extr iidx
@iidx
iidx / pbctf_vaccine_stealer.md
Last active April 1, 2024 13:42
[PBCTF 2020] Vaccine Stealer Write-up
import json
import twitter

# Credentials are left blank in the gist; fill in your own app/user tokens.
api = twitter.Api(consumer_key='',
                  consumer_secret='',
                  access_token_key='',
                  access_token_secret='')

# tweet.js is the tweet archive exported from Twitter account settings.
with open("tweet.js", encoding="utf8") as f:
    tweets = json.loads(f.read())

# Delete every tweet listed in the archive by its status id.
for tweet in tweets:
    api.DestroyStatus(tweet['tweet']['id'])
@iidx
iidx / acsc2021_forensics.md
Last active September 23, 2021 06:09
acsc2021_forensics
{
  "AFSEnvironment" : 0,
  "AFSUrl" : "https://activity.windows.com",
  "ActivityStoreInfo" : [
    {
      "active" : true,
      "activityStoreId" : "D2A9DE73-67FE-B86E-A51D-C069D0A2EF6A",
      "stableUserId" : "98b5534bd174e8e1"
    },
    {

To solve the problem, focus on what the malware executed after 14:00 on 7 November 2020 (UTC+9) did to the registry. The intended approach is therefore to locate the affected subkeys by their last-modification timestamps.

The registry hive file in this problem cannot be analyzed with ordinary registry analysis tools: the tool must be able to load the registry transaction log files together with the hive.

Registry transaction log files act as a journal that temporarily stores data before it is written to the registry hive. When the hive is locked and cannot be written to directly, Windows uses this mechanism instead. The transaction log format is described at the following link.

@import "https://fonts.googleapis.com/css?family=Poppins:300,400,500,600,700";
@font-face {
  font-family: 'neon_tubes_2regular';
  src: url('/static/font/neontubes2-webfont.woff2') format('woff2'),
       url('/static/font/neontubes2-webfont.woff') format('woff');
  font-weight: normal;
  font-style: normal;
}

Keybase proof

I hereby claim:

  • I am iidx on github.
  • I am extr (https://keybase.io/extr) on keybase.
  • I have a public key whose fingerprint is 375E 3646 C3B3 66B6 D354 AB3A 06AA D146 AB5D 8B26

To claim this, I am signing this object:

@iidx
iidx / LR2IRLog_20160321224723627927_20160522180636453785.csv
Created May 28, 2016 12:08
LR2 IR Connection Log (2016-03-21 22:47:23 - 2016-05-22 18:06:36)
Time, Total BMS, Total Player, Now Playing, Total Score
2016-03-21 22:47:23.627927,225408,78743,175,13876362
2016-03-21 22:48:27.966975,225408,78743,170,13876372
2016-03-21 22:49:31.414692,225408,78743,166,13876380
2016-03-21 22:50:35.234392,225408,78743,161,13876393
2016-03-21 22:51:40.339887,225408,78743,164,13876403
2016-03-21 22:52:45.966743,225408,78743,162,13876409
2016-03-21 22:53:50.267170,225408,78743,157,13876417
2016-03-21 22:54:55.721988,225408,78743,165,13876426
2016-03-21 22:55:59.270184,225408,78743,160,13876437
# -*- coding: utf-8 -*-
# Python 2 script: fetches LR2IR ranking pages by BMS id.
import re, json
import urllib2 as u

bmsurl = "http://www.dream-pro.info/~lavalse/LR2IR/search.cgi?mode=ranking&bmsid="

def urlreq(url):
    """Return the response body for url, or None if the request fails."""
    try:
        return u.urlopen(u.Request(url)).read()
    except Exception as e:
        return None
@iidx
iidx / ex.js
Created April 1, 2016 11:22
ex.js
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('b(f("%h%g%2%4%e%5%2%d%1%6%c%0%8%3%1%6%q%0%3%1%7%7%a%o%5%p%i%2%m%4%9%j%0%8%k%0%9%l%1%a%3%n"));',27,27,'30|69|72|3B|28|61|3D|2D|31|22|29|eval|34|20|76|unescape|6F|66|65|32|36|2B|74|7D|7B|6C|3E'.split('|'),0,{}))