This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall sub_1400014F0(int a1) | |
| { | |
| __int64 result; // rax | |
| if ( !(unsigned int)sub_1400012F0() ) | |
| return 0xFFFFFFFFi64; | |
| result = 0i64; | |
| if ( !dword_14000C7C0 ) | |
| return 0xFFFFFFFFi64; | |
| while ( a1 != dword_14000C7C4[2 * result] ) |
ghoulgy
/ llvm_obfuscated_sample.cpp
Created
February 5, 2022 14:37
[RedDev Series #4] LLVM obfuscated psudocode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall sub_140004430(int a1) | |
| { | |
| unsigned int v1; // edi | |
| int v2; // er12 | |
| unsigned int v3; // er13 | |
| int v5; // eax | |
| unsigned int v6; // edx | |
| bool v7; // bl | |
| unsigned __int8 v8; // cl | |
| bool v9; // dl |
ghoulgy
/ bazarloader_decrypted_win_api.txt
Created
November 25, 2021 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x351048: InternetOpenA | |
| 0x351258: InternetConnectA | |
| 0x3512ad: InternetConnectA | |
| 0x351310: InternetCloseHandle | |
| 0x351407: HttpOpenRequestA | |
| 0x3516fd: GetTickCount | |
| 0x351743: GetTickCount | |
| 0x352b64: HttpSendRequestA | |
| 0x352c7f: HttpQueryInfoA | |
| 0x352d78: InternetCloseHandle |
ghoulgy
/ StubApp.java
Last active
November 12, 2021 02:01
arm/StubApp c951e7c322530cbd470cc1ba0c103d93fcf3fd3120af53de3dae128d70adfb38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package arm; | |
| ... | |
| public class StubApp extends Application { | |
| public static final String MAIN_APPLICATION = "com.e4a.runtime.android.E4Aapplication"; | |
| static { | |
| System.loadLibrary("arm_protect"); | |
| } | |
| static void loadDex(List list, Context context) { |
ghoulgy
/ AndroidManifest.xml
Created
October 17, 2021 06:58
Android Manifest for c951e7c322530cbd470cc1ba0c103d93fcf3fd3120af53de3dae128d70adfb38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="23" android:compileSdkVersionCodename="6.0-2438415" package="com.fDEjydykk" platformBuildVersionCode="23" platformBuildVersionName="6.0-2438415"> | |
| <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/> | |
| <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/> | |
| <uses-permission android:name="android.permission.GET_TASKS"/> | |
| <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/> | |
| <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> | |
| <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/> | |
| <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/> | |
| <uses-permission android:name="android.permission.READ_PHONE_STATE"/> | |
| <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // https://wikileaks.org/ciav7p1/cms/page_11628909.html | |
| #include <iostream> | |
| #include <WbemCli.h> | |
| #pragma comment(lib, "wbemuuid.lib") | |
| int wmain(int argc, wchar_t* argv[]) | |
| { | |
| if (argc != 2) { | |
| printf("Usage: binary.exe <command>"); | |
| return 0; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void FUN_140001070(int param_1,longlong param_2,undefined8 param_3,undefined8 param_4) | |
| { | |
| u_short uVar1; | |
| HRESULT HVar2; | |
| int iVar3; | |
| basic_ostream<char,struct_std::char_traits<char>_> *this; | |
| longlong *plVar4; | |
| undefined8 uVar5; | |
| wchar_t *pwVar6; |
ghoulgy
/ qiling_conti_stack_string_dec_get.py
Created
March 15, 2021 08:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Conti Ransomware | |
| ''' | |
| "OleAut32.dll", | |
| "Iphlpapi.dll", | |
| "Kernel32.dll", | |
| "Shell32.dll", | |
| "Rstrtmgr.dll", | |
| "Netapi32.dll", | |
| "Advapi32.dll", | |
| "Shlwapi.dll", |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Conti Ransomware | |
| import json | |
| import pefile | |
| from qiling import * | |
| # Hashes collected from the malware | |
| sample_hashes =["0xd52132a3", "0xf701962c", "0x6a095e21", "0xdf1af05e", "0x5d48fbaf", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0xbe3d21a8", "0x5fa07416", "0xf06e87ca", "0x1b1acbcc", "0x269e9ef4", "0xb9072e66", "0x92f9234b", "0xf955c4d0", "0xf955c4d0", "0xa5eb6e47", "0xa5eb6e47", "0x2bdbdf4e", "0xcc12507f", "0xd3a7a468", "0xb32feeec", "0xdf1af05e", "0xb32feeec", "0xe6bc0210", "0x5243a16a", "0xeedec24b", "0xe6bc0210", "0xde5dbfdc", "0xd3a7a468", "0xe6bc0210", "0xe6bc0210", "0x1972bf90", "0x78ee4dfa", "0xeedec24b", "0xd3a7a468", "0x4d9702d0", "0x7324a0a2", "0x6a095e21", "0xa5eb6e47", "0xa5eb6e47", "0x1b99344d", "0x1b99344d", "0x2ffbe59f", "0x2ffbe59f", "0xc88071b1", "0x21cca665", "0xc45f4a8c", "0xc45f4a8c", "0xc45f4a8c", "0xf99eabb9", "0xc7dfa7fc", "0xd72e57a9", "0xd72e57a9", "0xd72e57a9", "0xd72e57 |
ghoulgy
/ Ghidra_qak_decode.py
Last active
November 8, 2020 07:02
Qakbot string decode script for GHIDRA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Qakbot string decode script for GHIDRA | |
| #@author ChiamYJ | |
| #@category [Malware Analysis] Qakbot | |
| # The address might be different in your machine. | |
| dec_routine = toAddr(0x10010eff) | |
| enc_strings = toAddr(0x10028a50) | |
| bytes_arr = toAddr(0x1002f188) | |
| comm_addr = 0 |
NewerOlder