Neoma Fong neomafo88
@x-yuri
x-yuri / Generating SSL certificates.md
Last active May 3, 2024 00:59
Generating SSL certificates

Generating SSL certificates

req:

openssl req -x509 -subj /CN=root.yourdomain.com -days 3650 -noenc \
    -out root.crt -keyout root.key
  # -x509 - generate a certificate
  # -subj - subject
  # -days - validity period
@thesamesam
thesamesam / xz-backdoor.md
Last active May 19, 2024 20:15
xz-utils backdoor situation (CVE-2024-3094)

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is written in good faith of being accurate, but as I just said, we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

#!/usr/bin/env python3
import usb.core
import struct
from collections import namedtuple
APPLE_VID = 0x05ac
Target = namedtuple("Target", ["vid", "pid", "name", "model", "total_size"])
@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin's IDA plugin hint_calls.py, ported to support Python 2/3 and IDA >= 7.4 (tested on IDA 7.7 and 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils

Can you write Python that extracts the copied_alphabet string from the __builtin_strncpy in this function and uses it to decrypt data within the dec_sc_buff variable using the Binary Ninja API? 👤

🤖 To extract the copied_alphabet string and decrypt data within the dec_sc_buff variable using the Binary Ninja API, you can follow these steps:

1. Extract the copied_alphabet string directly from the provided HLIL.
2. Implement the decryption logic based on the operation described in the HLIL for modifying dec_sc_buff.
3. Use the Binary Ninja API for any additional operations needed.

Here is a Python example that accomplishes this:

function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
@SinaKarvandi
SinaKarvandi / intercepting-memory-allocations.ds
Created November 24, 2023 09:10
intercepting-memory-allocations
start path "C:\Windows\notepad.exe"
g
? .thread_intercept_thread = 0;
? .target_pid = $pid;
? .target_tid = 0;
? .target_allocation_address = 0;
? .target_allocation_size = 0;
? .is_commited = 0;
!sysret stage post script {
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependencies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
@mathix420
mathix420 / medium.user.js
Last active May 19, 2024 16:06
Bypass Medium Paywall - Working late 2023 - Greasy Fork, Violentmonkey, Tampermonkey - Click the RAW button to install
// ==UserScript==
// @name Medium Paywall Bypass
// @namespace Violentmonkey Scripts
// @run-at document-start
// @match *://*.medium.com/*
// @match *://medium.com/*
// @match *://*/*
// @grant none
// @version 2.4
// @inject-into content