evandrix evandrix
Blevene / ElectricFish
Created Aug 14, 2019
CyberCom 8/14/19
Original File: 7cf5d86cc75cd8f0e22e35213a9c051b740bd4667d9879a446f06277782bffd1
Related (Yara Rule Results):
from ctypes import windll, c_int, byref
import platform
def is_syswow64_process():
    # platform.architecture() reports the interpreter's bitness, not the OS's.
    # A 64-bit process is never WOW64, so only a 32-bit process needs the OS check;
    # note the comparison is == here: returning False for "32bit" would skip exactly the WOW64 case.
    if platform.architecture()[0] == "64bit":
        return False
    # 32-bit process: ask the OS whether it runs under WOW64 (i.e. on a 64-bit OS)
    # Obtain process handle to self
    handle = windll.kernel32.GetCurrentProcess()
    # The gist preview ends above; the completion below is assumed from the imports (kernel32.IsWow64Process).
    # IsWow64Process writes a 32-bit BOOL, so c_int (not c_ushort) is the correct out-parameter type.
    is_wow64 = c_int(0)
    windll.kernel32.IsWow64Process(handle, byref(is_wow64))
    return bool(is_wow64.value)
elliptic-shiho /
Created Jun 24, 2019
Solver of Google CTF 2019 Quals "reality" (solved after the competition)
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
import base64
E = 226611012014558802453288800032037813546
key = long_to_bytes(E)
IV = b'\x00' * 16
ciphertext = base64.b32decode("YQLAC5DCJR57PYVUBQ4PXMH47IO5IETPUI7EDFUR7JWTNIHNTEAA====")
# E is a 128-bit integer, so long_to_bytes(E) yields a 16-byte AES-128 key
print(AES.new(key, AES.MODE_CBC, IV=IV).decrypt(ciphertext))
ujin5 / exploit.html
Created Jun 24, 2019
Google CTF Quals 2019 Monochromatic
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
teixeira0xfffff / MSAcpi_ThermalZoneTemperature.ps1
Created Jun 18, 2019
Anti-VM Techniques with MSAcpi_ThermalZoneTemperature
function Get-AntiVMwithTemperature {
    $t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi"
    # On most hypervisors this class is empty or the query fails with "Not supported";
    # a missing reading is the VM indicator, so report it instead of dividing $null
    if (-not $t) { return "No thermal zone data (likely VM)" }
    # CurrentTemperature is reported in tenths of a Kelvin
    $valorTempKelvin = $t.CurrentTemperature / 10
    $valorTempCelsius = $valorTempKelvin - 273.15
    $valorTempFahrenheit = (9/5) * $valorTempCelsius + 32
    return $valorTempCelsius.ToString() + " C : " + $valorTempFahrenheit.ToString() + " F : " + $valorTempKelvin + "K"
}
astarasikov /
Last active Jul 22, 2019
Ghidra script to rename functions from debug prints
/* ###
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
diff -Naur duktape/src-input/builtins.yaml duktape-ooo/src-input/builtins.yaml
--- duktape/src-input/builtins.yaml 2019-05-11 19:06:14.000000000 -0700
+++ duktape-ooo/src-input/builtins.yaml 2019-05-04 18:07:33.000000000 -0700
@@ -204,80 +204,80 @@
# This could be stripped when DUK_USE_GLOBAL_BUILTIN is disabled
# ("void 0" is the same and safer) but it's commonly used so keep.
- - key: "Object"
+ - key: "OOOObjectOOO"
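Review bot: the `- - key: "Object"` / `+ - key: "OOOObjectOOO"` pair renames the global builtin that every script and embedding reaches by the name `Object`, so anything that looks it up by that name will now fail, and the comment kept just above the hunk ("it's commonly used so keep") no longer describes what the entry does. If the rename is intentional, update that comment to say the builtin is exposed under the new name, and since the header shows 80 lines changed while only four are visible here, the commit message should list which other builtin keys were renamed so reviewers can check that every reference to the old names was updated consistently.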
zeux /
Last active Jul 15, 2019
Frequently asked questions about the Lua VM work we (Roblox) are doing.

We're working on a new Lua VM for Roblox and also introducing optional type checking to Lua (based on a combination of type inference and type annotations - the latter require extensions to the syntax). This page summarizes the questions often asked.

Why not just use LuaJIT?

We obviously know about LuaJIT; it's a fantastic project, and really what inspired us to go down this route - it provided an existence proof that Lua can be much faster. Our primary performance target is a wide set of platforms, many of which (iOS, Xbox) don't allow JIT per se - but LuaJIT has a very fast interpreter. So - use it, we're done? Well...

LuaJIT is a large, almost complete rewrite of the Lua VM. Over the years we had a set of changes aimed at improving sandboxing in the VM -

guedou /
Last active Aug 7, 2019
Call the Ghidra decompiler from the command line
// Copyright (C) 2019 Guillaume Valadon <>
// This program is published under a GPLv2 license
* Decompile a function with Ghidra
* analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript $FUNCTION_ADDRESS -deleteProject -noanalysis
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9