Duncan Ogilvie (mrexodia)

❤️
‌‌
View GitHub Profile
@mrexodia
mrexodia / undocumented.h
Last active Aug 5, 2020
universal PEB structure
#ifndef _UNDOCUMENTED_H
#define _UNDOCUMENTED_H
#include <windows.h>
namespace Undocumented
{
#pragma pack(push)
#pragma pack(1)
mrexodia / regexmagic.h
// License: public domain/CC0
#include <regex>
#include <string>
#include <cstdio>
#include <utility>
#include <climits>
#include <cinttypes>
bool parseNumber(const char* str, uint64_t& result, int radix = 0)
{
mrexodia / upx.py
Created Sep 9, 2016
Unpacking UPX with x64dbgpy
from x64dbgpy.pluginsdk import *
import sys
cip = register.GetCIP()
if memory.ReadByte(cip) != 0x60:
    gui.Message("Start at UPX entry point (1:[CIP]==0x60)")
    exit(0)
x64dbg.DbgCmdExecDirect("bc")
x64dbg.DbgCmdExecDirect("bphwc")
mrexodia / _typetest_script.txt
Last active May 26, 2020
x64dbg type system
ClearTypes
AddStruct ST
AppendMember char, a
AppendMember int, y
SizeofType ST
VisitType ST
AddType "unsigned int", DWORD
SizeofType DWORD
mrexodia / Encrypted iTunes Library.grammar
Created Dec 16, 2014
Encrypted iTunes Library File Format
<?xml version="1.0" encoding="UTF-8"?>
<ufwb version="1.9">
<grammar name="Encrypted iTunes Library" start="id:4" author="Mr. eXoDia" email="mr.exodia.tpodt@gmail.com" fileextension="itl" uti="com.apple.itunes.db">
<description>Grammar for encrypted iTunes Library files.</description>
<structure name="Defaults" id="5" encoding="ISO_8859-1:1987" endian="little" signed="no"/>
<structure name="iTunes Library" id="4" extends="id:5">
<structref name="hdfm" id="8" structure="id:7"/>
<binary name="encryptedData" id="9" length="remaining">
<description>This chunk of data is encrypted using AES/ECB/NoPadding with the key &quot;BHUILuilfghuila3&quot;. After decryption, you have to inflate the data using ZLIB.
mrexodia / Decrypted iTunes Library.grammar
Created Dec 27, 2014
Decrypted iTunes Library File Format
<?xml version="1.0" encoding="UTF-8"?>
<ufwb version="1.9">
<grammar name="Decrypted iTunes Library" start="id:148" author="Mr. eXoDia" email="mr.exodia.tpodt@gmail.com" fileextension="itl" uti="com.apple.itunes.db">
<description>Grammar for decrypted iTunes Library files.</description>
<structure name="Defaults" id="149" repeatmin="0" repeatmax="-1" encoding="ISO_8859-1:1987" endian="little" signed="no"/>
<structure name="iTunes Library" id="148" repeatmin="0" repeatmax="-1" extends="id:149" order="variable">
<structref name="hdfm" id="152" repeatmin="0" repeatmax="-1" structure="id:151"/>
<structref name="msdh" id="154" repeatmin="0" repeatmax="-1" structure="id:153"/>
</structure>
<structure name="hdfm" id="151" length="this.headerLength" repeatmin="0" repeatmax="-1" extends="id:149" endian="big">
mrexodia / index.php
<?php
function addLog($text, $debug = false) {
    if ($debug) {
        file_put_contents("debug_log.txt", $text . PHP_EOL, FILE_APPEND);
    }
}
function makeResponse($request) {
    return array(
        "jsonrpc" => "2.0",
mrexodia / ImportParser.cpp
Last active Feb 29, 2020
PE Import Table Parser
#include <windows.h>
#include <stdio.h>
int gtfo(const char* text = "")
{
printf("gtfo! (%s)\n", text);
return -1;
}
int main(int argc, char* argv[])
mrexodia / capslayer.ahk
; Source: https://www.autohotkey.com/boards/viewtopic.php?p=131059#p131059
CapsLock::
; KeyWait, CapsLock ; wait for Capslock to be released
; KeyWait, CapsLock, D T0.2 ; and pressed again within 0.2 seconds
; if ErrorLevel
; return
; else if (A_PriorKey = "CapsLock")
; SetCapsLockState, % GetKeyState("CapsLock","T") ? "Off" : "On"
return
mrexodia / reverseshell.cpp
Last active Nov 14, 2019
Reverse shell (WinAPI, C++, Windows cmd). Useful for debugging production environments.
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
/*
THIS IS FOR DEBUGGING ONLY, DO NOT RUN THIS CODE IN PRODUCTION UNDER ANY CIRCUMSTANCE!
https://github.com/dev-frog/C-Reverse-Shell/blob/master/re.cpp
https://github.com/tudorthe1ntruder/reverse-shell-poc/blob/master/rs.c
https://eternallybored.org/misc/netcat/