req:
openssl req -x509 -subj /CN=root.yourdomain.com -days 3650 -noenc \
-out root.crt -keyout root.key
# -x509 - generate a certificate
# -subj - subject
# -days - validity period
This is a living document. Everything in this document is made in good faith of being accurate, but, like I just said, we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
#!/usr/bin/env python3
import usb.core
import struct
from collections import namedtuple
APPLE_VID = 0x05ac
Target = namedtuple("Target", ["vid", "pid", "name", "model", "total_size"])
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
Can you write Python that extracts the copied_alphabet string from the __builtin_strncpy in this function and uses it to decrypt data within the dec_sc_buff variable using the binary ninja API? 👤
🤖 To extract the copied_alphabet string and decrypt data within the dec_sc_buff variable using the Binary Ninja API, you can follow these steps:
1. Extract the copied_alphabet string directly from the provided HLIL.
2. Implement the decryption logic based on the operation described in the HLIL for modifying dec_sc_buff.
3. Use the Binary Ninja API for any additional operations needed.
Here is a Python example that accomplishes this:
function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
start path "C:\Windows\notepad.exe"
g
? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;
? .is_commited = 0;
!sysret stage post script {
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependencies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
// ==UserScript==
// @name Medium Paywall Bypass
// @namespace Violentmonkey Scripts
// @run-at document-start
// @match *://*.medium.com/*
// @match *://medium.com/*
// @match *://*/*
// @grant none
// @version 2.4
// @inject-into content