Duncan Ogilvie mrexodia
@mrexodia
mrexodia / LowUtilities.cpp
Last active Jun 21, 2021 — forked from D4stiny/LowUtilities.cpp
A dependency-less implementation of GetModuleHandle and GetProcAddress.
//
// An implementation of GetModuleHandle and GetProcAddress that works with manually mapped modules, forwarded exports,
// without a CRT standard library, and uses no Windows API or dependencies.
//
// Author: Bill Demirkapi
// License: MIT, appended at the bottom of this document if you care about licensing and want to credit me in your own project.
//
#include <Windows.h>
#include <winternl.h>
@mrexodia
mrexodia / index.php
Created Dec 21, 2015
Lightshot API
<?php
function addLog($text, $debug = false) {
if ($debug) {
file_put_contents("debug_log.txt", $text . PHP_EOL, FILE_APPEND);
}
}
function makeResponse($request) {
return array(
"jsonrpc" => "2.0",
@mrexodia
mrexodia / undocumented.h
Last active Jun 5, 2021
universal PEB structure
#ifndef _UNDOCUMENTED_H
#define _UNDOCUMENTED_H
#include <windows.h>
namespace Undocumented
{
#pragma pack(push)
#pragma pack(1)
@mrexodia
mrexodia / ImportParser.cpp
Last active May 31, 2021
PE Import Table Parser
#include <windows.h>
#include <stdio.h>
int gtfo(const char* text = "")
{
printf("gtfo! (%s)\n", text);
return -1;
}
int main(int argc, char* argv[])
@mrexodia
mrexodia / reverseshell.cpp
Last active May 3, 2021
Reverse shell winapi c++ windows cmd. Useful for debugging production environments.
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
/*
THIS IS FOR DEBUGGING ONLY, DO NOT RUN THIS CODE IN PRODUCTION UNDER ANY CIRCUMSTANCE!
https://github.com/dev-frog/C-Reverse-Shell/blob/master/re.cpp
https://github.com/tudorthe1ntruder/reverse-shell-poc/blob/master/rs.c
https://eternallybored.org/misc/netcat/
@mrexodia
mrexodia / IntelPIN.cmake
Last active Mar 18, 2021
IntelPIN.cmake
# Website: https://software.intel.com/content/www/us/en/develop/articles/pin-a-binary-instrumentation-tool-downloads.html
# License: https://software.intel.com/sites/landingpage/pintool/pinlicense.txt
# This snippet: https://gist.github.com/mrexodia/f61fead0108603d04b2ca0ab045e0952
# TODO: lunix support
# Thanks to Francesco for showing me this method
CPMAddPackage(
NAME IntelPIN
VERSION 3.18
URL https://software.intel.com/sites/landingpage/pintool/downloads/pin-3.18-98332-gaebd7b1e6-msvc-windows.zip
@mrexodia
mrexodia / Decrypted iTunes Library.grammar
Created Dec 27, 2014
Decrypted iTunes Library File Format
<?xml version="1.0" encoding="UTF-8"?>
<ufwb version="1.9">
<grammar name="Decrypted iTunes Library" start="id:148" author="Mr. eXoDia" email="mr.exodia.tpodt@gmail.com" fileextension="itl" uti="com.apple.itunes.db">
<description>Grammar for decrypted iTunes Library files.</description>
<structure name="Defaults" id="149" repeatmin="0" repeatmax="-1" encoding="ISO_8859-1:1987" endian="little" signed="no"/>
<structure name="iTunes Library" id="148" repeatmin="0" repeatmax="-1" extends="id:149" order="variable">
<structref name="hdfm" id="152" repeatmin="0" repeatmax="-1" structure="id:151"/>
<structref name="msdh" id="154" repeatmin="0" repeatmax="-1" structure="id:153"/>
</structure>
<structure name="hdfm" id="151" length="this.headerLength" repeatmin="0" repeatmax="-1" extends="id:149" endian="big">
@mrexodia
mrexodia / Encrypted iTunes Library.grammar
Created Dec 16, 2014
Encrypted iTunes Library File Format
<?xml version="1.0" encoding="UTF-8"?>
<ufwb version="1.9">
<grammar name="Encrypted iTunes Library" start="id:4" author="Mr. eXoDia" email="mr.exodia.tpodt@gmail.com" fileextension="itl" uti="com.apple.itunes.db">
<description>Grammar for encrypted iTunes Library files.</description>
<structure name="Defaults" id="5" encoding="ISO_8859-1:1987" endian="little" signed="no"/>
<structure name="iTunes Library" id="4" extends="id:5">
<structref name="hdfm" id="8" structure="id:7"/>
<binary name="encryptedData" id="9" length="remaining">
<description>This chunk of data is encrypted using AES/ECB/NoPadding with the key &quot;BHUILuilfghuila3&quot;. After decryption, you have to inflate the data using ZLIB.
@mrexodia
mrexodia / upx.py
Created Sep 9, 2016
Unpacking UPX with x64dbgpy
from x64dbgpy.pluginsdk import *
import sys
cip = register.GetCIP()
if memory.ReadByte(cip) != 0x60:
gui.Message("Start at UPX entry point (1:[CIP]==0x60)")
exit(0)
x64dbg.DbgCmdExecDirect("bc")
x64dbg.DbgCmdExecDirect("bphwc")