards against Security: list of all cards
View gist:bda47c2bfadfb68d73ea
Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
+----+--------------------------------------------------------------------------------------------------------------+
| id | content |
+----+--------------------------------------------------------------------------------------------------------------+
| 1 | _____ means never having to say you're sorry. |
| 2 | The pen tester found _____ in the trash while dumpster diving. |
| 3 | Our CIO has a framed a picture of _____. |
| 4 | 9 out of 10 experts agree, _____ will increase your security effectiveness. |
@Wack0
Wack0 / upwned247.php
Last active Jan 23, 2019
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
View upwned247.php
<?php
/*
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
-------------------------
NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
@Wack0
Wack0 / peb.c
Created Dec 31, 2017
Getting a pointer to the PEB in C, for every architecture that NT was ported to (where at least one build of the port was leaked/released)
View peb.c
// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.
// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.
inline PEB* NtCurrentPeb() {
#ifdef _M_X64
return (PEB*)(__readgsqword(0x60));
#elif _M_IX86
return (PEB*)(__readfsdword(0x30));
You can’t perform that action at this time.