evandrix
@Blevene
Blevene / ElectricFish
Created Aug 14, 2019
CyberCom 8/14/19
View ElectricFish
Original File: 7cf5d86cc75cd8f0e22e35213a9c051b740bd4667d9879a446f06277782bffd1
Related (Yara Rule Results):
View syswow64detect.py
from ctypes import windll, c_ushort, byref
import platform

def is_syswow64_process():
    if platform.architecture()[0] != "64bit":
        # 32-bit OS, no syswow64 handling
        return False
    # Ok, 64-bit OS, let's see if the process is 32-bit
    # Obtain process handle to self
@elliptic-shiho
elliptic-shiho / solve.py
Created Jun 24, 2019
Solver of Google CTF 2019 Quals "reality" (solved after the competition)
View solve.py
from Crypto.Util.number import long_to_bytes
from Crypto.Cipher import AES
import base64
E = 226611012014558802453288800032037813546
key = long_to_bytes(E)
IV = b'\x00' * 16
ciphertext = base64.b32decode("YQLAC5DCJR57PYVUBQ4PXMH47IO5IETPUI7EDFUR7JWTNIHNTEAA====")
print([AES.new(key, AES.MODE_CBC, IV=IV).decrypt(ciphertext)])
@ujin5
ujin5 / exploit.html
Created Jun 24, 2019
Google CTF Quals 2019 Monochromatic
View exploit.html
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
@teixeira0xfffff
teixeira0xfffff / MSAcpi_ThermalZoneTemperature.ps1
Created Jun 18, 2019
Anti-VM Techniques with MSAcpi_ThermalZoneTemperature
View MSAcpi_ThermalZoneTemperature.ps1
function Get-AntiVMwithTemperature {
$t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi"
$valorTempKelvin = $t.CurrentTemperature / 10
$valorTempCelsius = $valorTempKelvin - 273.15
$valorTempFahrenheit = (9/5) * $valorTempCelsius + 32
return $valorTempCelsius.ToString() + " C : " + $valorTempFahrenheit.ToString() + " F : " + $valorTempKelvin + "K"
}
@astarasikov
astarasikov / RenameFunctionsFromDebugPrints.java
Last active Jul 22, 2019
Ghidra script to rename functions from debug prints
View RenameFunctionsFromDebugPrints.java
/* ###
* IP: GHIDRA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
View duktape.ooo.diff
diff -Naur duktape/src-input/builtins.yaml duktape-ooo/src-input/builtins.yaml
--- duktape/src-input/builtins.yaml 2019-05-11 19:06:14.000000000 -0700
+++ duktape-ooo/src-input/builtins.yaml 2019-05-04 18:07:33.000000000 -0700
@@ -204,80 +204,80 @@
# This could be stripped when DUK_USE_GLOBAL_BUILTIN is disabled
# ("void 0" is the same and safer) but it's commonly used so keep.
- - key: "Object"
+ - key: "OOOObjectOOO"
value:
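Review bot: the context comment just above this change is now stale; it argues for keeping the `Object` entry because it is commonly used, yet the hunk renames the key to `OOOObjectOOO`, so scripts that reference the builtin as `Object` will no longer resolve it under its standard name. Either update the comment to state that the rename is intentional or note the intended effect on existing scripts alongside the change.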
@zeux
zeux / roblox-lua-vm.md
Last active Jul 15, 2019
Frequently asked questions about the Lua VM work we (Roblox) are doing.
View roblox-lua-vm.md

We're working on a new Lua VM for Roblox and also introducing optional type checking to Lua (based on a combination of type inference and type annotations - the latter require extensions to the syntax). This page summarizes the questions often asked.

Why not just use LuaJIT?

We obviously know about LuaJIT; it's a fantastic project, and really what inspired us to go down this route - it provided an existence proof that Lua can be much faster. Our primary performance target is a wide set of platforms, many of which (iOS, Xbox) don't allow JIT per se - but LuaJIT has a very fast interpreter. So - use it, we're done? Well...

LuaJIT is a large, almost complete rewrite of the Lua VM. Over the years we had a set of changes aimed at improving sandboxing in the VM -

@guedou
guedou / GhidraDecompiler.java
Last active Aug 7, 2019
Call the Ghidra decompiler from the command line
View GhidraDecompiler.java
// Copyright (C) 2019 Guillaume Valadon <guillaume@valadon.net>
// This program is published under a GPLv2 license
/*
* Decompile a function with Ghidra
*
* analyzeHeadless . Test.gpr -import $BINARY_NAME -postScript GhidraDecompiler.java $FUNCTION_ADDRESS -deleteProject -noanalysis
*
*/
View lockergoga.csv
first_submitted (epoch),first_submitted,sha256,file_magic,size,num_detections,RESULTS,signers,full_sig,country
1546950000,2019-01-08 12:20:00,c7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4,PE32+ executable for MS Windows (DLL) (console) Mono/.Net assembly,2097664,27,"Win64/Filecoder.LockerGoga.A,W64/Filecoder_LockerGoga.A!tr.ransom,Trojan-Ransom.LockerGoga",,,NL
1547710000,2019-01-17 7:26:40,5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c,PE32 executable for MS Windows (GUI) Intel 80386 32-bit,1284112,40,"Trojan[Ransom]/Win32.LockerGoga.a,Ransom.LockerGoga.S5239812,a variant of Win32/Filecoder.LockerGoga.A","""MIKL LIMITED; COMODO RSA Code Signing CA; COMODO SECURE™""","[{""status"":""Trust for this certificate or one of the certificates in the certificate chain has been revoked."",""valid usage"":""Code Signing"",""name"":""MIKL LIMITED"",""algorithm"":""sha256RSA"",""valid from"":""12:00 AM 06/25/2018"",""valid to"":""11:59 PM 06/25/2019"",""serial number"":""3D 25 80 E8 9