@amtal
amtal / cpuid.py
Created April 1, 2015 06:54
Poke CPUID from Python via AmihaiN's GetThreadContext wrapper
"""Poke interesting instructions from Python.
Uses the nifty trick in https://github.com/AmihaiN/pyAsm to run snippets then
inspect registers. (Use at own risk, nasm.exe source not verified, etc.)
"""
from pyAsm import pyAsm, A_32BIT
def regs(reg, sep='\n', txt=''):
    txt = txt.strip()
    acc = []
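The same "run a few bytes of machine code, then read the registers back" idea can be done on Linux/BSD without a debugger API: map an anonymous RWX page, write a hand-assembled CPUID stub into it, and call it through ctypes. This is an added example, not the gist's code and not the pyAsm/GetThreadContext mechanism it wraps; it assumes 64-bit Python on x86-64 with POSIX mmap flags and a platform that permits executable anonymous mappings, and returns None anywhere else.

```python
"""Run CPUID from Python by mapping a few bytes of hand-assembled x86-64 machine code.

Added example (not the gist's pyAsm-based code): ctypes + RWX mmap instead of a thread-context
wrapper. Assumes x86-64, 64-bit Python, and that an anonymous PROT_EXEC mapping is allowed.
"""
import ctypes
import mmap
import platform
import struct

# x86-64 SysV ABI stub: void stub(uint32 leaf /*edi*/, uint32 subleaf /*esi*/, uint32 *out /*rdx*/)
#   push rbx            ; callee-saved, and CPUID clobbers it
#   mov eax, edi
#   mov ecx, esi
#   mov r8, rdx         ; CPUID overwrites edx, so park the output pointer in r8
#   cpuid
#   mov [r8], eax
#   mov [r8+4], ebx
#   mov [r8+8], ecx
#   mov [r8+12], edx
#   pop rbx
#   ret
CPUID_STUB = bytes.fromhex(
    "53" "89f8" "89f1" "4989d0" "0fa2"
    "418900" "41895804" "41894808" "4189500c"
    "5b" "c3"
)

_STUB = None  # (mmap object, ctypes function) kept alive for the life of the process


def supported():
    """True only where the stub can run: 64-bit Python on x86-64 with POSIX mmap flags."""
    return (platform.machine().lower() in ("x86_64", "amd64")
            and struct.calcsize("P") == 8
            and hasattr(mmap, "PROT_EXEC"))


def _load_stub():
    global _STUB
    if _STUB is None:
        mem = mmap.mmap(-1, mmap.PAGESIZE,
                        prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
        mem.write(CPUID_STUB)
        addr = ctypes.addressof(ctypes.c_char.from_buffer(mem))
        proto = ctypes.CFUNCTYPE(None, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p)
        _STUB = (mem, proto(addr))
    return _STUB[1]


def cpuid(leaf, subleaf=0):
    """Return {'eax','ebx','ecx','edx'} for CPUID(leaf, subleaf), or None when unsupported
    or when the OS refuses an executable anonymous mapping (SELinux execmem, W^X policies)."""
    if not supported():
        return None
    try:
        fn = _load_stub()
    except (OSError, ValueError):
        return None
    out = (ctypes.c_uint32 * 4)()
    fn(leaf, subleaf, ctypes.addressof(out))
    return dict(zip(("eax", "ebx", "ecx", "edx"), out))


def vendor_string():
    """Leaf 0: ebx, edx, ecx (in that order) spell the 12-byte vendor id, e.g. 'GenuineIntel'."""
    r = cpuid(0)
    if r is None:
        return None
    return struct.pack("<III", r["ebx"], r["edx"], r["ecx"]).decode("ascii", "replace")


def hypervisor_present():
    """Leaf 1, ecx bit 31: the 'hypervisor present' flag most VMMs set for guests."""
    r = cpuid(1)
    return None if r is None else bool((r["ecx"] >> 31) & 1)


if __name__ == "__main__":
    print("vendor:", vendor_string())
    print("max basic leaf:", cpuid(0) and cpuid(0)["eax"])
    print("hypervisor:", hypervisor_present())
```

The mapping is never unmapped on purpose: the function pointer stays valid only while the page does, which is the same lifetime hazard that makes "pyAsm ... use at own risk" sound advice.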
--       S      D    O
fp_1 :: (src -> i -> o)   -- interpreter
     -> src               -- + source code
                          -- partial application magic happens here
     -> (i -> o)          -- = executable
--       Static Dyn Output
fp_2 :: ((src -> i -> o) -> src -> (i -> o))   -- fp_1
     -> (src -> i -> o)                        -- + interpreter
                                               -- partial application magic happens here
@amtal
amtal / b64_fixpoint.py
Last active November 15, 2015 17:47
Exploring http://xlogicx.net/?p=383 with z3py: proof of uniqueness + sub-second solutions
"""Finding fixpoints...
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64 = Vm0wd2QyU
> Vm0 -> Vm0w
> wd2 -> d2Qy
> QyU -> UXlV
[x] base64url = Vm0wd2QyU
> JJFEM -> JJFEMRKN
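The "proof of uniqueness" does not actually need an SMT solver. For any radix-2^k alphabet, output symbol j is bits [k*j, k*j+k) of the input byte stream, so only the first few symbols (3 for base64, 2 for base32, 1 for base16) depend on themselves; those can be found by exhaustive search, and every later symbol is then fixed by the bytes already in place. The following is an added example that is not the gist's z3py code: it replaces the solver with that search-and-extend construction and covers the base32 case shown on the last line (JJFEM -> JJFEMRKN) as well, cross-checked against the stdlib encoders.

```python
"""Self-encoding fixpoints of radix-2^k encodings: the string x with encode(x)[:len(x)] == x.

Added example, not the gist's z3py code: exhaustive search over the circular prefix, then
symbol-by-symbol extension. Works for any power-of-two alphabet (base64, base64url, base32, base16).
"""
import base64
import math
import string

# Alphabets in symbol-index order (character at index i <-> k-bit value i).
B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
B64URL = B64[:-2] + "-_"
B32 = string.ascii_uppercase + "234567"
B16 = "0123456789ABCDEF"


def bits_per_symbol(alphabet):
    n = len(alphabet)
    if n & (n - 1):
        raise ValueError("alphabet size must be a power of two")
    return n.bit_length() - 1  # 6 for base64, 5 for base32, 4 for base16


def symbol(alphabet, s, j):
    """Output symbol j of encode(s): bits [k*j, k*j+k) of the ASCII byte stream of s."""
    k = bits_per_symbol(alphabet)
    v = 0
    for b in range(k * j, k * j + k):
        v = (v << 1) | ((ord(s[b // 8]) >> (7 - b % 8)) & 1)
    return alphabet[v]


def circular_prefix_len(alphabet):
    """How many leading symbols feed back into themselves (3 for base64, 2 for base32, 1 for base16).
    Symbol j reads bytes up to (k*j+k-1)//8; once that index is < j, symbol j is fixed by earlier ones."""
    k = bits_per_symbol(alphabet)
    j = 0
    while (k * j + k - 1) // 8 >= j:
        j += 1
    return j


def seeds(alphabet):
    """Every prefix of the circular length that encodes to itself. The search is exhaustive
    (pruned on each symbol whose input bytes are already known), so a single result is a
    proof of uniqueness rather than a lucky find."""
    k = bits_per_symbol(alphabet)
    m = circular_prefix_len(alphabet)
    found = []

    def grow(prefix):
        if len(prefix) == m:
            found.append(prefix)
            return
        for c in alphabet:
            s = prefix + c
            known = [i for i in range(len(s)) if (k * i + k - 1) // 8 < len(s)]
            if all(symbol(alphabet, s, i) == s[i] for i in known):
                grow(s)

    grow("")
    return found


def self_encoding(alphabet, length):
    """The fixpoint string of the requested length; raises if the seed is not unique."""
    found = seeds(alphabet)
    if len(found) != 1:
        raise ValueError("expected exactly one seed, found %r" % found)
    s = list(found[0])
    while len(s) < length:
        s.append(symbol(alphabet, s, len(s)))  # depends only on bytes already present
    return "".join(s)


def stdlib_check(alphabet, encode, symbols):
    """Cross-check against a stdlib encoder: encode the longest prefix that yields exactly
    `symbols` output symbols without padding and compare with the computed fixpoint."""
    k = bits_per_symbol(alphabet)
    group_bits = 8 * k // math.gcd(8, k)  # one padding-free input group (24 bits for base64)
    groups = symbols * k // group_bits
    nbytes = groups * group_bits // 8
    fp = self_encoding(alphabet, symbols)
    return encode(fp[:nbytes].encode()).decode() == fp[: groups * group_bits // k]


def stdlib_checks(symbols=48):
    return {
        "base64": stdlib_check(B64, base64.b64encode, symbols),
        "base64url": stdlib_check(B64URL, base64.urlsafe_b64encode, symbols),
        "base32": stdlib_check(B32, base64.b32encode, symbols),
        "base16": stdlib_check(B16, base64.b16encode, symbols),
    }


if __name__ == "__main__":
    for name, alphabet in (("base64", B64), ("base64url", B64URL), ("base32", B32), ("base16", B16)):
        print("[x] %s seeds=%r %s" % (name, seeds(alphabet), self_encoding(alphabet, 32)))
    print(stdlib_checks())
```

The search visits at most 64 candidates per circular symbol (192 total for base64), which is where the sub-second runtime comes from; base64 and base64url share the seed "Vm0" because neither of the two alphabet-specific characters can satisfy the self-consistency equations.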
@amtal
amtal / opcodes.py
Last active June 25, 2016 06:49 — forked from anonymous/opcodes.py
"""1-byte opcode list grouped by octet.
So, pretty much http://www.sandpile.org/x86/opc_1.htm but worse!
Requires: capstone, colorama (windows), click
"""
import capstone
import click
engine = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
@amtal
amtal / preload.c
Created September 29, 2016 05:37
LD_PRELOAD scripting
#!/usr/bin/tcc -run
#define _GNU_SOURCE // must precede the first system header: features.h is evaluated once, so
                    // defining it after <stdio.h> has no effect (which is why the glibc-internal
                    // __USE_GNU macro seemed to be needed instead)
#include <stdio.h> // printf, perror, vsprintf
// injector
#include <stdlib.h> // setenv
#include <unistd.h> // execve
// hoooooks
#include <dlfcn.h> // dlsym, RTLD_NEXT
#include <string.h> // strcmp
#include <curses.h>
@amtal
amtal / Hybrids.md
Created January 17, 2017 08:28
Walkthrough of two dupes and an item corruption exploit for Diablo 2 in layman's terms

This is a common-jargon walkthrough of an interesting Diablo 2 exploit. It provides the necessary background information (network protocol and game mechanics) to gain some understanding of the primitives from which it's constructed. Since the exploit is against a black-box network service with no available code, exact details and subtleties remain a mystery. :)

Exploit effects

Diablo 2 items can have a list of properties with various effects. The most common items (normal or "white" ones) have very few possible effects; however, all items can have sockets. Rune and gem-type items can be inserted into sockets. Some sequences of runes are special - inserting them into a white item makes a runeword item with predictable special properties.

Here's an example runeword "Peace" created by inserting Shael, Thul, and Amn runes into a 3-socket Light Plate:

Peace + Enigma hybrid

@amtal
amtal / rappel.py
Last active June 23, 2023 04:03
Rappel.py is a pretty janky assembly REPL. It works by using keystone for R, and GDB for EPL.
""" Assembly REPL in gdb / possible sketchy binary patcher.
Usage:
    gdb -q ./target
        -x rappel.py    adds 'rappel' command
        [-write]        patches binary on disk, sometimes!
"""
import gdb, tempfile, keystone as ks
class Rappel(gdb.Command):
>>> import freki, z3; lift = freki.lift_instruction_at(bv,here); slv = z3.Solver(); lift.constrain(slv); lift
<module 'i8051.freki' from 'C:\Users\amtal\AppData\Roaming\Binary Ninja\plugins\i8051\freki.pyc'>
<Z3Lifter expr:1 constr:0 ssa_vars:['A']>
>>> slv
[Implies(0@0xc777,
         A#53 ==
         Concat(Extract(3, 0, A#52), Extract(7, 4, A#52)))]
>>> lift2 = freki.lift_function(current_function); lift2.constrain(slv); lift2
<Z3Lifter expr:5 constr:2 ssa_vars:['mem', 'rsp', 'rdi', 'rax']>
>>> SFR = lift2.ssa_vars['rax'][1]