Wack0 (slipstream/RoL)
Wack0 /
Last active Apr 13, 2018
Torrents Time bundles certificates and private keys.

Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure, I figured I might as well reverse it.

It seems to have three components: one (on Windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower-privileged user. There's also a Node.js application, server.js.

The native service seems to set up a localhost HTTPd on port 12400, 11400, 10400 or 9400, using whichever is open.

So, I browsed to it, and was astonished to discover it was running with TLS and gave the browser a valid certificate, signed by Thawte! (The cert was issued to, obviously to work around new CA rules. For the record, it currently resolves to as you'd probably expect.)

Wack0 / gist:f865ef369eb8c23ee028
Last active May 9, 2018
Komodia rootkit findings by @TheWack0lian

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this..

The Komodia rootkit config is located in a certain registry entry that's hardcoded in the driver. For Qustodio, it's HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qwd\Data.

The config structure is simple enough. An array of the following structure:

DWORD type;
BYTE unknown[32]; // I don't see anywhere that the driver actually *reads* any of this part,
                  // at least, not after writing to it first.
Wack0 /
Created Apr 5, 2017
missingno.sav Game Boy reversing challenge (TheZZAZZ April Fools challenge 2017) writeup

missingno.sav Game Boy reversing challenge writeup


On March 31st 2017, TheZZAZZGlitch released his April Fools 2017 event.
The event was a crafted save file for Pokémon Blue, a small game where you need to use memory patching or debugging techniques to beat it.

After you beat the game, a password is generated which allowed you to submit your score to the event website.
The best score (naturally, that score is 31337) can only be obtained by either patching the key-generation routine ("crackme"), or making your own keygen ("keygenme").
I, personally, did the latter.

Wack0 / nit2016.asm
Created Nov 29, 2016
NIT2016? Very similar to the 2013 payload...
; Input MD5 : 614D07EF7777CFF5CFDF741587A097DA
; Input CRC32 : B326AB6B
; ---------------------------------------------------------------------------
; File Name : C:\Users\raylee\nit - Copy.bin
; Format : Binary file
; Base Address: 0000h Range: 0000h - 02FCh Loaded length: 02FCh
Wack0 / upwned247.php
Last active Jan 23, 2019
UCam247/Phylink/Titathink/YCam/Anbash/Trivision/Netvision/others IoT webcams : remote code exec: reverse shell PoC. (works only in qemu usermode)
Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
usermode emulation (seems I pushed an old version), and removed debug output.
If anyone wants to fix this, go ahead (no pun intended).
However, I don't have a vulnerable product and am unwilling to acquire one.
Wack0 / gist:bda47c2bfadfb68d73ea
Created Jul 29, 2015
Cards against Security: list of all cards
Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
| id | content |
| 1 | _____ means never having to say you're sorry. |
| 2 | The pen tester found _____ in the trash while dumpster diving. |
| 3 | Our CIO has a framed a picture of _____. |
| 4 | 9 out of 10 experts agree, _____ will increase your security effectiveness. |
Wack0 / peb.c
Created Dec 31, 2017
Getting a pointer to the PEB in C, for every architecture that NT was ported to (where at least one build of the port was leaked/released)
// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.
// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.
#include <windows.h>
#include <winternl.h>  // PEB
#include <intrin.h>    // __readgsqword / __readfsdword
inline PEB* NtCurrentPeb() {
#ifdef _M_X64
    // x64: TEB is at gs:[0], TEB->ProcessEnvironmentBlock is at offset 0x60.
    return (PEB*)(__readgsqword(0x60));
#elif defined(_M_IX86)
    // x86: TEB is at fs:[0], TEB->ProcessEnvironmentBlock is at offset 0x30.
    return (PEB*)(__readfsdword(0x30));
Wack0 / getduid.cs
Last active Apr 6, 2020
clipc!GetOfflineDeviceUniqueID PoC.
using System;
using System.Runtime.InteropServices;
ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID