laanwj
laanwj
/ radare2_stackpointers.py
Last active
September 24, 2016 16:18
Compute, at each instruction, the value of the stack pointer relative to the return address. This is a tool to aid in reverse-engineering functions without fixed base frame pointer.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # W.J. van der Laan 2016 | |
| # Compute, at each instruction, the value of the stack pointer | |
| # relative to the return address. | |
| import sys | |
| import json | |
| import re | |
| instructions = json.load(sys.stdin, strict=False) | |
| debug = True |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Wladimir van der Laan 2016. This document is in the public domain. | |
| BLATSTING reverse-engineering notes. Based on files from the EQGRP free dump, | |
| more specifically in Firewall/BLATSTING/BLATSTING_201381/LP/lpconfig. | |
| In https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html, | |
| BLATSTING is described as "A firewall software implant that is used with EGREGIOUSBLUNDER | |
| (Fortigate) and ELIGIBLEBACHELOR (TOPSEC)". | |
| If true, it's interesting how this implant can target both vendors. Presumably they both use the same Linux |
laanwj
/ SecondDate-3.1.1.0.c
Last active
August 19, 2016 21:17
Some functions and data structures from SECONDDATE implant control module (extracted using https://github.com/laanwj/dwarf_to_c)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Basetype: unsigned int */ | |
| typedef unsigned int size_t; | |
| /* Basetype: unsigned char */ | |
| /* Basetype: short unsigned int */ | |
| /* Basetype: long unsigned int */ | |
| /* Basetype: signed char */ | |
| /* Basetype: short int */ | |
| /* Basetype: int */ | |
| /* Basetype: long long int */ | |
| /* Basetype: long long unsigned int */ |
laanwj
/ 18_smt2.py
Created
August 10, 2016 18:33
microcorruption ctf: 'invert' hash for Hollywood level using z3 constriant solver
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from __future__ import division, print_function, unicode_literals | |
| from z3 import * | |
| import binascii, struct | |
| def byteswp(a): | |
| ''' | |
| Build expression to swap bytes in 16-bit word. | |
| ''' | |
| return RotateLeft(a,8) # can also be RotateRight, or even Concat(Extract(), Extract()) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # Uses https://github.com/majek/pysiphash | |
| import siphash, struct, binascii | |
| _twoQ = struct.Struct('<QQ') | |
| def check_hash(data, value, sip=None): | |
| if sip is None: | |
| sip = siphash.SipHash_2_4(_twoQ.pack(0x0706050403020100, 0x0F0E0D0C0B0A0908)) | |
| v = sip.update(data).hash() | |
| if v != value: | |
| print('Mismatch for %s: %016x versus %016x' % ( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| ''' | |
| Example showing the use of RPC batching in Bitcoin Core. | |
| ''' | |
| # W.J. van der Laan | |
| # SPDX-License-Identifier: MIT | |
| import sys,os | |
| # just grab the library from the closest bitcoin instance | |
| sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'bitcoin', 'test', 'functional')) | |
| from test_framework.authproxy import AuthServiceProxy, JSONRPCException |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| AFLPATH=/store/orion/upstream/testing/afl | |
| CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++ ./configure --disable-shared | |
| export AFL_HARDEN=1 | |
| make |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set disable-randomization off | |
| set $_exitcode = -999 | |
| set height 0 | |
| handle SIGTERM nostop print pass | |
| handle SIGPIPE nostop | |
| define hook-stop | |
| if $_exitcode != -999 | |
| quit | |
| else | |
| shell echo | mail -s "NOTICE: app has stopped on unhandled signal" root |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # W.J. 2015 (License: MIT) | |
| import hashlib,sys,os | |
| BLOCKCHARS = '\u0020\u2598\u259d\u2580\u2596\u258c\u259e\u259b\u2597\u259a\u2590\u259c\u2584\u2599\u259f\u2588' | |
| def uhex(x): | |
| return ''.join(BLOCKCHARS[b>>4] + BLOCKCHARS[b&0xf] for b in x) | |
| for filename in sys.argv[1:]: | |
| if not os.path.isfile(filename): |
laanwj
/ bitstomp.py
Last active
October 30, 2015 15:02
Overwrite 4/8-byte heap leak from old mingw binutils
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python2 | |
| # W.J. 2015 (License: MIT) | |
| ''' | |
| Overwrite 4/8-byte heap leak from old mingw binutils. | |
| Input: test.exe test.map | |
| Create linker map with -Wl,-Map=mtest.map | |
| ''' | |
| from __future__ import print_function,division |