Marcos Álvares mabj
mabj
/ smokeloader_pe.py
Created
June 10, 2020 16:11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| from lief import PE | |
| # Constants | |
| IMAGE_BASE = 0x02060000 | |
| ENTRY_POINT_OFFSET = 0x734 | |
| CODE_PAYLOAD_FILE = 'explorer_02060000.bin' | |
| DATA_PAYLOAD_FILE = 'explorer_00B60000.bin' | |
| FILE_ALIGNMENT = 0x200 |
mabj
/ HexCopy.py
Created
June 6, 2020 14:32
— forked from herrcore/HexCopy.py
IDA Plugin for quickly copying disassembly as encoded hex bytes (updated for IDA 7xx)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################################ | |
| ## | |
| ## One-Click Hex Copy! | |
| ## | |
| ## Updated for IDA 7.xx | |
| ## | |
| ## All credit for actual IOCTL decode logic: | |
| ## http://www.osronline.com/article.cfm?article=229 | |
| ## | |
| ## Big thanks to @gaasedelen for the IDA 7 update ideas: |
mabj
/ calls_compression_looper.cpp
Created
January 13, 2020 11:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _WIN32_WINNT 0x0501 | |
| #define _GLIBCXX_USE_C99 1 | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <windows.h> | |
| #include <iostream> | |
| #include <string> | |
| #include <sstream> |
mabj
/ calls_compression_pseudo_003.py
Last active
January 12, 2020 23:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class Compressor: | |
| def init(level): | |
| buffer = List(level*2) | |
| def add(element): | |
| tmp = None | |
| if not element: | |
| return tmp | |
| if len(buffer) == level*2: |
mabj
/ calls_compression_pseudo_002.py
Last active
January 12, 2020 23:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| compressors = [] | |
| for i in range(1,level): | |
| compressors.append(Compressor(i)) | |
| for e in data: | |
| e1 = checksum(e) | |
| c = compressors[0] | |
| out = c.add(e1) | |
| for c in compressor[1:]: | |
| out = c.add(out) |
mabj
/ calls_compression_snip_003_output.txt
Last active
January 12, 2020 21:40
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ['call_0', 'call_1', 'call_2', 'call_2', 'call_2', 'call_2', 'call_0', 'call_1', 'call_2', 'call_2', 'call_2', 'call_2'] | |
| [{'label': 'call_0', 'repeated': 2}, {'label': 'call_1', 'repeated': 2}, {'label': 'call_2', 'repeated': 8}] |
mabj
/ calls_compression_snip_003.py
Last active
January 12, 2020 21:38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import logging | |
| import hashlib | |
| import numpy | |
| from random import randint | |
| from itertools import groupby, chain | |
| logger = logging.getLogger(__name__) |
mabj
/ calls_compression_snip_002_01.py
Last active
January 12, 2020 21:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data = [0, 1, 2, 2, 2, 2, 0, 1, 2, 2, 2, 2] | |
| lrs = calculate_lrs(data) # [0, 1, 2, 2, 2, 2] <= First While | |
| while lst: | |
| lrs = calculate_lrs() | |
| # [2, 2] <= Second while |
mabj
/ calls_compression_snip_002.py
Last active
January 12, 2020 20:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data = [] | |
| for entry in log_entries: | |
| c = checksum(entry) | |
| data.append(c) | |
| map = {} | |
| lrs = True | |
| while lrs: | |
| lrs = calculate_lrs(data) | |
| while lrs: |
mabj
/ calls_compression_snip_001_output_compressed.txt
Last active
January 12, 2020 20:28
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (line1, c_001) | |
| (line3, c_002) x5 | |
| (line4, c_003) x5 | |
| (line6, c_004) x3 | |
| (line7, c_005) |
NewerOlder