>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[A#53 ==
 Concat(Extract(3, 0, A#52), Extract(7, 4, A#52))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]
amtal /
Last active Aug 3, 2018
is a pretty janky assembly REPL. It works by using keystone for R, and GDB for EPL.
""" Assembly REPL in gdb / possible sketchy binary patcher.
gdb -q ./target
-x adds 'rappel' command
[-write] patches binary on disk, sometimes!
import gdb, tempfile, keystone as ks
class Rappel(gdb.Command):
amtal /
Created Jan 17, 2017
Walkthrough of two dupes and an item corruption exploit for Diablo 2 in layman's terms

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

Peace + Enigma hybrid

amtal / preload.c
Created Sep 29, 2016
LD_PRELOAD scripting
View preload.c
#!/usr/bin/tcc -run
#include <stdio.h> // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#define __USE_GNU // man page says _GNU_SOURCE, but that only works if defined before the first #include; setting __USE_GNU here is enough to get RTLD_NEXT from dlfcn.h
#include <dlfcn.h> // dlsym
#include <string.h> // strcmp
#include <curses.h>
"""1-byte opcode list grouped by octet.
So, pretty much but worse!
Requires: capstone, colorama (windows), click
import capstone
import click
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
amtal /
Last active Nov 15, 2015
Exploring with z3py: proof of uniqueness + sub-second solutions
"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
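The seed search and the 3-to-4 growth shown in the transcript above, as an added example (my code, not the gist's z3py script): the z3 uniqueness proof is replaced by an exhaustive search over the alphabet, staged one output character at a time (char 0 depends only on byte 0, char 1 on bytes 0 and 1, char 2 on bytes 1 and 2), and the fixpoint is then grown by repeatedly encoding the known prefix and keeping only the characters the known bytes fully determine. Both base64 and base64url are covered, matching the two checks printed above.

```python
import base64

ALPHABETS = {
    "base64": (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
               b"abcdefghijklmnopqrstuvwxyz0123456789+/"),
    "base64url": (b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  b"abcdefghijklmnopqrstuvwxyz0123456789-_"),
}
ENCODERS = {"base64": base64.b64encode, "base64url": base64.urlsafe_b64encode}


def find_seeds(name="base64"):
    """Every 3-byte seed whose encoding begins with the seed itself.

    Each stage is exhaustive over the alphabet, so the returned list is a
    brute-force uniqueness proof, not just a first hit.
    """
    encode, alphabet = ENCODERS[name], ALPHABETS[name]
    seeds = []
    for b0 in alphabet:
        # output char 0 depends on byte 0 only; the other bytes are dummies
        if encode(bytes([b0, 65, 65]))[0] != b0:
            continue
        for b1 in alphabet:
            # output char 1 depends on bytes 0 and 1 only
            if encode(bytes([b0, b1, 65]))[1] != b1:
                continue
            for b2 in alphabet:
                seed = bytes([b0, b1, b2])
                if encode(seed)[:3] == seed:
                    seeds.append(seed.decode("ascii"))
    return seeds


def exact_prefix_len(n):
    """Leading output chars fully determined by n input bytes: 4 per whole
    3-byte group, plus 1 or 2 for a trailing 1 or 2 bytes (the next char
    would borrow bits from the still-unknown following byte)."""
    q, r = divmod(n, 3)
    return 4 * q + r


def fixpoint(n, name="base64", seed="Vm0"):
    """First n characters of the fixpoint, grown from the seed exactly as the
    transcript does: encode the known prefix, keep only the exact part."""
    encode = ENCODERS[name]
    s = seed
    while len(s) < n:
        enc = encode(s.encode("ascii")).decode("ascii")
        s = enc[:exact_prefix_len(len(s))]
    return s[:n]


def encodes_to_itself(s, name="base64"):
    """The '[x]' check from the transcript: encoding s must start with s."""
    return ENCODERS[name](s.encode("ascii")).decode("ascii").startswith(s)


if __name__ == "__main__":
    for name in ENCODERS:
        seeds = find_seeds(name)
        fp = fixpoint(64, name, seeds[0])
        mark = "x" if encodes_to_itself(fp, name) else " "
        print(f"[{mark}] {name}: seeds={seeds} {fp}")
```

The staged search touches 3 x 64 candidates instead of 64^3, which is why the whole thing runs in milliseconds; the proof content is the same as a flat enumeration, because each stage rejects every alphabet byte that cannot appear at that position regardless of what follows.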
View futamura.hs
-- S D O
fp_1 :: (src -> i -> o) -- interpreter
-> src -- + source code
-- partial application magic happens here
-> (i -> o) -- = executable
-- Static Dyn Output
fp_2 :: ((src -> i -> o) -> src -> (i -> o)) -- fp_1
-> (src -> i -> o) -- + interpreter
-- partial application magic happens here
amtal /
Created Apr 1, 2015
Poke CPUID from Python via AmihaiN's GetThreadContext wrapper
"""Poke interesting instructions from Python.
Uses the nifty trick in to run snippets then
inspect registers. (Use at own risk, nasm.exe source not verified, etc.)
from pyAsm import pyAsm, A_32BIT
def regs(reg, sep='\n', txt=''):
txt = txt.strip()
acc = []
"""Looking for collisions in Mooltipass "TRNG" output.
The "TRNG" outputs 32 bit blocks whitened with the Jenkins one-at-a-time hash,
keeping no state between samples. Running ent or diehard on the output stream
produces a predictable "pass" result, since these tests do not take the 32 bit
block structure into account.
Excessive collisions found by the following test would disprove the null
hypothesis that each 32 bit sample from the "TRNG" is uniformly distributed.
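A version of the collision test the docstring describes, as an added example (my code, not the gist's own script): it counts colliding pairs among 32-bit samples, compares the count with the birthday expectation C(n,2)/2^32 under the uniform null hypothesis, and turns the excess into a Poisson tail p-value. To show why per-bit tests keep passing, the samples come from a constructed stand-in generator that hashes only 16 bits of raw entropy through Jenkins one-at-a-time with no state between samples (an assumption for illustration; the Mooltipass hardware itself is not modelled), next to a reference that really does draw 32 bits per sample.

```python
import math
import random


def jenkins_oaat(data: bytes) -> int:
    """Bob Jenkins' one-at-a-time hash, 32-bit output."""
    h = 0
    for b in data:
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    h = (h + (h << 15)) & 0xFFFFFFFF
    return h


def expected_collisions(n: int, bits: int = 32) -> float:
    """Expected colliding pairs among n uniform `bits`-bit samples: C(n,2) / 2^bits."""
    return n * (n - 1) / 2 / (1 << bits)


def count_colliding_pairs(samples) -> int:
    """Unordered pairs (i < j) with samples[i] == samples[j]."""
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    return sum(c * (c - 1) // 2 for c in counts.values())


def poisson_upper_tail(k: int, mu: float) -> float:
    """P(X >= k) for X ~ Poisson(mu): the p-value of seeing k or more pairs
    when the null hypothesis predicts mu of them."""
    if k <= 0:
        return 1.0
    cdf = sum(math.exp(i * math.log(mu) - mu - math.lgamma(i + 1)) for i in range(k))
    return max(0.0, 1.0 - cdf)


def collision_test(samples, bits: int = 32):
    """(observed pairs, expected pairs, p-value) against the uniform null."""
    obs = count_colliding_pairs(samples)
    exp = expected_collisions(len(samples), bits)
    return obs, exp, poisson_upper_tail(obs, exp)


def monobit_fraction(samples, bits: int = 32) -> float:
    """Fraction of one bits in the stream: the kind of per-bit statistic that
    whitening keeps looking healthy even when the sample space is tiny."""
    ones = sum(bin(s).count("1") for s in samples)
    return ones / (len(samples) * bits)


def weak_trng(n: int, raw_bits: int = 16, seed: int = 0):
    """Constructed stand-in for a flawed 'TRNG': every output is the 32-bit hash
    of only `raw_bits` bits of raw entropy, with no state carried between samples,
    so at most 2**raw_bits distinct outputs can ever appear."""
    rng = random.Random(seed)
    return [jenkins_oaat(rng.getrandbits(raw_bits).to_bytes(4, "little"))
            for _ in range(n)]


def good_rng(n: int, seed: int = 0):
    """Reference stream with a full 32 bits of (pseudo)randomness per sample."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def run_demo(n: int = 5000):
    """Collision test and monobit fraction for both generators."""
    results = {}
    for name, samples in (("weak", weak_trng(n)), ("good", good_rng(n))):
        obs, exp, p = collision_test(samples)
        results[name] = {"pairs": obs, "expected": exp, "p": p,
                         "ones": monobit_fraction(samples)}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:5s} ones={r['ones']:.3f} pairs={r['pairs']} "
              f"expected={r['expected']:.4f} p={r['p']:.3g}")
```

With 5000 samples the uniform null predicts about 0.003 colliding pairs, so even a handful is decisive; the 16-bit stand-in produces on the order of two hundred while its one-bit fraction stays near 0.5, which is exactly the blind spot of stream-level tests that ignore the 32 bit block boundary.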
#!/usr/bin/env python3
"""Usage: [FILE]...
Guesses first 64 bytes of vim-encrypted files. Method implemented is sufficient
for plain English (preferably with lots of spaces), but any knowledge of
underlying plaintext would do.
$ ./ 1.txt 2.txt 3.txt 4.txt
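The "lots of spaces" heuristic the description relies on, as an added example (my code, not the gist's script): given several ciphertexts whose first 64 bytes were XORed with the same keystream (an assumption the multi-file usage above suggests but does not spell out; Vim's on-disk file format is not parsed here), each position is scanned for a ciphertext byte that XORs to 0 or a letter against every other ciphertext, which is the signature of a space, and the keystream byte is read off as that byte XOR 0x20. The plaintexts and the 64-byte keystream below are constructed for the demonstration.

```python
import hashlib
from collections import Counter

KEYSTREAM_LEN = 64


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def is_space_xor(x: int) -> bool:
    """space ^ space == 0 and space ^ letter is the same letter with its case
    flipped; letter ^ letter never lands inside either letter range."""
    return x == 0 or 0x41 <= x <= 0x5A or 0x61 <= x <= 0x7A


def recover_keystream(ciphertexts, length=KEYSTREAM_LEN):
    """Space-heuristic recovery of a keystream shared by several ciphertexts.

    At position i, ciphertext j is a space candidate if its byte XOR every
    other ciphertext's byte at i is 0 or a letter, with at least one letter
    (a column of identical bytes would otherwise pass).  Each candidate votes
    for keystream[i] = c_j[i] ^ 0x20; the majority wins.  Positions where no
    file has a space stay unknown.  Returns {position: key byte}.
    """
    cols = [c[:length] for c in ciphertexts]
    found = {}
    for i in range(length):
        column = [c[i] for c in cols if len(c) > i]
        votes = Counter()
        for j, cj in enumerate(column):
            xs = [cj ^ ck for k, ck in enumerate(column) if k != j]
            if xs and all(is_space_xor(x) for x in xs) and any(xs):
                votes[cj ^ 0x20] += 1
        if votes:
            found[i] = votes.most_common(1)[0][0]
    return found


def partial_decrypt(ciphertext, keystream, length=KEYSTREAM_LEN, unknown=b"?"):
    """Decrypt the recovered positions; unknown ones are shown as '?'."""
    out = bytearray()
    for i, c in enumerate(ciphertext[:length]):
        out += bytes([c ^ keystream[i]]) if i in keystream else unknown
    return bytes(out)


# Constructed plaintexts: lowercase letters and spaces only, each >= 64 bytes.
SAMPLE_TEXTS = [
    "the quick brown fox jumps over the lazy dog while the farmer sleeps in the old barn",
    "it was the best of times it was the worst of times it was the age of wisdom",
    "call me ishmael some years ago never mind how long precisely having little money",
    "all happy families are alike but each unhappy family is unhappy in its own way",
    "a spectre is haunting the continent and the powers of old have united to hunt it",
    "whether i shall turn out to be the hero of my own life these pages must show",
    "in a hole in the ground there lived a hobbit not a nasty dirty wet hole at all",
    "many years later as he faced the firing squad the colonel was to remember that",
    "there was no possibility of taking a walk that day we had been wandering indeed",
    "once upon a time and a very good time it was there was a moocow coming down",
    "stately plump buck mulligan came from the stairhead bearing a bowl of lather",
    "you do not know about me without you have read a book by the name of tom sawyer",
]
# Constructed 64-byte keystream standing in for whatever the cipher produced.
SAMPLE_KEYSTREAM = hashlib.sha512(b"constructed demo keystream").digest()
SAMPLE_CIPHERTEXTS = [xor_bytes(t.encode("ascii"), SAMPLE_KEYSTREAM) for t in SAMPLE_TEXTS]


def demo():
    """Recover the keystream from the sample files; returns (found, correct count)."""
    found = recover_keystream(SAMPLE_CIPHERTEXTS)
    correct = sum(1 for i, k in found.items() if k == SAMPLE_KEYSTREAM[i])
    return found, correct


if __name__ == "__main__":
    found, correct = demo()
    print(f"recovered {len(found)}/{KEYSTREAM_LEN} key bytes, {correct} correct")
    for c in SAMPLE_CIPHERTEXTS[:3]:
        print(partial_decrypt(c, found).decode("ascii", "replace"))
```

Punctuation and digits weaken the test in both directions (a letter XOR '.' can land in a letter range, and a digit in one file vetoes a true space in another), which is why the description says plain English with lots of spaces works best; once a few files are readable, known words can be fed back in as cribs to fill the remaining positions.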