amtal

View soundtools.py
>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[Implies(0@0xc777,
A#53 ==
Concat(Extract(3, 0, A#52), Extract(7, 4, A#52)))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]
amtal / rappel.py
Last active Aug 3, 2018
Rappel.py is a pretty janky assembly REPL. It works by using keystone for R, and GDB for EPL.
View rappel.py
""" Assembly REPL in gdb / possible sketchy binary patcher.
Usage:
gdb -q ./target
-x rappel.py adds 'rappel' command
[-write] patches binary on disk, sometimes!
"""
import gdb, tempfile, keystone as ks
class Rappel(gdb.Command):
amtal / Hybrids.md
Created Jan 17, 2017
Walkthrough of two dupes and an item corruption exploit for Diablo 2 in layman's terms
View Hybrids.md

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

Peace + Enigma hybrid

amtal / preload.c
Created Sep 29, 2016
LD_PRELOAD scripting
View preload.c
#!/usr/bin/tcc -run
#include <stdio.h> // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#define __USE_GNU // man page says _GNU_SOURCE but is wrong lol
#include <dlfcn.h> // dlsym
#include <string.h> // strcmp
#include <curses.h>
View opcodes.py
"""1-byte opcode list grouped by octet.
So, pretty much http://www.sandpile.org/x86/opc_1.htm but worse!
Requires: capstone, colorama (windows), click
"""
import capstone
import click
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
amtal / b64_fixpoint.py
Last active Nov 15, 2015
Exploring http://xlogicx.net/?p=383 with z3py: proof of uniqueness + sub-second solutions
View b64_fixpoint.py
"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
> JJFEM -> JJFEMRKN
View futamura.hs
--       S      D    O
fp_1 :: (src -> i -> o) -- interpreter
     -> src             -- + source code
     -- partial application magic happens here
     -> (i -> o)        -- = executable
--       Static                      Dyn     Output
fp_2 :: ((src -> i -> o) -> src -> (i -> o)) -- fp_1
     -> (src -> i -> o)                      -- + interpreter
     -- partial application magic happens here
amtal / cpuid.py
Created Apr 1, 2015
Poke CPUID from Python via AmihaiN's GetThreadContext wrapper
View cpuid.py
"""Poke interesting instructions from Python.
Uses the nifty trick in https://github.com/AmihaiN/pyAsm to run snippets then
inspect registers. (Use at own risk, nasm.exe source not verified, etc.)
"""
from pyAsm import pyAsm, A_32BIT
def regs(reg, sep='\n', txt=''):
    txt = txt.strip()
    acc = []
View mooltipass_trng.py
"""Looking for collisions in Mooltipass "TRNG" output.
The "TRNG" outputs 32 bit blocks whitened with Jenkins one at a time hash,
keeping no state between samples. Running ent or diehard on the output stream
produces a predictable "pass" result, since these tests do not take the 32 bit
block structure into account.
Excessive collisions found by the following test would disprove the null
hypothesis that each 32 bit sample from the "TRNG" is uniformly distributed.
View vimcrypt.py
#!/usr/bin/env python3
"""Usage: vimcrypt.py [FILE]...
Guesses first 64 bytes of vim-encrypted files. Method implemented is sufficient
for plain English (preferably with lots of spaces), but any knowledge of
underlying plaintext would do.
Example:
$ ./vimcrypt.py 1.txt 2.txt 3.txt 4.txt